Privacy Policy
POLICY STATEMENT FOR THE PROCESSING OF PERSONAL DATA PROVIDED FOR THE MANAGEMENT OF WHISTLEBLOWING REPORTS UNDER LEGISLATIVE DECREE NO. 24/2023
Pursuant to Articles 13 and 14 of the EU Regulation 679/2016 (GDPR) in relation to the protection of personal data.
Dear Data Subject,
Ambrosi S.p.A., with registered office in Via P. Togliatti, n. 56, 06073 Loc. Taverne, Corciano (PG), and Ambrosi Auto S.p.A., with registered office in Via Tripoli, 110, 00199 Roma, in their capacity as Joint Controllers (hereinafter also jointly referred to as "Joint Controllers" or "Companies"), in compliance with the current legislation on Whistleblowing, as prescribed by European Regulation 2016/679 (GDPR) and Legislative Decree 24/2023 (Whistleblowing Decree), provide you with the following information.
1. Data Controller.
The Joint Controllers of the processing of personal data, i.e. the subjects responsible for making decisions regarding the purposes, methods of processing and security of personal data, are Ambrosi S.p.A. and Ambrosi Auto S.p.A., in the person of their respective legal representatives p.t. Reciprocal relations are governed by a specific joint controller agreement.
If you have any questions or requests regarding the processing of your personal data, you can contact us by sending a request to the following addresses:
Ambrosi S.p.A, Via P. Togliatti, 56, 06037, Loc. Taverne, Corciano (PG)
E-mail: privacy@ambrosispa.it
PEC: ambrosispa@pec.it
2. Type of personal data processed.
Receipt and handling of whistleblowing reports may give rise to the processing of so-called "common" personal data (first name, surname, occupational role, etc.) and may give rise, depending on the content of the reports and the records and documents attached to them, to the processing of so-called "special" personal data (data relating to health conditions, sexual orientation or trade union membership and personal data relating to criminal convictions and offences).
It should be noted that the report should not contain facts that are not relevant to the report, nor special categories of personal data, as referred to in Art. 9 of the GDPR (hereinafter also "Special Data Categories," i.e., those from which racial and ethnic origin, philosophical and religious beliefs, party or trade union membership, as well as health status, sex life or sexual orientation, among others, may potentially be inferred), nor data relating to criminal convictions and offenses referred to in Art. 10 of the GDPR, except in cases where this is unavoidable and necessary for the purposes of the report itself.
In any case, the Companies will take care to process only the data strictly necessary for the management of the individual report, deleting any additional data that may be provided to them, in accordance with the principle of minimization.
The data that is subject to processing refers to the whistleblower and may also refer to persons named as possible perpetrators of violations, as well as those in various capacities involved or mentioned in the report.
3. Purpose and legal basis of the processing.
| Purpose (Why we process your data) | Legal Basis (On the basis of which provision of the law we process the data) | Consequences (What happens if you refuse to give personal data and/or authorize processing) |
| --- | --- | --- |
| To follow up on the reports received; to carry out the necessary investigative activities to verify the validity of the information reported | Art. 6(1)(c) GDPR (the processing is necessary for the fulfilment of the obligations imposed on the Company by Legislative Decree 24/2023, as amended). Art. 9(2)(b) GDPR (processing is necessary for the purposes of fulfilling the obligations and exercising the specific rights of the data controller or the data subject in the area of employment and social security law and social protection, insofar as it is authorized by EU or Member State law or by a collective agreement under the laws of the Member States, where appropriate safeguards are in place for the fundamental rights and interests of the data subject) - with regard to special data. Art. 10 GDPR and Art. 2-octies Legislative Decree 196/2003 for data relating to criminal convictions and offenses - in fulfilment of legal obligations under the Decree. | The provision of data is necessary to have the protections set out in Legislative Decree 24/2023. However, reports can also be submitted anonymously. In this regard, we invite you to consult the Whistleblowing Procedure adopted by the Company. |
| For the defence of rights in the course of judicial, administrative or extrajudicial proceedings and in the context of disputes arising in relation to the report made; to take legal action or make claims | Art. 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data) | In this case, a new and specific provision of personal data is not required, as the same data already processed for the management of the report referred to in the previous point will be processed. |
| To disclose your identity as a whistleblower to persons other than those in charge of handling the report, in the cases expressly provided for in Article 12 of Legislative Decree 24/2023, except as required by law (e.g., criminal proceedings instituted as a result of the report) | Art. 6, Par. 1, Lett. a) GDPR (the data subject has given consent to disclose his or her identity in the cases provided for in Art. 12 Legislative Decree 24/2023 in order to follow up the report; in this case, consent will be requested from you when the circumstances envisaged in the regulations occur) | In the absence of your consent, your identity will not be disclosed, except as required by law |
4. Method of data processing.
The data provided at the time of reporting and the data contained in the reports will be processed in accordance with the principles of fairness, lawfulness, transparency and the protection of confidentiality and rights, both yours and those of all interested parties, in compliance with the confidentiality obligations imposed by privacy regulations and the law on whistleblowing.
The data processing will make use of IT and electronic tools designed for the organisation and processing of data strictly related to the purposes referred to above, and, in any event, in such a way as to ensure the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures envisaged in the applicable provisions.
In particular, Joint Controllers, in accordance with the provisions of the Whistleblowing Decree, are equipped with an IT platform as an internal reporting channel.
