"WHISTLEBLOWING" INFORMATION

 

Information regarding the processing of personal data
pursuant to European Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data (GDPR)

PHOTOSÌ S.p.A., as the Controller, safeguards the confidentiality of personal data and guarantees the necessary protection against any possible event that could jeopardise it, with particular regard to the data collected and processed through the Reporting System, i.e. the internal system aimed at allowing the Reporting of acts/facts that could constitute a violation of regulations, implemented in compliance with Legislative Decree no. 24/2023, referred to as the "Law on Whistleblowing".
Please read this Information carefully, which contains important information on Data Processing (the "Information").

1. Preface
This Information:

  • is provided for the site https://photosi.whistlelink.com/
  • is provided for the Internal Whistleblowing Reporting Channel implemented via the IT platform with a web-based SaaS solution, based on the Whistlelink.com software, which complies with EU Directive 2019/1937 and the GDPR, as well as being ISO 27001 certified (henceforth the “Platform”);
  • constitutes an integral part of the Site, the Platform and the Whistleblowing procedures implemented by PhotoSì;
  • is provided in accordance with the Whistleblowing Procedure adopted by PhotoSì;
  • is provided pursuant to Article 13 of the Regulation, to those who interact with the Site and the Controller's Platform, either simply by viewing it or through the use of specific channels and services made available for reporting as required by law;
  • supplements (and does not replace) the information on the processing of data provided to personnel for managing their employment, if the report comes from a person bound by an employment or cooperation contract with the Company.


2. Controller’s identity and contact details
PhotoSì S.p.A.
Registered office at via Carpegna n. 22,
Riccione (47838 - RN)
Tax Code and VAT no. 03550860401
Tel 0541/609903 – privacy@photosi.com.


3. Purpose and legal basis for the processing of personal data
Personal data collected through the Platform will be processed in order to ensure:

  • 1) the correct and complete handling of Whistleblowing Reports in accordance with the applicable legislation under Legislative Decree 24/2023; 
  • 2) the necessary investigative activities aimed at verifying the validity of the reported content and the adoption of the resulting measures; 
  • 3) the protection of the Controller’s legal rights;  
  • 4) the response to a request from the judicial or equivalent authority.

The above processing activities respond to the legal basis of fulfilling a legal obligation to which the Controller is subject – condition of lawfulness Article 6(c) GDPR.
In particular, for the management of the Whistleblowing procedure, in accordance with the provisions of Legislative Decree no. 24/2023 concerning the “Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and on provisions concerning the protection of persons who report breaches of national laws” and by Legislative Decree 231/2001 concerning “Regulations on the administrative liability of legal persons, companies and associations, including those without legal personality, pursuant to Article 11 of Law No. 300 of 29 September 2000”.

The aforementioned processing activities may also respond to the legal basis of the Controller's legitimate interest in controlling and combating violations relevant to the company's business and any other violations of rules that may have an impact (i.e. sanctioning, capital, reputational, etc.) on the Company - condition of lawfulness Article 6(f) GDPR.

The Controller implements for this purpose appropriate technical and organisational measures concerning the collection and use of personal data and the exercising of rights that are recognised by the applicable legislation.  
Consequently, the Controller shall take care to update the regulations and procedures adopted for the protection of personal data whenever necessary and, in any case, in the event of regulatory and organisational changes that may affect the processing of personal data. 


4. Data collected
The Controller collects and/or receives the information provided directly by the data subject by entering it on the Internal Reporting Platform. 

The report handling process involves the transmission and receipt of reports either explicitly, by giving personal details, or anonymously, without revealing the whistleblower’s identity. 
All reports received will be treated in accordance with the law whilst offering the broadest protection of the persons concerned.  
In the case of a report that is not anonymous, the Controller ensures the confidentiality of the Whistleblower’s identity and prohibits any form of retaliation or discrimination against anyone making a report or anyone connected to it.
The identity of the whistleblower, if provided, will be protected as soon as the report is received and at every stage thereafter.
Anonymous reports will be taken into account if they are adequately substantiated with all the information needed to verify them, irrespective of whether the Whistleblower's identity is known.
It will nevertheless be possible for the whistleblower to reveal their identity at a later date.

