EN
Whistleblowing Privacy Policy

PRIVACY POLICY NOTICE PURSUANT OF ART. 13 OF THE EU REGULATION 2016/679

 

For “reporting persons” and eventual “facilitators” as for the Legislative Decree n. 24 of 2023 (implementing the so-called “Whistleblowing Directive”) “on the protection of persons who report breaches of Union law and containing provisions regarding the protection of persons who report violations of national regulatory provisions”

 

For Tamburi Investment Partners S.p.A., personal data protection is a very serious matter, so we hereby wish to inform you about the ways in which data is processed and the rights you can exercise under current data protection legislation, in particular EU Regulation 2016/679 (hereinafter also: “GDPR”).

  1. Data Controller and DPO

Data Controller

Tamburi Investment Partners S.p.A.

Registered office: Via Pontaccio 10, 20121 Milano (MI)

Telephone contact details: 02.8858801

E-mail contact details: TIP@tamburi.it

 

Contact Details of the

Data Protection Officer (DPO)

Vera Cantoni Esq.

Domicile for the role: Via Turati 26, 20121 Milano (MI)

Telephone contact details: 02.70039991

E-mail contact details: dpo@tamburi.it

 

  1. Categories of processed personal data

The categories of “personal data” (pursuant to Art. 4.1 of the GDPR) processed by the Data Controller can be, by way of example only, but certainly not exhaustively:

–  identifying data (name, date of birth, place of birth, nationality, social security number, VAT number, profession/job, etc.);

–  contact data (address, e-mail address, phone number, etc.);

–  information collected as a consequence of the report which can include but are not limited to, information regarding, information on the work and/or professional activity carried out, working or professional relationships, even indirect, with the reported person or persons involved, circumstances and reasons why the Data Subject became aware of the suspected violations of regulatory obligations;

–  any special category of personal data in relation to the reporting of certain types of offenses or violations, if the Data Subject suffers such offenses or is an offended party in this regard (by way of example but not limited to: health-related data in the case of reporting of crimes and other offenses related to work-related injuries, if the data subject is the same victim of the injury);

–  with reference to the “facilitator,” the processing will concern only identification and contact data, as well as personal data pertaining to the relationship with the reporter, with reference to working relationships, and those pertaining to the assistance provided to the latter.

 

  1. Lawfulness and purposes of the personal data processing

Personal data is processed in accordance with the provisions of the General Data Protection Regulation (GDPR) and any other applicable data protection legislation. More details are provided below:

 

3.1      Purposes based upon the need to comply with a legal obligation (ex-art. 6, paragraph 1 (c) of the GDPR)

  1. fulfillment of obligations under Laws, Regulations and Union regulations, with particular reference to those provided for in Legislative Decree No. 24 of 2023 and, more generally, on the subject of protection of persons, who report violations of Union regulations and national regulatory provisions (so-called “Whistleblowing” legislation”).

The retention period for personal data, in regard to the above-mentioned purpose is:

For purpose: a., for as long as necessary for the processing of the report and, in any case, no longer than 5 years from the date of the communication of the final outcome of the reporting procedure.

This retention period may lengthen in the event of litigation, findings by public or judicial authorities, and any special provisions of law.

  1. Recipients or categories of recipients of personal data (ex-art. 13 paragraph 1 (e) of the GDPR)*

As part of the aforementioned purposes, the Data Controller may communicate your data to:

  • offices and internal functions of the Data Controller, specifically entrusted with the management of the report, as well as, relatively and limitedly to the Reporting Person, the offices that may be involved for the purpose of taking appropriate disciplinary measures against the reported person, subject to the issuance of specific and free consent by the reporting person;
  • any external parties entrusted with the management of the reporting channel;
  • companies and professional operators that provide IT services, including, for example, software and cloud management;
  • control and supervisory bodies of the Data Controller, when it is necessary for the performance of their control activities;
  • with regard to the Reporting Person, any law firms, if the follow-up to the report involves legal proceedings, in the context of which it would be necessary to disclose the identity of the Reporting Person;
  • with regard to the Reporting, the persons involved, within the framework of disciplinary or reporting proceedings, should it be indispensable, respectively, for the defense of the accused or of the person involved, subject, in the latter case, to the appropriate and free consent of the Reporting Person;
  • judicial authorities and/or public supervisory authorities;
  • other public administrations and public authorities.

* More information on the Recipients (ex-art. 4.9 of the GDPR) is made available by the Data Controller at the above contact details.

