Privacy Notice on the Processing of Personal Data within the Reporting Procedure (Whistleblowing): Reporter
What type of notice is it?
In compliance with the obligations established by applicable law, Engineering Ingegneria Informatica S.p.A., VAT number 00967720285, with registered office at Piazzale dell'Agricoltura 24, 00144 Rome, has implemented an internal channel for reporting corporate misconduct, adopting, for itself and all the companies in the group (hereinafter the "Engineering Group"), an IT platform provided by a selected partner that complies with EU Directive 2019/1937 (ISO 27001 certified, in accordance with Regulation (EU) 2016/679).
Read more
In this notice and, together, in the one addressed to the reported person and third parties, both provided pursuant to Article 13 of Regulation (EU) 2016/679, the purposes and methods by which the data controller collects and processes personal data in the context of the reports are outlined. It also specifies which categories of data are processed, the rights of the data subjects, and how they can be exercised.
Data Controller ("Controller") and Data Protection Officer ("DPO")
The data controller is the company within the Engineering Group that is involved in the report (hereinafter referred to as the "Controller"), which can be contacted at the addresses provided at the end of this document.
In managing the reporting platform, Engineering Ingegneria Informatica S.p.A. also acts on behalf of the subsidiaries, following an explicit appointment as data processor pursuant to Article 28 of Regulation (EU) 2016/679.
Read more
All personal data will be processed in accordance with the applicable data protection laws, including Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data, and on the free movement of such data ("Regulation"), Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018 ("Privacy Code"), as well as any other applicable data protection legislation in Italy, including the measures issued by the Data Protection Authority (together with the Regulation, hereinafter referred to as the "Privacy Legislation"), ensuring full respect for the rights and fundamental freedoms, with particular regard to the confidentiality of the identities of the individuals involved and the security of the processing.
The Data Protection Officer ("DPO") responsible for all matters related to personal data processing and the exercise of the data subject's rights can be contacted at the following email address:
Purposes and legal basis of processing – Nature of the provision
The reporting channel is considered an internal one under Article 4 of Legislative Decree No. 24/2023 and allows the submission of reports in both written and oral form (hereinafter, the "Whistleblowing Portal").
Through the Whistleblowing Portal, accessible from the Controller's website, an individual who is a victim of corporate misconduct or a third party who is aware of an already occurred or potentially occurring corporate misconduct, can report the case, either completely anonymously or, at their choice, non-anonymously.
Read more
The report will be promptly processed to ensure compliance with the applicable legal requirements.
Personal data is collected and processed for purposes directly related to the management of reports of illegal conduct.
Therefore, the legal basis for processing is the necessity of fulfilling a legal obligation to which the Controller is subject, in accordance with the provisions of Legislative Decree No. 24/2023 implementing Directive 2019/1937, as well as ANAC guidelines on the matter.
Confidentiality and protection of the Reporter
The Controller informs that, in compliance with the provisions of Article 17 of Legislative Decree No. 24/2023, the confidentiality of the reporter's identity is safeguarded in the management of the report. Retaliatory or discriminatory actions, whether direct or indirect, against the reporter for reasons related, directly or indirectly, to the report, are prohibited.
Read more
Therefore, except in cases where liability for defamation and slander may be established under the provisions of the Penal Code or Article 2043 of the Civil Code, or in cases where confidentiality cannot be opposed by law (e.g., criminal, tax, or administrative investigations, inspections by regulatory bodies), the reporter's identity will be protected from the receipt of the report and at every subsequent stage, in compliance with the applicable provisions of the Privacy Legislation.
All individuals who receive and/or are involved in the handling of reports are required to protect the confidentiality of this information.
Violation of the confidentiality obligation may result in disciplinary responsibility, without prejudice to other forms of liability provided by law.
Processing methods, recipients, and retention periods
The Controller commits to processing only the data necessary to achieve the essential purposes for carrying out the activities related to the report, in a lawful, fair, and transparent manner.
The processing will be excluded and/or limited in cases where the pursued purposes can be achieved through anonymization or methods that allow the identification of the data subject only when necessary.
Read more
The reports and the documentation related to their management will be kept for a period no longer than necessary to achieve the purposes for which they were collected, in accordance with legal obligations or to allow the Controller to protect their rights and interests or those of third parties (e.g., defense in legal proceedings).
The data is automatically deleted from the platform 5 years after the closure of the report.
For the achievement of the above-mentioned purposes, the personal data provided may only be made accessible to those within the Controller’s organization who need it for their role/job in relation to the process of receiving, analyzing, investigating, and managing the reports and any subsequent actions.
The data may also be processed by consultants, external companies with technical functions (e.g., the IT platform provider), and/or other individuals providing professional services, who act, depending on the case, as independent controllers or as data processors/sub-processors and have signed a specific agreement. If these entities qualify as data processors/sub-processors, the contract specifically regulates the processing they are entrusted with and their obligations regarding data protection and security of processing.
Finally, personal data may also be transmitted to other independent data controllers based on laws or regulations (e.g., Public Authorities, Data Protection Authority, Judicial Authorities, Court of Auditors, and ANAC).
Data subject rights
The Regulation (Articles 15 to 22) grants data subjects the exercise of specific rights.
In particular, with regard to the processing of their personal data subject to this notice, the data subject has the right to request access, rectification, erasure, restriction, and objection; they can also lodge a complaint with the Supervisory Authority, which in Italy is the Italian Data Protection Authority (Article 77 of the Regulation).
Read more
It is informed that, in accordance with Article 23 of the Regulation, the aforementioned rights cannot be exercised by the whistleblower or the individuals involved in the report if the exercise of such rights could result in a real and concrete prejudice to the confidentiality of the whistleblower's identity.
In particular, the exercise of these rights may be delayed, restricted, or excluded with a motivated communication provided to the data subject without delay, unless such communication would compromise the purpose of the restriction, for the time and within the limits in which this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the whistleblower's identity.
At any time, the data subject may request to exercise their rights by contacting the Data Protection Officer at the following email address:
Transfer of data abroad
The processing is carried out within the territory of the European Union. The Titolare does not transfer personal data outside the European Union / European Economic Area.
In the event that a transfer outside the EU/EEA becomes necessary, the processing will be governed in accordance with the safeguard measures provided in Chapter V of the Regulation.
