Language

Cart

Your cart is empty

Whistleblowing Reporting Privacy Policy

PRIVACY POLICY REGARDING WHISTLEBLOWING REPORTS
(Art. 13 EU Regulation 27 April 2016, no. 679 on the protection of personal data “GDPR”)

With this policy, Abraham Industries Srl explains how data is processed and identifies the rights granted to the data subject pursuant to Regulation (EU) 2016/679, concerning the protection of natural persons with regard to the processing of personal data and Legislative Decree 196/2003, on the protection of personal data, as amended by Legislative Decree 101/2018. Data processing will be carried out in compliance with the principles of lawfulness, fairness, and transparency.

Data Controller

The Data Controller is Abraham Industries Srl, with registered office at Via Fosse Incrociate, 284, Santarcangelo di Romagna (RN) - info@abrahamindustries.it

Data Processor

The Data Processor is the company providing the whistleblowing IT platform: Smart Compliance Solutions for you s.r.l. telephone: +39 059 8030759, Email: info@scs4u.it.

Abraham Industries Srl, in fact, has decided to use an IT platform to allow whistleblowers to submit reports.

Type of data processed

The receipt and management of reports involves the processing of so-called "common" personal data (name, surname, job role, etc.), and may also, depending on the content of the reports and the acts and documents attached thereto, involve the processing of so-called "special" personal data (data relating to health conditions, sexual orientation or trade union membership, as per art. 9 GDPR) and personal data relating to criminal convictions and offences (as per art. 10 GDPR).

Purpose of processing

Personal data is collected to fulfill legal obligations provided for by Legislative Decree 24/2023 "Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, on the protection of persons who report breaches of Union law and containing provisions concerning the protection of persons who report breaches of national legal provisions". The data is provided to report, in the interest of the integrity of Abraham Industries Srl, alleged unlawful conduct of which the whistleblower became aware due to their employment, service or supply relationship with the Company, and will be processed by the Company to manage such situations. Personal data is acquired as contained in the report and/or in acts and documents attached thereto. It refers to the whistleblower, but also to persons indicated as possible perpetrators of the unlawful conduct, as well as to those variously involved in the reported events. Specifically, to carry out the necessary investigative activities aimed at verifying the merits of what has been reported, and, if necessary, to adopt appropriate corrective measures and take appropriate disciplinary and/or legal actions against those responsible for the unlawful conduct.

Legal bases for processing

Taking into account the reference legislation and, in particular, art. 54-bis of Legislative Decree 165/2001, it is specified that:

  • the processing of "common" data is based on the legal obligation to which the Data Controller is subject (art. 6, par. 1, letter c) of the GDPR)
  • the processing of "special" data is based on the fulfillment of obligations and the exercise of specific rights of the Data Controller and the Data Subject in matters of labour law (art. 9, par. 2, letter b), GDPR)
  • the processing of data relating to "criminal convictions and offences", taking into account the provisions of art. 10 GDPR, is based on the legal obligation to which the Data Controller is subject (art. 6, par. 1, letter c), GDPR).

It should be noted that, in accordance with the provisions of art. 54-bis of Legislative Decree 165/2001, if the report leads to the initiation of disciplinary proceedings against the person responsible for the unlawful conduct, the identity of the whistleblower will not be disclosed.

If knowledge of the whistleblower's identity is essential for the defense of the accused, the whistleblower will be asked if they intend to give specific, free consent for the disclosure of their identity.

Nature of data provision and consequences of failure to provide data

The provision of data is mandatory. In order to classify a report as whistleblowing, identifying data (name, surname) must be provided mandatorily, as anonymous reports do not fall – by express will of the legislator – directly within the scope of art. 54-bis of Legislative Decree 165/2001. If the whistleblower still wishes to proceed with an anonymous report, the latter will be managed as an ordinary report and will only be considered if it is adequately substantiated, illustrated, and suitable for bringing out facts and situations in relation to specific contexts. The decision of which additional personal data to provide rests with each whistleblower. The more details present in the report, the more tools the report manager will have to investigate the report.

