Reporting party privacy policy

Information sheet on the processing of personal data as part of the reporting procedure - whisteblowing


This information is provided to users/visitors who interact with the official web system of the Exprivia Group, for reports on potential illicit acts or irregularities that have come to their attention in the context of work and is aimed at promoting a culture of ethics and lawfulness against irregular conduct witnessed, accessible electronically at the address

The following information is provided, pursuant to:

  • 13 of EU Regulation 2016/679;
  • Italian Legislative Decree 24 of 2023, which repealed paragraph 2 bis of Art. 6 of Italian Legislative Decree 231/2001 and specifically introduced in art. 13, the obligation to issue privacy disclosures to whistleblowers as well as to the persons involved;
  • Resolution no. 311 of 12 July 2023 - “Guidelines on the protection of whistleblowers reporting violations of EU law and protection of whistleblowers reporting violations of national regulatory provisions. Procedures for the submission and management of external reports", better known as the Whistleblowing Guidelines, published in the Official Journal General Series no. 172 of 25 July 2023;
  • the Opinion of the Personal Data Protection Authority, issued on 6 July 2023, regarding the Guidelines Information Sheet on the protection of whistleblowers who report violations of EU law and the protection of whistleblowers who report violations of Italian regulatory provisions. Procedures for the presentation and management of external whistleblowing reports adopted by ANAC (docweb no. 9912239);
  • the Operating Guide for private entities entitled “New whistleblowing regulations” adopted by Confindustria in October 2023;
  • the Directive (EU) 2019/1937 of the European Parliament and the Council of 23 October 2019, concerning the protection of whistleblowers who report violations of EU law (OJEU L. 305 of 26/11/2019, p. 17–56).
  • law no. 179 of 30 November 2017, "Provisions for the protection of the authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship", which entered into force on 29 December 2017, which provides for an article concerning the "Protection of employees or collaborators who report offences in the private sector ", and establishes, for the first time in our legal system, specific measures to protect whistleblowers in the private sector, adding para. 2-bis within art. 6 of the Italian Legislative Decree no. 231 of 8 June 2001, «Regulations on the administrative liability of legal persons, companies and associations also not recognised as legal entities, pursuant to art. 11 of law no. 300 of 29 September 2000"; This paragraph 2-bis was replaced by art. 24 of Italian Legislative Decree no. 24 of 2023, which establishes that the Organisational Models 231 provide for internal whistleblowing channels, for the prohibition of retaliation and for the disciplinary system;
  • Opinion of the Personal Data Protection Authority of 4 December 2019, doc web no. 9215763, on the outline of the “Guidelines for the protection of the authors of reports of crimes or irregularities of which they have become aware by reason of an employment relationship pursuant to art. 54 bis of Italian Legislative Decree 165/2001 ("whistleblowing") of ANAC.


The system is intended for employees of the Exprivia Group and all those who in general operate in Italy and abroad, on behalf or for the benefit of the Group, or who have business relationships with the latter through any type of contract or assignment and who have become aware of the unlawful act that will be reported within the work context.

The events to be reported must concern, in general, the reasonable and legitimate suspicion or awareness in good faith of unlawful conduct or irregularities of which one has gained knowledge in the context of the work activity that may be detrimental to the integrity of the Exprivia Group, such as, for example, the violation of Italian laws which include violations of the predicate offences under Legislative Decree 231/2001, violation of the Organisational Model 231 as well as the violation of the directly applicable European regulations and implementing rules on public contracts; services, products and financial markets and prevention of money laundering and terrorist financing; products and services safety and compliance with the law; transport safety; environmental protection; radiation protection and nuclear safety; animal food and feed safety as well as animal health and welfare; public health; consumer protection; privacy and personal data protection and the security of networks and information systems, as well as other specifically identified European regulations. 

On the other hand, the following should not be the subject of whistleblowing reports:

  • requests related to a personal interest of the whistleblower, or of the person who has filed a complaint with the judicial or accounting authority that relate to his/her individual employment or employment relationships;
  • reports of violations already governed by other European Union acts stated in Part II of the Annex to Legislative Decree 24/2023;
  • reporting on national security, defence systems and similar matters.

