Pursuant to Articles 13 and 14 of the EU Regulation 2016/679 of 27 April 2016 (hereinafter referred to as the “Privacy Regulation”), the following information is provided to data subjects regarding the processing of personal data carried out in the context of whistleblowing reports.
The data controller of personal data (hereinafter also the “Data Controller”) is OMINI S.p.A., the recipient of the whistleblowing report.
For the purposes of whistleblowing reports, the persons to whom the protection of their confidentiality must be guaranteed, with regard to both the identity and the content of the report, are the person making the report, the whistleblower, the facilitator, the persons involved and the persons mentioned in the report.
Personal data are processed, in compliance with legal obligations arising from the provisions of Legislative Decree No. 231/2001, Law No. 179/2017 and Legislative Decree No. 24/2023, in order to:
• receive, analyse and manage, through the designated communication channels, reports of alleged irregularities and/or unlawful conduct (so-called whistleblowing reports) committed by persons who, in various capacities, interact with the Controller and of which the reporter has become aware;
• carry out all further activities connected with the management of the report and needed to manage it fully (e.g. conducting interviews, gathering elements useful for the purposes of investigating the case examined, etc.), performed by the competent persons designated as authorised to process it;
• respond to any requests from the competent Authorities and entities, etc.
Reports may be made either by disclosing one’s identity or anonymously. In the latter case, no data relating to the person making the report will be processed, except in the cases provided for by law and/or with the prior authorisation of the person making the report.
It is understood that, for the purposes of proper management of the report and for the performance of related activities, the data contained in the report itself and in the relevant supporting documentation may be processed, also with reference to other identified or identifiable persons involved in the report.
It should be noted, by way of example, that the following categories of personal data may be processed:
• personal data (e.g. first name, surname, tax code, address, date and place of birth);
• contact data (e.g. telephone numbers, landline and/or mobile, e-mail address);
• professional data (e.g. hierarchical level, company area of belonging, company role, type of relationship with third parties, profession);
• image and/or voice data;
• any information relating to the whistleblower, or to the other persons concerned, which the whistleblower decides to share in the report in order to better substantiate it;
• information that the reported person, or other data subjects, share with the Controller in the context of the management of the report;
• special data (e.g. data relating to political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to a person’s health or sex life or sexual orientation);
• judicial data;
• any other data relating to the report that may or may not fall within the above categories.
The processing will be carried out by authorised and specifically trained persons for the management of reports (above all, the Supervisory Board), persons who need to have knowledge of the information in the performance of their activities, with or without the aid of electronic tools, in accordance with principles of lawfulness and fairness: this is to ensure at all times the confidentiality and rights of the persons concerned in compliance with the provisions of the relevant legislation.
Reports, whether anonymous or not, can be sent through the communication channels set up for this purpose in various formats; it is also possible for the reporting party to attach files and documentation that is suitable for attesting the merits of his/her report.
In order to protect confidentiality and ensure possible anonymity, appropriate technical and organisational measures have been implemented.
Personal data that are clearly not useful for processing a specific report, if accidentally collected, are deleted once their relevance is excluded.
The persons concerned may be asked for specific authorisation, as provided for in Legislative Decree 24/2023, in the following cases:
• disclosure of the identity of the person making the report to persons other than those competent to receive or follow up reports;
• a report made orally during a meeting with the staff, for the purposes of documentation by recording it on a device suitable for storage and listening or by drawing up a report.
Authorisation may then be requested from the persons concerned, accompanied by a specific communication containing the reasons for disclosing their identity, in the following cases:
• in disciplinary proceedings, if the charge is based in whole or in part on the report, where disclosure of the identity of the reporter is indispensable for the defence of the person against whom the disciplinary charge is brought;
• in proceedings following internal or external reports, where such disclosure is also indispensable for the defence of the person concerned.

Disclosure of personal data
The personal data referred to above may be made available to:
• Public Authorities and other entities in fulfilment of legal obligations (e.g. Judicial Authority, Court of Auditors, ANAC), in their capacity as Data Controllers.
Data subjects’ data will not be disseminated (made available to unspecified parties).
Personal data will be processed within the European Economic Area (“EEA”). Should it exceptionally become necessary to transfer personal data outside the EEA, such transfer will take place on the basis of an adequacy decision of the European Commission, if applicable, or subject to the appropriate safeguards required by the Privacy Regulation.

Duration of data retention
Reports and related documentation are kept for as long as necessary for the processing of the report and in any case no longer than 5 years from the date of communication of the final outcome of the reporting procedure.
Personal data, if already processed in the context of the current employment relationship with the employer-owner, will be retained within the terms indicated in the general employee information notice.

What rights can be exercised?
Data subjects have the right to request from the Data Controller:
• confirmation as to whether or not their personal data is being processed and, if so, access to it (Art. 15 – right of access);
• rectification of inaccurate personal data or the integration of incomplete personal data (Art. 16 – right of rectification);
• deletion of the data if one of the reasons provided for in the Privacy Regulation applies (Art. 17 – right to be forgotten);
• restriction of processing when one of the cases provided for in the Privacy Regulation occurs (Art. 18 – right to restriction);
• receipt, in a structured, commonly used and machine-readable format, of the personal data they have provided to the Data Controller, and transmission of such data to another Data Controller (Art. 19 – right to portability).
Right to object (Art. 21). Should processing be carried out on the basis of the Controller’s legitimate interest, data subjects are informed that they may object to such processing. In this case, the Data Controller shall refrain from further processing the personal data of the data subjects, unless there are compelling legitimate grounds for processing or for the establishment, exercise or defence of a legal claim.
To exercise their rights, data subjects may send a written communication addressed to the Company.
Without prejudice to any other administrative or jurisdictional recourse, data subjects have the right to lodge a complaint with the Italian Data Protection Authority if they consider that the processing concerning them violates the Privacy Regulation (art. 77).

Limitation to the rights of the data subject.
The rights referred to in Articles 15 to 21 of the Privacy Regulation listed above may not be exercised by making a request to the Data Controller or by lodging a complaint pursuant to Article 77 of the Privacy Regulation, if the exercise of such rights may result in actual and concrete prejudice to the confidentiality of the identity of the person reporting breaches of which he/she has become aware by reason of his/her employment relationship or duties performed.
In particular, we inform data subjects that the exercise of these rights:
• shall be carried out in accordance with the provisions of the law or regulations governing the sector (between Law no. 179/2017 and Legislative Decree 24/2023);
• may be delayed, limited or excluded by reasoned communication made without delay to the data subject, for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the identity of the reporter; in such cases, the rights of the data subject may also be exercised through the Guarantor in the manner set out in Article 160 of Legislative Decree No. 196/2003 (Privacy Code), in which case the Garante shall inform the person concerned that it has carried out all the necessary checks or that it has conducted a review, as well as of the right of the person concerned to lodge a judicial appeal.

What is the source of the personal data?
The data are voluntarily provided by the persons concerned. Refusal to disclose them may result in the impossibility of the proper handling of the report or the handling of any objections to the report.