Whistleblowing

For the intents and purposes of art. 13 and 14 of European Regulation (EU) 2016/679 (hereinafter the “GDPR”) and the relevant Italian legislation, this is to inform you that the personal data you contribute in the context of whistleblowing reports will be processed by the procedures and for the purposes set out below:

1) Data Controller

Depending on the company to which the whistleblowing report is addressed, the Data Controller is:

  • Ocmis Irrigazione S.p.A., with registered office in Castelvetro di Modena (Modena, Italy), via S. Eusebio n. 7, certified email address: ocmis@pec.ocmis-irrigazione.it ,
  • Irtec S.p.A., with registered office in Castelvetro di Modena (Modena, Italy), via G. Mameli n. 12/14, certified email address: ocmis@pec.irtec-irrigazione.it;
  • Marani Irrigazione S.r.l., with registered office in Castelvetro di Modena (Modena, Italy), via S. Eusebio n. 7, certified email address: marani@pec.maraniirrigazione.it;
  • Scova Engineering S.p.A., with registered office in Castelvetro di Modena (Modena, Italy), via S. Eusebio n. 7, certified email address: scova@pec.scova-engineering.it;
  • R.M. S.r.l., with registered office in Castelvetro di Modena (Modena, Italy), via Palona n. 28/C, certified email address: officinerm@pec.officinerm.it

and in its capacity of Data Controller with regard to the processing of your personal data pursuant to European Regulation (EU) 2016/679 and Italian legislation, it hereby informs you that your data will be processed in a fair, lawful, transparent manner which protects your privacy and your rights.

2) Category of personal data processed

The personal data processed further to a whistleblowing report will be all the data of relevance for management of the report, which you have contributed by compiling the form provided or which have been collected during the investigation, which may concern:

  1. a) identification (e.g. first name and surname) and contact (e.g. phone number, email address, etc.) data of employees, customers and third parties (such as suppliers and consultants, for example);
  2. b) employment data (e.g. external associate, company), data concerning qualifications and duties and in any way related to the employment relationship (e.g. type of contract, rank) and social security and payroll data;
  3. c) details concerning the unlawful conduct reported, such as written documents, photographs, videos, data relating to special categories of personal data (e.g. health data etc.), data relating to administrative law proceedings, judicial data, civil court sentences, criminal convictions and offences, also concerning third parties involved in the report.

Personal data are collected directly from the data subject (e.g. data concerning the whistleblower) or from third parties (e.g. as in the case of the personal data of the subject of the report or any third parties), or obtained from the report or the subsequent investigations.

3) Purposes

Your personal data are processed for the management of whistleblowing reports regarding presumed breaches of or incomplete compliance with national and/or European Union legislation damaging to the public interest or the integrity of government bodies or private organisations, submitted by employees, associates and third parties in accordance with the provisions of Italian Legislative Decree no. 24/2023.

The personal data acquired through your whistleblowing report may be used to perform the necessary investigations to verify the merits of the report and, if appropriate, to adopt suitable corrective measures and undertake the appropriate disciplinary actions with the possible imposition of penalties, as well to bring as legal proceedings against the subjects responsible for the unlawful conduct.

4) Legal Basis

The legal basis for the processing as above is as follows: art. 6, para. 1, point. c) of the GDPR, i.e. compliance with a legal obligation to which the Data Controller is subject, as per Leg. Dec. no. 24/2023, and the legitimate interest of the Data Controller in preventing and punishing unlawful conduct damaging to the public interest, the integrity of government bodies or private organisations and, if appropriate, the protection of the legitimate interests and rights of the Data Controller and/or third parties, also through judicial proceedings (art. 6, para. 1, point f) of the GDPR).

The legal basis for the processing of special categories of data is provided by art. 9, para. 2, point b) of the GDPR, i.e. compliance with obligations to which the Data Controller is subject, and point f) of the same article, i.e. the affirmation, exercise and defence of a right.

The legal basis with regard to data concerning convictions and offences is art. 2 octies, para. 3 of Leg. Dec. no. 196/2003 (known as the “Data Protection Code”).

Your consent is not required for the processing of personal data for the purposes covered by point 3 of this Privacy Policy Statement.

5) Data processing methods

Your personal data will be processed in accordance with the principles of proportionality in relation to the purposes pursued and the minimisation of data processing, taking care to ensure confidentiality and the measures required to prevent any kind of disclosure of information to third parties or unauthorised staff.

All processing takes place with the adoption of adequate technical and organisational security measures, in accordance with the provisions of art. 32 of the EU Regulation.

All data are processed in electronic, voice recording and/or paper form and measures are implemented to minimise processing, with regard to the type of data, access authorisations and storage times, in accordance with the provisions of Leg. Dec. no. 24/2023 and the specific procedure adopted by the Data Controller.

In all cases, during processing of the personal data contributed the confidentiality of the identity of the whistleblower and of any people involved, and of the contents of the whistleblowing report and the relative documentation, will be protected.

6) Nature of the contribution of data

The contribution of personal data is optional for the submission of a whistleblowing report.

However, if all or some of the data referred to in subsections a), b) and c) of point 2.3 of this Privacy Policy Statement are not provided, it may be impossible to follow up the whistleblowing report effectively.