This policy describes the management methods of the official system of the Exprivia Group, but not of other external websites that may be consulted by the user via links. Additional information may be provided within specific sections.

Italian Legislative Decree 24/2023, art. 12, requires that the identity of the whistleblower and any other information that may be inferred, directly or indirectly, be protected, unless the whistleblower has given his/her consent to the disclosure of his/her report to third parties.

In the context of disciplinary proceedings against the reported person, the identity of the whistleblower may not be disclosed if the allegation of the disciplinary charge is based on further investigations beyond the report.

It should be noted that if the knowledge of the whistleblower is essential for the defence of the reported person, the whistleblowing report may be used in the disciplinary proceedings against the reported person only if the whistleblower gives his/her consent to the disclosure of his/her identity or the set forth legal conditions are met. This disclosure is issued as of now, also pursuant to art. 12 paragraphs 5 and 6 of Legislative Decree 24/2023.

With regard to the cases in which it is necessary to identify the whistleblower, please refer to the Whistleblowing Reporting Procedure prepared by the Data Controllers.

It should be noted that to protect privacy, whistleblowing reports are exempt from the accessing procedures set forth in Italian Law 241/1990 as well as other civic access procedures.

Please indicate in your report that you wish to keep your identity confidential and that you wish to make use of the regulatory protection system also against retaliation.


Please be reminded that for reporting purposes you may use all the whistleblowing channels adopted by the Data Controller companies, such as:

  • The IT platform accessible from the website of the Data Controller companies;
  • The telephone number of the company switchboard to be used depends on whether or not you wish to release information on your identity, although we would remind you that the telephone in any case allows your voice to be heard and that it is a type of personal data for which you may be identifiable;
  • Request for a meeting that can be sent, through the company switchboard, to the reporting management office set up at the Data Controller companies and that can be contacted directly in person or by telephone at the dedicated number activated by the Data Controller companies;
  • Submission on paper by post. If you choose this method, please use a double envelope and insert the report in a separate envelope addressed to the whistleblowing office.

On the other hand, please avoid sending your reports by email or by certified email, given that, as highlighted by the Personal Data Protection Authority in its Opinion of 6 July 2023 on the ANAC Guidelines of 2023 regarding whistleblowing reports, such methods do not allow us to protect the confidentiality of your identity in view of the technical security measures protecting such methods.

The internal reporting channels are established, in the private sector, in compliance with the Organizational Model 231 or an internal deed (e.g. Regulation) based on said Model.


We remind the whistleblower that if he/she chooses to do so, he/she will always be able to retract the whistleblowing report by means of a notice to be sent through the channel originally selected for submitting the report. The investigation may continue in any event, if it concerns a serious matter.


The processing is carried out in order to:

  • fulfil all the obligations set forth in Legislative Decree 24 of 2023 on whistleblowing, which ratified EU Directive 2019/1937;
  • initiate the necessary investigative activities aimed at verifying the validity of the reported fact, learnt during the course of the employment relationship and regarding unlawful or fraudulent activities, as specified in Legislative Decree 24/2023, which may concern:
  1. administrative, accounting, civil or criminal offences;
  2. unlawful conduct relevant for the purposes of Italian Legislative Decree no. 231/2001;
  3. offences falling within the scope of European Union law;
  4. acts or omissions that harm the financial interests of the European Union, including violations of European Union rules;
  5. internal market acts or omissions or acts or omissions that undermine the acts of the European Union stated in the preceding points.
  • prohibiting retaliatory or discriminatory acts pursuant to art. 19 of Legislative Decree 24/2023, direct or indirect, against the whistleblower and the facilitators for reasons related, directly or indirectly, to the whistleblowing report, also through communication to INPS;
  • adopting the disciplinary sanctions foreseen by the Employer in accordance with the organisational model referred to in Law 231/2001 both with regard to those who violate the measures introduced to protect the reporting subject and those who file reports with malicious intent or through gross negligence that turn out to be unfounded;
  • fulfilling legal obligations (e.g. Euro Reg. 679/2016, Italian Legislative Decree 24 of 2023 on whistleblowing, etc.).

