Send a report with the utmost confidentiality.

Privacy

PERSONAL DATA PROTECTION POLICY

under EU Regulation 2016/679 (GDPR) and Legislative Decree No. 24/2023 (WHISTLEBLOWING LAW)

 

Please read this policy on the processing of your personal data provided under Article 13 of the EU Regulation 2016/679 (GDPR) by the Data Controller indicated below. It refers specifically to personal data processed following your use of the reporting portal ("Portal"), which serves as an internal channel for submitting reports concerning acts, conduct and/or omissions that constitute breaches of Italian law and European legislation as referred to in Legislative Decree 24/2023 ("Reports").

 

For any further information on reportable breaches under Legislative Decree 24/2023, on the use of the internal reporting channel provided and on external reporting channels, please refer to our “Whistleblowing Policy” and “Whistleblower Guide” available on the Portal.

 

1        DATA CONTROLLER (“Controller”)

The Data Controller is: M.M.B S.R.L.

With current registered office in Via Pana 180 - 48018 Faenza (RA)

Tax Code and VAT No:  02619140391 - Telephone number: 0546/637711

EMAIL: legale@mmbsoftware.it; Certified Email (PEC): legale@pec.mmbsoftware.it

DATA PROTECTION OFFICER: rpd@mmbsoftware.it

 

2        PERSONAL DATA PROCESSED

In compliance with the provisions of Legislative Decree No 24/2023, the Data Controller has implemented its own internal channel for submitting Reports. This channel takes the form of a Portal accessible from the appropriate area of the company website that the reporting person can use – with full guarantee of confidentiality – to communicate any appropriate information on alleged unlawful conduct that has come to his or her knowledge as a result of his or her legally-valid relationship with the company, so that it can be brought to the attention of the Whistleblowing Manager (Manager) appointed by the Data Controller.

The personal data to be processed are those provided under the heading “Data referring to the reporting person” below and any data given with reference to the various categories of data subjects potentially involved.

When compiling the report, please do not provide any special categories of personal data as referred to in Article 9 GDPR or personal data relating to criminal convictions and offences as referred to in Article 10 GDPR, unless you consider it strictly necessary for the purposes of sending and handling the report. If personal data are provided that are superfluous for report handling purposes, they will be deleted or otherwise not processed, in compliance with the principle of data minimisation.

 

Data relating to the reporting person: the reporting person will be required to state his or her personal data, such as: name, surname, job title or job title at the time of the reported facts and current job title, personal email address, as well as any other information or data, including personal data, that may be set out in the sections of the reporting form requiring a factual description of the breach. When submitting Reports via the Portal, you can also attach documents, which may contain personal data referring to the reporting person or third parties. The reporting person may also choose to submit a report by means of a voice recording (again via the Portal). In this case, all data provided with the recording will be processed, together with the reporting person’s voice, which will be automatically distorted by the Portal to protect confidentiality. The reporting person can decide to send anonymous Reports by choosing not to give any data that could identify them or make them identifiable at the time of the report. Such data can be provided later as supplements to the report.

If the reporting person provides a contact email together with his or her personal data, this will be used for receiving communications relating to the Report (e.g. read receipts and progress reports). To ensure full confidentiality, you are therefore advised not to provide company email addresses and/or email addresses shared with other parties: only provide email addresses that are exclusively for your own personal use.

The reporting person’s identity is in any case always kept confidential: the reporting person’s identity would only be disclosed to persons other than those competent to receive and follow up reports with the express consent of the reporting person, as required by the relevant legislation.

 

Data referring to third parties: the reporting person may communicate personal data referring to third parties in the context of the Report, if they believe it to be indispensable (e.g. persons with knowledge of the facts, perpetrators of the alleged unlawful conduct, persons in the same work environment and work colleagues). Personal data of third parties such as name, surname, contact data, institution or company, job title or role held can therefore be collected at the reporting person's discretion.

