Privacy - Exprivia

Privacy Policy and Cookies

Miriam Monza — Thu, 04 Jun 2026 04:36:02 +0000

This privacy policy and cookies is provided to users/visitors who interact with the official website of Exprivia Group, accessible by electronic means from the address https://www.exprivia.it which corresponds to the home page of the site, pursuant to:

Article 13 of EU Regulation 2016/679;
of the Italian Privacy Authority’s Provision No. 229 of May 8, 2014 (Identification of simplified procedures for information and acquisition of consent for the use of cookies);
of Italian Privacy Authority Provision No. 231 of June 10, 2021 (Guidelines cookies and other tracking tools), which supplements Provision No. 229 of 2014 and provides important clarifications in order to facilitate data controllers in the correct application of the current regulatory framework;
of the Art. 29 Working Party’s Recommendation No. 2/2001 on minimum requirements for online data collection in the EU;
of Directive 2009/136/EC, amending Directive 2002/58/EC (so-called e-Privacy Directive), concerning the processing of personal data and the protection of privacy in the electronic communications sector;
Of WP 29 Guidelines of April 10, 2019, ratified by the European Data Protection Board and superseded by Guidelines 05/2020 on consent under Regulation 2016/679 adopted on May 4, 2020

This policy describes how to manage only the official Exprivia Group website, but not other external websites that may be consulted by the user through links present on the Exprivia Group website. Additional information may be provided within specific sections.

The processing of personal data collected in certain formats of some sections of the website (examples include the “Newsletter”, Contact us, Whistleblowing and Employment Applications sections) are governed through specific disclosures, available in the relevant sections of the website.

Access to the Site does not require the user/visitor to provide any personal information.

1) TYPE OF DATA PROCESSED AND PURPOSE OF PROCESSING

1.1) Purpose of processing

The processing of personal data of users/visitors is aimed, exclusively, at enabling users to navigate within the Website. II personal data of users may, also, be used for the fulfillment of legal obligations. In some sections of the Website, where information services organized by the Data Controller are offered, additional personal data and preferences may be collected, which may be processed only after collecting the visitor’s express consent.

1.2) Data provided voluntarily by the user

The voluntary and explicit sending of electronic mail to the addresses indicated in the different access channels of this site entails the subsequent acquisition of the sender’s/user’s data, necessary to respond to the instances produced, as well as any other personal data entered by the same.

Personal data provided by users will be disclosed to third parties only if the disclosure is necessary to fulfill the users’ requests. Data collected will not be kept for a period of time longer than necessary to fulfill the purpose for which it was acquired. These retention periods generally apply to all personal data that have been collected to respond to the requests produced.

1.3) Navigation data

The “software” platform responsible for the operation of this website acquires, in the course of their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This is information that is not collected in order to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by third parties carried out only at the explicit request of the Judicial Authority, allow users to be identified.

This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning.

1.4) Cookie Policy

Cookies are small text files that sites visited by users send to their terminals, where information is stored that is then transmitted back to the same sites on subsequent visits. The terminals referred to are, for example, a computer, tablet, smartphone, or any other device capable of storing information. The information encoded in cookies can include personal data, such as an IP address, user name, unique identifier, or email address, but can also contain non-personal data, such as language settings or information about the type of device a person is using to browse the website.

In addition to the above information, a cookie typically contains the name of the Internet domain (the IP address of the site) from which the cookie originated, the “lifetime” of the cookie (i.e., an indication of when the cookie expires), and a numeric code, usually a single randomly generated number.

This site does not make use of passive tracking tools such as fingerprinting but makes exclusive use of active identifiers such as cookies.

1.4.1) Technical cookies used by this site and their purpose

This site uses technical cookies, which are automatically installed following access to the site, for the proper functioning of the website.

This type of cookies includes navigation or session cookies aimed solely at enabling the transmission of communication over an electronic communications network or to the extent strictly necessary for the provider of an information society service explicitly requested by the contractor or user to provide such service or, functionality cookies, which allow the user to navigate according to a set of selected criteria that, among other things, do not contain personal data (e.g., language, choices on certain types of cookies inherent in the type of non-technical device) in order to improve the service rendered to the user.

Technical cookies used by this site expire at the same time as the browser is closed unless those containing the user’s choice on non-technical cookie consents which have a 6-month expiration.

At any time, the user will still have the option of accepting or not accepting the use of cookies by changing their browser settings. Should the user use different computers in different locations, he/she will have to make sure that each individual browser is set correctly. The user can easily delete any cookies installed in the cookie folder by following the procedures provided by the browser used.

