LIST S.P.A., with registered office at via Pietrasantina, 123, 56122 Pisa (PI), VAT IT00928190503, as Data Controller and Owner of the Website, informs, pursuant to art. 13 of the EU Regulation n. 679/2016 (hereinafter “Regulation”), that personal data, including the particular categories of personal data pursuant to art. 9 of the Regulation, freely communicated by the user and acquired by LIST S.p.A. will be processed lawfully, fairly and in transparent manner, according to the purposes and the methods specified below.

1. Type of data processed
We may collect various categories of personal data relating to the user, including:

Data provided voluntarily by the user: the optional, explicit and voluntary sending of information by request information form on this site, automatically involves the subsequent acquisition of:

• any personal data (i.e. Name, surname, email, company and telephone number);
• any data related to CV included in the form.

Browser data: the computer systems and software procedures used to operate this website acquire some personal data during normal operations, which can be implicitly transmitted by using the Internet communication protocols.
This information is not gathered for the purposes of its association with the identified data subjects, but by its very nature, it could enable the users to be identified when processed and associated with data held by third parties.
This category of data includes the IP addresses or domain names of the computers used by visitors to the website, the addresses of the requested resources in URI (Uniform Resource Identifier) form, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code which indicates the status of the response provided by the server (successfully delivered, error, etc.) and other parameters relative to the user’s operating system and IT environment.
This data is only used to process anonymous statistical information on the use of the website and monitor it is functioning smoothly and is erased immediately after processing. The data could be used to verify the liability of the user should cyber crimes be committed, which could damage the website.

Cookies: Please read our Cookies Policy. 

2. Purposes of treatment
The above data will be processed for the following purposes:

• allow the user to use the Website;
• provide assistance to the user and respond to requests for information;
• recruitment of employees;
• comply with laws or judicial procedures.

3. Optional nature of data conferral
Without prejudice to the terms specified for the browsing data, the user is free to provide his personal data in the registration forms for the services on LIST’s official website. Failure to provide such data could make it impossible to obtain what requested.

4. Processing methods
Data processing, related to the web services of this website, takes place at the head office of LIST S.p.A. and is only performed by authorized persons. Your personal data is processed using automated tools. Specific technical and organisational security measures are in place to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

5. Communication and dissemination of data
No personal data resulting from the website service will be communicated or disclosed to third parties.

6. Personal data retention period
Personal data provided by user are retained for no longer than is necessary for the purposes for which the personal data are processed.

7. Rights of the data subjects
For any request to exercise the rights in art. 15, 16, 17, 18, 19, 20, 21 and 22 of the Regulation 2016/679 or any other question relating to the treatment of the Data concerning them, the interested party can contact the Company, as Data Controller and/to the DPO, at the following address: 
via mail to: LIST S.p.A., Via Pietrasantina, 123, 56122, Pisa (PI); or
via e-mail to: dpo-privacy@list-group.com

8. Complaint with the supervisory authority
Without prejudice to any other administrative and judicial appeal, if the data subject considers that the processing of data concerning him / her violates the provisions of EU Reg. 2016/679, pursuant to art. 15 letter f) of the aforementioned EU Reg. 2016/679, he has the right to lodge a complaint with the Data Protection Officer.

9. Contact of Data Protection Officer (DPO)
Data Protection Officer
GRECSO s.r.l.
Via Riboldi, 24 20062 – Cassano d’Adda (MI)
Phone: +39 0363 1922 281
Fax: +39 02 7005 45299
E-mail DPO: dpo-privacy@list-group.com
13 July 2023

LIST S.P.A, with registered office in via Pietrasantina, 123, 56122 Pisa (PI), Italy, VAT 00928190503 as Data Controller (hereinafter referred to as the “Controller”), hereby informs you that, pursuant to the EU Regulation n. 679/2016 (hereinafter referred to as the “Regulation”), all personal data communicated by You and acquired by us for the management and execution of the contract to which this information is attached, will be treated lawfully, in a fair and transparent manner with the purposes and methods indicated below.

