REPORTS UNDER LEGISLATIVE DECREE 231/2001, LEGISLATIVE DECREE 24/2023 AND SA8000 STANDARD - PRIVACY NOTICE UNDER ARTICLE 13 OF EU REGULATION 2016/679 (GDPR)
DATA CONTROLLER - DPO
The Data Controller is Fater S.p.A. (P.IVA 01282360682), with registered office in Spoltore (CAP 65010), Via Mare Adriatico n. 122.
The contact details of the Data Protection Officer (DPO) appointed by the Data Conroller are: dataprotectionofficer@fatergroup.com.
PURPOSE AND LEGAL BASIS OF THE PROCESSING
Personal data are processed by Fater S.p.A. in order to fulfill specific obligations arising from the law, with specific reference to the investigation of any tort reported in the interest of corporate integrity by the persons indicated in the above-mentioned legislation.
In addition, the Data Controller will process the data as part of any litigation, both in court and out of court, resulting from the reports in order to prepare an adequate defense of its rights and interests, including in court.
In case of oral reports made, for example, through the use of telephone voice messaging systems, the reports may be recorded with the consent of the whistleblower on a device suitable for storage and listening or may be transcribed in full.
Except with the express consent of the whistleblower, under no circumstances will the identity of the whistleblower be disclosed to parties other than those charged with receiving and handling the report.
CATEGORY OF DATA SUBJECTS, TYPES OF DATA PROCESSED AND THEIR SOURCE
The data processed concern both the whistleblower, the accused person and/or any third party involved in the report.
The data processed are those provided by the whistleblower with the report and those that are subsequently collected during the investigation of the case according to the procedure adopted by the company.
Only data necessary for the purpose of management of reports are processed. Data not necessary for the management of reports will not be used and will be promptly deleted.
DATA RECIPIENTS
Within the scope of the above-mentioned purposes, data may be processed by emplyees and authorized appointees of Fater S.p.A. and by external parties appointed as data processors and, if the conditions of the law apply, by autonomous data controllers. The list of names and contact details of these recipients can be provided based on simple request to Fater.
In the event of disciplinary proceedings against the accused person, the identity of the whistleblower will be disclosed only if he or she consents and if the charge is based, in whole or in part, on the report and knowledge of the identitỳ of the whistleblower is indispensable for the defense of the accused.
DATA PROCESSING AND DATA RETENTION
The data collected as a result of reporting will also be processed by IT and telematic tools, adopting measures to protect the confidentiality of the data subjects, and stored for the time strictly necessary for the management of the investigation activities aimed at assessing the validity of the reports submitted, and in any case no longer than 5 years from the date of the communication of the final outcome of the reporting procedure, without prejudice to additional storage periods determined on the basis of legitimate interests (e.g.: pending litigation).
DATA TRANSTER TO NON-EU COUNTRIES
The Data Controller will store data on servers located in EU countries, but some of the providers it uses may, for technical reasons, transfer such data to non-EU countries on the basis of adequate safeguards under Articles 45, 46 and 47 GDPR, such as EU Commission adequacy decisions, EU Commission-approved standard contractual clauses and Binding Corporate Rules (so-called: BCRs). The list of countries and appropriate safeguards for the transfer can be provided upon simple request to the Data Controller.
RIGHTS OF THE DATA SUBJECTS AND MODALITIES FOR THEIR EXERCISE
In the cases provided for by Articles 15 et seq. EU Regulation 679/2016, within the limits identified by Article 2-undecies of Legislative Decree 196/2003 (Privacy Code), the data subject has the right to ask the Data Controller for access to personal data and the rectification or erasure of personal data or the restriction of the processing of such data or to object to the processing.
The data subject may also revoke any consent given. To exercise the above-listed rights, the data subject may contact the contact details of Fater and its DPO specified above. If the prerequisites are met, the data subject also has the right to lodge a complaint with the Garante Privacy, as the supervisory authority in accordance with the establish