 

Data referring to the whistleblowing manager (Manager): the Manager is assigned special credentials to access the Portal in order to perform the related report receiving and handling activities. Data such as name, surname and email address of the manager's office staff (or of a third-party manager's office staff) will be processed.

 

Browsing data and technical cookies: all operations performed on Reports, by all user categories, are recorded in the system logs in an anonymous and encrypted manner. The Portal only uses technical session cookies and does not use any type of profiling and/or third-party cookies. The internal channel is configured to exclude identification data processing and/or collection. For more data on cookies, please consult our cookie policy.

 

3        PURPOSE OF PROCESSING AND LEGAL BASIS

Within the limits laid down by current legislation, the data will be processed for the following purposes:

  1. to allow the performance of operations strictly connected with and instrumental to the proper receipt and handling of Reports submitted through the Portal. Data and information provided by the reporting person will be processed for the purpose of carrying out the necessary investigative activities aimed at verifying whether the reported fact is well-founded and, if so, for adopting the consequent measures.
  2. to enable the fulfilment of obligations that may be required by further mandatory regulatory sources or provisions issued by the authorities. The provision of personal data and its processing for this purpose are necessary in order to fulfil legal obligations, which may include the storage and disclosure of data to the competent authorities.

The legal basis for the processing is the fulfilment of regulatory obligations, with particular reference to Legislative Decree No. 24/2023 and EU Reg 2016/679.

 

4        PERSONAL DATA RECIPIENTS AND TRANSFERS

Personal data, where provided, will be made known to the Manager.

The identity of the reporting person and any other information from which this can be inferred, directly or indirectly, will not be disclosed to persons other than those competent, except with the reporting person's express consent and, in the cases provided for by law, after sharing the reasons that make this necessary.

Personal data provided through the Portal are shared with the Portal provider, the company DigitalPa S.r.l. with registered office in Cagliari, via T. d'Aquino 18A, appointed as Data Processor.

Under current legislation, personal data will be disclosed, where required or necessary, to the competent Authorities, which will act as autonomous and separate Data Controllers.

The data will not be disseminated or transmitted to countries outside the European Union or the European Economic Area.

 

5        STORAGE OF PERSONAL DATA

Personal data processed for the purpose of Report handling will be stored for a maximum of five years after the closure of a report or, on a case-by-case basis, once its purpose has been fulfilled.

Personal data processed for the purpose of fulfilling legal obligations will be stored for the period provided for by the applicable binding provision.

 

6       NATURE OF THE DATA SUBMISSION

Submission of data marked with the symbol (*) in the forms on the Portal is obligatory in order to carry out the procedure. The report cannot be successfully processed if these sections are not completed.

Failure to submit data that is not marked as obligatory will not stop the procedure going ahead, but may mean that we cannot provide the reporting person with feedback on his or her report.

Failure to consent to the transmission of the reporting person's data to persons other than those competent to receive and follow up the report will mean that this information cannot be transmitted.

 

7        RIGHTS OF THE DATA SUBJECT

The data subject may, within the limits of the GDPR, request access to the data and processing and, in the cases provided for, rectification and erasure of the data. He or she may request portability to another Data Controller as well as restriction of processing or he or she may object to processing. In cases where, at the express request of the Data Controller, the data subject consents to his or her identity being disclosed to persons other than the Manager, they may revoke such consent at any time, provided that the Data Controller has not already disclosed his or her identity on the basis of the consent previously and lawfully given.

The Data Controller may not grant requests to exercise the above rights if this could cause effective and specific damage to the confidentiality protecting the identity of the reporting person. This damage will be assessed on a case-by-case basis and only where it is a necessary and proportionate measure. In such cases, under current privacy law, the data subject is also entitled to exercise his or her rights through the Personal Data Protection Authority in the manner set out in Article 160 of the Privacy Code.

The data subject has the right to lodge a complaint with the Personal Data Protection Authority, following the instructions available at the following link https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524.