PERSONAL DATA PROCESSING NOTICE
WHISTLEBLOWING PROCEDURE

in compliance with EU Regulation 2016/679
and Legislative Decree No. 24 of 10 March 2023
Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and on provisions concerning the protection of persons who report breaches of national laws.

Who is the data controller for your data if you report violations under D. Lgs 24/23?
Nuova Lofra srl, with registered office in via Montegrotto 125, Torreglia (PD) P.I. 04433800283, operating in the field of production and trade of kitchens, as the data controller, is concerned about the confidentiality of the person reporting the violation and, therefore, of your personal data in order to guarantee the necessary protection from any event that might put them at risk of violation.
The Controller has provided for an adequate policy aimed at the correct and safe collection and use of your personal data and at the exercise of the rights granted to you by the legislation in force. The Controller takes care to update the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organisational changes that may affect the processing of your personal data.

What data does the Data Controller collect from you?
In relation to reports covered by the protection provided for in Legislative Decree 10 March 2023, no. 24 (implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019), the Data Controller may collect and/or receive the following information about you:
– first name, last name;
– physical and telematic address;
– fixed and/or mobile telephone number;
– data provided for the purpose of representing alleged unlawful conduct of which the reporting person has become aware by reason of his or her work relationship and/or collaboration with the company committed by persons interacting with it in various capacities.

How and why does the Controller collect and process your personal data?
Your data will be collected through the Trusty AG system, a provider of web-based, secure and anonymous internal reporting systems, at https://www.lofra.it/whistleblowing/ or by other means chosen by you (email, PEC, phone call).

Your personal data will be processed for the following purposes:

1) for the execution and management of the reporting procedure

Purpose: for the execution and management of the reporting procedure
Legal basis: Fulfilment of regulatory obligations related to the complete handling of the report from submission to finalisation

2) for filing and storing the report

Purpose: for the filing and storage of the report
Legal basis: Fulfilment of regulatory obligations related to the complete handling of the report from submission to finalisation

3) for IT security activities

Purpose:
– control and monitoring of the use of the Data Controller’s IT equipment and infrastructures
– implementation of data breach detection and notification procedures

Legal basis:
– Performance of activities dependent on the relationship established
– Fulfilment of legal obligations (detection and notification of data breach events)
– Legitimate interest

The Data Controller does not transfer your personal data abroad (non-EU countries). The database is encrypted and hosted on virtual servers in high-security data centres located in the EU.

To whom your data are communicated
In compliance with the legislation in force, your data are confidential and processed only by the persons in charge of the company, and may be disclosed to the competent authorities at the outcome of investigations and for the fulfilment of regulatory obligations.
Please note that if the accusation is based, in whole or in part, on the report and knowledge of the identity of the whistleblower is essential for the defence of the accused, the report may be used in the disciplinary proceedings arising from the report only with the explicit consent of the whistleblower to the disclosure of his or her identity.
You will be notified in writing of the reasons for disclosure if it is essential to reveal the identity of the whistleblower and related information also for the defence of the person concerned.

How, where and for how long are your data stored?

How
Data processing is carried out, as the case may be, through paper media or computer systems by specially authorised persons. Access to your personal data is permitted to the persons in charge to the extent and within the limits necessary for the correct performance of the processing activities concerning you.
Nuova Lofra srl periodically checks the instruments used to process your personal data and all the security measures envisaged, updating them constantly. In particular, it respects all the rights set out in Articles 15 to 22 EU Regulation 2016/679, also through its employees specifically trained for this purpose.
The Data Controller guarantees that any data that, even following verifications, prove to be excessive or irrelevant will not be used except for the possible conservation, in accordance with the law, of the deed or document that contains them.

Where
The processed data are stored in paper, computer and electronic archives located within the European Economic Area, and appropriate security measures are in place to protect them.

How long
Your personal data collected on the occasion of your report are kept for the time necessary to fulfil the legal obligations related to the complete management of the report from its submission to its settlement and for the fulfilments, including legal ones, resulting from it, in any case no longer than 5 years from the closure of the procedure.

What are your rights?
At any time, if the conditions are met, you may exercise the following rights pursuant to Articles 15 to 22 EU Regulation 2016/679 by contacting the data controller at privacy@lofra.it:
a. request confirmation of the existence or non-existence of your personal data and obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, where possible, the storage period;
b. obtain the rectification and erasure of data;
c. obtain the restriction of processing when one of the cases provided for in Article 18 of EU Regulation 2016/679 applies;
d. obtain the portability of the data, i.e. receive them from a data controller, in a structured, commonly used and machine-readable format, and transmit them to another data controller without hindrance;
e. where the processing is based on consent, withdraw it at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation;
f. lodge a complaint with the Data Protection Authority;
g. object to an automated decision-making process concerning natural persons, including any profiling.
In the event of a request, the appropriate form will be provided.
You will in any case be given written feedback within 1 month of the request. The response time may be longer in cases of particular complexity, but in any case will not exceed 3 months. In such cases, the Controller will, within one month of receiving your request, inform you of the extension and of the reasons for it.
The exercise of rights is, in principle, free of charge, but there may be exceptions: in cases of particular complexity of the response, if the request is manifestly unfounded, excessive or even repetitive (Art. 12(5)), or if several ‘copies’ of personal data are requested in the case of the right of access (Art. 15(3)). In the latter case, the administrative costs incurred will be taken into account.

Clarifications
For any clarification or doubt in relation to Nuova Lofra srl’s data processing policy and this information notice, please contact the data controller at the e-mail address privacy@lofra.it. In the event of any changes to this policy, we will notify you of the new, updated version.