1. Type of data
We may collect various categories of personal data necessary to fulfill the purposes indicated in point 2, including:

• identification and personal data (eg name, surname, identity document, passport number, place and date of birth);
• contact information (eg e-mail address and address);
• images acquired by the video surveillance system.

2. Legal Basis and Purpose of Personal Data Processing
Your data indicated in point 1 will be processed for the following purposes and with the following legal basis:
fulfill the obligations and exercise the pre-contractual and contractual rights provided by the report;
fulfill legal obligations;
for the pursuit of the legitimate interest of the holder in terms of physical security of company offices and for the protection of company assets.
If the Data Controller intends to process the data for purposes other than those indicated above, you will be provided with adequate information on the matter prior to such further processing.

3. Modalities of Processing
Your data indicated in point 1 might be processed manually, computer or telematic systems, in accordance with art. 32 of the Regulation, by authorized staff specifically appointed to this task, as art. 29 of the Regulation.

4. Recipients
Your data indicated in point 1 will be communicated exclusively to the specifically authorized subjects in compliance with the provisions of art. 29 of the Regulation.

5. Communication and Data disclosure
Data referred to in point 1 can be communicated to the competent authorities of European or non-European countries to provide responses to their requests in accordance with the regulation applicable from time to time.
Furthermore, within the scope of the aforementioned purposes, the data may be communicated, in Italy and abroad, to other companies of the Group, to third parties appointed as data processors and sub-processors pursuant to article 28 of the regulation and/or independent third-party data controllers.
The data may be accessible to other companies of the Group for the same purposes as above and/or for administrative-accounting purposes pursuant to article 6, par.1, letter f and recitals 47 and 48 of the Regulation.

6. Transfer of personal data outside the European Economic Area
Given the international presence of the LIST S.p.A, and in order to optimise the quality of the services provided, LIST S.p.A. may have to transfer the personal data collected to countries outside the European Economic Area, whose legal provisions on the protection of personal data are different from those of the European Union. In this case, LIST S.p.A. ensures the protection of personal data by signing Standard Contract Clauses or other protection tools defined by law.

7. Data Retention
Your data indicated in point 1 will be kept for the period of time necessary for the pursuit for which the data were collected and in compliance with the time limits prescribed by the law.

8. Rights
As an interested party, you can exercise your rights as per art. 15, 16, 17, 18, 19, 20, 21 and 22 of the Regulation and, more specifically, the Controller must provide the Data Subject with the following information:
a) as per art. 15, the confirmation that his or her personal data are being proceeded and, in that case, granted access to this information;
b) as per art. 16, the rectification, without undue delay, of inaccurate personal data him or her;
c) as per art. 16, the integration of incomplete personal data, also by providing a supplementary statement;
d) as per art. 17, the erasure of personal data concerning the data subject without unjustified delay, without prejudice to the specific legal obligations of the Controller, and if the conditions set forth in this article are satisfied;
e) as per art. 18, the restriction of processing of personal data, without prejudice to the specific legal obligations of the Controller and if the conditions set forth in this article are satisfied;
f) as per art. 20, data subjects shall have the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, with the exception of the Controller’s specific law obligations or legitimate interests in charge of the Controller, and if the conditions set forth in this article are satisfied;
g) as per art. 21, data subjects have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, including profiling based on this provision, without prejudice to specific legal obligations or legitimate interests in charge of the Controller, you have the right to object, on grounds relating to your particular situation.
As per art. 19, in case of exercise by the interested party of the rights of the articles 16, 17 and 18 of the Regulations, the Controller shall notify each of the recipients to whom the personal data have been transmitted, any rectifications, erasures or limitations of the processing performed, unless this proves impossible or involves a disproportionate effort. The Controller shall inform you about the recipients, if you request it.
Without prejudice to any other administrative and judicial appeal, every Data Subject shall have the right to lodge a complaint with the Data Protection Supervisor, if the processing of his or her personal data are believed to violate the EU Regulation 2016/679 under art. 15 letter f) of the aforementioned Regulation.

