provided as part of a report made through the internal reporting channel established by the Company pursuant to Leg. 24/2023 on whistleblowing
Your data will be processed by Mare Group S.p.A., acting as the Data Controller. The company is headquartered at Via Ex Aeroporto c/o Consorzio Il Sole 4, 80038 Pomigliano d’Arco (NA), Italy, and may be contacted at the following email address: privacy@lasia.it.
We will process your personal data in order to handle the internal report received through the Company’s whistleblowing channel and verify its validity, as well as for the purpose of any resulting disciplinary proceedings.
If you are the author of the report, the data you provide will also be used to provide you with the communications required by law or to request, if necessary, additions.
Such processing is necessary to implement the legal obligations under the whistleblowing regulations, compliance with which is a condition for the lawfulness of processing under Art. 6(1)(b). (c) and parr. 2 and 3, Art. 9(2)(b). (b) and Articles 10 and. 88 of the GDPR.
We will ask for the consent of the author of the report only in relation to the possibility of disclosing his or her identity to the person or persons believed to be responsible for the reported violations, in order to guarantee his or her right to be heard in the context of any disciplinary proceedings, if these cannot be sustained without mentioning the report.
The aforementioned consent may be freely withheld, with the sole consequence that disciplinary proceedings may not be cultivated in the absence of evidence separate and apart from the report.
If you are the person making the report, then the data used are those that you yourself provided through the whistleblowing channel. Please note that the Web Portal is configured so that you can access it without any registration, and that the company’s computer systems, which you should eventually use to connect to it, are set up so that they do not keep track of that connection.
If you are a person involved in an internal report made by others, the data we will process will be the data communicated through it.
In any case, only the information strictly necessary to achieve the above purposes will be processed. Any excess and irrelevant information will be deleted.
The receipt and handling of reports result in the Company’s processing of personal data of a common, special (formerly “sensitive data”) and judicial nature (such as criminal convictions and offenses) relating to all individuals-identified or identifiable-in various capacities involved in the reported events. The types of data processed may vary depending on the facts reported.
Your data are collected and recorded lawfully and in accordance with fairness, for the pursuit of the purposes stated above and in accordance with the basic principles established by law.
We will process your personal data both by manual, computer and telematic means, but always under the supervision of suitable technical and organizational measures to guarantee their security and confidentiality, especially in order to reduce the risks of destruction or loss, even accidental, of the data, unauthorized access, or processing that is not permitted or does not conform to the purposes of collection.
We will not put in place activities that involve decisions based solely on automated data processing, including profiling.
The Web Portal allows the reporter to choose whether to make a “confidential report,” which allows his or her identity and any contact details to be known only to the Report Manager, or to make an “anonymous report,” which allows his or her identity and contact details to be omitted, without prejudice to the ability to follow the progress of the report and receive the feedback required by law by accessing the Web Platform anonymously.
If you are a person other than the reporter, the data we process are those provided as part of the report or that will be collected during the processing of the report.
Your personal data will be retained for the time necessary to process the specific report and, in any case, no longer than five years from the date on which the final outcome of the reporting procedure is communicated.
Upon expiration of the above period, the personal data will be securely deleted or stored in a form that does not allow the identification of the data subjects.
Your data will generally be processed within the Web Platform or at the offices of the reporting manager acting as a data controller under Art. 28 of the GDPR.
In the event that company functions are involved in the investigations, the processing will be carried out at our offices by the Data Controller’s personnel, who are duly instructed and trained in the protection of data security and confidentiality and who operate under specific authorization to process the data.
In the event that external parties are involved, the disclosure of personal data will take place only after verifying their reliability and entering into an appointment agreement as data processor pursuant to Art. 28 GPDR.
The company providing the Web Platform, also acts on our behalf, as a data controller and on the basis of a special agreement under Art. 28 GPDR.
The identity of the author of a report may be disclosed to the person or persons blamed for a violation only in the cases described above and with his or her consent.
An up-to-date list of our Data Processors can be requested according to the procedures for exercising rights below.
Personal data will not be disseminated.
The processing of your personal data takes place only within the European Union.
The applicable legislation grants you, as a Data Subject, the right to exercise at any time, simply by contacting us at the details provided herein, a number of rights, including the right to:
a. to access the personal data in our possession, obtaining information on the purposes of their processing, the categories of data involved, the recipients to whom such data may be disclosed, the applicable retention period, and the existence of automated decision-making processes;
b. to obtain, without undue delay, the rectification of inaccurate personal data relating to you;
c. to obtain, in the cases provided for by law, the erasure of your data;
d. to obtain the restriction of processing, where applicable.
e. to request the portability of the data you have provided to us;
f. to object, in whole or in part, on grounds relating to your particular situation, to processing carried out on the basis of our legitimate interest, unless such interest prevails;
g. to file a complaint with the Data Protection Authority under Art. 77 of EU Regulation 2016/679.
However, by express regulatory provision, the exercise of the aforementioned rights may be excluded or, alternatively, limited or delayed in the case of persons blamed or otherwise involved in the reported facts, where their exercise may result in prejudice to the protection of the confidentiality of the Whistleblower, for as long as such danger exists.
