INFORMATION ON THE PROCESSING OF PERSONAL DATA
(Article 13 of EU Regulation 2016/679)
Dear
Recupero Etico Sostenibile SpA, with registered office in Pettoranello del Molise (IS) at Zona Industriale snc, Tax Code/VAT Number 00333320943, can be reached at the email address segreteria@recuperoeticosostenibile.it, as the data controller (the “Data Controller”), intends to provide its employees, partners, customers, suppliers, consultants, collaborators, and, more generally, anyone with an interest in the data controller (the “Data Subject” or collectively, the “Data Subjects”) with specific information regarding the processing of personal data that is necessary in relation to reports submitted via the Whistleblowing Portal (hereinafter the “Portal”), accessible via links on the Data Controller’s website, pursuant to Article 13 of EU Regulation 2016/679. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) and the European and national legislation that integrates and/or amends it (“Applicable Privacy Legislation”), including the provisions on the protection of personal data pursuant to Legislative Decree no. 196/2003, as amended by Legislative Decree no. 101/2018 (hereinafter, the “Privacy Code”).
Type of data processed: The Data Controller will process the data provided by the reporting party in order to identify the alleged unlawful conduct of which it has become aware, committed by individuals who interact in various capacities with Recupero Etico Sostenibile SpA, for the purpose of carrying out the necessary investigative activities aimed at verifying the validity of the reported fact and adopting the resulting measures.
The data collected and processed includes personal details and contact information if the reporting person chooses not to remain anonymous and access the Portal in a “confidential” manner, data relating to employment, the function performed, or the elements characterizing the report (hereinafter: “Common Data”).
The Data Controller will process data belonging to special categories, i.e., data capable of revealing, among other things, racial and ethnic origin, data relating to health and sex life (the “Special Data”) only if you freely choose to provide them as characterizing elements of the report.
Common Data and Special Data are hereinafter jointly referred to as “Personal Data”.
The Personal Data is provided directly by you by filling in the appropriate fields when sending the report or, subsequently, if you decide to enter further information to substantiate the report via the Portal’s messaging system (chat), which allows you to establish a virtual conversation with the body responsible for managing the report.
Purpose of processing and legal basis: The Personal Data will be processed to manage the report and to ensure your protection in the event of a report of crimes or irregularities of which you have become aware in the context of your relationship with the Data Controller.
For the purposes indicated above, the legal basis for processing the Personal Data provided is:
- a) your specific consent pursuant to Articles 6, paragraph 1, letter a) and 9, paragraph 2, letter a) of the GDPR, which you may provide directly online, before submitting the report, on the Portal made available by the Data Controller;
- b) the legitimate interest of the Data Controller, pursuant to Article 6, paragraph 1, letter f) of the GDPR, which, having become aware of the report you have submitted, intends to guarantee and preserve the integrity of the company’s assets;
- c) the need to fulfill legal obligations to which the Data Controller is subject (see in particular Article 6, paragraph 2bis et seq. of Legislative Decree No. 231 of 8 June 2001);
- d) the need to ascertain, exercise, or defend a right in court, if necessary.
Processing methods: Personal Data will be processed—according to the principles of fairness, lawfulness, and transparency—using computerized, manual, and/or electronic media and/or tools, using methods strictly related to the purposes of the processing and, in any case, guaranteeing the confidentiality and security of the data and compliance with specific obligations established by law.
The availability, management, access, storage, and usability of the data are guaranteed by the adoption of technical and organizational measures to ensure adequate levels of security pursuant to Articles 25 and 32 of the GDPR.
Processing is carried out by persons specifically authorized by the Data Controller and in compliance with the provisions of Article 29 of the GDPR.
Period of processing: Personal Data will be retained for five years from the date of notification of the unlawful act or fact, in compliance with the data minimization principle referred to in Article 5, paragraph 1, letter c), of the GDPR, as well as the Data Controller’s legal obligations.
In the event of legal disputes, Personal Data will be retained for the entire duration of the dispute, until the time limit for appeals has expired. Further information is available from the Data Controller at the contact details indicated below.
Data Recipients: Your Personal Data will not be disclosed, except where disclosure or disclosure is required by law by public bodies for defense or security purposes or for the prevention, detection, or suppression of crime.
In carrying out its business activities and for the purposes indicated above in the “Purpose of processing and legal basis” section, the Data Controller may disclose your Personal Data to third parties such as:
- Suppliers and consultants, who typically act as data processors pursuant to Art. 28 of the GDPR, including, for example, the company that provides the Portal’s application software and related maintenance services, as well as the Data Controller’s supervisory bodies who act as independent data controllers;
- Competent authorities (e.g., public institutions and/or authorities; judicial authorities and law enforcement agencies) who formally request it; in this case, the provision of data is necessary to fulfill a legal obligation.
A complete and updated list of data recipients may be requested from the Data Controller.
Data Transfer: Your Personal Data will not be transferred to third countries outside the European Union or to international organizations.
Nature of Data Provision and Consequences of Refusal: Failure to consent to the processing of data for the purposes indicated above will prevent the reporting party from submitting reports via the Whistleblowing Portal.
Rights of the Data Subject: The GDPR provides: the right to access, rectification, erasure, restriction, objection, data portability, withdrawal of consent, and the right to lodge a complaint with the Data Protection Authority.
How to Exercise Your Rights:
You may exercise your rights by:
- Registered mail with acknowledgement of receipt to Recupero Etico Sostenibile SpA – Zona Industriale, snc – 86090 Pettoranello del Molise (IS)
- email: segreteria@recuperoeticosostenibile.it