9. How to Exercise your Rights
For any request to exercise the rights in art. 15, 16, 17, 18, 19, 20, 21 and 22 of the Regulation 2016/679 or any other question relating to the treatment of the Data concerning them, the interested party can contact the Company, as Data Controller and/to the DPO, at the following address: 
via mail to: LIST S.p.A., Via Pietrasantina, 123, 56122, Pisa (PI); or
via e-mail to: dpo-privacy@list-group.com

10. Contact Details of Data Protection Officer
Data Protection Officer
GRECSO s.r.l.
Via Riboldi, 24 20062 – Cassano d’Adda (MI)
Phone: +39 0363 1922 281
Fax: +39 02 7005 45299
E-mail DPO: dpo-privacy@list-group.com
13 July 2023

LIST S.P.A, with registered office in via Pietrasantina, 123, 56122 Pisa (PI), Italy, VAT 00928190503 as Data Controller (hereinafter referred to as the “Controller”), hereby informs you that, pursuant to the EU Regulation n. 679/2016 (hereinafter referred to as the “Regulation”), all personal data communicated by You and acquired by us for the management and execution of the contract to which this information is attached, will be treated lawfully, in a fair and transparent manner with the purposes and methods indicated below.

1. Type of data
We may collect various categories of personal data necessary to fulfill the purposes indicated in point 2, including:

• identification and personal data of yours employees,
• contact information of yours employees.

2. Legal Basis and Purpose of Personal Data Processing
Your data indicated in point 1 will be processed for the following purposes and with the following legal basis:
fulfill the obligations and exercise the pre-contractual and contractual rights provided by the report;
fulfill legal obligations;
for the pursuit of the legitimate interest of the holder in terms of physical security of company offices and for the protection of company assets.
If the Data Controller intends to process the data for purposes other than those indicated above, you will be provided with adequate information on the matter prior to such further processing.

3. Modalities of Processing
Your data indicated in point 1 might be processed manually, computer or telematic systems, in accordance with art. 32 of the Regulation, by authorized staff specifically appointed to this task, as art. 29 of the Regulation.

4. Recipients
Your data indicated in point 1 will be communicated exclusively to the specifically authorized subjects in compliance with the provisions of art. 29 of the Regulation.

5. Communication and Data disclosure
Data referred to in point 1 can be communicated to the competent authorities of European or non-European countries to provide responses to their requests in accordance with the regulation applicable from time to time.
Furthermore, within the scope of the aforementioned purposes, the data may be communicated, in Italy and abroad, to other companies of the Group, to third parties appointed as data processors and sub-processors pursuant to article 28 of the regulation and/or independent third-party data controllers.
The data may be accessible to other companies of the Group for the same purposes as above and/or for administrative-accounting purposes pursuant to article 6, par.1, letter f and recitals 47 and 48 of the Regulation.

6. Transfer of personal data outside the European Economic Area
Given the international presence of the LIST S.p.A, and in order to optimise the quality of the services provided, LIST S.p.A. may have to transfer the personal data collected to countries outside the European Economic Area, whose legal provisions on the protection of personal data are different from those of the European Union. In this case, LIST S.p.A. ensures the protection of personal data by signing Standard Contract Clauses or other protection tools defined by law.

7. Data Retention
Your data indicated in point 1 will be kept for the period of time necessary for the pursuit for which the data were collected and in compliance with the time limits prescribed by the law.