The personal data processed falls into the following categories:

4.1 Personal data provided by the whistleblowing data subject:

  • Generic data:
    - Optional: first name, surname, relationship with PhotoSì.
    - Optional: position, job title/relationship, telephone contact, e-mail address.
  • Other types of data
    The data provided by the whistleblower in order to represent alleged illegal or unprincipled conduct of which he/she has become aware.


4.2 Personal data provided by the data subject concerning the reported person and any third parties involved:

  • Generic data:
    - Mandatory: first name, surname, relationship with PhotoSì.
    - Optional: position, job title/relationship, telephone contact, e-mail address.
  • Other types of data
    The data provided by the whistleblower in order to represent alleged illegal or unprincipled conduct of which he/she has become aware.

Within the limits strictly necessary to pursue the purposes described above, the Controller may also process personal data belonging to special categories referred to in Article 9 of the Regulation (e.g. information relating to health, trade union membership, data aimed at disclosing racial origin, political opinions, religious or philosophical beliefs of the data subject, etc.) or data relating to criminal convictions and offences under Article 10 of the Regulation.

You are requested to provide only the necessary data to describe the facts being reported, avoiding any unnecessary personal data.

4.3 Personal data automatically collected by the platform:
Anyone can access and use the System, regardless of their role and position in the company.
Cookies are not used to transmit information of a personal nature, nor are persistent cookies used to track users. 
Only technical cookies are used that are strictly necessary for the correct and efficient use of the platform. 
The use of session cookies (which are not stored persistently on the user's computer and disappear when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to enable the safe and efficient navigation of the platform.
IP addresses where the report originates are not collected or stored.

5. Recipients of personal data
To whom may the data be disclosed? 
Only persons who are expressly and directly authorised by the Controller shall have access to the data.
In particular, the processing of data may only be carried out by the members of the Whistleblowing Office, i.e. the dedicated, independent, internal office with specifically trained staff, which is entrusted by the Controller with the management of the Platform and of the reports received at each stage pursuant to the law.
Personal data collected shall only be disclosed to third parties whose activities are necessary to carry out the activities involved in the handling of the report or the activities required to follow it up, as well as to comply with certain legal obligations. 
In particular, transmission may take place in respect of:

  • a) Whistleblowing Solutions AB, the company appointed for connectivity services and technical management of the Whistleblowing Channel, in its capacity as the External Processor pursuant to Article 28 GDPR;
  • b) the internal audit functions of the control and supervisory bodies, within their respective areas of competence;
  • c) the heads of the department concerned by the report; 
  • d) the organisational positions in charge of investigating the report in cases where their knowledge is essential for understanding the facts reported and/or for conducting the relevant investigation and/or processing activities; 
  • e) the corporate functions involved in following up the reports; 
  • f) institutions and/or Public Authorities, Judicial Authorities, Police Bodies, Investigation Agencies; 
  • g) external consultants (e.g. law firms, private investigators) that may be involved in the investigation phase of the report.

The updated and detailed list of data recipients can be requested by sending an e-mail to privacy@photosi.com.

All persons who will receive and/or be involved in the handling of reports are required to respect confidentiality and privacy when handling the information, also in compliance with applicable legislation.

 
6. Consent 
The identity of the whistleblower and any other information from which this identity may be inferred, directly or indirectly, may not be disclosed, without the express consent of the whistleblower themselves, to persons other than those responsible for receiving or following up reports and expressly authorised to process such data.
In criminal proceedings, the identity of the whistleblower is covered by secrecy in the manner and to the extent provided for in Article 329 of the Italian Code of Criminal Procedure.
Within the framework of disciplinary proceedings, the identity of the whistleblower may not be disclosed where the allegation of the disciplinary charge is based on investigations that are separate from and additional to the report, even if consequent to the report. 
If the charge is founded, in whole or in part, on the report and knowledge of the identity of the whistleblower is indispensable for the accused's defence, the report will be admissible for the purposes of disciplinary proceedings only if the whistleblower expressly consents to the disclosure of their identity.
Therefore, in such a case, written notice will be given of the reasons for the disclosure of confidential data, with a request for consent.
Consent is optional and may be withdrawn freely at any time, without affecting the lawfulness of the processing based on the consent given before the withdrawal of consent. 


7. Disclosure of personal data 
Your personal data will never be disclosed, published, displayed or made available for consultation to persons other than those identified above or to unspecified persons.


