Whistleblowing

Reporting procedure

Whistleblowing information

Information pursuant to data protection legislation - Whistleblowing

Pursuant to art. 13 of EU Regulation no. 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) and of Italy’s Legislative Decree 24/2023, F2A S.p. A, registered in Milan, via della Moscova n.3 (hereinafter “F2A”, the “Company” or “Data Controller”) hereby provides information relating to the processing of "Personal Data" carried out within the Company’s management of whistleblowing according to the Company’s Whistleblowing Procedure.

1) Categories of personal data

  1. Personal Data of the whistleblower as defined in art. 4, point 1, of the GDPR (in the case of non-anonymous reports) as well as Personal Data of any persons involved or mentioned in the report and facilitators, as defined by the Whistleblowing Procedure (hereinafter "Interested Parties"), such as any information which are related to an identified or identifiable natural person: name and surname and contact information (e.g. fixed/mobile telephone number, correspondence/e-mail address);
  2. special categories of data as defined in art. 9) of the GDPR, if included in the report.

2) Purpose of the processing and its legal basis

The aforementioned personal data is processed by the Data Controller for the following purposes:

  1. management of the Report filed pursuant to Legislative Decree no. 24/2023 and Legislative Decree 231/01;
  2. fulfillment of legal obligations to which the Data Controller is subject in compliance with the Italian and EU laws;
  3. defense or establishment of a person’s rights in civil, administrative or criminal disputes.

The legal basis of the processing consists of:

  1. for the purposes referred to in letters a) and b), from the fulfillment of a legal obligation to which the Data Controller is subject (art. 6, par. 1, letter c) of the GDPR);
  2. for the purposes referred to in letter c), by the legitimate interest of the owner (art. 6, par. 1, letter f) of the GDPR).

Providing your personal data is necessary to achieve the above purposes; failing to provide this data, or providing partial or incorrect data, could result in the impossibility for the Controller to manage the report.

3) Data storage

F2A stores personal data in compliance with the terms set out in the art. 14 of Legislative Decree no. 24/2023, that is, for the time necessary for the processing of the report and in any case for no more than 5 years starting from the date of notification of the final outcome to the Supervisory Body 231.

4) Modalities and rationale of the processing 

Data processing is carried out manually and/or through automated IT and telematic tools only for the aforementioned purposes and, in any case, in such a way as to guarantee its security and confidentiality.

The reporting management system guarantees, at every stage, the confidentiality of the identity of the reporting person, of the people involved and/or otherwise mentioned in the report, of the content of the report and of the related documentation, without prejudice to the provisions of the art. 12 of Legislative Decree no. 24/2023.

5) Owner, Data Protection Officer, persons and body authorized to process data in F2A

The Data Controller of personal data is F2A S.p.A., headquartered in via della Moscova, n. 3 – 20121 Milan.

The Data Controller has appointed a Data Protection Officer, whom can be reached at the following e-mail address: dpo@f2a.biz.

Pursuant to art. 6, point 1, letter. b) of Legislative Decree no. 231/2001, the Data Controller has established the Supervisory Body, which has the power to exercise control and act independently, as well as the Compliance department, which is also the owner of the reporting management process governed by the Whistleblowing Procedure.

6) Recipients of personal data

Personal data may be disclosed exclusively to persons and entities who have a role in the management of the Whistleblowing procedure (specifically named internal persons, Supervisory Body and third parties specifically named by them, and external consultants who may be involved in the management of the report). These entities are bound by a duty of confidentiality and follow specific technical and organisational measures.

Data may be disclosed to additional third parties, including the providers of the report management service, who may access personal data only for technical purposes relating to the platform, and who will act as data controllers on the basis of specific technical and organisational measures provided by the owner. 

Judicial authorities, public authorities, Italy’s National Anti-Corruption Authority (ANAC) and, in general, all entities who must be notified pursuant to a law may also have access to the data and information collected.

Personal data will not be disclosed or disseminated to entities other than those indicated above.

7) Rights of the interested parties

Interested parties (the reporting persons or facilitators) have the right to access their data at any time and to exercise the rights provided for by articles 15 to 22 of the GDPR, as applicable, such as for instance the right to access, rectification and erasure (the so-called right to be forgotten), the right to restriction of processing, the right to portability, the right to object or the right of not being subject to processing, by sending an e-mail to the address: dpo@ f2a.biz.

Furthermore, interested parties have the right to lodge a complaint with the Italian Data protection authority.