Whistleblowing

INFORMATION ON THE PROCESSING OF PERSONAL DATA pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 RELATED TO “WHISTLEBLOWING” REPORTS

This notice explains how EMMEPI GROUP S.R.L. processes data collected from whistleblowing reports, in compliance with Regulation (EU) 2016/679 and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.

Data Controller: EMMEPI GROUP S.R.L., Via della Ghisa, 1, Ponte Felcino, PEC: pec@pec.emmepigroup.com.

Purpose of Processing: Personal data provided for whistleblowing is processed to manage reports of alleged misconduct, involving the whistleblower, potential responsible parties, and other involved individuals. This includes verification and potential corrective actions, disciplinary measures, or legal proceedings.

Types of Data Processed:

• Common Data: Name, surname, work role, etc.

• Special Categories of Data: Health, sexual orientation, union membership, etc., as per Article 9 GDPR.

• Criminal Convictions and Offenses: As per Article 10 GDPR.

Legal Bases for Processing:

• Common Data: Based on legal obligations (Article 6(1)(c) GDPR).

• Special Categories of Data: For fulfilling obligations in labor law (Article 9(2)(b) GDPR).

• Criminal Convictions and Offenses: Based on legal obligations (Article 6(1)(c) GDPR).

The whistleblower's identity will not be revealed unless necessary for the accused’s defense, in which case the whistleblower will be asked for explicit consent.

Authorized Data Processors: Only the internal communication channel manager can associate reports with whistleblower identities. If other internal parties need access to reports, the whistleblower’s identity will not be revealed, unless legally required. All personnel handling personal data are trained and bound by confidentiality obligations.

Data Recipients: Personal data may be shared with the judiciary, courts, or external service providers (e.g., lawyers, IT specialists) involved in handling the report. All external service providers are appointed as data processors under Article 28 of Regulation (EU) 2016/679.

In criminal proceedings, the whistleblower’s identity will remain confidential under Article 329 of the Code of Criminal Procedure.

Data Retention:

• Reports deemed irrelevant and archived according to company procedures will be deleted 120 days after the verification process is completed.

• Other reports and related documents are kept for 5 years from the date of closure.

• After these periods, reports may be anonymized for statistical purposes.

Rights of Data Subjects: Under Articles 15 and following of the GDPR, data subjects have the right to access, rectify, delete, or limit the processing of their data. Requests should be sent to info@emmepigroup.com. If the processing violates the GDPR, you can file a complaint with the Data Protection Authority.

Whistleblower Protection:

• The identity of the whistleblower will be protected unless consent for disclosure is given, or disclosure is required by law.

• Violations of confidentiality will result in disciplinary action.

Processing Methods: Personal data is processed using automated tools and secure measures (e.g., file encryption) to ensure integrity, confidentiality, and protection from unauthorized access.

For the Accused and Other Involved Parties:

• Data collected on the accused is obtained from the whistleblower and pertains to the accused’s actions related to alleged misconduct under Legislative Decree 24/2023.

• The right to access this data is limited to avoid compromising the whistleblower's anonymity.

Conclusion: The personal data collected will be processed and retained according to legal and regulatory requirements, with the utmost respect for confidentiality and whistleblower protection.

 Ponte Felcino  07/08/2024                                                                                                                  EMMEPI GROUP S.R.L.