Privacy

The following information aims to provide you with an overview of the use of your personal data by Mattioli S.p.a., headquartered in Turin, via Bologna, 220, as data controller. At the same time, we provide you with a description of the rights related to whistleblowing reports (hereinafter referred to as “whistleblowing”) in relation to the provisions of Legislative Decree 24/2023, which concerns the protection of persons who report violations of European Union law and contains provisions regarding the protection of persons who report violations of national regulatory provisions. This information concerns the processing of personal data of whistleblowers, reported persons, witnesses, or any other individual involved in a report and is provided pursuant to the General Data Protection Regulation – Regulation (EU) 2016/679 (hereinafter also GDPR) and Legislative Decree 196/2003 (hereinafter also Privacy Code) as amended by Legislative Decree 101/2018.

1. PURPOSE AND LEGAL BASIS OF PROCESSING

Mattioli S.p.a. processes your personal data for the purpose of managing the whistleblowing procedure, in accordance with Law No. 179 of November 30, 2017, containing “Provisions for the protection of authors of reports of crimes or irregularities of which they became aware in the context of a public or private employment relationship.”

The personal information concerning you will be processed in order to ensure:

  1. the correct and complete management of the whistleblowing procedure in compliance with current regulations on the matter;
  2. the necessary investigative activities aimed at verifying the validity of the reported facts and the adoption of consequent measures;
  3. the protection of a right in court;
  4. the response to a request from the judicial authority or equivalent authority.

These purposes determine the legal basis that legitimizes the processing of your personal data in relation to the legal obligations to which Mattioli is subject in order to correctly manage reports in compliance with current regulations, as well as its internal rules.

2. CATEGORIES OF DATA PROCESSED

Mattioli collects and/or receives the information you provide when you submit a report through the reporting channels activated by the Company, namely written communication, oral report, and direct and confidential meeting with the Internal Reporting Channel Manager (Whistleblowing Officer).

The information collected concerns the personal data of the Whistleblower, the alleged Responsible Party for the violation, as well as any Facilitator and other individuals involved and mentioned in the report.

Special categories of personal data (i.e., data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health or sexual life), if not relevant to the type of report, will be processed by Mattioli exclusively for purposes strictly connected and instrumental to verifying the authenticity of irregularity reports or in order to fulfill specific legal obligations (connected to the purposes of the report).

Personal data relating to criminal convictions and offenses or related security measures, if not relevant to the type of report, are not collected on the initiative of the Controller but, should they be provided, will be processed by Mattioli exclusively for purposes strictly connected and instrumental to verifying the authenticity of irregularity reports or in order to fulfill specific legal obligations (connected to the purposes of the report).

3. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The communication of collected personal data occurs primarily to third parties and/or recipients whose activity is necessary for carrying out activities related to report management, as well as to respond to certain legal obligations. In particular, transmission may occur to:

a) Internal Reporting Channel Manager (Whistleblowing Officer), identified by the Controller as a professional external to the Company;

b) company appointed to manage any activated IT platform, in its capacity as External Processor pursuant to and for the purposes of Article 28 GDPR;

c) external consultants (e.g., law firms) potentially involved in the investigative phase of the report;

d) company functions potentially involved in the activity of receiving, examining, and evaluating reports;

e) manager(s) of the function(s) affected by the report;

f) organizational positions potentially assigned to conduct investigations on the report in cases where their knowledge is essential for understanding the reported facts and/or for conducting related investigative and/or processing activities;

g) institutions and/or public authorities, judicial authorities, police bodies, investigative agencies.

Your personal data will in no way be disseminated or disclosed to parties other than those identified above.

4. DATA PROCESSING METHODS

The processing of personal data is carried out using manual, computerized, and telematic tools with logic strictly connected to the purposes themselves and, in any case, in such a way as to guarantee the security and confidentiality of the data.

5. RIGHTS OF DATA SUBJECTS

In accordance with the purposes and limits established for the processing of personal data concerning you, the rights granted to you to enable you to always maintain control over your data are:

  1. access;
  2. rectification;
  3. erasure;
  4. restriction of processing;
  5. objection to processing;
  6. portability.

Your rights are guaranteed without particular formalities for requesting their exercise, which is essentially free of charge.

You have the right:

  1. to obtain a copy, including in electronic format, of the data for which you have requested access;
  2. to obtain their erasure or restriction of processing or also the updating and rectification of your personal data and that third parties/recipients also comply with your request should they receive your data, unless legitimate superior reasons prevail over those that determined your request;
  3. to obtain any useful communication regarding activities carried out following the exercise of your rights without delay and in any case within one month of your request, except for an extension, duly justified, of up to two months, which must be duly communicated to you.

In compliance with current regulations (in particular, Article 2-undecies of the Privacy Code, in implementation of Article 23 of the GDPR), please be informed that the aforementioned rights cannot be exercised by the data subjects (by request to the Controller or by complaint pursuant to Article 77 of the GDPR) when the exercise of such rights may result in actual and concrete prejudice to the confidentiality of the whistleblower’s identity.

In particular, the exercise of such rights:

  1. shall be exercisable in accordance with the legal or regulatory provisions governing the sector (including Legislative Decree 231/2001 as amended by Law No. 179/2017);
  2. may be delayed, limited, or excluded with a reasoned communication provided without delay to the data subject, unless the communication may compromise the purpose of the limitation, for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the whistleblower’s identity;
  3. may, in such cases, also be exercised through the Guarantor in the manner provided for in Article 160 of the Privacy Code, in which case the Guarantor informs the data subject that it has carried out all necessary verifications or conducted a review, as well as of the data subject’s right to file a judicial appeal.

Finally, you have the right to lodge a complaint with the Guarantor for the protection of personal data in the forms and manner provided for by current regulations.

Mattioli S.p.a. processes and retains your personal data for a period of time not exceeding that necessary to achieve the purposes for which they are collected or subsequently processed.

Personal data processed in the context of an internal reporting procedure must be erased without delay and normally within five years of completion of the verification of the facts set out in the report.

At the end of the applicable retention period, personal data relating to the data subject will be erased or retained in a form that does not allow your identification (e.g., irreversible anonymization), unless their further processing is necessary for one or more of the following purposes: i) resolution of pre-litigation and/or litigation initiated before the expiration of the retention period; ii) to follow up on investigations/inspections by internal control functions and/or external authorities initiated before the expiration of the retention period; iii) to follow up on requests from Italian and/or foreign public authorities received/notified to Mattioli S.p.a. before the expiration of the retention period.

In the event of application of one or more of the aforementioned cases of suspension of the erasure/irreversible anonymization process of personal data, the Controller’s right to restrict access to the identifying data of the whistleblower remains firm, pursuant to and for the purposes of Article 2-undecies, first paragraph letter f) of Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.

6. METHOD OF EXERCISING RIGHTS

To exercise the rights described in paragraph 5), you may contact Mattioli S.p.a. at the email address: privacy@mattioli.it.
The deadline for response is one (1) month, extendable by two (2) months in cases of particular complexity; in these cases, Mattioli S.p.a. provides at least an interim communication within one (1) month of receiving the request.

7. CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is Mattioli S.p.a., via Bologna, 220, Turin. The Controller may also be contacted at the address privacy@mattioli.it.