Privacy Notice on the Processing of Personal Data within the Reporting Procedure: Reported person and Third parties

Premise and limitations on the rights of the data subject

The following information is provided for the purpose of transparency towards those who have been the subject of a report or who have been named in a whistleblowing procedure (hereinafter, the "Reported") to inform them about the processing of their data in the context of the aforementioned procedure, in accordance with Articles 13 and 14 of the European Parliament and Council Regulation (EU) 2016/679 of April 27, 2016 (hereinafter, the "Regulation").

Data Controller ("Controller") and Data Protection Officer ("DPO")

The data controller is the Engineering Group company involved in the report at any given time or providing you with this information (hereinafter the “Controller”), and can be contacted at the addresses provided at the end of this document. In managing the whistleblowing platform, Engineering Ingegneria Informatica S.p.A. also operates on behalf of its subsidiaries, following an explicit appointment as data processor pursuant to Article 28 of Regulation (EU) 2016/679.


All personal data will be processed in accordance with the applicable data protection laws, meaning the Regulation, Legislative Decree no. 196/2003 as amended by Legislative Decree no. 101/2018 (“Privacy Code”), as well as any other applicable data protection regulations in Italy, including provisions from the Italian Data Protection Authority (Garante) (hereinafter, collectively with the Regulation, the “Privacy Legislation”), in full respect of the rights and fundamental freedoms, particularly with regard to the confidentiality of the identities of the subjects involved and the security of processing.

The Data Protection Officer (“Data Protection Officer” or “DPO”), for all matters concerning the processing of personal data and the exercise of the rights of the data subject, can be contacted at the following email address:

The purpose and legal basis of the processing – Nature of the provision

The reporting channel is to be understood as an internal channel pursuant to Article 4 of Legislative Decree 24/2023, allowing the submission of reports in both written and oral form (hereinafter, the “Whistleblowing Portal”).

Through the Whistleblowing Portal, accessible from the Data Controller's website, an individual who is the victim of corporate wrongdoing, or a third party aware of corporate wrongdoing that has already occurred or may occur, may submit their case either completely anonymously or, at their discretion, in a non-anonymous form.


Personal data is collected and processed for purposes strictly related to managing reports of unlawful conduct, conducting subsequent investigations, and all activities connected thereto.

Therefore, the legal basis for processing is the necessity to fulfill a legal obligation to which the Data Controller is subject, with reference to the provisions in Legislative Decree No. 24/2023 implementing Directive 2019/1937, as well as the ANAC guidelines on the matter. It is also possible that the Data Controller may need to conduct investigations for their legitimate interest in protecting corporate assets. In this case, the legal basis is the legitimate interest pursuant to Article 6, letter f) of the Regulation.

Personal data related to the Subject of the Report is collected through the report and related documentation provided by the whistleblower and during the corresponding investigation. The personal data related to the Subject of the Report may fall into the following categories:

  • Personal data (e.g., name, surname, place and date of birth);
  • Contact data (e.g., email address, phone number, postal address);
  • Professional data (e.g., hierarchical level, business area, job role, type of relationship with companies in the Engineering Group or other third parties, profession);
  • Any other information regarding the subject of the report that the whistleblower decides to share with the Data Controller to better detail their report, including any data belonging to special categories as per Articles 9 and 10 of the Regulation, related to:
    1. Relevant unlawful conduct;
    2. Irregularities and/or unlawful behaviors, either committed or omitted, that constitute or may constitute a violation of the principles established in the Code of Ethics, corporate policies and rules, and/or that may result in fraud or potential damage to colleagues, shareholders, and stakeholders in general, or constitute unlawful acts detrimental to the company’s interests and reputation.

With specific regard to the data that the Data Controller may receive through the reports, it is specified that such processing takes place in strict observance of the minimization principle and that, pursuant to Article 13, paragraph 2, of Legislative Decree 24/2023, “personal data that are manifestly not useful for processing a specific report are not collected or, if collected accidentally, are immediately deleted.”

