Dear user,

current legislation requires us to provide information regarding the processing of personal data of users/reporters who consult and use it. The validity of the information contained on this page is limited to the Service only and does not extend to other external websites that may be consulted via hyperlink.

Following the entry into force of D.Lgs 10 March 2023, n. 24 - Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law and laying down provisions concerning the protection of persons reporting breaches of regulatory provisions national (so-called Whistleblowing), Tecnomatic S.p.A., with registered office in Pescara, Via delle Caserme 85, has drawn up this information regarding the processing of personal data which is implemented through the appropriate channel for reporting violations of unlawful acts.

Tecnomatic S.p.A. protects the confidentiality of the whistleblower's personal data and guarantees them the necessary protection from any event that could put them at risk of retaliation. To this end, suitable technical-organizational measures have been adopted regarding the collection, use of personal data and the exercise of the rights that are recognized to the reporter by the applicable legislation.

Pursuant to Regulation (EU) 2016/679 regarding the protection of personal data (hereinafter "Regulation" or "GDPR") and related legislation, Tecnomatic S.p.A., in the person of its legal representative pro tempore, is the Data Controller of your Data (the “Data Controller”).

The data controller determines the purposes of the data processing by undertaking to carry out processing in accordance with this document and the whistleblowing regulation and in a lawful, correct and transparent manner towards the interested parties.

The Data Controller guarantees towards interested parties that:

a) The Processing carried out complies with the declared purposes;

b) The declared purposes are limited to what is necessary for the exercise of the Data Controller's activity;

c) Only the data necessary for the declared purposes are used;

d) Data retention is limited in time to a period consistent with the declared purposes;

 e) Systems are implemented to guarantee data conservation,

 f) For each Processing, the legitimacy criterion of the Processing is verified;

g) At least annually, a verification of the level of compliance with the legislation and a review of this document are promoted and improvement plans in the management of Treatments are defined;

h) The information provided to interested parties complies with those indicated in the Guidelines for the management of Processing

In light of the uniform level of Data protection, the transmission of Data between the Data Controllers is permitted provided that: (i) the transmission is necessary for the purposes for which the data is Processed; (ii) the transmission was included among the treatments listed in the information released at the time the Data was collected; or that the transmission is necessary for the provision of a service from one company to another.

The Data Controller is supported, limited to the processing of Data relating to the information in the header, by the Data Controller, defined as the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller as required by the Whistleblowing Regulation adopted by the company. By evaluating the organizational structure of Tecnomatic SPA, composed not only of the central headquarters but also of a secondary office, the Data Controller carries out management and coordination activities of the common processes, and appoints the Data Processors, including external ones.

Any Data Processors (including external ones) appointed by the Data Controller must: a) ensure that the persons authorized to process personal data are aware of and bound by confidentiality obligations in relation to the Data they are processing; b) arrange for the cancellation or return of Personal Data once the purpose for which they were collected and processed has been fulfilled.

Pursuant to the GDPR, personal data means: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of his physical identity, physiological, genetic, psychological, economic, cultural or social” (“Data”).

Only those data that are functional to the purposes indicated will be processed, thus excluding the use of all information that is irrelevant for the purpose.

For this purpose or for completing the "Whistleblowing Violation Report Form", the Data Controller collects and processes exclusively the following categories of Data relating to you:

• personal and identification data (e.g., name, surname of the reporter and/or facilitator);

• their contact details, such as email address;

• information relating to the type of relationship with the company (customer, supplier, consultant, employee or other subjects indicated in the Whistleblowing Regulation) and the tasks performed;

• in general, any other information strictly necessary, according to the principle of data minimization, to substantiate the report and allow the competent parties to be able to receive and manage it pursuant to Legislative Decree 24/2023.

• In any case, the Owner undertakes to ensure that the information collected and used is appropriate with respect to the purposes set out below

3. PURPOSE OF THE PROCESSING AND RELATED LEGAL BASIS

The data provided by the reporting party are processed for the purpose of conducting the necessary preliminary and investigative activities, aimed at verifying the validity of the fact being reported and the adoption of the consequent measures. In this circumstance, the legal basis is constituted by the fulfillment of a legal obligation to which the Data Controller is subject [Art.6 par.1 lett. c) GDPR].

The "Whistleblowing Regulation" procedure dictates the flow of conduct to be implemented, in compliance with current legislation, to correctly manage the report. In this circumstance, the legal basis is constituted by the fulfillment of a legal obligation to which the Data Controller is subject [Art.6 par.1 lett. c) GDPR].