The IT platform protects personal data through an encryption system, thus ensuring the confidentiality of the information transmitted.
Printed documentation is limited to the bare minimum and archived and stored in cabinets and rooms equipped with security locks.
In any case, the personal data of data subjects will not be disseminated.
6. Persons in charge of Processing data
The personal data you provide and any subsequent data acquired in the course of the service will be processed exclusively by personnel authorized for this purpose or by data processors designated for this purpose.
These individuals are all formally designated/authorized for the data processing, and are also required to maintain the confidentiality of any information learned as a result of their duties, without prejudice to the reporting and denunciation obligations set forth in Article 331 of the Criminal Code.
Further information on the designated Persons, Data Processors, and System Administrators can be obtained from Joint Controllers at the contact information above.
7. Communication of personal data to third parties.
Although personal data may not be disseminated, it may be transmitted to public administrations legitimated by law (e.g., Judicial Authority, Court of Auditors, ANAC-Italian National Anti-Corruption Authority, etc.), which are considered autonomous data controllers.
Companies use DigitalPA, as their technology partner, which is entrusted with the management of the digital platform, designated for this purpose as the Data Processor pursuant to Article 28 GDPR.
8. Transfers of personal data to third countries or international organizations - Automated processes
Your personal data is not transferred outside the European Union, nor is it processed in automated decision-making processes.
9. Data retention period.
Companies shall retain personal data in accordance with Article 14 of Legislative Decree No. 24/2023, i.e., for the time strictly necessary to investigate the report received and, in any case, for no longer than 5 years from the date of communication of the final outcome of the reporting procedure, unless legal proceedings deriving from the report itself should arise during the 5-year period. In the latter case, the data retention period will follow the course of said judicial proceedings.
Personal data that is manifestly unnecessary to the handling of a specific report is not collected or, if accidentally collected, is promptly deleted.
After the above retention periods have elapsed, the data will be destroyed, deleted, or anonymized, as consistent with the technical procedures for deletion and backup.
10. Rights of data subjects
We inform you that you have the right to exercise the following rights in relation to the personal data covered by this policy:
- Right of access and rectification (Articles 15 and 16 of the EU Regulation)
- Right to erasure of data (Art. 17 of the EU Regulation)
- Right to restriction of processing (Art. 18 of the EU Regulation)
- Right to data portability (Art. 20 of the EU Regulation)
- Right to object (Art. 21 of the EU Regulation)
- Right to lodge a complaint (Art. 77 of the EU Regulation)
- Right to revoke consent (Art. 13 of the EU Regulation)
At any time, you may exercise your rights with reference to the specific processing of personal data carried out by Joint Controllers, at the contact addresses indicated in point 1 of this policy.
The aforementioned rights may not be exercised by the person involved or by the person mentioned in the report, for the time and to the extent that this is a necessary and proportionate measure, pursuant to Article 2 undecies of the Privacy Code, inasmuch as the exercise of these rights could result in actual and concrete prejudice to the protection of the confidentiality of the identity of the whistleblower.
11. Organizational and technical security measures
The Joint Controllers adopt adequate organizational and technical security measures to safeguard the confidentiality, integrity, completeness and availability of the personal data they process. Technical, logistical and organizational measures have been developed with the aim of preventing damage, loss (even accidental), alteration, and improper or unauthorized use of the data processed.
ESSENTIAL CONTENT OF THE JOINT CONTROLLER AGREEMENT FOR THE PROCESSING OF PERSONAL DATA (ART. 26 OF EU REGULATION 2016/679)
between Ambrosi S.p.A. and Ambrosi Auto S.p.A.
Ambrosi S.p.A., with registered office in Via P. Togliatti, n. 56, 06073 Loc. Taverne, Corciano (PG), and Ambrosi Auto S.p.A., with registered office in Via Tripoli, 110, 00199 Roma (hereinafter also jointly referred to as "Joint Controllers" or "Parties"), have signed a joint controller agreement in relation to the processing of personal data carried out as part of the management of Whistleblowing Reports pursuant to Legislative Decree 24/2023, as set out in the policy statement above.
In particular, the Parties have implemented a joint Whistleblowing System through:
- activation of shared reporting channels (i.e. common IT platform);
- joint adoption of the Whistleblowing Procedure that regulates the System;
- identification of a single Whistleblowing Designated Department.
The joint controllership covers the processing of the personal data provided by the Whistleblower at the time of the Whistleblowing Report and of the data contained in the Report itself, and extends to the processing of all data that will be acquired for the purpose of managing the Report.
The Joint Controllers are jointly and severally obliged to prepare and keep up to date all the requirements regarding the protection of personal data.
The Joint Controllers undertake to ensure that anyone acting under their authority and having access to personal data processes such data only after receiving the relevant instructions from the respective Joint Controller.
The Joint Controllers have agreed that, for the processing operations covered by the joint controller agreement, Ambrosi S.p.A. is entrusted with the burden of notifying the competent Supervisory Authority of any personal data breach without undue delay and, if possible, within 72 hours of becoming aware of it, giving prior and timely information to the other Joint Controller.
The Joint Controllers have identified Ambrosi S.p.A. as the point of contact for the Data Subjects, without prejudice to the possibility of exercising these rights against each Joint Controller.
For further details on the processing carried out jointly by the Joint Controllers, as well as for the purposes of exercising the rights of the Data Subjects, please refer to the specific information above.