CIRCULAR LETTER PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) NO. 2016/679
on the processing of personal data in the context of whistleblowing
Pursuant to Articles 13 and 14 of European Regulation 2016/679 (“GDPR”), you are hereby informed that CLIVET S.P.A. processes the personal data (“Data”) of individuals who report alleged unlawful conduct or violations of which they have become aware in their work, as set out in Article 3, paragraph 3, of Italian Legislative Decree 24/2023, as well as of the individuals set out in Article 3, paragraph 5, of the same Decree (e.g. facilitators) and of individuals other than those indicated above whose personal data are included in the whistleblowing reports and/or in any case processed to handle the report (e.g. third party data) (hereinafter, all the aforementioned individuals, known only as “Data Subjects”). In compliance with the principle of transparency, the following information is therefore provided for the Data Subjects. This circular letter does not exclude the possibility that more information regarding Data processing may be provided in other ways.
DATA CONTROLLER: IDENTITY AND CONTACT DETAILS
The Data Controller is CLIVET S.P.A., VAT number 00708410253, with registered office in Via Camp Lonc, 25 - 32032 z.i. Villapaiera - Feltre (BL) Italy (hereinafter “Company” or “Data Controller”). For any information, doubt or clarification regarding the processing of your Data, and to exercise the rights recognised by the GDPR, within the limits of the provisions of Article 2 undecies of Italian Legislative Decree no. 196/2003, you may send a communication by registered letter with return receipt to the Company’s registered office or by e-mail to: privacy@clivet.it.
In order to ensure the utmost confidentiality of the Data Subject making the request to exercise his/her rights in accordance with the privacy regulation in force and the whistleblowing regulation (Italian Legislative Decree 24/2023), the Data Subject is asked to write “REQUEST TO EXERCISE PRIVACY RIGHTS - WHISTLEBLOWING REPORT” in the subject line of the e-mail or on the envelope of the registered letter.
DATA PROTECTION OFFICER: CONTACT DETAILS
The Data Protection Officer appointed by the Data Controller can be contacted at this e-mail address: dpo@clivet.it
PURPOSE OF PROCESSING, CATEGORIES OF DATA PROCESSED AND LEGAL BASIS
The Data are processed for the sole purpose of handling and following up the reports received by the Company pursuant to the whistleblowing regulation on the protection of persons who report offences that they have become aware of in their work (as defined in Italian Legislative Decree no. 24/2023). “Handling of reports” means both the management of the channel(s) activated by the Company, and the handling of the reports received (e.g. for the purpose of carrying out the necessary investigative activities aimed at verifying the validity of the wrongdoing being reported and the adoption of the consequent measures), in accordance with the Company procedure on handling reports.
To accomplish this purpose, the Data Controller processes the personal data in the report and those collected while it is being handled. Specifically, as the case may be, the Data Controller processes:
- Personal data of a common nature (Article 6 of the GDPR) such as, but not limited to, identification details (e.g. first name and surname), location details (e.g. home address), contact details (e.g. telephone number, e-mail address), job/role, company, etc.;
- Special categories of personal data (Article 9 of the GDPR) such as, but not limited to, information disclosing racial or ethnic origin, political views, religious beliefs, trade union membership, information relating to the health or sexual life or sexual orientation of the data subject.
Processing is necessary:
- for personal data of a common nature, pursuant to Article 6, paragraph 1, letter c) of the GDPR, for compliance with a legal obligation to which the Company is subject (Italian Legislative Decree no. 24/2023);
- for special categories of personal data, pursuant to Article 9, paragraph 2, letter b) of the GDPR, for compliance with a legal obligation to which the Company is subject.
Reports made through the voice messaging system provided by the Company will be documented by recording them on a storage and listening device, subject to the consent of the whistleblower, pursuant to Article 14, paragraph 2, of Italian Legislative Decree 24/2023.
