Send a report with the outmost confidentiality.

Privacy

Information provided pursuant to Articles 13-14 of the GDPR (General Data Protection Regulation) 2016/679

Premise

This Privacy Policy - to be intended as information pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter the "Regulation") - is provided by Namirial S.p.a., Namirial S.R.L, Namirial Deutschland GmbH, Namirial GmbH, Bit4id S.r.l., Uanataca Sa unipersonale (Italian branch)  (hereinafter, jointly, the "Joint Controllers" or "Group") in its capacity as Joint Controllers, for the purpose of informing you about the use of the personal data of whistleblowers, reported persons and any other third parties involved (hereinafter also the "Data Subjects"), in relation to the management of the reports governed by the document entitled "Whistleblowing Group Policy" of the Group, to the reading of which you are referred for further details.

Identity and contact details of the Joint Controllers and Data Protection Officer (DPO)

The Joint Controllers are:

  • Namirial S.p.a. with registered office in Via Caduti sul Lavoro n. 4, Cap 60019, Senigallia (AN), ITALIA.;
  • Namirial S.R. L, con sede legale in Str.Nerva Traian No.3, Floor 8 – Sector 3 – 031041 Bucharest

ROMANIA;

  • Namirial Deutschland GmbH, con sede legale in Kalkofenstraße 51, 71083 Herrenberg, GERMANY;
  • Namirial GmbH, con sede legale in Haider Straße 40a,4052 Ansfelden Seilerstätte 16, 1010 Vienna, AUSTRIA;
  • Bit4id S.r.l., con sede legale in Via Diocleziano n.107 – 80125 Napoli, ITALIA;
  • Uanataca Sa unipersonale, con sede legale in Via Diocleziano n.107 – 80125 Napoli, ITALIA;

The Joint Controllers have signed agreement ex art. 26 GDPR whose essential content of the agreement can be requested by the Data Subject upon his/her request to the address dpo@namirial.com

Contact details of the Data Protection Officer (DPO)

The Data Protection Officer designated by Namirial S.p.A., who will be the point of contact for Data Subject, can be contacted at the following e-mail address: dpo@namirial.com. It remains, in any case, without prejudice, to the right of the Data Subject to exercise its rights towards other Joint Controllers.

 

Categories of data

As a result of a report, the Group may become aware of the following personal data (referring to the person making the report if the report is not anonymous and, if applicable, to the person making the report and/or other third parties indicated in the report):

  • Name, surname, date of birth, copy of identity document (only in the event that he/she has decided to make an anonymous report) and e-mail address of the reporter together with any other information he/she may wish to provide such as telephone number, postal address, etc;
  • Name, surname of the reported person and/or of third parties, company and business area to which the person reported belongs, as well as any other information, which may also include data of a particular nature, relating to the reported person which the reporting person decides to share in order to better substantiate his/her report;
  • any information relating to the reported person concerning events connected with the commission of offences or criminal proceedings. This data will be processed in accordance with the legislation in force and, in particular, in compliance with Article 10 GDPR.

The report must not contain facts that are not relevant for the purposes of the report itself, nor special categories of personal data referred to in Article 9 GDPR, except in cases where this is unavoidable and necessary for the purposes of the aforementioned report.    

Purposes and lawful basis

The personal data of the Data Subjects will be processed by the Joint Controllers for the purposes related to the application of the above-mentioned "Whistleblowing Group Policy", i.e. for the purpose of managing the reports received, ascertaining the facts that are the subject of the reports and taking the relevant measures.

Pursuant to Article 6(1)(c) and (f) of the Regulation, all personal data collected as part of this processing operation are strictly functional and necessary to fulfil a legal obligation to which the Joint Controllers are subject, with regard to the obligation to open one or more channels for the transmission of circumstantiated reports of unlawful conduct pursuant to Article 6(2-bis) of the Italian Legislative Decree no. 231/2001, and for the pursuit of the related legitimate interest of the Joint Controllers concerning the maintenance of the integrity of the corporate organisation, as well as the prevention and suppression of wrongdoing, also in implementation of the Company's Code of Ethics and 231 Organisational Model of each company in the Group. It is specified that Legislative Decree 231/2001 applies only to the Group’s Italian companies).