8. Rights
As an interested party, you can exercise your rights as per art. 15, 16, 17, 18, 19, 20, 21 and 22 of the Regulation and, more specifically, the Controller must provide the Data Subject with the following information:
a) as per art. 15, the confirmation that his or her personal data are being proceeded and, in that case, granted access to this information;
b) as per art. 16, the rectification, without undue delay, of inaccurate personal data him or her;
c) as per art. 16, the integration of incomplete personal data, also by providing a supplementary statement;
d) as per art. 17, the erasure of personal data concerning the data subject without unjustified delay, without prejudice to the specific legal obligations of the Controller, and if the conditions set forth in this article are satisfied;
e) as per art. 18, the restriction of processing of personal data, without prejudice to the specific legal obligations of the Controller and if the conditions set forth in this article are satisfied;
f) as per art. 20, data subjects shall have the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, with the exception of the Controller’s specific law obligations or legitimate interests in charge of the Controller, and if the conditions set forth in this article are satisfied;
g) as per art. 21, data subjects have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, including profiling based on this provision, without prejudice to specific legal obligations or legitimate interests in charge of the Controller, you have the right to object, on grounds relating to your particular situation.
As per art. 19, in case of exercise by the interested party of the rights of the articles 16, 17 and 18 of the Regulations, the Controller shall notify each of the recipients to whom the personal data have been transmitted, any rectifications, erasures or limitations of the processing performed, unless this proves impossible or involves a disproportionate effort. The Controller shall inform you about the recipients, if you request it.
Without prejudice to any other administrative and judicial appeal, every Data Subject shall have the right to lodge a complaint with the Data Protection Supervisor, if the processing of his or her personal data are believed to violate the EU Regulation 2016/679 under art. 15 letter f) of the aforementioned Regulation.

9. How to Exercise your Rights
For any request to exercise the rights in art. 15, 16, 17, 18, 19, 20, 21 and 22 of the Regulation 2016/679 or any other question relating to the treatment of the Data concerning them, the interested party can contact the Company, as Data Controller and/to the DPO, at the following address: 
via mail to: LIST S.p.A., Via Pietrasantina, 123, 56122, Pisa (PI); or
via e-mail to: dpo-privacy@list-group.com

10. Contact Details of Data Protection Officer
Data Protection Officer
GRECSO s.r.l.
Via Riboldi, 24 20062 – Cassano d’Adda (MI)
Phone: +39 0363 1922 281
Fax: +39 02 7005 45299
E-mail DPO: dpo-privacy@list-group.com
13 July 2023 

LIST S.P.A, with registered office in via Pietrasantina, 123, 56122 Pisa (PI), Italy, VAT 00928190503 as Data Controller (hereinafter referred to as the “Controller”), hereby informs you that, pursuant to the EU Regulation n. 679/2016 (hereinafter referred to as the “Regulation”), all personal data communicated by You and acquired by us for the management and execution of the contract to which this information is attached, will be treated lawfully, in a fair and transparent manner with the purposes and methods indicated below.

1. Type of data
We may collect various categories of personal data necessary to fulfill the purposes indicated in point 2, including:

• identification and personal data;
• contact info;
• images acquired by the video surveillance system.

2. Legal Basis and Purpose of Personal Data Processing
Your data indicated in point 1 will be processed for the following purposes and with the following legal basis:
fulfill the obligations and exercise the pre-contractual and contractual rights provided by the report;
fulfill legal obligations;
for the pursuit of the legitimate interest of the holder in terms of physical security of company offices and for the protection of company assets.
If the Data Controller intends to process the data for purposes other than those indicated above, you will be provided with adequate information on the matter prior to such further processing.

3. Modalities of Processing
Your data indicated in point 1 might be processed manually, computer or telematic systems, in accordance with art. 32 of the Regulation, by authorized staff specifically appointed to this task, as art. 29 of the Regulation.

4. Recipients
Your data indicated in point 1 will be communicated exclusively to the specifically authorized subjects in compliance with the provisions of art. 29 of the Regulation.

