Home /

Privacy policy Whistleblowing

PRIVACY POLICY UNDER ARTICLE 13 EU REGULATION 679/2016 ("PRIVACY REGULATION")

Pursuant to Article 13 of the Privacy Regulations, we therefore wish to inform you that the processing of your personal data will be based on the principles of correctness, lawfulness and transparency, and protecting your confidentiality and your rights and in compliance with current legislation on security and protection of personal data.

In particular, we inform you of the following:

a. Types of personal data, purposes and legal basis
As part of the handling of reports, both personal data of the reporter, where the report is in the name of the person reported, such as first name, last name, position held, etc., and personal data of any third parties, as well as any additional information collected in the context of the investigation that is necessary and appropriate to ascertain and verify the merits or otherwise of the report, will be processed.
The data processed in the management of the report are:

  • Contact, identifying or contact information issued by the reporter;
  • information (identification data, professional data, financial data) about the reported person contained in the report or acquired during the investigation;
  • information (identification data, professional data, financial data) about third parties that may be included in the report and any documents attached or acquired during the investigation.
The data provided will be processed for the following purposes:
  • Receiving, handling and evaluating reports of wrongdoing or violations, in accordance with current regulations and company procedures.
  • Ensure the protection of integrity and fairness within the organization.
The processing of personal data is necessary for the fulfillment of a legal obligation to which the Data Controller is subject pursuant to Article 6(1)(c) of the GDPR and, where relevant, pursuant to Legislative Decree 24/2023 (implementing EU Directive 2019/1937 on the protection of persons who report breaches of Union law).
In order to guarantee the whistleblower's right of defense, the information contained in the report may be used, together with any other external evidence, in the disciplinary proceedings initiated against the whistleblower. The identity of the whistleblower may not be disclosed, where the allegation of the disciplinary charge is based on investigations separate and additional to the report, even if consequent to it. If the charge is based, in whole or in part, on the report and knowledge of the identity of the reporting person is indispensable for the defense of the accused, the report will be usable for the purposes of disciplinary proceedings only if the reporting person expressly consents to the disclosure of his or her identity.
Any personal identification data provided by the reporter (in the case of a non-anonymous report) shall be processed and stored so that they are visible only to the body in charge of handling the report. The company adopts all the guarantees provided by law in order to protect the confidentiality of the reporter's identity, so that it is not revealed to third parties without the reporter's express consent, except in the case of bad faith or defamatory reports.

b. Method of treatment
The data will be processed using manual or electronic methods, suitable to guarantee, in relation to the purposes for which they were communicated and collected, their security, as well as to prevent unauthorized access by third parties and, in any case, in compliance with what is indicated by national and European regulations.

c. Nature of conferment and consequences of refusal
The provision of personal information is optional, but failure to provide it may prevent the proper handling of the report.

d. Subjects of Data Processing and Communication
Personal data will be processed only by personnel authorized by the Data Controller and by third parties assigned for purposes strictly related to the handling of reports, including:
  • SB - as the manager and recipient of the report, duly authorized for this purpose;
  • Manager of the Whistleblowing platform, duly appointed as data controller under Article 28 GDPR;
  • Outside legal advisors or investigative agencies, if needed.
  • Judicial or administrative authorities in cases provided for by law.
The complete and updated list of third parties to whom your data have been communicated or transferred, System Administrators and Processors, can be requested from us by writing to the e-mail address given in paragraph h.

e. Data dissemination
The Data Controller will not carry out dissemination activities of your personal data.

f. Transfer of data abroad
Your personal data will not be transferred to non-EEA countries.

g. Rights of the data subject
Finally, we would like to inform you of the possibility of exercising at any time the rights recognized by law, which we outline below:
  • Access the data provided;
  • obtain the rectification of the data provided, their cancellation, transformation into anonymous form, the blocking of data processed in violation of the law, or the restriction of the processing of data concerning you;

WHISTLEBLOWING DISCLOSURE
  • Object to the processing of data;
  • Obtain portability of your data;
  • obtain confirmation of the existence or non-existence of the same data, know their content and origin, verify their accuracy or request their integration or updating, know the purposes and methods of processing, the logic applied in case of processing carried out with electronic instruments, the identification details of the Owner, the Managers and the DPO, if designated;
  • Propose a complaint to the competent supervisory authority (Privacy Guarantor); and
  • To obtain, without undue delay, notice of a breach of your personal data.

Requests should be addressed to:
  • via e-mail: panzeri@panzeri.it
  • by fax: +39 (039) 2497396
  • or by mail, to the address: Via Padania 8, 20853 Biassono (MB)

h. Period of data retention
Personal data relating to reports and related documentation are retained and maintained for the period necessary to complete the verification of the facts set forth in the report and for a subsequent 5 years after the closure of the report, except for any proceedings arising from the handling of the report (disciplinary, criminal, accounting) against the reported person or the reporter (bad faith, false or defamatory statements). In this case, they will be kept for the duration of the proceedings and until the expiration of the time limit for appealing the relevant measure. Personal data that are manifestly not useful for the processing of a specific report shall not be collected or, if accidentally collected, shall be deleted immediately.

i. Data controller
The Data Controller is Panzeri Carlo S.r.l., in the person of its legal representative pro tempore, with administrative headquarters in Biassono (MB), Via Padania 8, Tel. +39 039 2497483, VAT IT00887290963, e-mail panzeri@panzeri.it.