The legal basis of the processing is inherent in the need to fulfil a legal obligation to which the Data Controller is subject, with reference to the provisions contained in Legislative Decree 24 of 2023 on the ratification of EU Directive no. 2019/1937 regarding whistleblowing, as well as in Law no. 179 of 30 November 2017 ("Provisions for the protection of the authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship") and in Italian Legislative Decree no 231 of 8 June 2001 ("Regulations governing the administrative liability of legal persons, companies and associations, including those without legal personality, pursuant to art. 11 of law no. 300 of 29 September 2000").

In more detail, the processing of personal data carried out by the Data Controller is therefore necessary to fulfil a legal obligation to which the Data Controller is subject (art. 6, § 1, letter c) of Regulation 679/2016), and, with regard to particular categories of data (art. 9, § 2, letter b) of Regulation 679/2016) or to data relating to criminal convictions and offences, may also be considered necessary for the performance of a task of public interest contemplated by the law (art. 6, § 1, lett. e) and art. 9, § 2, lett. g) and 10 of the Regulations.

The personal data of those reported may also be used for the fulfilment of legal obligations. The data of the reporting parties may be processed only in the cases provided for by current legislation.

The provisions for protecting the privacy and security of personal data processed on the sites linked from or to the Exprivia Group site are not covered by this privacy policy. Therefore, Exprivia is not responsible for the privacy practices of these sites.


Personal data is processed with automated means (e.g. using electronic procedures and media) and/or manually (e.g. in hard copy format) for the time strictly necessary to achieve the purposes for which it was collected and, in any case, in compliance with the applicable legal provisions on the matter and therefore no later than five years from the date of the communication of the final outcome of the whistleblowing procedure, as provided for in art. 14 of Legislative Decree 24/2023.

Specific security measures are followed to prevent data loss, unlawful or incorrect use, and unauthorised access. No automated decision-making and profiling will be applied to the collected data.

After this period, the data will be deleted or anonymised, unless further retention is required to fulfil legal obligations or to comply with orders issued by public authorities or to exercise the right of defence.


The Data Controllers do not track whistleblowers who use the IT channel.


The whistleblower, pursuant to art. 13 of Legislative Decree 24/2023, may request to be heard by the Internal Whistleblowing Office to submit the report through a direct meeting.

In this case, in accordance with the provisions of Italian Legislative Decree 24/2023, art. 14, paragraph 4, the minutes of the meeting shall be drawn up.

If the minutes are drawn up, the whistleblower has the right to verify, rectify and confirm the minutes of the meeting by signing them.


The whistleblower may also submit his/her allegations of an unlawful act by telephone.

The whistleblowing report is documented in writing through a report of the conversation, by the Internal Whistleblowing Office; the whistleblower verifies, rectifies or confirms the content of the detailed report by signing it.

In the short statement issued over the phone, reference is made to the link where this extended statement can be found.


Independent Data Controllers of personal data relating to identified or identifiable persons collected through this system are the Companies belonging to the Exprivia Group:

  • Exprivia S.p.A. with registered offices in Via A. Olivetti, 11- Molfetta (BA);
  • Exprivia Projects S.r.l. with registered offices in Via della Bufalotta 378 – Rome.

The Data Controllers have appointed a person responsible for the protection of personal data or Data Protection Officer in compliance with Art. 37 and following of EU Regulation 2016/679, who may be contacted:

The processing connected to the web services of this site are exclusively handled by technical personnel, appointed/authorised and trained in the correct processing of personal data which, under no circumstances, will be disseminated.

For the purposes of managing the whistleblowing procedure, the persons authorised to the data processing were also identified as the parties who make up the Whistleblowing Report Office pursuant to art. 2 quaterdecies of the Privacy Code.

The whistleblowing report management office is an internal office. For contact details and composition of said office, see the Whistleblowing Procedure published on the websites of the Data Controller companies.


