The Data Controller is Interfashion S.p.A., with registered office at Via Coriano n. 58/90 – 47924 Rimini (RN), Italy, Certified Email (PEC): info@pec.interfashion.it (hereinafter also referred to as “Interfashion” or the “Controller”).
Within the process of managing reports of violations pursuant to Legislative Decree no. 24/2023 (the so-called Whistleblowing Decree), the Controller may process personal data relating to individuals who submit reports, individuals reported, individuals mentioned or otherwise involved in the report, and in general individuals to whom the protections provided by Legislative Decree no. 24/2023 apply, as detailed in the Whistleblowing Procedure published on the Controller’s website.
The processing involves the voluntary provision of data by completing a form through a dedicated IT procedure, by means of voice recording, or through a direct meeting with the whistleblowing function designated by the Data Controller and indicated in the relevant procedure “Whistleblowing Reporting Procedure”.
The processing may therefore concern personal data such as identification data, contact details and data relating to the data subject’s work activity and, to the extent strictly necessary, special categories of personal data pursuant to Article 9 of Regulation (EU) 2016/679 (hereinafter: the Regulation or GDPR), including data relating to health, trade union membership, data revealing racial origin, political opinions, or religious or philosophical beliefs of the data subject, as well as data relating to criminal convictions and offences pursuant to Article 10 of the GDPR.
Personal data may be processed for the following purposes:
– management of the report in all its phases, including verification of the facts reported and the adoption of any resulting measures, as described in the Whistleblowing Reporting Procedure published on the Controller’s website;
– compliance with legal obligations regarding whistleblowing applicable to the Controller.
For the above purposes, the legal basis for the processing is the necessity to comply with a legal obligation to which the Controller is subject, namely Legislative Decree no. 24/2023, and to apply the procedures required to implement the provisions of said decree, pursuant to Articles 6(1)(c), 9(2)(b) and 10 of the GDPR, as well as Article 88 of the Regulation.
The legal basis for the following processing activities is consent, pursuant to Article 6(1)(a) GDPR:
– the disclosure of the identity of the whistleblower and any other information from which such identity may be directly or indirectly inferred to persons other than those competent to receive or follow up on the reports, in the cases provided for by applicable legislation;
– the disclosure of the whistleblower’s identity within disciplinary proceedings where the charge is based, wholly or partially, on the report and knowledge of such identity is indispensable for the defence of the accused;
– the transcription of the report or recording on a device suitable for storage when the report is made by the whistleblower through a recorded telephone line or another recorded voice messaging system.
In the above cases, the Controller, or persons appointed by the Controller for this purpose, will obtain the whistleblower’s consent through a specific form.
The provision of personal data is optional. However, failure to provide such data may prejudice the examination of the report. Anonymous reports will be considered only where they are sufficiently detailed and supported by adequate information enabling facts and situations connected to specific contexts to emerge, in accordance with the Whistleblowing Procedure published on the Controller’s website.
Processing will be carried out through an IT platform equipped with encryption tools to ensure the confidentiality of the whistleblower’s identity and the content of the reports and related documentation, adopting appropriate technical and organisational measures to protect them from unauthorized or unlawful access, destruction, loss of integrity and confidentiality, including accidental events.
Personal data may also be processed using paper-based tools, in a manner designed to guarantee security and confidentiality, in compliance with the provisions of Legislative Decree no. 24/2023.
In addition to persons specifically authorized by the Controller, personal data may also be processed by entities performing outsourced activities on behalf of the Controller, acting as Data Processors.
Furthermore, where required by law, personal data may be disclosed to the National Anti-Corruption Authority (ANAC), to the ordinary judicial authority, or to the accounting judicial authority.
At present, no transfer of personal data to countries outside the European Economic Area (EEA) is envisaged.
Personal data will be retained for a maximum period of 5 years from the date of communication of the final outcome of the reporting procedure and, in any case, until the completion of any proceedings initiated by the offices or authorities receiving the report.
In any event, personal data transmitted by the whistleblower that are not useful for processing the report will be deleted immediately.
Whistleblowers have the right, in the cases provided for by the Regulation, to obtain access to personal data, rectification, completion, erasure of the data or restriction of processing, or to object to processing (Articles 15 et seq. of the GDPR).
Requests may be submitted by contacting the reporting manager through the IT platform used for reporting.
Data subjects who believe that the processing of their personal data is carried out in violation of the provisions of the Regulation also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) using the forms available at the following link: https://www.garanteprivacy.it/i-miei-diritti
Furthermore, for processing operations based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.