5. Communication and Data disclosure
Data referred to in point 1 can be communicated to the competent authorities of European or non-European countries to provide responses to their requests in accordance with the regulation applicable from time to time.
Furthermore, within the scope of the aforementioned purposes, the data may be communicated, in Italy and abroad, to other companies of the Group, to third parties appointed as data processors and sub-processors pursuant to article 28 of the regulation and/or independent third-party data controllers.
The data may be accessible to other companies of the Group for the same purposes as above and/or for administrative-accounting purposes pursuant to article 6, par.1, letter f and recitals 47 and 48 of the Regulation.

6. Transfer of personal data outside the European Economic Area
Given the international presence of the LIST S.p.A, and in order to optimise the quality of the services provided, LIST S.p.A. may have to transfer the personal data collected to countries outside the European Economic Area, whose legal provisions on the protection of personal data are different from those of the European Union. In this case, LIST S.p.A. ensures the protection of personal data by signing Standard Contract Clauses or other protection tools defined by law.

7. Data Retention
Your data indicated in point 1 will be kept for the period of time necessary for the pursuit for which the data were collected and in compliance with the time limits prescribed by the law.

8. Rights
As an interested party, you can exercise your rights as per art. 15, 16, 17, 18, 19, 20, 21 and 22 of the Regulation and, more specifically, the Controller must provide the Data Subject with the following information:
a) as per art. 15, the confirmation that his or her personal data are being proceeded and, in that case, granted access to this information;
b) as per art. 16, the rectification, without undue delay, of inaccurate personal data him or her;
c) as per art. 16, the integration of incomplete personal data, also by providing a supplementary statement;
d) as per art. 17, the erasure of personal data concerning the data subject without unjustified delay, without prejudice to the specific legal obligations of the Controller, and if the conditions set forth in this article are satisfied;
e) as per art. 18, the restriction of processing of personal data, without prejudice to the specific legal obligations of the Controller and if the conditions set forth in this article are satisfied;
f) as per art. 20, data subjects shall have the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, with the exception of the Controller’s specific law obligations or legitimate interests in charge of the Controller, and if the conditions set forth in this article are satisfied;
g) as per art. 21, data subjects have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, including profiling based on this provision, without prejudice to specific legal obligations or legitimate interests in charge of the Controller, you have the right to object, on grounds relating to your particular situation.
As per art. 19, in case of exercise by the interested party of the rights of the articles 16, 17 and 18 of the Regulations, the Controller shall notify each of the recipients to whom the personal data have been transmitted, any rectifications, erasures or limitations of the processing performed, unless this proves impossible or involves a disproportionate effort. The Controller shall inform you about the recipients, if you request it.
Without prejudice to any other administrative and judicial appeal, every Data Subject shall have the right to lodge a complaint with the Data Protection Supervisor, if the processing of his or her personal data are believed to violate the EU Regulation 2016/679 under art. 15 letter f) of the aforementioned Regulation.

9. How to Exercise your Rights
For any request to exercise the rights in art. 15, 16, 17, 18, 19, 20, 21 and 22 of the Regulation 2016/679 or any other question relating to the treatment of the Data concerning them, the interested party can contact the Company, as Data Controller and/to the DPO, at the following address: 
via mail to: LIST S.p.A., Via Pietrasantina, 123, 56122, Pisa (PI); or
via e-mail to: dpo-privacy@list-group.com

10. Contact Details of Data Protection Officer
Data Protection Officer
GRECSO s.r.l.
Via Riboldi, 24 20062 – Cassano d’Adda (MI)
Phone: +39 0363 1922 281
Fax: +39 02 7005 45299
E-mail DPO: dpo-privacy@list-group.com
13 July 2023 

LIST S.P.A, with registered office in via Pietrasantina, 123, 56122 Pisa (PI), Italy, VAT 00928190503 as Data Controller (hereinafter referred to as the “Controller”), hereby informs you that, pursuant to art. 13 of the EU Regulation n. 679/2016 (hereinafter referred to as the “Regulation”), your personal data, by you freely communicated and acquired by us, will be processed in a lawful, correct and transparent manner, in relation to the purposes stated below:

1. Source of Personal Data
The collection of your personal data is done by recording the data you provide yourself, as an interested party, upon access to the LIST S.p.A. premises, in the electronic visitors register at the reception.