The recipients of the data collected following the whistleblowing report, if necessary, are the Judicial Authorities, the Court of Auditors and the ANAC.

In particular, data may be transmitted to:

  • external consultants (e.g. law firms) possibly involved in the investigative phase of the report;
  • the members of the Internal Whistleblowing Office and the corporate functions involved in the review and assessment of the reports;
  • organisational positions tasked with carrying out investigations on reports in cases where their knowledge is essential in order to understand the reported events and/or to conduct the relative related investigation and/or processing activities;
  • institutions and/or Public Authorities, Judicial Authorities, Police Entities, investigative Agencies;
  • supervisory body appointed pursuant to Legislative Decree 231/2001 where the report concerns a predicate offence or the violation of the Organisational Model 231;
  • manager responsible for the prevention of corruption and transparency (RPCT - Responsabile prevenzione corruzione e trasparenza ), where appointed;
  • the reported person where knowledge of the identity of the whistleblower is necessary for the defence of the reported person;
  • INPS and ANAC when retaliatory acts against the reporting party have been confirmed

The personal data collected are, above all, processed by the Data Controller's staff who make up the Internal Whistleblowing Office and act on the basis of specific instructions provided for the purposes and procedures of the same processing.

These instructions are contained both in the specific procedure published on the website and in the instructions prepared also for training purposes.

The personal data collected will not be disseminated, nor will it be transferred to third countries (outside the EU).


The Data Controllers are required to retain the whistleblowing report for no more than five years from the date of the final outcome of the reporting procedure (art. 14, paragraph 1, of the Decree). In the event that this outcome must be communicated to the whistleblower who provided his/her personal data, this term refers to the date of communication of the final outcome to the whistleblower as per the ANAC Guidelines resolution no. 211 of 11 July 2023.

The Data Controllers shall protect confidentiality during this period (without prejudice to the cases provided for in art. 12, paragraphs 3-5, of the Decree), and, after this period has elapsed, since the report would have to be cancelled, the possibility of tracing the identity of the whistleblower would in any case be removed (Part One, Section 4.1.3)

All data received in the whistleblowing report that are clearly irrelevant with respect to the reported matter will be erased.

Erasure shall take place in different ways depending on how the whistleblowing report is received, i.e. by deletion, destruction, etc.

Erasure from the IT platform, for example, will take place through deletion.

During the entire period of data storage, the whistleblower who has decided not to remain anonymous (and who may use the system of protection against retaliation), has the right of access to all documents relating to the investigation and proceedings until they are cancelled.


The “data subjects”, i.e. the natural persons to whom the data refers, have the right, at any time, to access the information concerning them and to ask for its updating, rectification and supplementation, as well as erasure, anonymisation or blocking, the restriction of processing, and data portability, as well as to object to, for legitimate reasons, data processing in full or in part, in accordance with articles 15 to 22 of EU Regulation 2016/679.

Furthermore, if the processing of their data is based on consent, the data subjects may withdraw it at any time (for example for the purpose of communicating the identity of the reported person, where this knowledge is not essential for his/her defence). The withdrawal of consent does not invalidate the previous processing. Please note that the interested party can always oppose the processing for promotional purposes.

Portability consists of the right of the interested party to receive, in a structured format, commonly used and readable by an automatic device, the personal data provided to the Data Controllers, as well as the transmission of the same to another data controller, and this at any time, even upon the termination of any relationships with the Data Controllers.

The processing of personal data for IT security purposes or for protection needs fall in the category of processing for the legitimate interests of the Controller, in which case the data subject may object only for reasons connected to his or her specific situation, which the Controller will evaluate without prejudice to the execution of the defensive purposes.

For any information regarding the processing of data, as well as to exercise the rights provided for in articles 15 to 22 of EU Regulation 2016/679, users can send an email to the addresses of the DPO specified above.

Furthermore, interested parties have the right to contact the Data Protection Authority for the protection of personal data or other authorities to lodge a complaint regarding the processing of their personal data, in the event of a breach of law, pursuant to art. 77 of the GDPR information.