WhistleblowingPolicy

With this disclosure BDF DIGITAL S.P.A. (hereinafter the “Company”) intends to provide the indications provided for in articles 13 and 14 of Regulation (EU) 2016/679 (or “General Data Protection Regulation” − “GDPR“), regarding the processing of personal data performed by the Company within the framework of its “Whistleblowing Policy” adopted in accordance with Italian Legislative Decree 10 March 2023 no. 24¹ and, in particular, and regarding all the activities and obligations related to the operation of the company system for the management of whistleblowing reports.

The following information is provided to “whistleblowers” and to all other potentially “interested parties”, such as, for example, the persons indicated as being possibly responsible for illegal conduct, any “facilitators” (as defined by the relevant legislation), as well as any other person in a different capacity involved in the “Whistleblowing Policy”.

The Data Controller of personal data is BDF DIGITAL S.P.A. (Via dell’Oreficeria 41, Vicenza). The Data Controller has appointed San Marco Informatica S.p.A. as Data Protection Officer for the Signalethic platform, which the data subject may contact directly.

According to the setting of the regulations in question, personal data may be acquired by the Company as they are contained in whistleblowing reports, or in the forms and documents attached thereto, received by the Company through the channels provided for in the afore-mentioned Policy.
The receipt and management of such reports may result, depending on their content, in the processing of the following categories of personal data:

a) common personal data referred to in art. 4, point 1, of the GDPR, including, for example, master data (first name, surname, date and place of birth), contact data (fixed and/or mobile telephone number, postal/e-mail address), job role/task;

b) “special” personal data pursuant to art. 9 of the GDPR, including, for example, information relating to health conditions, political opinions, religious or philosophical beliefs, sexual orientation or trade union membership;

c) “judicial” personal data pursuant to art. 10 of the GDPR, relating to criminal convictions and crimes, or related security measures.

With regard to the afore-mentioned categories of personal data, it is important that the reports sent contain no information that is manifestly irrelevant for the purposes of the reference regulation, inviting in particular the reporting subjects to refrain from using personal data of a “particular” and “judicial” nature if not deemed necessary and essential for the purposes of the same, in compliance with art. 5 of the GDPR.

The afore-mentioned information will be processed by the Company – Data Controller – according to the provisions prescribed by Italian Legislative Decree no. 24/2023 and, therefore, in general, in order to perform the necessary investigative activities aimed at verifying the substantiation of the facts being reported and the adoption of the consequent measures.
In addition, the data may be used by the Data Controller for purposes related to defence requirements or for the ascertaining of own rights in the context of judicial, administrative or out-of-court proceedings and in the context of civil, administrative or criminal disputes that occur in relation to the report made.

The legal basis for the processing of personal data is mainly constituted by the fulfilment of a legal obligation to which the Data Controller is subject – art. 6, para. 1, lett. c) of the GDPR – that, in particular, by virtue of the afore-mentioned legislation, is required to implement and manage information channels dedicated to receiving reports of illegal conduct detrimental to the integrity of the Company and/or of the public interest.

The processing of “special” personal data, possibly included in the reports, is based on the fulfilment of obligations and the exercise of specific rights of the Data Controller and of the data subject in the field of labour law, pursuant to art. 9, para. 2, letter b) of the GDPR.
As for the purpose of ascertaining, exercising or defending a right in court, the relative legal basis for the processing of personal data is constituted by the legitimate interest of the Data Controller, in this regard, referred to in art. 6, para. 1, lett. f), of the GDPR; for the same purpose, the processing of personal data of a “particular” nature, if any, is based on art. 9, para. 2, letter f) of the GDPR.

The provision of personal data is mandatory as, in accordance with the company’s “Whistleblowing Policy”, anonymous reports are not considered, i.e. reports from which it is not possible to ascertain the identity of the whistleblower. The personal data provided will be processed to manage the report according to the limits and with the guarantees of confidentiality imposed by the relevant legislation.

The processing of personal data included in the reports submitted in accordance with the “Whistleblowing Policy” will be performed by the subjects “appointed-authorised” by the Company and will be based on the principles of correctness, lawfulness and transparency, referred to in art. 5 of the GDPR.

The processing of personal data may be performed in analogical and/or computer/electronic ways, functional to store, manage and transmit them, in any case in application of adequate measures, of a physical, technical and organisational nature, aimed at guaranteeing their security and confidentiality at every stage of the procedure, including archiving of the report and of the related documents – without prejudice to the provisions of art. 12 of Italian Legislative Decree no. 24/2023 with particular reference to the identity of the whistleblower, of the persons involved and/or in any case of anyone mentioned in the reports, the content of the same and the related documentation.

The reports received by the Company, together with the forms and documents attached, will be kept for the time necessary to manage them and, in any case, as required by law, for a period not exceeding five years from the date of communication of the related final results. After this period, the reports will be deleted from the system, or kept in anonymised form

Consistent with the indications provided in paragraph 1, the personal data included in the reports that are manifestly irrelevant for the purposes of the same will be immediately deleted.

In addition to the afore-mentioned internal figures specifically authorised by the Data Controller, the personal data collected may be processed, within the framework of the “Whistleblowing Policy” and in pursuit of the purposes indicated, also by the following third parties, formally designated as Data Processors if the conditions provided for by art. 28 of the GDPR are met:

• suppliers of consultancy and assistance services in implementation of the “Whistleblowing Policy”;
• companies and IT professionals in relation to the application of adequate technical, IT and/or organisational security measures on the information processed by the company system. In our case, S. Marco Informatica is the provider of the “Signalethic” reporting platform.

If the justification exists, personal data may be transmitted to the Judicial Authority and/or Police Bodies that request it in the context of judicial investigations.
Personal data will be processed within the European Economic Area (EEA) and stored on servers located there.
Under no circumstances will personal data be disclosed.

Each data subject is entitled to exercise the rights referred to in articles 15 et seq. of the GDPR in order to obtain from the Data Controller, for example, access to their personal data, correction or deletion of the same or limitation of the processing that concerns them, without prejudice to the possibility, in the absence of satisfactory feedback, to lodge a complaint with the Guarantor Authority for the protection of personal data.

To exercise these rights, it is also necessary to submit a specific request in free form to the following address of the Data Controller: privacy@bdfdigital.it or to send the form available on the website of the Data Protection Authority to the same address.

In this regard, it is hereby stated that the afore-mentioned rights of data subjects to the processing of personal data may be limited pursuant to and for the purposes of art. 2-undecies of Italian Legislative Decree no. 196 of 30 June 2003 (“Privacy Code”, as amended by Italian Legislative Decree no. 101/2018), for the time and within the limits in which this constitutes a necessary and proportionate measure, if exercising of these rights may result in concrete and effective harm to the confidentiality of the identity of the reporting parties.

In these cases, the data subjects will in any case have the right to contact the Guarantor Authority so that the latter can assess whether the conditions for acting in the manner provided for in article 160 of Italian Legislative Decree no. 196/2003 are met.