Send a report with the utmost confidentiality.

Privacy

 

Privacy policy pursuant to EU Regulation 2016/679 and applicable reference legislation

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the “Regulation”), in addition to the reference legislation on Privacy, the Company, as Data Controller, informs you that the processing of your personal data or special categories of data (Article 9 EU Regulation) provided by you will be carried out in a relevant and transparent way and in compliance with the principles of legality and necessity according to the provisions in force.

Purpose and obligatory nature of data conferment:

The Data Controller will process personal data for the following purposes:

  • management of the report at every phase, including that of ascertaining the facts reported and taking any resulting measures, as described in the Whistleblowing Procedure, which is available on the company’s website and intranet;
  • compliance with legal or regulatory obligations to which the Company is subject regarding whistleblowing.

Legal basis of the processing for the purposes described above: (i) the requirement to fulfil the legal obligation to enforce the whistleblowing legislation to which the Company is subject (Articles 6(1)(c), 9(2)(b) and 10, in addition to Article 88 of Regulation (EU) 2016/679, in relation to Legislative Decree No. 24/2023); (ii) the requirement to perform the task of public interest as provided for by the legal system, related to the whistleblowing legislation (Article 6, paragraph 1(e), Article 9, paragraph 2(e), of the Regulation).

Legal basis of the processing

The legal basis for the processing resides in Legislative Decree No. 24/2023 and in the related Procedure adopted as a supplement to the Organisation and Management Model pursuant to Legislative Decree 231/2001.

Categories of personal data processed

As part of its role, the Company may process special categories of data in order to allow it to fulfil its obligations under this Procedure.

As part of the process of handling reports of violations pursuant to Legislative Decree No. 24/2023, on the protection of persons who report violations of EU law and the protection of persons who report violations of national regulatory provisions (whistleblowing), the Data Controller will process the personal data of the reporters, the reported parties, the parties otherwise mentioned in the report, the parties involved in the process of handling the report, and in any case the parties covered by the protections under Legislative Decree No. 24/2023.

This data will include personal identifying data, such as biographical, contact and work-related information about the data subject and - to the extent strictly necessary - personal data belonging in the special categories referred to in Article 9 of EU Regulation 2016/679. This includes data relating to the data subject’s health, trade union membership, racial origin, political opinions, religious or philosophical beliefs or data relating to criminal convictions and offences referred to in Article 10 of the Regulation.

Personal data will be collected directly from the person concerned or from third parties. The data will be contained in the report of wrongdoing and attached documentation or collected during the process of handling the report.

Data retention

In compliance with the principles of proportionality and necessity, the data will not be kept for longer than is indispensable to the fulfilment of the aforementioned purposes.

Recipients of personal data

The data may be communicated to: third parties, including the companies of the BasicNet Group. In such an event, these subjects will be identified as autonomous Data Controllers, in accordance with the provisions of privacy law.

 

Manner of data processing

Personal data will be processed using paper, computer or telematic means, so as to ensure the security and confidentiality of such data, in accordance with the provisions of Legislative Decree No. 24/2023, adopting the necessary security, technical and organisational measures to mitigate the risk that unauthorised parties may obtain the identity of the reporter and other parties involved.

Rights of the Data Subject

The subjects to whom the personal data refer have the right at any time to obtain confirmation of whether or not their personal data are being processed and, if so, to obtain access to the data and information referred to in Article 15 of the Regulation, to obtain a copy of such data or to correct it (Articles 15 and 16 of the Regulation).

Furthermore, data subjects have the right to request the deletion, restricted processing and portability of data, to lodge a complaint with the supervisory authority and to object in any case, for legitimate reasons, to the processing of said data (Article 17 and following of the Regulation).

These rights may be exercised by written communication sent to: RequestGDPR@basic.net.

 

Data controller

The data controller is the receiving company at its registered office.

The Data Protection Officer is SeeFree S.a.s., contactable at dpo@seefree.it.

The updated list of External Data Processors is published on the Data Controller’s website in the section Company Info - Privacy.