Processing methods

Personal data will also be processed using automated tools for the time strictly necessary to achieve the purposes for which they were collected. The Company Abraham Industries Srl adopts and guarantees the adoption of suitable measures to ensure that the provided data are processed adequately and in accordance with the purposes for which they are managed. The provider company of the whistleblowing IT platform employs suitable security measures (e.g., file encryption), organizational, technical, and physical, to protect information from alteration, destruction, loss, theft, or improper or unlawful use. Subjects authorized to process data Abraham Industries Srl has identified in writing the subjects authorized to process data. The report managers have been expressly authorized and instructed in this regard. If the management of the report, for investigative needs, requires that other subjects, internal or external to Abraham Industries Srl, must be informed of the content of the report or the documentation attached thereto, the identity of the whistleblower will never be revealed, nor will elements be revealed that could, even indirectly, allow their identification. However, such subjects could still become aware of other personal data. For this reason, they are all formally authorized to process and specifically instructed and trained for this purpose, as well as bound to secrecy regarding what they learn due to their duties, without prejudice to the reporting and denunciation obligations referred to in art. 331 of the Code of Criminal Procedure.

Categories of personal data recipients

The personal data of the whistleblower and those of persons indicated as possible perpetrators of unlawful conduct, as well as persons variously involved in the reported events, will not be disseminated, except as specified below. In the context of disciplinary proceedings, the identity of the whistleblower will not be revealed in all cases where the disciplinary charge is based on separate and additional investigations compared to the report, even if consequential to it. It may be revealed only when three conditions are met simultaneously:

  • (i) that the charge is based, in whole or in part, on the report;
  • (ii) that knowledge of the whistleblower's identity is essential for the defense of the accused;
  • (iii) that the whistleblower has given specific consent to the disclosure of their identity.

In the context of any criminal proceedings initiated by the Administrative Body, following a finding that the report is well-founded, the identity of the whistleblower will be kept secret in the manner and within the limits provided for by art. 329 of the Code of Criminal Procedure, i.e., until the end of the preliminary investigation phase. If the Judicial Authority requests the whistleblower's name, the Company is obliged to transmit it.

Categories of personal data recipients, dissemination and data transfer abroad

The personal data mentioned above will not be disseminated outside Abraham Industries Srl and will not be transferred to any non-EU country or International Organization, with the exception of the following categories of recipients:

  • provider company of the whistleblowing IT platform used for reports;
  • authorized personnel with access, IT system administrators;
  • Supervisory Body;
  • company functions and/or third parties expressly involved in the investigation of the report;
  • Authorities to whom the communication of the whistleblower's identity is mandatory.

Data retention period

The report manager carries out a preliminary investigation of the report. If, as a result of the activity carried out, manifest unfounded elements are found, it is archived. If, however, the manager finds a prima facie case for the report's validity, they transmit it, without the whistleblower's data, to the Company's Administrative Body for the adoption of measures within its competence against the perpetrator of the violation. Personal data is stored for a maximum period of 5 years and, in any case, until the conclusion of the proceedings initiated with the reports.

Rights of data subjects and complaints

Under the conditions provided for by EU Regulation 2016/679, the whistleblower may exercise the following rights:

  • art. 15 Right of access by the data subject;
  • art. 16 Right to rectification;
  • art. 17 Right to erasure;
  • art. 18 Right to restriction of processing;
  • art. 20 Right to data portability;
  • art. 21 and art. 22: Right to object and automated individual decision-making.

To verify the existence of the conditions and modalities for exercising the aforementioned rights, please refer to the full text of the cited provisions, available on the website: www.garanteprivacy.it. These rights can be exercised by sending a request to: Abraham Industries Srl with registered office in Via Fosse Incrociate, 284, Santarcangelo di Romagna (RN) - info@abrahamindustries.it

Should the whistleblower believe that the processing has not occurred in accordance with the Regulation and Legislative Decree 196/2003, they may contact the Data Protection Authority, pursuant to art. 77 of the same Regulation.

Further information regarding your personal data protection rights can be found on the website of the Italian Data Protection Authority at www.garanteprivacy.it.