Reporting party privacy policy

Information on the processing of personal data within the context of whistleblowing reporting

This information is provided to users/visitors who interact with the official web system of the Exprivia Group for reporting potential illicit acts or irregularities that have come to their attention in the context of work. The system, which intends to promote a culture of ethics and legality against irregular conduct witnessed, is accessible electronically at the address

The following information is provided, pursuant to:

  • the art. 13 of EU Regulation 2016/679;
  • Provision of the Italian Privacy Authority no. 229 of 8 May 2014 (Identification of the simplified procedures for the information and the acquisition of consent for the use of cookies);
  • the Guidelines of WP 29 of 10 April 2019, ratified by the European Committee for the protection of personal data and replaced by the Guidelines 05/2020 on consent under Regulation 2016/679 adopted on 4 May 2020;
  • Provision of the Italian Privacy Authority no. 231 of 10 June 2021 (Guidelines for cookies and other tracking tools) which supplements Provision no. 229 of 2014 and provides important clarifications in order to assist data controllers in the correct application of the current regulatory framework;
  • Recommendation no. 2/2001 of the Art. 29 Group, relating to the minimum requirements for online data collection in the EU;
  • Directive 2009/136/EC, amending Directive 2002/58/EC ("E-Privacy Directive"), relating to the processing of personal data and the protection of privacy in the electronic communications sector;
  • law no. 179 of 30 November 2017, "Provisions for the protection of the authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship", which entered into force on 29 December 2017, which provides for an article concerning the "Protection of employees or collaborators who report offences in the private sector", and establishes, for the first time in our legal system, specific measures to protect whistleblowers in the private sector, adding co. 2-bis within art. 6 of the Italian Legislative Decree no. 231 of 8 June 2001, "Discipline on the administrative liability of legal persons, companies and associations also not recognised as legal entities, pursuant to article 11 of law no. 300 of 29 September 2000";
  • Opinion of the Guarantor of 4 December 2019, doc web no. 9215763, on the outline of the “Guidelines for the protection of the authors of reports of crimes or irregularities of which they have become aware due to an employment relationship pursuant to art. 54 bis of Italian Legislative Decree 165/2001 ("whistleblowing")" of ANAC;
  • Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, concerning the protection of persons who report violations of Union law (in OJEU L 305, 26.11.2019, p. 17–56).

The system is intended for employees of the Exprivia Group and all those who, in general, operate, in Italy and abroad, on behalf or for the benefit of the Group or who have business relationships with the latter through any type of contract or assignment. The events subject to reporting must generally concern the reasonable and legitimate suspicion or the awareness in good faith of illegal conduct or irregularities in the workplace that may harm the integrity of the Exprivia Group such as, for example, violations of the Code of Ethics, incidents that may include crimes or cause damage to property or reputation, violations of provisions or internal procedures. Therefore, facts based on "rumours" or "hearsay" or complaints of a personal nature should not be reported.

This policy describes the management methods of the official system of the Exprivia Group, but not of other external websites that may be consulted by the user via links. Additional information may be provided within specific sections.


1.1 Purpose of the processing

The system allows for reports to be made in total anonymity, but optionally the user (whistleblower) could provide their identity. The identity of the reported person is always required. Therefore, the processing of personal data concerns the identity of the reported subject and, only if the user so decides, the identity of the reporting party, whose identity will be maintained strictly confidential.
The processing is carried out with the objectives of:

  • 1) Initiating the necessary investigative activities aimed at verifying the validity of the fact that is the object of the report, learned in the execution of the employment relationship, in relation to illegal or fraudulent activities relevant pursuant to decree 231/2001 and subsequent amendments, and based on precise and consistent factual elements, or violations of the organization and management model of the companies of the Exprivia group, of which they have become aware due to the functions performed;
  • 2) Prohibiting retaliatory or discriminatory acts, direct or indirect, towards the reporting subject for reasons connected, directly or indirectly, to the report, also through communication to INPS;
  • 3) Adopting disciplinary sanctions on the part of the Employer in accordance with the organizational model referred to in Law 231/2001, both towards those who violate the protection measures of the reporting subject and towards those who make, with intent or gross negligence, reports that turn out to be unfounded.

The legal basis of the processing is inherent in the need to fulfil a legal obligation to which the Data Controller is subject, with reference to the provisions contained in Law no. 179 of 30 November 2017 ("Provisions for the protection of the authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship") and in Italian Legislative Decree no. 231 of 8 June 2001 ("Discipline of administrative liability of legal persons, companies and associations, including those without legal personality, pursuant to article 11 of law no. 300 of 29 September 2000").

In more detail, the processing of personal data carried out by the Data Controller is therefore necessary to fulfil a legal obligation to which the data controller is subject (Article 6, § 1, letter c) of the Regulation), and, with regard to particular categories of data (Article 9, § 2, letter b) of the Regulation in relation to art. 54-bis) or to data relating to criminal convictions and offences, may also be considered necessary for the performance of a task of public interest contemplated by the law (art. 6, § 1, lett. e) and art. 9, § 2, lett. g) and 10 of the Regulation).

The personal data of those reported may also be used for the fulfilment of legal obligations. The data of the reporting parties may be processed only in the cases provided for by current legislation.

