PRIVACY POLICY - WHISTLEBLOWING

provided as part of a report made through the internal reporting channel established by the Company pursuant to Legislative Decree 24/2023 on whistleblowing

Your data will be processed by LA SIA S.p.A. as the Data Controller. The company is headquartered at (00173) Rome, Via Luigi Schiavonetti 286, and can be contacted by e-mail at privacy@lasia.it.

We will process your personal data in order to handle the internal report received through the Company’s whistleblowing channel and verify its validity, as well as for the purpose of any resulting disciplinary proceedings.

If you are the author of the report, the data you provide will also be used to send you the communications required by law or to request additional information, if necessary.

Such processing is necessary to implement the legal obligations under the whistleblowing regulations, compliance with which is a condition for the lawfulness of processing under Art. 6(1)(c) and paras. 2 and 3, Art. 9(2)(b) and Articles 10 and 88 of the GDPR.

We will ask for the consent of the author of the report only in relation to the possibility of disclosing his or her identity to the person or persons believed to be responsible for the reported violations, in order to guarantee his or her right to be heard in the context of any disciplinary proceedings, if these cannot be sustained without mentioning the report.
The aforementioned consent may be freely withheld, with the sole consequence that disciplinary proceedings may not be pursued in the absence of evidence separate and apart from the report.

If you are the person making the report, then the data used are those that you yourself provided through the whistleblowing channel. Please note that the Web Portal is configured so that you can access it without any registration, and that the company’s computer systems, which you may use to connect to it, are set up so that they do not keep track of that connection.

If you are a person involved in an internal report made by others, the data we will process will be the data communicated through it.

In any case, only the information strictly necessary to achieve the above purposes will be processed. Any excess and irrelevant information will be deleted.

The receipt and handling of reports result in the Company’s processing of personal data of a common, special (formerly “sensitive data”) and judicial nature (such as criminal convictions and offenses) relating to all individuals (identified or identifiable) involved in various capacities in the reported events. The types of data processed may vary depending on the facts reported.

Your data are collected and recorded lawfully and in accordance with fairness, for the pursuit of the purposes stated above and in accordance with the basic principles established by law.

We will process your personal data by manual, computerized and telematic means, always with suitable technical and organizational measures in place to guarantee their security and confidentiality, especially in order to reduce the risks of destruction or loss, even accidental, of the data, unauthorized access, or processing that is not permitted or does not conform to the purposes of collection.

We will not put in place activities that involve decisions based solely on automated data processing, including profiling.

The Web Portal allows the reporter to choose whether to make a “confidential report,” which allows his or her identity and any contact details to be known only to the Report Manager, or to make an “anonymous report,” which allows his or her identity and contact details to be omitted, without prejudice to the ability to follow the progress of the report and receive the feedback required by law by accessing the Web Platform anonymously.

If you are a person other than the reporter, the data we process are those provided as part of the report or that will be collected during the processing of the report.

Your personal data will be kept for as long as necessary for the processing of the specific report and in any case no longer than five years from the date of the communication of the final outcome of the reporting procedure.
Upon expiration of the above period, personal data will be securely erased or stored in a form that does not allow for the identification of data subjects.

Your data will generally be processed within the Web Platform or at the offices of the Report Manager acting as a data processor under Art. 28 of the GDPR.
In case of involvement of business functions in the investigation, the processing will be carried out at our offices by the Data Controller’s staff, instructed and trained in data security and confidentiality protection and operating under specific processing authorization.
In case of involvement of several external parties, the disclosure of personal data will take place only after verification of reliability and agreement of appointment as data processor under Art. 28 GDPR.

The company providing the Web Platform also acts on our behalf as a data processor, on the basis of a specific agreement under Art. 28 GDPR.

The identity of the author of a report may be disclosed to the person or persons blamed for a violation only in the cases described above and with his or her consent.

An up-to-date list of our Data Processors can be requested according to the procedures for exercising rights below.

Personal data will not be disseminated.

The processing of your personal data takes place only within the European Union.

The legislation in force recognizes that you, as a Data Subject, may exercise at any time, simply by contacting us at the contact details given here, a series of rights, including the right:
a. to access the personal data we hold, obtaining evidence of the purposes of their processing, the categories of data involved, the recipients to whom the data may be disclosed, the applicable retention period, and the existence of automated decision-making processes;
b. to obtain without delay the rectification of inaccurate personal data concerning you;
c. to obtain, in the cases provided for, the erasure of your data;
d. to obtain restriction of processing when possible;
e. to request the portability of the data you have given us;
f. to object in whole or in part, on grounds relating to your particular situation, to processing carried out on the basis of our legitimate interest, unless the latter prevails;
g. to file a complaint with the Data Protection Authority under Art. 77 of EU Regulation 2016/679.

However, by express regulatory provision, the exercise of the aforementioned rights may be excluded or, alternatively, limited or delayed in the case of persons blamed or otherwise involved in the reported facts, where their exercise may result in prejudice to the protection of the confidentiality of the Whistleblower, for as long as such danger exists.