Furthermore, if investigations are conducted, additional personal data regarding the Subject of the Report may be collected, particularly concerning their use of the Data Controller’s IT resources, including email and other company messaging tools.

The collected data may be processed for all purposes connected to the employment relationship.

Confidentiality and protection of the whistleblower

The Data Controller, in compliance with the provisions of Article 17 of Legislative Decree No. 24/2023, ensures the confidentiality of the identity of the whistleblower and the Reported Party in the management activities of the report and prohibits retaliatory or discriminatory acts, whether direct or indirect, against the whistleblower for reasons related, directly or indirectly, to the report.


Therefore, except in cases where liability for defamation and slander may be applicable under the provisions of the Criminal Code or Article 2043 of the Civil Code, and in cases where confidentiality cannot be invoked by law (e.g. criminal, tax, or administrative investigations, inspections by supervisory bodies), the identity of the whistleblower will be protected from the moment the report is received and throughout all subsequent phases, in accordance with the applicable provisions of Privacy Legislation.

All those who receive and/or are involved in the management of the reports are required to protect the confidentiality of this information.

Violation of the confidentiality obligation is subject to disciplinary responsibility, without prejudice to any other forms of liability provided for by the law.

Methods of processing, recipients, and retention periods

The Data Controller commits to processing only the data necessary to achieve the essential purposes for the execution of activities related to the report, in a lawful, fair, and transparent manner.

The processing will be excluded and/or limited in cases where the intended purposes can be achieved through anonymization or by means that allow the identification of the data subject only if necessary.


Reports and the documentation related to their management will be stored for a period not exceeding that necessary to pursue the purposes for which they were collected, in accordance with legal obligations or in any case to allow the Data Controller to protect their own or third-party rights and interests (e.g., defense in court).

The data is automatically deleted from the platform 5 years after the report is closed.

For the pursuit of the aforementioned purposes, the provided personal data may be made accessible only to those within the Data Controller's organization who require access for their role/position in relation to the process of receiving, analyzing, investigating, and managing reports, as well as any subsequent actions.

Data may also be processed by consultants, external companies with technical functions (e.g., the IT platform provider), and/or other parties providing professional services, who act, depending on the case, as independent data controllers or as data processors/sub-processors, and have signed a specific contract. Where these parties qualify as processors/sub-processors, the contract explicitly governs the processing activities assigned to them and their obligations concerning data protection and security of processing.

Finally, personal data may also be transmitted to other independent data controllers, based on legal or regulatory provisions (e.g., Public Authorities, the Data Protection Authority, the Judiciary, the Court of Auditors, and ANAC).

Rights of the data subjects

The Regulation (Articles 15 to 22) grants data subjects the exercise of specific rights.

In particular, in relation to the processing of their personal data subject to this privacy notice, the data subject has the right to request from the Controller access, rectification, deletion, restriction, and objection.


In the context of whistleblowing procedures, there are limits to the exercise of the data subjects' rights, and therefore the rights of the Whistleblower, although formally provided, may not be practically enforceable as outlined in Article 2 undecies of Legislative Decree 196/2003.

In this regard, it is possible that this privacy notice is only provided to you upon the conclusion of the investigation and that the rights may not be practically exercisable, or they may be carried out only at a later stage, if necessary to protect the individuals involved in the investigation and ensure its successful outcome, in accordance with Legislative Decree 24/2023 on whistleblowing and the same Regulation, Articles 14 and 23. The Controller will evaluate on a case-by-case basis the possibilities for accepting requests and the timing of their execution.

To exercise your rights, you may also contact the Italian Data Protection Authority (the "Garante"), in which case the Garante will inform the data subject that all necessary checks have been carried out or a review has been performed.

Additionally, your right to seek judicial review remains unaffected by this process.

To exercise your rights with the Controller, you can contact the Data Protection Officer at the following email address:

Data transfer abroad

The processing is carried out within the territory of the European Union. The Controller does not transfer personal data outside the European Union / European Economic Area.

If a transfer outside the EU/EEA becomes necessary, the processing will be governed in accordance with the safeguard measures set forth in Chapter V of the Regulation.