SINELEC S.p.A. has appointed a Data Protection Officer (also known as “DPO”). The DPO can be contacted via the following email address: DPO@sinelec.it.
INFORMATION FOR INDIVIDUALS WHO REPORT OFFENCES (a.k.a. WHISTLEBLOWERS)
IN ACCORDANCE WITH THE REGULATION ON THE PROTECTION OF PERSONAL DATA
1. Processing of Personal Data
Pursuant to articles 13 and 14 of Regulation (EU) 2016/679 regarding the protection of personal data (“GDPR”) and in the event of reports made non-anonymously, Sinelec S.p.A. (the “Company” or the “Owner”), as data controller, processes the personal data of the individual reporting offences (“Whistleblower”) in order to manage reports relating to behaviour, acts or omissions which, pursuant to Legislative Decree 24/2023, have the potential to jeopardise the public interest or the integrity of the Company or in any case are in conflict with the company policies of the Data Controller (“Violations”).
2. Scope of this notice
This document allows the Whistleblower to know the nature of the personal data being processed, the purposes and methods of the processing, any recipients of the same, as well as the rights recognised in relation to the processing of personal data.
3. Purpose and legitimacy of the processing
If the report is made non-anonymously, the personal data of the Whistleblower, in compliance with regulatory obligations and, in particular, in compliance with Legislative Decree 24/2023, will be used for the following purposes:
a) for the receipt of notifications;
b) for internal investigation aimed at verifying the validity of the Report, including by contacting the Whistleblower in order to gather additional information;
c) if the report turns out to be founded, adoption of disciplinary sanctions or activation of the appropriate contractual remedies;
d) possible initiation of legal actions against the individuals involved;
e) where the reported conduct constitutes a crime, the reporting of the offences to the Judicial Authority;
f) for the carrying out of all the instrumental and ancillary activities, and in any case required for the pursuit of the aforementioned purposes.
4. Nature of the provision of personal data
The processing of personal data is instrumental to the purposes referred to in Paragraph 3 above.
The provision of data by the Whistleblower is mandatory in the event of a report made non-anonymously. Any refusal to provide data therefore makes it impossible to report non-anonymously.
5. Legal basis for processing
The processing of personal data is carried out by the Company:
a) to fulfil the specific legal obligations established by Legislative Decree 24/2023, pursuant to art. 6, 1 c) of the GDPR;
b) in relation to the Company’s legitimate interest in repressing any offences or irregularities that damage the integrity of the Company, pursuant to art. 6, 1 f) of the GDPR.
6. Personal data subject to processing
6.1 Categories of data subject to processing
In the event of a Report made non-anonymously, the Whistleblower’s personal data will be processed, including identification data (name, address or other personal identification elements) and contact data (e-mail address and telephone number).
No special categories of personal data will be processed, for example information on racial and/or ethnic origin, religious and/or ideological beliefs, trade union membership or sexual orientation.
6.2 Processing of data other than that included in the above categories
The Company may in any case request and process additional personal data to that which falls within the above categories, for the same purposes as stated in paragraph 3 above, if the provision of such additional data is:
a) imposed by laws, regulations or the decisions of authorities; and/or
b) necessary and instrumental for the management and execution of the investigation following the Report or for the exercise of the right of defence in court.
7. Data retention times
The data will be kept for a period not exceeding five years starting from the date of receipt of the Report or from the conclusion of any proceedings arising from the management of the Report.
Once these activities have been completed, personal data will be deleted or anonymised.
8. Data usage
8.1 The processing of the Whistleblower’s personal data is carried out with digital tools by internal or external individuals who have been specifically appointed for this and are bound by confidentiality.
8.2 Data is protected by security measures to prevent unauthorised access, loss or destruction, in line with applicable data protection legislation.
8.3 In particular, in the event of a Report made in written or oral form via the Digital Platform used by the Company, data relating to the IP address of the Whistleblower and its location are not processed.
8.4 The Digital Platform, managed by the supplier who acts as data controller, is equipped with adequate technical measures to guarantee data protection and confidentiality. The data provided will be stored in a database managed by the supplier of the Digital Platform, which is specially protected and equipped with adequate security safeguards. Data stored in this database is encrypted using the most advanced technology available.
8.5 The personal data present on the Digital Platform will be processed exclusively within countries belonging to the European Economic Area.
9. Data sharing
9.1 The personal data of the Whistleblower is made accessible only to those within the corporate organisation of the Company who have been given adequate operating instructions and who have a specific need for it due to their job or hierarchical position, as well as for the correct investigation and management of the Report.
9.2 In case of use of the Digital Platform, personal data will be processed, as Data Processing Manager pursuant to art. 28 of the GDPR, by the supplier of the same, EQS Group AG, with registered office in Munich (Germany), Karlstraße 47, on the basis of instructions given by the Data Controller.
9.3 Personal data may also be processed by public or supervisory individuals with whom the Company shares the data, in both cases for the sole purposes referred to in Paragraph 3 above.
For more information on the recipients and categories of recipients with whom personal data is shared, email privacy@sinelec.it.
10. Data controller
The data controller is Sinelec S.p.A., with registered office in S.P. 211 della Lomellina, loc. San Guglielmo 3/13, 15057 Tortona, company registration number, tax code and VAT number IT07937690019.
11. Data Protection Officer
The Company avails itself of a Data Protection Officer (also known as “DPO”). The DPO can be contacted via the following communication channel: dpo@sinelec.it
12. Exercising your rights
Upon occurrence of the conditions and within the limits of the applicable legislation, including art. 2-undecies of Legislative Decree 196/2003, the Whistleblower may exercise the following rights in relation to the processing of their personal data: (i) right to access personal data and information on the processing of personal data; (ii) right to rectification of personal data, should it be inaccurate or incomplete; (iii) right to deletion of personal data; (iv) right to object to the processing of personal data; (v) right to limit the processing of personal data; (vi) the right to obtain the transfer of personal data to other companies or organisations and/or to receive personal data in a structured and commonly used electronic format. The aforementioned rights can be exercised by contacting privacy@sinelec.it.
Should the Whistleblower notice irregularities in the processing of their personal data, they may lodge a complaint with the Guarantor for the protection of personal data, following the procedure indicated on the Guarantor’s website (www.garanteprivacy.it).
Sinelec S.p.A.