Whistleblowing information

Olivari B. S.p.A.

Pursuant to Article 13 of Regulation (EU) No. 2016/679 (General Data Protection Regulation, hereinafter GDPR) and Legislative Decree 24/2023, Olivari B. S.p.A. (hereinafter Data Controller) provides information regarding the processing of your personal data for the management of the Report you submitted to the attention of the Company.

“Whistleblowing” means any communication concerning violations and conduct aimed at concealing violations of which employees, trainees, collaborators of companies supplying goods or services, as well as self-employed workers, freelancers and consultants performing their activities and carrying out works in favor of the Data Controller, in accordance with Legislative Decree no. 24/2023, implementing Directive (EU) 2019/1937 on the protection of persons who report violations of Union law or national regulatory provisions (so-called “Whistleblowing Decree”).

1. Data Controller and how to get in contact

The Data Controller of the processing of personal data is Olivari B. S.p.A., with registered office in Via Matteotti 140, 28021 Borgomanero (NO) – Italy.

The Data Controller can be contacted through the following channels:

2. Categories of personal data

  • Common personal data referred to in Article 4, paragraph 1 of the GDPR of the Whistleblower (in the case of non-anonymous Reports) as well as of any Persons involved in or mentioned in the Report and Facilitators, as defined by the Whistleblowing Procedure (hereafter “Data Subjects”), such as: biographical data (e.g., first name, last name, date and place of birth), contact data (e.g., landline and/or mobile phone number, postal/e-mail address).
  • Special categories of data under Article 9 of the GDPR, if included in the report.

3. Purpose of processing and its legal basis

The aforementioned personal data are processed by the Data Controller for the following purposes:

a. management of the Report made pursuant to Legislative Decree No. 24/2023;
b. fulfillment of obligations under the law or EU regulations;
c. defense or ascertainment of one’s right in civil, administrative or criminal litigation.

The legal basis for the processing is:

  • for the purpose referred to in (a), the fulfillment of a legal obligation to which the Data Controller is subject (Art. 6(1)(c) of the GDPR); in addition, for recorded reports collected by telephone or through voice messaging systems or otherwise in oral form, the consent of the Reporting Party (Art. 6(1)(a) of the GDPR);
  • for the purposes referred to in (b), the fulfillment of a legal obligation to which the Data Controller is subject (Art. 6(1)(c) of the GDPR);
  • for the purposes referred to in (c), the legitimate interest of the Data Controller (Art. 6(1)(f) of the GDPR).

The provision of data is necessary for the achievement of the above purposes; failure to provide data, or the provision of partial or inaccurate data, may result in the inability to handle the report.

4. Retention of personal data

The Data Controller retains personal data according to the terms provided for in Article 14 of Legislative Decree No. 24/2023, i.e., for the time necessary for the processing of the report and in any case for no longer than 5 years from the date of communication of the final outcome of the Report.

Personal data that are manifestly not useful for the processing of a specific report shall not be collected or, if accidentally collected, shall be deleted promptly.

5. Method of processing

The data – where provided and collected – will also be processed with electronic instruments, registered in special databases, and used strictly and exclusively for the indicated purposes. These tools are suitable to guarantee the security of the processing and confidentiality of the personal data collected, as well as to prevent unauthorized access, dissemination, modification and subtraction of the data, thanks to the adoption of appropriate technical and organizational security measures, in compliance with the above-mentioned regulations and related confidentiality obligations and, in any case, according to the purposes and methods reported in this information notice.

6. Categories of third parties to whom the data may be disclosed

Some processing of personal data may be carried out by third parties, to whom the Data Controller entrusts certain activities (or part of them) for the purposes referred to in point 3; these parties will operate as autonomous Data Controllers or will be designated Data Processors and are essentially included in the following categories:

a. Consultants (CNVV, CdL, law firms, etc.);
b. Companies in charge of personnel administration and management;
c. Auditing/auditing firms;
d. Investigative agencies;
e. Public Institutions and/or Authorities, Judicial Authority, Police Organs;
f. Digital platform Wallbreakers, in its capacity as Data Processor.

7. Rights of Data Subjects

The system for the management of Reports guarantees, at every stage, the confidentiality of the identity of the Reporting Party, the Persons involved and/or otherwise mentioned in the Report, the content of the Report and the related documentation, with the exception of the provisions of Article 12 of Legislative Decree No. 24/2023.

Confidentiality will be protected, to the maximum extent permitted, with particular reference to the identity of the reporter, which will not be disclosed to the reported subject or to third parties, except when necessary for the needs of judicial protection, to fulfill legal obligations, and in any case always within the limits provided by law, in order to avoid retaliation, threats, violence, discrimination, etc., direct or indirect against him for reasons related directly or indirectly to the Reporting. The confidentiality of identity cannot be guaranteed in the case of Illegal Reporting (by which is meant that reporting which, from the results of the investigative phase, is found to be unfounded on the basis of objective elements, and with respect to which the concrete circumstances ascertained in the course of the same investigation allow for the belief that it was made in bad faith or with serious negligence).

The reporter or facilitator has the right to access at any time the data concerning him or her and to exercise the rights provided for in Articles 15 to 22 of the GDPR, as far as applicable (right of access to personal data, right to rectify them, right to obtain their deletion or so-called right to be forgotten, the right to restriction of processing, the right to portability of personal data or the right to object to processing) by sending an e-mail to: privacy@olivari.it

In addition, the Data Subject has the right to file a complaint with the Data Protection Authority.

The aforementioned rights are not exercisable by the person involved or the person mentioned in the report, for the time and to the extent that this constitutes a necessary and proportionate measure, pursuant to Article 2-undecies of the Privacy Code because the exercise of these rights could result in actual and concrete prejudice to the protection of the confidentiality of the identity of the reporting person.

The Data Controller reserves the right to limit or delay the exercise of these rights, within the limits set by the applicable legal provisions, particularly where there is a risk that actual, concrete and not otherwise justified prejudice to the confidentiality of the identity of the Reporting Party may result and that the ability to effectively verify the merits of the Reporting or to gather the necessary evidence may be compromised.

This policy is effective December 14, 2023.