If it is necessary to provide feedback to a request from the judicial authority or similar authority, the legal basis is represented by the fulfillment of a legal obligation to which the Data Controller is subject [Art.6 par.1 lett. c) GDPR].

Finally, for the Data Controller's assessment, exercise or defense in court, the processing of the Data is lawful for the pursuit of the Data Controller's legitimate interest, deemed to be prevalent [Art.6 par.1 lett. f) GDPR].

The data is collected by the Manager or by the Owner himself. Personal data that is clearly not useful for processing a specific report are not collected or, if collected accidentally, are deleted immediately.

Reports from which it is not possible to derive the identity of the reporter are considered anonymous; where detailed, they are treated as ordinary reports. In such circumstances, they are recorded and stored with the relevant documentation for no more than five years from the date of receipt of such reports.

The Data Controller may communicate the Data to third parties located in the European Economic Area who provide services which it uses to carry out activities related to the management of the report.

The processing is carried out by these subjects as External Data Processors (art.28 GDPR). The updated list of data controllers is maintained by the Data Controller and is available upon request.

Furthermore, the Data Controller may communicate the Data to third parties to whom the communication is due pursuant to legal obligations such as Public Administrations, ANAC, Judicial Authorities, etc.: these subjects identify themselves as independent data controllers (art.4 and 24 GDPR). The Data is possibly communicated only to the extent strictly necessary in relation to the aforementioned purposes, or in any case only for the purposes necessary for the Service, i.e. those required by law or by order of the Authority.

The categories of Recipients are as follows:

a) subjects necessary for the execution of the activities connected and consequent to the execution of the Service, linked by a data processing agreement (external managers);

b) Appointees and people authorized by the Data Controller who are committed to confidentiality or have an adequate legal obligation of confidentiality (e.g. employees and collaborators of the Data Controller);

 The Data Controller may also have to communicate Data to fulfill legal obligations or to comply with orders from public authorities, including judicial authorities.

The Data Controller does not transfer Data to third countries in the European Economic Area.

Recognizing the importance that the planning and implementation of IT security measures assumes, Tecnomatic SPA, in the figure of its Data Controller, has adopted the following IT security policies and measures:

- Electronic data storage

- Correct management of access to IT documents by staff

- Correct management of back ups of data managed at an IT level

- Adequate Firewall and Antivirus systems in order to avoid malicious codes.

The Data will be kept for the time necessary for processing and in any case for no longer than five years from the date of communication of the final outcome of the reporting procedure, in compliance with confidentiality obligations. After this period, the Data will be deleted, without prejudice to further conservation obligations required by law.

During the period in which the Data Controller is in possession or processes the Reporter's Data and, if present, the facilitator, the latter may at any time exercise some of the rights referred to in the articles. from 15 and following of the GDPR:

a) Right of access – you have the right to receive any information relating to the processing of the Data;

b) Right to rectification – you have the right to obtain rectification of the Data held by the Data Controller, if the same are incomplete or inaccurate;

c) Right to cancellation - you have the right to obtain the immediate cancellation of the Data present in the report, which are manifestly not functional for the purposes indicated;

d) Right to limitation of processing – upon the occurrence of certain conditions, you have the right to obtain the limitation of processing concerning the Data.

The above rights may be exercised against the Owner by writing to the addresses in the "Contacts" paragraph.

In the event that the interested party believes that the processing concerning him or her violates the Privacy regulations, he or she has the right to object by filing a complaint.

As regards the exercise of rights, the person involved or the person mentioned in the report, with reference to their personal data processed in the context of the report, public disclosure or complaint, cannot exercise - for the time and within the limits in which this constitutes a necessary and proportionate measure - the rights that Regulation (EU) 2016/679 normally recognizes to interested parties (the right of access to personal data, the right to rectify them, the right to obtain their cancellation, the right to limit processing, the right to object to processing). The exercise of these rights could in fact result in an effective and concrete prejudice to the protection of the confidentiality of the identity of the reporting person

This information refers to the methods of processing of visitors' personal data while browsing and using the Web Service. The possible entry into force of new sector regulations, as well as the constant examination and updating of the Service, could lead to the need to vary these methods over time. We therefore invite you to periodically consult this page. For this purpose, this document indicates the update date.

To lodge a complaint regarding the ways in which the Data is processed by the Data Controller, you have the right to submit a request directly to the Guarantor Authority for the Protection of Personal Data.

The Data Controller and Data Processor can be contacted by writing to the email address info@tecnomatic.it.