  1. Recipients or categories of recipients of personal data (ex-art. 13 paragraph 1 (f) of the GDPR)* and personal data transfer outside the EU

The Data Controller informs you that it has no intention of transferring your data to countries outside the EU and EEA for the purposes stated above.

* More information on the Recipients (ex-art. 4.9 of the GDPR) is made available by the Data Controller at the above contact details.

 

  1. Data Subject’s rights (ex-art. 13 paragraph 2 (b) of the GDPR)

The Data Subject can exercise the following rights:

  • right of access by the data subject [art. 15 of EU Regulation] (possibility to be informed on the treatments carried out on his personal data and, if necessary, receive a copy of them);
  • right to rectification [art. 16 of EU Regulation] (data subject has the right to rectify incorrect data concerning him);
  • right to erasure without unjustified delay (“right to be forgotten”) [art. 17 of EU Regulation] (data subject has the right to delete his personal data);
  • right to restriction of processing, as provided by article 18 of EU Regulation, among the other cases, in case of illicit processing or contestation of the accuracy of personal data by the data subject [art. 18 of EU Regulation];
  • right to data portability [art.20 of EU Regulation], (data subject has the right to receive the personal data concerning him/her, which he/she or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as provided by the same article);
  • right to object to processing [art. 21 of EU Regulation] (the data subject has the right to object processing of personal data as provided by article 21 of EU Regulation);
  • right to not be subject to automated individual decision-making [art. 22 of EU Regulation] (The data subject shall have the right not to be subject to a decision based solely on automated processing).

Further information about the rights of the Data Subject may be obtained on the company website or by requesting from the Data Controller full excerpts of the above-mentioned articles.

Regarding the purposes for which consent is required, the Data Subject may revoke his or her consent at any time and the effects will run from the time of revocation, subject to the time limits provided by law. In general terms, revocation of consent affects only future processing.

The above-mentioned rights may be exercised in accordance with the Regulations by sending, also, an e-mail to the following address TIP@tamburi.it, specifying that the Data Subject may exercise the right of access, as per Article 15, limited to his or her own personal data and with the exclusion, therefore, of personal data relating to the reported persons or persons involved, without prejudice to the provisions regarding the obligation to respond to the report, in accordance with the aforementioned legislative decree, containing the communication regarding the follow-up to the report.

In accordance with Article 19 of the EU Regulation, the Data Controller proceeds to inform the recipients to whom the personal data have been disclosed, about any rectification, deletion or restriction of processing requested, where possible.

To enable a faster response to your requests made in the exercise of the above-mentioned rights, the same may be addressed to the Data Controller by sending them to the addresses indicated in point 1.

  1. Right to lodge a complaint (ex-art. 13 paragraph 2 (d) of the GDPR)

If the Data Subject believes that his or her rights have been compromised, he or she has the right to lodge a complaint with the Data Protection Authority in the manner specified by the Authority at the following Internet address http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or by sending written notice to the Data Protection Authority.

  1. Possible consequence of non-disclosure of personal data and nature of personal data provision (ex-art. 13 paragraph 2 (e) of the GDPR)

8.1      When fulfilling legal or contractual obligations

Please note that if the processing purposes have a legal or contractual (or even pre-contractual) obligation as a legal basis, the Data Subject must necessarily provide the requested data.

Failure to do so will make it impossible for the Data Controller to proceed with the pursuit of the specific processing purposes.

When the data are no longer needed these are routinely deleted, if deletion is impossible or possible only with disproportionate effort due to a particular storage mode the data cannot be processed and must be stored in inaccessible areas.

  1. Existence of automated decision making (including profiling activities)

The use of purely automated decision-making processes as detailed in Article 22 of the GDPR is currently excluded. If in the future it is decided to establish such processes for individual cases, the Data Subject will be notified separately if this is required by law or updated in this policy.

  1. Method of personal data processing

Personal data will be processed in paper, computerized and telematic form and entered in the relevant databases (customers, users, etc.) which may be accessed, and therefore become aware of, the persons expressly authorized by the Data Controller, which may be Processors or Authorized Personnel for the processing of personal data, which may carry out consultation operations, usage, processing, comparison and any other appropriate operation also automated in accordance with the provisions of the law necessary to ensure, among other things, the confidentiality and security of personal data as well as the accuracy, updating and relevance of the personal data to the stated purposes.

 

This privacy policy notice and its subsequent updates are publicized on the website www.tipspa.it.