Top-of-page hero image

Whistleblower Policy

PRIVACY POLICY

Privacy Notice for Whistleblowers Regarding the Processing of Their Personal Data

(pursuant to Articles 13–14 of EU Regulation 2016/679 – GDPR)

Dear Data Subject, pursuant to and for the purposes of EU Regulation 2016/679, hereinafter referred to as the “GDPR,” we hereby wish to inform you that the aforementioned regulation provides for the protection of data subjects with regard to the processing of personal data. Such processing will be based on the principles of fairness, lawfulness, transparency, and the protection of your privacy and your rights.

Your personal data will be processed in accordance with the provisions of the legislation referred to above and the confidentiality obligations applicable to the processing of your personal data provided through the Whistleblowing Portal.

Data Controller: ETAFELT SRL – VAT Number: 00517960019 – Registered Office: Corso Piemonte No. 66 – 10099 SAN MAURO TORINESE – email: info@etafelt.it

Categories of personal data processed: The Reporting Portal – Whistleblowing collects only, where provided, general identification data, such as personal information (first name, last name) and contact information (email, phone number) contained in the report, within which the Data Subject (otherwise referred to as the “Reporter” or “Whistleblower”) may disclose any special categories of personal data and/or criminal records.

Purpose and legal basis of the processing: specifically, your data will be processed for purposes related to compliance with legal obligations (Legislative Decree 24/2023 and Law 179/2017) in order to facilitate the management of investigative activities necessary to assess reports concerning violations of internal and/or external rules, as set forth in the Code of Ethics, in Model 231 (if applicable), and in applicable legislation.

Methods of Processing. Data processing will be carried out in accordance with the principle of data minimization by authorized, formally designated, and adequately trained personnel, and will be conducted using computer and telecommunications systems in a manner that ensures the security, integrity, and confidentiality of the data collected, in compliance with the organizational, physical, and logical measures required by applicable regulations.

The Whistleblowing Portal guarantees, at every stage, the confidentiality of the content of the report and the identity of the whistleblower, which may not be disclosed without the whistleblower’s express consent to anyone other than those authorized to receive or follow up on reports pursuant to Articles 29 and 32, paragraph 4, of the GDPR, including through the use of encrypted communications, except in cases where (I) the report is unfounded and made solely for the purpose of harming the person against whom the report is filed, or due to gross imprudence, negligence, or incompetence on the part of the reporter; (II) anonymity is not enforceable by law (e.g., criminal investigations, inspections by regulatory bodies, etc.); (III) the report discloses facts which, although unrelated to the company, require reporting to the judicial authorities (e.g., crimes of terrorism, espionage, attacks, etc.).

All processing is carried out in accordance with the procedures set forth in Articles 6 and 32 of the GDPR and through the implementation of the appropriate security measures provided for therein.

Categories of recipients of personal data. Your data will be processed solely by personnel expressly authorized by the Data Controller and, in particular, by the designated whistleblowing recipients.

Disclosure: Your personal information will not be disclosed in any way.

Retention Period. Please note that, in accordance with the principles of lawfulness, purpose limitation, and data minimization, pursuant to Article 5 of the GDPR, reports and related documentation are retained for the time necessary to process the report and, in any case, for no longer than five years from the date of notification of thefinal outcome of the reporting procedure, in compliance with the confidentiality obligations set forth in Article 12 of Legislative Decree No. 24 of 2023. Furthermore, your data will be retained for a period no longer than is necessary to achieve the purposes for which it is collected and processed, and in compliance with the mandatory timeframes prescribed by law.

You have the right to request that the data controller delete (right to be forgotten), restrict, update, correct, or transfer your personal data, or object to the processing of your personal data; furthermore, you may generally exercise all the rights provided for in Articles 15, 16, 17, 18, 19, 20, 21, and 22 of the GDPR.

Rights of the Data Subject

As a data subject, you have the right to obtain confirmation as to whether or not personal data concerning you exists—even if it has not yet been recorded—to receive such data in a comprehensible form, and to file a complaint with the supervisory authority.

You also have the right to obtain information regarding the origin of the personal data, the purposes and methods of processing, the logic applied in the case of processing carried out with the aid of electronic tools, the identification details of the data controller, the data processors, and the representative designated pursuant to Article 5, paragraph 2; and the entities or categories of entities to whom the personal data may be disclosed or who may become aware of it in their capacity as the designated representative within the territory of the State, as data processors, or as persons in charge of processing.

The data subject also has the right to have the data updated, corrected, or supplemented; the erasure, anonymization, or blocking of data processed in violation of the law, including data that no longer needs to be retained for the purposes for which it was collected and/or processed; and data portability.

The data subject has the right to object, in whole or in part and for legitimate reasons, to the processing of personal data concerning him or her, even if such data is relevant to the purpose for which it was collected; and to the processing of personal data concerning him or her for the purposes of sending advertising or direct sales materials, or for conducting market research or commercial communications.