
Privacy policy Whistleblowing

With EU Regulation 679/2016 (known as GDPR), containing provisions on the protection of personal data and their free circulation, Rummo S.p.A. (henceforth also Rummo for short) is required to provide some information regarding the use of personal data for the purposes indicated below, communicated as part of the reporting procedure and acquired through IT tools and/or through the additional methods indicated in the specific documentation. All personal data will be processed in accordance with current legislation on personal data protection, meaning Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data (“GDPR”), Italian Legislative Decree no. 196/2003 as amended by Italian Legislative Decree no. 101/2018 (“Privacy Code”) and any other legislation on the protection of personal data applicable in Italy, including the provisions of the Guarantor (hereinafter, together with the GDPR, “Privacy Policy”), to guarantee full respect of fundamental rights and freedoms, with particular emphasis on the confidentiality of the identity of the parties involved and the security of the processing methods.

Data Controller

The Data Controller is Rummo SPA, in the person of its legal representative, with registered offices in Via Dei Grandi Maestri Pastai no. 1, 82100 Benevento (Italy) VAT number 01418030621.

The Data Controller can be contacted by sending an email to gdpr@pastarummo.it, or by writing to Rummo SpA, Via Dei Grandi Maestri Pastai no. 1, 82100 Benevento (Italy).

Type of data processed

The personal data acquired and to which this disclosure refers are mainly communicated by the interested party through the use of the “Software as a Service” (SaaS) solution, GlobalLeaks (digital whistleblowing system), which can be used in accordance with the provisions of the regulations governing its implementation.

The reporting process is designed to protect the anonymity of the whistleblower. By following the instructions indicated on the dedicated page, it is possible to hide one’s IP address. The operator appointed to manage and forward reports is not authorised to communicate any personal data, unless they are disclosed by the whistleblower, in order to facilitate investigative and judicial activities.

The data that are the object of the processing fall among the following categories: 

Anonymous report

  • Personal details of the reported person (e.g. name, surname, place and date of birth);
  • Data of a professional nature related to the person reported (e.g. business department they operate in, company position, type of relationship with the company or other third parties, profession);
  • Any relationship between the person reported and the whistleblower;
  • Personal data of any witnesses;
  • Working position of witnesses;
  • Any relationship between the witness and the whistleblower.

In certain conditions, in order to proceed with the investigation of the report, additional information may be requested, including an indication of the personal data of the whistleblower if not previously indicated; in any case, it should be noted that the anonymous reporting procedure can only be activated if the reports themselves are specific enough and provided with sufficient detail, in other words when they bring to light facts and situations and these are linked to specific contexts.

Reporting with identification of the whistleblower

In addition to the data indicated above regarding the person reported and any witnesses, we also have access to:

  • Personal details of the whistleblower (e.g. name, surname, place and date of birth);
  • Contact details of the whistleblower (e.g. e-mail address, telephone number, postal address);
  • Data related to the whistleblower’s job (e.g. business department they operate in, company position, type of relationship with the company or other third parties, profession);
  • Images or audio messages related to the report filed from which it is possible to deduce the identity of the recorded parties;
  • Any other information relating to the person reported that the whistleblower decides to share with the Data Controller in order to better substantiate his/her report, regarding:
    • Illicit conduct deemed relevant by Italian Legislative Decree no. 231/2001 or violations of the body’s Organisation and Management Model;
    • Irregularities and/or unlawful conduct, either committed or omitted, which constitute or may constitute a violation of the principles enshrined in the adopted Code of Ethics, company policies and rules and/or that may result in fraud or damage, even of a potential nature, against colleagues, shareholders and stakeholders in general or that constitute acts of an unlawful nature or detrimental to the company’s reputation;
    • Improper or suspicious activities and payments, other than expenses or contributions, or direct/indirect requests made by public officials, private entities or other subjects, related to donations, as well as any suspected violation.

Additional personal data that may be processed

As a result of the changes introduced by Italian Legislative Decree 24/2023, protection, in addition to the aforementioned subjects who make reports, complaints or public disclosures, is also granted to those subjects who could be targets for retaliation, even indirectly, given their role in the reporting process, public disclosure or complaint and/or as a result of the particular relationship that binds them to the whistleblower, which may lead them to being identified:

  • Personal identification data concerning the Facilitator (natural person who assists the whistleblower in the reporting process, operating within the same working context and whose assistance must be kept confidential);
  • Personal data concerning persons in the same working context as the whistleblower, the informer or the person making a public disclosure and who are linked to them by a stable emotional bond or relatives up to a fourth degree of kinship;
  • Personal identification data that refers to the work colleagues of the whistleblower, the informer or person making a public disclosure, who work in the same working context as them and who regularly and currently engage with said person.

The communication of data of a special nature as detailed in Article 9 of the GDPR (such as, by way of example but not limited to, information on the state of health, racial and/or ethnic origin, religious and/or ideological beliefs, trade union membership or sexual orientation) is not foreseen or required, and the same goes for data related to criminal convictions and offences pursuant to Article 10 of the GDPR. However, for the purposes of managing the whistleblower’s report, the Data Controller may become aware of such data, if voluntarily communicated in the free text fields in the report form, which will only be used where strictly necessary for the management of the report, in full compliance with the principles of proportionality and necessity and, if deemed irrelevant for said purposes, shall not be subject to further processing.

