Whistleblowing Disclosure
Who is the Data Controller and how can he or she be contacted?
Società Italiana Lastre Spa (hereinafter also the “Data Controller”) is the data controller of your personal data (hereinafter “Data”) and, pursuant to and in accordance with EU Regulation no. 679/2016 (hereinafter “GDPR”), protects its confidentiality and ensures its protection against any possible breach.
The processing of Data is based on the principles of fairness, lawfulness, transparency and protection of the confidentiality and rights of the data subject in accordance with the provisions contained in the GDPR.
You can contact by email: [email protected] – phone: 0309920900
Why do we process your Data and on what legal bases?
The Data collected will be processed for the proper handling of the report and, therefore, for the verification of any wrongdoing reported in the interest of the integrity of the Holder in accordance with the provisions of D.Lgs.231/01 and D.Lgs. 24/2023.
The legal bases that, in relation to the identified purpose, justify the Processing of your Data are:
- need to fulfill legal obligations to which the Controller is subject (Art. 6(1)(c) of the GDPR);
- pursuit of the legitimate interest of the Data Controller, e.g., to protect its rights in court, provided that the interests or fundamental rights and freedoms of the data subject do not prevail (Art. 6(1)(f) GDPR).
By what methods is the treatment carried out?
The Data will be processed using computer and telematic tools, in compliance with the security measures adopted by Società Italiana Lastre Spa, in accordance with the provisions contained in Art. 32 of the GDPR. The Data Controller does not process Data through automated decision-making processes or perform profiling of data subjects. Your Data will be processed by personnel expressly authorized by the Data Controller and in particular, by the following categories of employees:
- Compliance function for the prevention of corruption;
- Third-party (technical or legal) consultants to analyze the report.
To whom is your Data disclosed?
Your Data may be processed by parties in charge of handling the reports and duly appointed as Data Processors under Article 28 of the GDPR, such as: manager of the Whistleblowing information platform, external consultants.
What happens if you do not provide your Data?
Providing the requested Data is necessary to enable Compliance Function for Prevention of Corruption to properly handle the report. Failure to provide the Data will make it impossible to process the report received. This is without prejudice to the possibility of making anonymous reports using the special platform for whistleblowing reports on the dedicated website https://safespeak.io/it/report-form/1d8df27b-2b09-467b-b7ec-8472e0b9c1ae
How long do we keep your Data?
In compliance with the principles of lawfulness, purpose limitation, and data minimization enucleated in Article 5 of the GDPR, the Data Controller will process your Data for the period of up to 5 years from the date of the communication of the final outcome of the reporting procedure, subject to confidentiality obligations.
What are your rights?
At any time, free of charge and without special burdens and formalities, you may exercise a number of rights recognized by Articles 15 et seq. of the GDPR, consistent with the prerequisites set forth in the treatment.
Specifically, it is given the right to:
- request access to your Data;
- request and obtain the rectification of those that are inaccurate as well as the supplementation of those that are incomplete;
- obtain the deletion of the Data, unless the processing is necessary for the fulfillment of a legal obligation provided for by law or for the establishment, exercise or defense of a right in a court of law;
- obtain the restriction of Data processing;
- request Data portability;
- object to the processing;
- propose complaints to the competent supervisory authority.
The Holder undertakes to provide you with information regarding the action taken regarding a request to exercise rights without undue delay and, in any case, no later than one month after receipt of the request.