PURSUANT TO REGULATION (EU) 2016/679 (GDPR) AND ITALIAN LEGISLATIVE DECREE 196/2003
The Data Controller is Interfashion S.p.A., with registered office at Via Coriano n. 58/90 – 47924 Rimini (RN), Italy, Certified Email (PEC): info@pec.interfashion.it (hereinafter also referred to as “Interfashion” or “the Controller”).
Within the process of managing reports of violations pursuant to Legislative Decree no. 24/2023 (the so‑called Whistleblowing Decree), the Controller may process personal data relating to individuals who submit reports, individuals reported, individuals mentioned or otherwise involved in the report, and in general individuals to whom the protections provided by Legislative Decree no. 24/2023 apply, as detailed in the Whistleblowing Procedure published on the Controller’s website.
The processing involves the voluntary provision of data by completing a form through a dedicated IT procedure, by means of voice recording, or through a direct meeting with the whistleblowing officer or function designated by the Data Controller and indicated in the relevant procedure “Whistleblowing Reporting Procedure”.
The processing may therefore concern personal data such as identification data, contact details and data relating to the individual’s work activity and, to the extent strictly necessary, special categories of personal data pursuant to Art. 9 of EU Regulation 2016/679 (hereinafter: the Regulation or GDPR), such as data relating to health, trade union membership, data revealing racial origin, political opinions, religious or philosophical beliefs of the data subject, or data relating to criminal convictions and offences pursuant to Art. 10 of the GDPR.
Personal data may be processed for the following purposes:
– management of the report in all its phases, including assessment of the reported facts and the adoption of any resulting measures, as described in the Whistleblowing Reporting Procedure published on the Controller’s website;
– compliance with legal obligations regarding whistleblowing applicable to the Controller.
For the above purposes, the legal basis for the processing is the necessity to comply with a legal obligation to which the Controller is subject, namely Legislative Decree no. 24/2023, and to apply the procedures required to implement the provisions of said decree, pursuant to Art. 6(1)(c), Art. 9(2)(b) and Art. 10 of the GDPR, as well as Art. 88 of the Regulation.
The legal basis for the following processing activities is consent, pursuant to Art. 6(1)(a) GDPR:
– the disclosure of the identity of the whistleblower and any other information from which such identity may be directly or indirectly inferred to persons other than those competent to receive or follow up on the reports, in the cases provided for by applicable legislation;
– the disclosure of the whistleblower’s identity within disciplinary proceedings where the charge is based, wholly or partially, on the report and knowledge of such identity is indispensable for the defence of the accused;
– the transcription of the report or recording on a device suitable for storage where the report is made by the whistleblower through a recorded telephone line or another recorded voice messaging system.
In the above cases, the Controller, or persons appointed by the Controller for this purpose, will obtain the whistleblower’s consent through a specific form.
The provision of personal data is optional. However, failure to provide such data may hinder the assessment of the report: anonymous reports will in fact be considered only where they are sufficiently detailed and supported by adequate information, enabling facts and situations connected to specific contexts to emerge, in accordance with the Whistleblowing Procedure published on the Controller’s website.
Processing will be carried out through an IT platform equipped with encryption tools to ensure the confidentiality of the whistleblower’s identity and of the content of the reports and related documentation, adopting appropriate technical and organisational measures to protect them from unauthorized or unlawful access, destruction, accidental loss, or breach of integrity and confidentiality.
Personal data may also be processed using paper-based tools, in a manner designed to guarantee security and confidentiality, in compliance with the provisions of Legislative Decree 24/2023.
In addition to persons specifically authorized by the Controller, personal data may also be processed by entities performing outsourced activities on behalf of the Controller, acting as Data Processors.
Furthermore, where required by law, personal data may be disclosed to the National Anti-Corruption Authority (ANAC), to the ordinary judicial authority, or to the Italian Court of Auditors.
At present, no transfer of personal data to countries outside the European Economic Area (EEA) is envisaged.
Personal data will be retained for a maximum period of 5 years from the date of communication of the final outcome of the reporting procedure and, in any case, until the completion of any proceedings initiated by the offices or authorities receiving the report.
In any event, personal data transmitted by the whistleblower that are not useful for processing the report will be deleted immediately.
Whistleblowers have the right, in the cases provided for by the Regulation, to obtain access to personal data, rectification, completion, erasure of the data or restriction of processing, or to object to processing (Articles 15 et seq. of the GDPR).
Requests may be submitted by contacting the reporting manager through the IT platform used for reporting.
Data subjects who believe that the processing of their personal data is carried out in violation of the provisions of the Regulation also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) using the forms available at the following link: https://www.garanteprivacy.it/i-miei-diritti
Furthermore, for processing operations based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.