Purpose of data processing

Personal data are collected and processed for the purposes strictly related to the management of reports of unlawful conduct, related to activities and/or conduct at odds with the procedures implemented by the company, such as the violation of rules of professional conduct and/or ethical principles enshrined in current legislation – both internal and external – and/or unlawful or fraudulent behaviour that may be pinned on employees, members of corporate bodies or third parties (customers, suppliers, consultants, collaborators), to combat unlawful conduct or irregularities, rule violations, actions likely to harm the company’s assets or image and in order to implement a reporting system in line with the provisions of the mandatory regulations aimed at ascertaining the truthfulness of the report and carrying out all activities required to manage the same, mitigate/eliminate its effects and to adopt any ensuing measures.

Legal basis

The legal bases for the processing of personal data for the purposes indicated above are:

  • The need to fulfil legal obligations to which the Data Controller is subject (see in particular art. 6, par. 2bis et seq. of Italian Legislative Decree no. 231 of 8 June 2001);
  • The need to ascertain, exercise or defend a right in court.

Data retention period

The data are kept only for the period necessary to achieve the purposes for which they are processed or within the terms prescribed by national and EU laws, rules and regulations with which the organisation is required to comply. In particular, the Data Controller has established the following retention periods:

  • Reports that have been deemed irrelevant and kept on file on the basis of the provisions of the company procedure adopted by the Data Controller will be cancelled after 60 days of the completion of the checks on the facts set out in the report;
  • All other reports received from the approved reporting channels, any documents attached to the report or received during the investigation are kept for the statutory period applicable to most of the data from the date of report closure. Furthermore, once the storage periods indicated above have elapsed, the reports may be stored only in anonymised form solely for statistical purposes.

Confidentiality and protection of the whistleblower

The Data Controller, in compliance with art. 6 of Italian Legislative Decree 231/2001 as amended by art. 2 of Italian Law no. 179/2017, protects the confidentiality of the identity of the whistleblower during the management of the report and prohibits direct or indirect retaliatory or discriminatory actions against the whistleblower for reasons directly connected to the report received. Therefore, with the exception of cases in which instances of slander and/or defamation may be established pursuant to the provisions of the Criminal Code or Art. 2043 of the Italian Civil Code and cases in which confidentiality may be overridden for legal reasons (e.g. criminal, tax or administrative investigations, inspections on behalf of supervisory bodies), the identity of the whistleblower will be protected from the time of receipt of the report and during each subsequent phase, in compliance with the current provisions governing Privacy Regulations. The identity of the whistleblower may therefore be disclosed only in cases in which a) the application of the disciplinary measure was based, in whole or in part, on the report, and the knowledge of the whistleblower’s identity is absolutely essential to enable the person reported to defend him/herself; b) there are mandatory provisions that require Rummo Spa to disclose the identity of the whistleblower. All those who receive and/or are involved in the management of reports are required to protect the confidentiality of this information. Violation of the confidentiality obligation may lead to disciplinary actions, without prejudicing any other forms of liability envisaged by law.

Data transfer outside the EU

No data will be transferred to non-EU areas.

Rights of the data subject (arts. 15-16-17 of Regulation EU 679/16)

The data subject has the right to access personal data; to obtain the rectification or cancellation of the same or the limitation of the processing that concerns him/her; to object to the processing; request data portability; revoke the consent without prejudice to the lawfulness of the processing, based on consent, provided prior to the revocation. If a violation in the processing of personal data comes to light, the data subject may lodge a complaint with the Data Controller, the Data Protection Authority or the competent Legal Authority. The rights of the data subject may be exercised through the registered office of the company at the contact details indicated for the Data Controller in this disclosure and by applying to the Data Protection Officer.

Restrictions on the rights of the reported person and other data subjects

The following information is provided for the purposes of transparency towards the person reported and any data subject that plays a prominent role in a report, primarily to make him/her aware of the limits on the exercise of certain rights foreseen by the GDPR:

Right to information – the right to be informed on the processing of personal data pursuant to Articles 12 and 14 of the GDPR is limited as a result of the obligations related to secrecy and confidentiality imposed by Italian Legislative Decree 231/2001, as amended by Italian Law no. 179/2017, in addition to the risk of making it impossible or seriously hindering the achievement of the purposes of the processing related to the reports received through the reporting system (see Article 14, paragraph 5, letters b) and d) of the GDPR).

Other rights of the data subject – the rights referred to in Articles 15 to 22 of the GDPR may not be exercised (with a request to the Data Controller or by filing a complaint pursuant to Article 77 of the GDPR) if this could effectively and tangibly endanger the confidentiality of the whistleblower’s identity (see Article 2-undecies of the Privacy Code and Article 23 of the GDPR) and/or compliance with the regulations on reporting unlawful conduct. In particular, the person reported is hereby informed that the exercise of these rights: may be executed in compliance with the legal or regulatory dispositions that govern the sector (including Italian Legislative Decree no. 231/2001, as amended by Italian Law no. 179/2017); may be delayed, limited or ruled out by means of a reasoned communication sent without delay to the data subject, unless the communication might compromise the purpose of the limitation, for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the whistleblower’s identity; if need be, in these cases, the rights of the data subject may also be exercised through the Guarantor for the Protection of Personal Data (“Guarantor”) according to the methods set forth in Article 160 of the Italian Privacy Code, in which case the Guarantor informs the data subject that it has carried out all the necessary checks or a review, notwithstanding the right of the data subject to lodge a judicial appeal.