
Whistleblowing Privacy

NOTICE UNDER ARTICLES 13 AND 14 OF REGULATION (EU) NO. 2016/679 concerning the processing of personal data in the context of whistleblowing reports

In accordance with Articles 13-14 of the European Regulation 2016/679 (“GDPR”), please be advised that Frezza S.r.l. processes the personal data (“Data”) of individuals who report alleged unlawful conduct or violations of which they became aware in the work context, as identified in Art. 3, sec. 3 of Legislative Decree No. 24/2023, as well as those identified in Art. 3, sec. 5 of the aforementioned Decree (e.g., facilitators), and individuals other than those mentioned above whose personal data are included in whistleblowing reports and/or otherwise processed to manage the report (e.g., third-party data) (hereinafter, collectively, the “Data Subjects”). In compliance with the transparency principle, we provide the following information to the Data Subjects.

DATA CONTROLLER: IDENTITY AND CONTACT DETAILS. The Data Controller is Frezza S.r.l., VAT No. 00767170268, with registered office at Via Ferret 11/9, Vidor (TV) (hereinafter “Company” or “Controller”). For any information, questions, or clarification concerning Data processing, you can contact the Controller by sending a registered letter to the Company’s registered office (see also “DATA SUBJECT RIGHTS” below).

DATA PROTECTION OFFICER: CONTACT DETAILS. The Data Protection Officer appointed by the Controller can be contacted at the following email address: info@frezza.com.

PURPOSE OF DATA PROCESSING. The Data is processed solely to manage and follow up on reports received by the Company pursuant to whistleblowing regulations concerning the protection of persons who report violations of which they became aware in the work context (as defined in Legislative Decree No. 24/2023). “Report management” includes both the management of the channel(s) activated by the Company and the management of received reports (e.g., to conduct necessary investigations to verify the validity of the reported facts and take appropriate action), in compliance with the procedure adopted by the Company for handling reports.

CATEGORIES OF DATA PROCESSED. To fulfill the above purpose, the Controller processes the personal data included in the report and any data collected during its management. Specifically, depending on the case, the Controller processes:

  • Common personal data (Art. 6 GDPR), such as, for example, identifying data (e.g., name and surname), location data (e.g., residential address), contact information (e.g., phone number, email), position/role, company affiliation, etc.;
  • Special categories of personal data (Art. 9 GDPR), such as, for example, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, or data concerning the individual’s sex life or sexual orientation;
  • Judicial data (Art. 10 GDPR), i.e., data relating to criminal convictions and offenses or related security measures.

LEGAL BASIS OF PROCESSING. Data processing is carried out:

  • for common personal data, under Art. 6, para. 1, letter (c) GDPR, to comply with a legal obligation to which the Company is subject (Legislative Decree No. 24/2023);
  • for special categories of personal data, under Art. 9, para. 2, letter (b) GDPR, to fulfill a legal obligation to which the Company is subject;
  • for judicial data, under Arts. 10 and 88 GDPR (*). The Company generally does not process judicial data. Only if: i) the whistleblowing report contains such data; ii) processing is necessary to manage the report; iii) the conditions under Arts. 10 and 88 GDPR are met, will such Data be processed by the Controller. Otherwise, the Controller will refrain from processing it, deleting it when possible. (*) Ref. Data Protection Authority Ruling No. 304 of July 6, 2023.

Furthermore, where expressly required by Legislative Decree No. 24/2023, processing will be conducted only with the whistleblower’s consent. In particular, consent will be required:

  • under Art. 12, para. 2: for disclosure to persons other than those authorized to receive or follow up on the report, of the whistleblower’s identity or any other information that could reveal it directly or indirectly;
  • under Art. 12, para. 5: for disclosure of the whistleblower’s identity in disciplinary proceedings if the allegation is substantiated and the knowledge of that identity is essential for the defense of the accused;
  • under Art. 14, para. 2: for documenting, by recording on a device suitable for storage and listening or by full transcription, a report made via phone line;
  • under Art. 14, para. 4: for documenting, by recording on a suitable storage device or by written record, a report made orally during a meeting with designated personnel.

