PRIVACY POLICY DRAWN IN ACCORDANCE WITH ARTICLES 13 AND 14 OF REG. EU 2016/679

(GDPR – GENERAL DATA PROTECTION REGULATION)

SCOPE

As “Data Controller”, Interkom S.p.A., VAT N. 01347530634, with registered office in Naples, Via Bernini n. 20, 80129, in the person of its pro tempore legal representative, hereby informs you about the characteristics and methods of the processing of personal data provided via the “Whistleblowing Reporting Platform”, or in the “Whistleblowing Reporting Form” sent by registered post. The whistleblowing process is regulated by a dedicated procedure adopted by the Company, which all employees are required to read. The policy is accessible to employees on the Intranet and is also published on the company website at the link https://www.interkom.it/en/whistleblowing-2/whistleblowing-privacy-policy.

The personal data provided by the whistleblower at the time the “Whistleblowing Reporting Form” was sent and the information contained in the form and in any documents attached, as well as any data acquired during the inquiry led by the prescribed body, will be processed fairly, lawfully, transparently, and respecting the privacy and the rights of anyone involved (whistleblower, suspect, and any third party), in compliance with the applicable personal data protection regulation and law N. 179 of 30 November 2017 – “Provisions for the protection of whistleblowers who report crimes or misconduct of which they become aware in the context of private or public employment”.

As reports can be sent anonymously, whistleblowers are not required to provide their personal details. It must be noted that anonymous reports may expose whistleblowers to retaliation from the suspect while not allowing the Company to implement the protective measures applicable to non-anonymous, yet confidential, reports. Furthermore, without prejudice to any evidence obtained by the prescribed body during its inquiry, anonymous reports cannot be used in any disciplinary procedures against the suspect.

However, during the assessment of anonymous reports, the prescribed body may nevertheless receive information containing identifying data, professional data, or financial data pertaining to the other categories of subjects mentioned above (suspect, third parties), which will be processed in compliance with this policy.

PURPOSES AND LEGAL BASIS OF PROCESSING

Any personal data provided by the whistleblower and/or acquired by the prescribed body (SB – Supervisory Body) during the inquiry will be processed in compliance with Law 179/2017.

  More specifically, personal data will be processed for the following purposes:

 – Dealing with reports (to verify facts alleged in reports). The main legal basis of the processing is the legitimate interest of the Data Controller [art. 6, par. 1, lett. f) of the GDPR] to conform the Organization, Management, and Control Model (OMCM), adopted pursuant to Legislative Decree 231/01, to the amendments introduced by said law with reference to the OMCM requirements (art. 6, par. 2-bis et seq. of Legislative Decree 231/01 introduced by art. 2 of Law N. 179/2017). In consideration of the main purpose of the legislation on corporate liability of legal entities, said legitimate interest prevails over the personal data protection rights of the data subjects. 

 – Dealing with disciplinary procedures based entirely or partially on reports. In order to ensure the suspect’s right of defence, the information included in the report may be used, together with any other externally verified evidence, in the disciplinary procedure started against the suspect. On the other hand, the identity of the whistleblower may be revealed within the disciplinary procedure – therefore also to the suspect – only if the procedure is based exclusively on the report, in order to ensure the suspect’s right of defence and, in any case, with the express consent of the whistleblower. The whistleblower’s consent to reveal their identity within a disciplinary procedure is not mandatory; however, if the disciplinary procedure is solely based on the report, failure to provide consent will result in the impossibility to proceed against the suspect.

TYPE OF DATA PROCESSED

The two channels made available by the Company acquire only the personal data of the whistleblower (if provided) and the data included in the report. However, the following personal data may be acquired during the process:

  • Identity document, and any other contact details provided by the whistleblower;
  • Information (identifying data, professional data, financial data) regarding the suspect, whether included in the report or acquired during the inquiry;
  • Information (identifying data, professional data, financial data) regarding third parties, which may be included in the report and in any documents attached or acquired during the inquiry.

When provided, any personal data that identify the whistleblower can be accessed exclusively by the prescribed body (SB – Supervisory Body). The Company adopts all the measures prescribed by the law to protect the identity of the whistleblower and ensure it is not disclosed without their express consent, except in the case of defamatory allegations or reports sent with malice.

Reports must not contain an excess of data and must only include the details necessary to demonstrate the substance of the report. Therefore, reports will not usually include specific details or personal details that reveal health conditions or judicial information. If a report includes any of these categories of personal data, reported by the whistleblower or by a third party, and such data are found to be unnecessary for the purposes mentioned above, they will be destroyed or, if this is not possible, redacted, except in cases authorised by law or by a decision from the Data Protection Authority.

DATA PROCESSING METHOD

Data will be processed according to the organization logic and procedures strictly relevant to the purposes mentioned above and, in any case, using methods that guarantee the security, integrity, and privacy of the data, and complying with the organizational and physical measures and logic prescribed by the applicable regulations.

In the case of reports sent online (https://interkomspa.whistlelink.com), any data provided by the whistleblower via the platform are transferred using the HTTPS communication protocol. Data are also encrypted, ensuring the confidentiality of all information transferred.