8. Transfer of personal data abroad
The Controller does not transfer personal data abroad to third countries. 
Personal data are stored exclusively within the territory of the European Union, as certified by the External Processor in charge of managing the Platform under Article 28.


9. Methods and period of data retention
The processing of personal data relating to reports takes place through digital means and tools made available to persons acting under the authority of the Controller and authorised and trained for this purpose. 
They shall be granted access to personal data to the extent and within the limits necessary for the performance of the processing activities concerning them. 
The Controller, also through the persons authorised to process the information, periodically checks that

  • technical and organisational security measures relating to the tools processing the data are effective, in good working condition and constantly updated; 
  • data are not collected, processed, stored or retained beyond that which is deemed necessary;
  • data are stored with appropriate guarantees as to their integrity and authenticity and their use for the purposes of the processing actually carried out;
  • any personal data provided by the whistleblower that are not useful for the processing of the specific report are deleted immediately;
  • data are retained for the time necessary to perform the activities related to the management of the report submitted, and in particular, no longer than the time predetermined in advance.

In particular, the personal data collected are retained for a period not exceeding five years, starting from the date of communication of the final outcome of the reporting procedure, as well as for as long as necessary for the conduct of any proceedings arising from the management of the report (disciplinary, criminal, accounting).
This is without prejudice to storage for a longer period in connection with requests by public authorities and the National Data Protection Authority. 
This is without prejudice to the storage of personal data, including special data, for a longer period, within the limits of the statute of limitations of rights, in connection with requirements related to the exercise of the right of defence in the event of disputes. In that case, the retention period is 10 years from the conclusion of the litigation or pre-litigation stage.


10. Exercisable rights
In accordance with the provisions of Chapter III, Section I GDPR, any data subject may exercise the rights set out therein, and in particular:
  • Right of access - To obtain confirmation as to whether or not personal data relating to him/her are being processed and, if so, to receive information relating, in particular, to: the purposes of the processing, the categories of personal data processed and the period of retention, the recipients who the data may be disclosed to (Article 15 GDPR);
  • Right to rectification - To obtain, without undue delay, the rectification of inaccurate personal data concerning him/her and the completion of incomplete personal data (Article 16 GDPR);
  • Right to erasure - To obtain, without undue delay, the erasure of personal data concerning him/her in the cases provided for by the GDPR (Article 17 GDPR);
  • Right to restriction of processing - To obtain restriction of processing, in cases provided for by the GDPR (Article 18 GDPR);
  • Right to data portability - To receive, in a structured, commonly used and machine-readable format, personal data concerning him/her, and to ensure that it be transmitted to another data controller without restriction, in the cases provided for by the GDPR (Article 20 GDPR);
  • Right to object - To object to the processing of personal data concerning him/her, unless there are legitimate grounds for the Controller to continue the processing (Article 21 GDPR);
  • Right to lodge a complaint with the supervisory authority - To lodge a complaint with the Italian Data Protection Authority, Piazza Venezia no. 11, Rome https://www.garanteprivacy.it/.
 
The data subject may exercise these rights by simply sending an e-mail request to privacy@photosi.com.
These rights are granted without any particular charge or formality for the request to exercise them, which is understood to be essentially free of charge, except for a reasonable contribution to costs. 

Pursuant to Article 2-undecies of the Italian Privacy Code (implementing Article 23 of the GDPR), please note that the aforementioned rights may not be exercised by data subjects (by request to the Controller or by complaint pursuant to Article 77 of the GDPR) if the exercise of such rights would result in actual and concrete prejudice to the confidentiality of the whistleblower’s identity.  
In particular, the exercise of such rights:
  • will be carried out in accordance with the provisions of the law or regulations governing the sector (including Legislative Decree no. 231/2001 as amended by Law no. 179/2017);
  • may be delayed, limited or excluded by reasoned communication made without delay to the data subject, unless such communication could jeopardise the purpose of the limitation, for such time and to the extent to which this constitutes a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the whistleblower’s identity;
  • in such cases, the rights of the data subject may also be exercised through the Supervisor in the manner set out in Article 160 of the Italian Privacy Code, in which case the Supervisor will inform the data subject that it has carried out all the necessary verifications or has carried out a review, as well as of the data subject's right to submit a judicial appeal.