1.2 Navigation data

The computer systems and "software" procedures used to operate this web system acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This information is not collected in order to be associated with identified interested parties, but by its very nature it could, through processing and association with data held by third parties (carried out only upon explicit request from the Judicial Authority), allow users to be identified.

1.3 Cookies

A cookie is a text file that a website sends to the browser on the user's computer. The browser saves the information and retransmits it to the site server when the browser accesses that website again.
A cookie generally contains the name of the Internet domain (the site IP address) from which the cookie comes, the "duration" of the cookie (i.e. the indication of when it expires), and a numerical code, usually a single randomly generated number.

1.3.1 Technical cookies

The system uses only first-party technical cookies necessary for navigation and does not allow the acquisition of the user's personal identification data.

At any time, the user will still have the right to accept or decline the use of cookies by changing the settings of their browser. If the user uses different computers in different locations, they must make sure that each browser is set up correctly. The user can easily delete each cookie installed in the cookie folder, following the procedures provided by the browser used.


Browsing the web system of the Exprivia Group allows access, through links, to other websites managed by third parties. These sites can collect personal information on the interested party. Exprivia does not control the sites that are managed by these subjects and cannot be held responsible for their conduct.

The provisions for protecting the privacy and security of personal data processed on the sites linked from or to the Exprivia Group site are not covered by this privacy policy. Therefore, Exprivia is not responsible for the privacy practices of these sites.


Personal data is processed with authorised tools (e.g. using electronic procedures and supports) and/or manually (e.g. in paper format) for the time strictly necessary to achieve the purposes for which it was collected and, in any case, in compliance with the applicable legal provisions on the matter. Specific security measures are observed to prevent the loss of data, illicit or incorrect uses and unauthorised access.

Data collected will not be subject to any automated decision-making process nor any form of profiling.

After this term has elapsed, the data will be deleted or anonymised, without prejudice to their further storage being necessary to fulfil legal obligations or to comply with orders issued by Public Authorities.


The Data Controllers of personal data relating to identified or identifiable persons collected through this system are the Companies part of the Exprivia Group:

• Exprivia S.p.A. with registered office in Via A. Olivetti, 11 – Molfetta (BA);
• Exprivia Projects Srl with registered office in Viale del Tintoretto 432 – Rome.

The Data Controllers have appointed a Data Protection Officer in compliance with article 37 et seq. of EU Regulation 2016/679, who may be contacted:

• through Exprivia SpA at the following address and email:
• through Exprivia Projects Srl at the following address and email:

The processing operations connected to the web services of this site are handled exclusively by technical personnel, appointed/authorized and trained in the correct processing of personal data, which will in no case be disclosed.


The recipients of the data collected following the report, where appropriate, are the Judicial Authority, the Court of Auditors (for reports made with reference to the activities of the entities in favour of which the Group companies provide public services) and ANAC.

In particular, data may be transmitted to:

• external consultants (e.g. law firms) possibly involved in the investigation phase of the report;
• company functions involved in the activity of receiving, examining and evaluating reports;
• manager(s) of the function(s) concerned by the report (e.g. Internal Audit function, Legal function, Supervisory Body or other reference function with respect to the reported subject);
• organisational positions with the task of carrying out investigations on reports in cases where their knowledge is essential for the understanding of the reported events and/or for the performance of the related investigation and/or processing activities;
• institutions and/or Public Authorities, Judicial Authorities, Police Bodies, investigative Agencies;
• supervisory body appointed pursuant to Italian Legislative Decree 231/2001;
• manager responsible for the prevention of corruption and transparency (RPCT), where appointed;
• INPS, when retaliatory acts against the reporting party have been confirmed.

Personal data so collected is also processed by the Data Controller's personnel, who act on the basis of specific instructions provided for the purposes and procedures of the same processing. Personal data so collected will not be disseminated, nor will it be transferred to third countries (extra-EU).


The "interested parties", or the natural persons to whom the data refer, have the right, at any time, to access the information concerning them and request its updating, rectification and integration, as well as its cancellation, transformation into anonymous form or blocking, limitation of processing and portability of data, as well as to object, in whole or in part and for legitimate reasons, to their processing, pursuant to articles 15 to 22 of Regulation EU 2016/679.

Furthermore, if the processing of their data is based on consent, interested parties may revoke it at any time. The withdrawal of consent does not invalidate the previous processing. Please note that the interested party can always oppose the processing for promotional purposes.

Portability consists of the right of the interested party to receive, in a structured format, commonly used and readable by an automatic device, the personal data provided to the Data Controllers, as well as the transmission of the same to another data controller, and this at any time, even upon the termination of any relationships with the Data Controllers.

The processing of personal data carried out for IT security purposes or for defensive needs is included among the processing carried out for the legitimate interest of the Data Controller. In this case the interested party can object only for reasons connected to their particular situation, which the Data Controller will evaluate without prejudice to the execution of defensive purposes.

For any information regarding the processing of data, as well as for the exercise of the rights referred to in articles 15-22 of EU Regulation 2016/679, users can send an e-mail to the addresses of the DPO indicated above.

Furthermore, interested parties have the right to contact the Guarantor for the protection of personal data or other authorities to lodge a complaint regarding the processing of their personal data.