Information for the processing of personal data deriving from the management of reports

1. Data controller and data protection officer

The Data Controller is Italdesign Giugiaro S.p.A., with registered office in Turin, via San Quintino 28 and operational headquarters in Moncalieri (TO), via Achille Grandi 25, which can be contacted by writing to privacy@italdesign.it or by sending a registered letter to the attention of the Legal & Governance Manager, c/o Italdesign – Giugiaro S.p.A., via Achille Grandi, 25, Moncalieri (TO).

The Data Protection Officer (DPO) can be contacted by sending an email to dpo@italdesign.it.

 

2. Categories of data subjects

A data subject is the identified or identifiable natural person to whom the personal data refer (see Article 4, paragraph 1, no. 1 GDPR).

For the purposes of this information pursuant to art. 13 GDPR, the following are considered as data subjects, and, therefore, the subjects to whom this information is addressed:

  • The reporting person: the natural person who reports information on breaches acquired in his or her work context;
  • The facilitator: a natural person who assists a reporting person in the reporting process, operating within the same work context and whose assistance must be kept confidential;
  • The affected person: the natural person mentioned in the report as the person to whom the breach is attributed or as a person otherwise involved in the reported breach.

 

3. Object of the data processing

The Data Controller will process the following personal data of the data subjects:

  • Identification and contact data, such as name and surname, e-mail address or telephone number;
  • Data relating to the relationship with the Data Controller;
  • Other data entered by the reporting person in the reporting form or acquired during investigations.

In the management of reports, data belonging to special categories referred to in Article 9 GDPR, as well as data relating to criminal convictions pursuant to art. 10 GDPR, may be processed.

 

4. Purpose and legal basis of the processing

The Data Controller will process the personal data of the data subjects only for the following purposes:

  • Taking charge of the report;
  • Sending any requests and/or receiving feedback related to the report;
  • Preliminary checks on the validity of the report;
  • Management of measures, including disciplinary actions.

The legal basis can be found in Article 6, paragraph 1, letter c) GDPR, Legislative Decree no. 24/2023, Article 9, paragraph 2, letters b) and g) GDPR, and Article 10 GDPR.

 

5. Processing methods and storage times

The personal data will be processed according to art. 5 GDPR, ensuring lawfulness, fairness, and transparency. Data will be retained for up to five years from the closure of investigations or longer in case of documented legal needs.

Data not useful for processing specific reports will be deleted immediately.

 

6. Recipients of the data

Personal data will be made accessible only to authorized internal subjects, third-party service providers designated as Data Processors, and public entities if legally required. The reporting person’s identity will remain confidential unless explicitly agreed or necessary for defense purposes in disciplinary proceedings.

 

7. Data transfer

Data will not be transferred to non-EU countries. If necessary, the Data Controller ensures compliance with Chapter V GDPR.

 

8. Rights of the data subjects

Data subjects may exercise the following rights under GDPR:

  1. Right of access (art. 15 GDPR): Obtain confirmation of data processing and a copy of the data.
  2. Right of rectification (art. 16 GDPR): Correct inaccurate data or request completion of incomplete data.
  3. Right to erasure (art. 17 GDPR): Request deletion of personal data, subject to legal limitations.
  4. Right to restriction (art. 18 GDPR): Limit data processing under specified conditions.
  5. Right to data portability (art. 20 GDPR): Receive personal data in a structured, machine-readable format and transmit it to another controller.
  6. Right to lodge a complaint (art. 77 GDPR): Submit a complaint to the Data Protection Authority.

Requests will be addressed within 30 days, with justifications provided for any refusals.

 

9. How to exercise your rights and communications

To exercise the above rights, contact the DPO at dpo@italdesign.it.

 

Sincerely,

Italdesign-Giugiaro S.p.A.