2. Legal Basis and Purpose of Personal Data Processing
Your data will be processed for the following purposes and with the following legal basis:

• pursuing the legitimate interests of the owner in terms of physical security of the company’s offices and the safeguarding of corporate assets.

If the Data Controller intends to process the data for purposes other than those indicated above, you will be provided with adequate information on the matter prior to such further processing.

3. Mandatory Nature
Data provision is optional but in its absence the access to LIST S.p.A premises will not be granted.

4. Modalities of Processing
Personal data might be processed manually, via computer or telematic systems, in accordance with art. 32 of the Regulation, by authorized staff specifically appointed to this task, as per art. 29 of the Regulation.

5. Communication
Your personal data shall be processed exclusively by the personnel of LIST S.p.A. identified as an authorized subject to treatment, without prejudice to any competent judicial or police authority consultation.

6. Data Dissemination
Your data will not in any case be disseminated.

7. Data Retention
Your personal data will be kept for the period of time necessary for the pursuit for which the data were collected in compliance with the time limits prescribed by the law.

8. Rights of the Data Subject
As an interested party, you can exercise your rights as per art. 15, 16, 17, 18, 19, 20, 21 and 22 of the Regulation and, more specifically, the Controller must provide the Data Subject with the following information:
a) as per art. 15, the confirmation that his or her personal data are being proceeded and, in that case, granted access to this information;
b) as per art. 16, the rectification, without undue delay, of inaccurate personal data him or her;
c) as per art. 16, the integration of incomplete personal data, also by providing a supplementary statement;
d) as per art. 17, the erasure of personal data concerning the data subject without unjustified delay, without prejudice to the specific legal obligations of the Controller, and if the conditions set forth in this article are satisfied;
e) as per art. 18, the restriction of processing of personal data, without prejudice to the specific legal obligations of the Controller and if the conditions set forth in this article are satisfied;
f) as per art. 20, data subjects shall have the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, with the exception of the Controller’s specific law obligations or legitimate interests in charge of the Controller, and if the conditions set forth in this article are satisfied;
g) as per art. 21, data subjects have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, including profiling based on this provision, without prejudice to specific legal obligations or legitimate interests in charge of the Controller, you have the right to object, on grounds relating to your particular situation.
As per art. 19, in case of exercise by the interested party of the rights of the articles 16, 17 and 18 of the Regulations, the Controller shall notify each of the recipients to whom the personal data have been transmitted, any rectifications, erasures or limitations of the processing performed, unless this proves impossible or involves a disproportionate effort. The Controller shall inform you about the recipients, if you request it.

9. How to Exercise your Rights
The aforementioned rights might be exercised by sending a witten request to the Controller:
List S.P. A, Via Pietrasantina, 123, 56122, Pisa (PI), Italy; or
E-mail: privacy@list-group.com

10. Complaint to the Supervisory Authority
Without prejudice to any other administrative and judicial appeal, every Data Subject shall have the right to lodge a complaint with the Data Protection Supervisor, if the processing of his or her personal data are believed to violate the EU Regulation 2016/679 under art. 15 letter f) of the aforementioned Regulation.

11. Contact Details of Data Protection Officer
Data Protection Officer
Via Riboldi, 24 20062 – Cassano d’Adda (MI)
Phone: +39 0363 1922 281
Fax: +39 02 7005 45299
E-mail DPO: maurizio.comelli@grecso.it
14 July 2021 Data Controller

Privacy Notification concerning the processing of personal data of those who make reports (reporting) through the Whistleblowing platform pursuant to art. 13 of EU Regulation 2016/679 This document has been drawn up pursuant to art. 13 of EU Regulation 2016/679 (hereinafter: “Regulation”) in order to allow users to know our privacy policy, to understand how their personal information is managed when they make reports through the Whistleblowing platform (https://ewhistlelist.azurewebsites.net).
The information and data provided by users will be processed in compliance with the provisions of the Regulation and the related confidentiality obligations.