PROCESSING METHODS. Data processing is carried out through paper and electronic means, in compliance with personal data protection regulations, particularly with adequate technical and organizational measures under Art. 32.1 GDPR, and with all necessary precautions to ensure integrity, confidentiality, and availability of Data. Specifically, under Legislative Decree No. 24/2023, the Company adopts, among other measures, encryption to ensure the confidentiality of the whistleblower’s identity, the identity of the persons involved, and the identity of any other person mentioned in the report, as well as the content and related documentation. The processing covered by this Notice is not subject to automated decision-making.

SOURCE OF PERSONAL DATA. NATURE OF DISCLOSURE AND CONSEQUENCES OF REFUSAL. The Data, including data on persons other than the whistleblower, are contained in the report and/or subsequently collected during its management. Providing personal data is necessary for making and handling a whistleblowing report. Anonymous reports will be processed as regular reports only if they are adequately detailed, allowing specific facts and contexts to emerge.

CATEGORIES OF RECIPIENTS OF PERSONAL DATA. Data is not disclosed. The staff authorized to manage the report have been specifically authorized for Data processing under Art. 29 GDPR and have received operational instructions from the Controller. In cases where the report is forwarded to the competent Authorities, Data may be accessed and processed by these Authorities as independent Data Controllers. Data may also be disclosed to and/or accessed by service providers of the Controller who process it, as appropriate, as independent Data Controllers (e.g., legal advisors) or as Data Processors under Art. 28 GDPR (e.g., an external provider responsible for maintaining the reporting channel; external consultants managing the report). An updated list of Data Processors is kept at the Controller’s office and can be consulted upon request by the Data Subject.

DATA TRANSFER TO NON-EU COUNTRIES OR INTERNATIONAL ORGANIZATIONS. Data is not transferred to non-EU/EEA countries or International Organizations. Should such transfer become necessary to fulfill the purposes outlined in this notice, the Controller ensures that it will occur in full compliance with Chapter V of the GDPR (Arts. 44 et seq.), to maintain the level of personal data protection provided by the GDPR. The transfer will thus be to countries that the European Commission has determined provide an adequate level of protection, as per Art. 44 GDPR, or in compliance with specific standard contractual clauses approved by the European Commission under Art. 46 GDPR, provided that the recipient offers adequate safeguards and that data subjects have enforceable rights and effective remedies. Any deviations from the above will occur only in compliance with Art. 49 GDPR.

RETENTION PERIOD FOR PERSONAL DATA. Reports and related documentation are retained only as long as necessary to process the report, and in any case, no longer than five years from the date of the final outcome of the reporting process, in compliance with confidentiality obligations. After the retention period, Data will be deleted or irreversibly anonymized. A longer retention period may be required by legitimate requests from Authorities or by the Controller’s involvement in legal proceedings involving Data processing.

DATA SUBJECT RIGHTS. COMPLAINT TO THE SUPERVISORY AUTHORITY. By contacting the Controller using the methods indicated in the “DATA CONTROLLER: IDENTITY AND CONTACT DETAILS” section of this notice, the Data Subject has the right to exercise the rights recognized under the GDPR – within the limits of Art. 2 undecies of Legislative Decree No. 196/2003 (**) – namely, to request: a) access to Data concerning them; b) rectification of Data; c) deletion of Data, within the limits provided by the GDPR; d) restriction of Data processing, where the conditions of Art. 18 GDPR are met; e) Data portability in a structured format, in cases under Art. 20 GDPR; f) objection to Data processing, under Art. 21 GDPR. If the Data Subject believes that their Data processing violates the GDPR, they also have the right to lodge a complaint with the Supervisory Authority. In Italy, this Authority is represented by the Data Protection Authority, located in Rome. Data Subjects not residing in Italy may lodge a complaint with the Supervisory Authority in their country of residence.

To ensure the confidentiality of the Data Subject making a rights request, requests should be submitted with the subject line “PRIVACY RIGHTS REQUEST – WHISTLEBLOWING REPORT” (in the email subject line or on the registered letter envelope).

(**) Please note that the rights under Articles 15 to 22 of the GDPR cannot be exercised through a request to the Controller or by lodging a complaint with the Authority if the exercise of these rights would result in actual and substantial prejudice to the confidentiality of the identity of the individual reporting violations that they became aware of due to their employment relationship or duties.