Please be reminded that any identifying data pertaining to the whistleblower – whether acquired through the Platform or the Whistleblowing Reporting Form – are saved using methods that guarantee confidentiality. The direct association between the whistleblower and the report can be made only by the prescribed body (SB – Supervisory Body). 

DATA RETENTION

Personal data pertaining to reports can be saved and retained for the time necessary to complete the assessment of the facts included in the report and for 5 years after the report is archived, unless additional procedures (disciplinary, criminal, financial) stemming from the report are brought against the suspect or the whistleblower (in the case of false or defamatory allegations, or reports filed with malice). In this case, data are retained until the procedure has come to a conclusion and until the deadline to appeal the decision expires. If the allegations in a report are obviously groundless, data are immediately erased.

DATA RECIPIENTS

For the purposes mentioned above, the information sent via the Platform or the Whistleblowing Reporting Form is received by the Supervisory Body (SB), the body appointed by the Company to receive reports.

Please be reminded that only the Supervisory Body has access to the data that identifies the whistleblower, acquired through the above-mentioned channels. Furthermore, the members of the SB are bound by strict confidentiality rules.

On the other hand, data included in the report may be processed by Company employees appointed specifically to carry out the processing, who operate following the instructions provided by the Data Controller. Data may also be processed by external consultants or service providers acting as designated Data Processors pursuant to article 28 of the GDPR, who operate following the instructions provided by the Data Controller, especially with regard to the adoption of the measures required to guarantee data confidentiality and security. Data Processors also include Whistleblowing Solutions AB, which provides the platform, processes the information uploaded on it, and stores it on its server located within the European Union. This service provider only provides the infrastructure required to implement the whistleblowing procedure but does not have access to its content (whistleblower identity, details of the report, documents attached, messages exchanged between the whistleblower and the Supervisory Body, etc.). All content is encrypted; therefore, it is not accessible by the provider, not even during maintenance activities.

Personal data included in reports may also be communicated to the competent Company departments, in order to trigger any judiciary and/or disciplinary measures in connection with the report, or to the relevant Authorities, in the case of violations of laws or regulations.

Even if the facts reported are not in the realm of competence of the SB, as defined in the scope of the procedure adopted, the report is “protected”. This means that the prescribed body will not reveal the identity of the whistleblower without their prior explicit consent – as long as the disclosure is not required by laws, investigations, or subsequent judiciary procedures.

In all the cases of disclosure mentioned above, the Data Controller ensures that all necessary measures are adopted to prevent the information from circulating and guarantee confidentiality in view of the special purposes of the processing.

DATA DISCLOSURE 

Personal data are not published or disclosed to unidentified recipients.

INTERNATIONAL DATA TRANSFERS

Personal data are not transferred outside the EU.

DATA SUBJECT RIGHTS

  • Whistleblower Rights

The whistleblower, compatibly with any existing legal requirements, can exercise the rights recognised by articles 15-22 of the EU Regulation:

  • right to access personal data; 
  • right to obtain the rectification or erasure of the data (except for the content of the report); 
  • right to revoke consent, where applicable: revoking consent does not affect the data processing carried out before the consent was revoked; once consent is revoked, the whistleblower will not be able to access their profile but will still have access to the reports via their codes; consent cannot be revoked when processing is necessary to comply with the legal obligations to which the Data Controller is subject;
  • right to file a complaint with the Data Protection Authority, pursuant to article 77 of the GDPR, or appeal to the competent Judicial Authorities, pursuant to article 79 of the GDPR, within the limits set by the applicable national regulations (Legislative Decree 196/2003).

  • Suspect Rights

Pursuant to article 2-undecies of Legislative Decree 196/2003 (Personal Data Protection Code), the Data Controller informs the suspect that the exercise of the above-mentioned rights (Data Subject Rights recognised in articles 15-22 of the GDPR), and in particular the right to access data, may be delayed, limited, or excluded for the entire time during which it constitutes a necessary and proportionate measure, having taken into account the fundamental rights and legitimate interests of the data subject, in order to protect the confidentiality of the whistleblower and ensure that the inquiry is not compromised (tampering with evidence, hiding information).

The above-mentioned rights cannot be exercised by submitting a request to the Data Controller, or filing a complaint pursuant to article 77, if the exercise of said rights may cause actual prejudice to the whistleblower’s right to confidentiality. However, in these cases, data subject rights can be exercised via the Data Protection Authority pursuant to article 160 of Legislative Decree 196/2003, according to which the Data Protection Authority informs the data subject that all necessary checks have been carried out or that a review has been completed, without prejudice to the right of the data subject to seek judicial remedy.

In any case, Data Subject rights can be exercised through the following channels:

COOKIES

The platform does not acquire the personal details of its users.

Cookies are not used to transmit personal data and no persistent cookies are used for tracing purposes.

The platform only uses technical cookies strictly necessary for the efficient use of the platform. Session cookies (cookies that are not permanently saved on user devices but instead disappear once the browser is closed) are used to transmit session details (random numbers generated by the server) required to allow users to browse the platform safely and efficiently.