Should the report contain data of a special nature, the data shall be processed by the Joint Controllers pursuant to Art. 9(2)(b) of the Regulation, in order to enable the Joint Controller to fulfil its obligations and exercise specific rights in the field of labour law and, where applicable, also pursuant to Art. 9(2)(f), in order to enable the Joint Controller to ascertain, exercise or defend a right in court.

Method of processing

Data processing is carried out through the use of a portal that can be reached at the following web address: https://namirial.segnalazioni.net/. The processing will be carried out in accordance with the above-mentioned purposes and, in any case, in such a way as to guarantee the security and confidentiality of the data. In particular, the transmission of data provided by the reporter by filling in the platform is managed with https protocol. Moreover, 'asymmetric' encryption techniques are applied using a public key pair and a private key assigned to each user, thus guaranteeing the confidentiality of the information transmitted.

Retention of personal data

Reports and the personal data relating to them shall be retained for a period not exceeding 5 (five) years from the conclusion of each report, except where judicial and/or disciplinary proceedings are instituted against the reported person or the person making the report; in such cases, personal data may be retained until the final conclusion of the judicial and/or disciplinary proceedings, even if this is after the five-year period has expired.

Transfer of data to third countries

The Joint Controllers within the scope of the purposes described above do not make any transfers to third countries outside the EU (EXTRA-UE countries) of their data. In case of a future involvement of third parties established in countries outside the EU countries, the appropriate safeguards corresponding to the adequacy decisions issued by the European Commission and/or the National Data Protection Authority from time to time appropriate to the case will be adopted for the relevant data transfer. Further information regarding the cases of possible data transfers to countries outside the EU (EXTRA-UE countries), the relevant safeguards adopted, as well as information regarding the companies appointed as personal data processors, will be made available to Data Subjects.

.

 

Scope of data communication

 

As indicated in the procedure, the reports and the data referring to them will be received by the competent committee of the Group at the Namirial S.p.A (hereinafter also the "Parent Company”).

 

Within the scope of the above-mentioned purposes, your data may also be communicated by the Joint Controllers:

  • to third parties who perform part of the processing activities and/or activities connected and instrumental to the same on behalf of the Joint Controllers. These subjects will also be appointed as data processors pursuant to Article 28 of the GDPR. These include the company DigitalPA, which supplies and manages the technological platform used for sending the reports;
  • to individuals, employees and/or collaborators of the Joint Controllers, who have been entrusted with specific and/or multiple processing activities on your personal data. Such individuals have been given specific instructions on the security and proper use of personal data and are defined as the persons authorised to process personal data under the direct authority of the Joint Controllers or Data Processor;
  • to the Judicial Authority or other external Authorities, for the relevant investigations, according to the modalities required by the regulations in force. 

 

On the other hand, your personal data will not be disclosed to unspecified recipients or published.

 

 

Data Subjects’ rights

 

The Joint Controllers grants you the possibility of exercising the rights recognised in Articles 15 et seq. of the Regulation (i.e. right of access to personal data, rectification or cancellation thereof, restriction of processing, portability of personal data, objection for reasons related to your particular situation).

In addition, in the terms and within the limits provided for by the legislation in force, you have the right to lodge a complaint with the Italian Data Protection Authority pursuant to Article 77 of the Regulation. Your rights may be exercised by e-mailing dpo@namirial.com. Through the same address, you may request the updated list of Data Processors appointed by the Joint Controllers from time to time.

Pursuant to the provisions of Article 2-undecies of the Italian Legislative Decree 196/2003 (Italian Data Protection Code), it should be noted that the aforementioned rights cannot be exercised by making a request to the Joint Controllers, or by lodging a complaint pursuant to Article 77 of the Regulation, when the exercise of such rights may result in actual and concrete prejudice to the confidentiality of the identity of the employee who has made a report, pursuant to the Italian Law No. 179 of 30 November 2017, of an unlawful act of which he/she has become aware by reason of his/her office.

The exercise of the same rights may, in any event, be delayed, limited or excluded for as long as this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the person concerned, in order to safeguard the confidentiality interests of the reporter. In such cases, the data subject's rights may also be exercised through the Italian Data Protection Authority in the terms set out in Article 160 of the Italian Data Protection Code. It is specified that the Decree 196/2003 (Privacy Code) and Law No. 179 of November 30, 2017, apply only to the Group's Italian companies.