7) Categories of recipients of personal data and automated decision-making process

Your personal data and those of the people indicated as potentially responsible for the unlawful conduct, and of anyone in any way involved in the reported events, will not be disclosed.

The whistleblower’s identity and any information from which it may be directly or indirectly obtained cannot be revealed to anyone other than the persons assigned to receive and follow up the whistleblowing report except with the whistleblower’s specific consent in accordance with Leg. Dec. no. 24/2023.

The right to confidentiality ceases if the whistleblower is suspected of slander and libel under the Italian Criminal Code or art. 2043 of the Italian Civil Code, or in the circumstances covered by art. 12 of Leg. Dec. no. 24/2023.

Therefore, your personal data will be processed by staff with the skills required to receive or follow up whistleblowing reports, specifically authorised to process the said data pursuant to art. 29 and 32, para. 4 of the GDPR and art. 2-quaterdecies of Leg. Dec. no. 196/03.

Your personal data may be disclosed to third parties (e.g. companies) which provide technical and organisational and other functions and/or services necessary for the fulfilment of the purposes set out in point 3, designated as Data Processors.

Moreover, data collected further to whistleblowing reports may also be communicated to any other bodies involved in their investigation and management, and to supervisory and controlling bodies.

If appropriate, the said data may be communicated to the competent Authorities, if the relevant laws have been breached, as well as being disclosed on the request of the Authorities themselves.

The aforesaid entities may act independently (as “Data Controllers”) or on our behalf, within the limits set by the instructions provided to them (as “External Data Processors”).

The up-to-date list of External Data Processors is available on request from the contacts provided herein.

Further to the adoption of measures to guarantee the confidentiality of the information contained in whistleblowing reports, for the pursuance of the purposes stated above the Data Controller may disclose the data contributed by you or subsequently collected to professionals involved in various ways in the investigation and management of the said reports.

Moreover, your data will not be in any way inserted in any automated decision-making process.

8) Transfer of data outside the European Union

Your data will not be transferred to a third country or an International Organisation (country outside the European Union).

9) Data storage period

Your personal data will be stored for the period of time necessary to process the report and in all cases for no more than 5 years after the date of notification of the final outcome of the whistleblowing procedure. After this period, if further storage of the data is necessary for jurisdictional safeguards and/or for any disciplinary and/or criminal proceedings, data will be stored to permit these purposes, until such time as they are concluded.

10) Rights of the data subject

With regard to the processing of your personal data, you are entitled to exercise the following rights at any time: a) Right of access to personal data (art. 15 GDPR): to obtain confirmation as to whether or not data relating to you are held and to obtain a copy of them; b) Right to rectification (art. 16 GDPR): right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data; c) Right to erasure (art. 17 GDPR): to obtain from the Data Controller, without undue delay, the erasure of personal data concerning you, provided their continued storage is not required by law; d) Right to restriction of processing (art. 18 GDPR): to obtain from the Data Controller the restriction of processing to specified purposes, provided one of the specific legal grounds envisaged by the regulatory framework applies; e) Right to portability (art. 20 GDPR): to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format and to have them transmitted to another controller without hindrance; f) Right to object (art. 21 GDPR): to oppose the processing of personal data concerning you at any time, for reasons related to your particular situation.

Depending on the company concerned, all the aforesaid rights may be exercised by writing:

  • for Ocmis Irrigazione S.p.A. to the registered office in Castelvetro di Modena (Modena, Italy), via S. Eusebio n. 7, or by certified email to: ocmis@pec.ocmis-irrigazione.it;
  • for Irtec S.p.A. to the registered office in Castelvetro di Modena (Modena, Italy), via G. Mameli n. 12/14, or by certified email to: irtec@pec.irtec-irrigazione.it;
  • for Marani Irrigazione S.r.l. to the registered office in Castelvetro di Modena (Modena, Italy), via S. Eusebio n. 7, or by certified email to: marani@pec.maraniirrigazione.it;
  • for Scova Engineering S.p.A. to the registered office in Castelvetro di Modena (Modena, Italy), via S. Eusebio n. 7, or by certified email to: scova@pec.scova-engineering.it;
  • for R.M. S.r.l. to the registered office in Castelvetro di Modena (Modena, Italy), via Palona n. 28/C, or by certified email to: officinerm@pec.officinerm.it;

The exercise of the rights of the Data Subject who is the subject of the whistleblowing report under articles 15 et seq. of the GDPR will be guaranteed as far as this is compatible with the need to ensure the confidentiality of the identity of the whistleblower, in accordance with Leg. Dec. no. 24/2023 and art. 2 undecies of Leg. Dec. no. 196/2003 as amended (the “Data Protection Code”) and implementing article 23 of the GDPR, which envisages that the aforementioned rights cannot be exercised by data subjects involved in whistleblowing reports if the exercise of the said rights may be effectively prejudicial to the confidentiality of the whistleblower’s identity.

Under art. 77 of the GDPR, you are also entitled to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

The Data Controller
Ocmis Irrigazione S.p.A.

The Data Controller
Irtec S.p.A.

The Data Controller
Marani Irrigazione S.r.l.

The Data Controller
Scova Engineering S.p.A.

The Data Controller
R.M. S.r.l.