1. Data controller and DPO
The Data Controller is LIST S.P.A, via Pietrasantina 123, 56122 Pisa.
The Data Protection Officer (“DPO”) pursuant to art. 37 et seq. of the Regulation can be reached at the e-mail address: dpo-privacy@list-group.com

2. Personal data subject to processing
The use of the platform will imply the processing of personal data, in particular common data (by way of example and not exhaustive: identification data of the whistleblower). Please note that it is absolutely forbidden for whistleblowers to insert, in the description section of the report, special category data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. These data, in fact, will not be taken into account either in the preliminary activity or in the investigation activity concerning the report that will be formulated.

3. Purpose of the  processing
The processing of personal data provided is aimed at managing reports in accordance with the regulatory requirements of Law no. 179/17 containing “Provisions for the protection of authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship”.

4. Processing methods
According to the rules of the Regulation, the treatments carried out will be based on the principles of lawfulness, correctness, transparency, purpose limitation and conservation, data minimization, accuracy, integrity and confidentiality, as well as the principle of accountability pursuant to art. 5 of the Regulation. Specific security measures are observed to prevent illicit or incorrect use of data and non-access Authorized. Especially: – all processed data are encrypted (reporting records, reports) with different crypt keys for each table; – the data of the whistleblower are stored in a separate table with respect to the content of the report formulated by the same; – the report is assigned an identification code c.d. “anonymous”. In this way, throughout the reporting management process and even after its storage, the personal data of the whistleblower will be accessible only to specifically authorized personnel, exclusively for the purpose of allowing checks on the report and in full compliance with current legislation.

5. Legal basis and mandatory or optional nature of the processing
The legal basis of the processing of personal data for the purposes referred to in art. 3 is Art. 6.1.f) of the Regulation as the treatments are based on a legitimate interest of each Data Controller. The provision of personal data for these purposes is necessary, in fact any failure to provide will make it impossible to follow up on the reports received.

6. Recipients of personal data
The personal data collected in this way may be shared, for the purposes referred to in Article 3 of this Information, with:
(i) subjects who typically act as data processors pursuant to art. 28 of the Regulation, or by subjects who cooperate with one of the Data Controllers for the pursuit of the aforementioned purposes, including subjects delegated to carry out technical maintenance activities;
(ii) subjects, bodies or authorities to whom it is mandatory to communicate personal data pursuant to legal provisions or orders of the authorities;
(iii) person authorized by the competent Data Controller, pursuant to art. 29 of the Regulation, to the processing of personal data necessary to carry out activities strictly related to the provision of services, which are committed to confidentiality or have an adequate legal obligation of confidentiality.

7. Transfer of personal data
The personal data are not transferred outside the European Union.

8. Storage of personal data
The Personal data processed for the purposes referred to in art. 3 will be kept for the time strictly necessary to achieve those same purposes. In any case, since these are treatments carried out for the provision of services, the Data Controllers will keep personal data for the period of time provided for and permitted by Italian law to protect their interests (Article 2220 of the Civil Code and subsequent amendments). More information regarding the data retention period and the criteria used to determine this period can be requested by sending a written request to the Data Controller to whom the report was addressed to the relative address indicated in this statement.

9. Rights of the interested parties
Pursuant to articles 15 et seq. of the Regulation, the interested party has the right to ask the Data Controller to whom he has addressed the report, at any time, access to his personal data, the correction or cancellation of the same or to oppose their treatment, request the limitation of processing in the cases provided for by art. 18 of the Regulation, as well as to obtain in a structured format, commonly used and readable by automatic device, the data concerning him, in the cases provided for by art. 20 of the Rules of Procedure. Requests should be sent in writing to the Data Controller or to the DPO at the address indicated in this statement.

25 July 2023