PROCESSING METHODS
Data processing will be carried out using paper and IT tools, in compliance with the provisions on the protection of personal data and, in particular, with the appropriate technical and organisational measures referred to in Article 32.1 of the GDPR, and any precautionary measures that guarantee their integrity, confidentiality and availability. More specifically, and in accordance with Italian Legislative Decree no. 24/2023, the Company uses - among others - security encryption measures, in order to ensure that the identity of the whistleblower, of the person involved and of any person mentioned in the report, as well as the content of the report and of the relevant documentation, are kept confidential. The processing referred to in this Circular Letter is not subject to automated decision-making processes.
PERSONAL DATA SOURCE. NATURE OF THE PROVISION AND CONSEQUENCES OF REFUSAL
The Data, including those of individuals other than the whistleblower, are in the report and/or collected subsequently during handling of the report, and also through publicly accessible sources where applicable. The provision of personal data is optional; however, anonymous reports will only be taken into consideration if they are adequately substantiated, so as to disclose any wrongdoing and situations related to specific contexts.
CATEGORIES OF PERSONAL DATA RECIPIENTS
Data are not disclosed. The company personnel in charge of handling the report have been specifically authorised to process the Data pursuant to Article 29 of the GDPR and Italian Legislative Decree 24/2023, receiving specific operating instructions from the Data Controller. If the report is submitted to the competent Authorities, the Data may be known and processed by the latter as autonomous Data Controllers. The Data may also be sent to and/or known by the Data Controller’s service providers who process them, as the case may be, as autonomous Data Controllers (e.g. lawyers) or as Data Processors pursuant to Article 28 of the GDPR (e.g. external supplier in charge of maintenance on the reporting channel). The updated Register of Data Processors is kept at the Data Controller’s head office and can be consulted on the Data Subject’s request.
TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
Data are not transferred to countries outside the European Union/EEA or to International Organisations. Should such a transfer be necessary to achieve the purposes set out in this Circular Letter, the Data Controller guarantees that it will take place in full compliance with current regulations (in particular with Italian Legislative Decree 24/2023) and with the conditions set out in Chapter V of the GDPR (Articles 44 et seq.), in order to ensure that the level of protection afforded to natural persons by the GDPR is in no way affected. Any transfer will therefore only be made to those countries that the European Commission has judged can guarantee an adequate level of protection, in accordance with the provisions of Article 44 of the GDPR or in compliance with specific standard contractual clauses approved by the European Commission pursuant to Article 46 of the GDPR, provided that the recipient of the data provides adequate guarantees and that Data Subjects have enforceable rights and effective remedies. Any exceptions to the above will only occur in full compliance with Article 49 of the GDPR.
PERSONAL DATA RETENTION PERIOD
Reports and related documentation are kept for as long as necessary to process the report and in any case no longer than five years from the date of communication of the final outcome of the reporting procedure, subject to confidentiality obligations. After the above time limits, the Data will be subject to irreversible deletion or anonymisation. A longer period of retention may be determined by legitimate requests from the Authorities or by the involvement of the Data Controller in judicial procedures regarding the processing of Data.
RIGHTS OF THE DATA SUBJECT. COMPLAINTS TO THE SUPERVISORY AUTHORITY
If the Data Controller is contacted as indicated in the “DATA CONTROLLER: IDENTITY AND CONTACT DETAILS” section in this Circular Letter, the Data Subject may exercise the rights granted to him/her by the GDPR – within the limits of the provisions of Article 2 undecies of Italian Legislative Decree no. 196/2003 – i.e. to request: a) access to Data concerning him/her; b) rectification of the Data; c) deletion of the Data, within the limits provided for by the GDPR; d) limits to the processing of Data, pursuant to the conditions set out in Article 18 of the GDPR; e) portability of these Data in a structured format, in the cases set out in Article 20 of the GDPR; f) opposition to the processing of these data, pursuant to Article 21 of the GDPR. If the Data Subject considers that the processing of his/her data violates the GDPR, he/she also has the right to lodge a complaint with the Supervisory Authority. In Italy, this Authority is represented by the Personal Data Protection Officer based in Rome.