1.4.2) Advertising or profiling cookies.

Some sections of the website use third-party platforms that display content for which to offer certain types of advertising, including those related to information services offered through the website, as well as some advertising based on users’ interests. Specifically, said sections use cookies and tracking technologies provided by HubSpot, a marketing automation and CRM platform used for purposes of data collection, analysis of user behavior, and sending personalized communications. HubSpot’s cookies allow it to track user interactions with the website (e.g., filling out forms, downloading content, viewing specific pages) and to improve the quality and relevance of messages sent.

Information collected by HubSpot may include IP address, approximate geographic location, device type, and browsing behavior within the site. The data is processed by the Owner in accordance with the principle of minimization and is not shared with third parties for purposes other than those stated.

Authorized third parties may also set cookies when you interact with Exprivia’s services. Third parties include search engines, social media, and companies that provide advertising services. These third parties use cookies in the delivery of advertising content, including advertising defined by your interests, to assess the effectiveness of their ads, and to provide services on Exprivia’s behalf.

Personalized ads, sometimes known as interest-based ads, are part of the Exprivia Group website user experience. We show personalized ads to help you find and discover features, products, and services that might interest you. You may also see these ads on other Services and on third-party sites. The cookies used in this category are used for the purpose of selecting personalized ads, measuring the effectiveness of displayed ads, detecting and preventing fraud and reputational damage to brands and vendors who advertise with Exprivia, and developing, troubleshooting, and improving our advertising services.

You can request deletion of your personal information from our advertising systems at any time. If you do not request deletion, we will retain your personal information for as long as necessary to pursue the advertising purposes described in this Policy, such as selecting personalized ads or detecting fraudulent activity.

Unless manually deleted, advertising cookies remain in your browser for up to 13 months from when you provided us with consent to use these cookies.

We use personal information about your interactions with the Information Services available on Exprivia’s website to personalize ads. We create groups of visitors, based on interests identified from their browsing.

We may also use cookies and similar identifiers, such as IP address, to select personalized ads and understand which ads are clicked on or displayed. For example, we may use IP address to limit the number of times the same ad is shown to you.

The Exprivia website uses third-party advertising and profiling cookies for which your explicit and specific consent is required.

By default, all advertising and profiling cookies are disabled. The user can at any time consent to their use or disable them using the “Cookie Settings” link located at the footer of each web page. In case the visitor has logged in to the website for the first time or the website does not find the technical cookie inherent in the choices made about cookies, the website will present a banner with a short information and give the possibility to accept all of them, deny all of them or customize them individually.

1.4.3) Third Party and Social Plug-in Cookies.

Exprivia Group website pages may contain plug-ins, such as those from Social Networks. If you access one of our web pages that has such a plug-in, your Internet browser connects directly to the social and the plug-in is displayed on your screen through your browser connection.

Exprivia uses the AddToAny Plug-in to enable the user to share informational content posted on the website in a variety of Social platforms. For more information about the AddToAny Plug-in please refer to the following link AddToAny Privacy Policy. Prior to the use of such Plug-ins the interested party is encouraged to consult the privacy policy of the social networks themselves, on their official pages. In some cases the Plug-ins may make use of third-party cookies.

The Exprivia website makes use of third-party cookies from YouTube in order to show Exprivia Group videos posted in Exprivia Channel. Please refer to the following YouTube Privacy Policy link for more information.

In addition, Exprivia’s website uses analytical cookies. Google Analytics cookies capture information about how the visitor uses the website. The data collected include the number of visitors, the source from which they came, and the pages they visited. Exprivia acquires them in aggregate and anonymous form for the sole purpose of analyzing the sections of the site of greatest interest and improving its offerings through the site. For more information please refer to the following link http://tools.google.com/dlpage/gaoptout.

By default, all third-party and social plug-in cookies are disabled. The user can at any time consent to their use or disable them using the “Cookie Settings” link located at the footer of each web page. In case the visitor has logged in to the website for the first time or the website does not find the technical cookie inherent in the choices made about cookies, the website will present a banner with a brief information and give the possibility to accept them all, deny them all or customize them individually. In some cases, disabling them may not allow you to use certain features.

We also inform you, that by not accepting marketing cookies you will not be able to view the thematic videos also published on the YouTube channels of the Group companies and processed by them (e.g. podcasts). For this reason, on each web page where such videos are present should you attempt to access them, without having previously enabled marketing cookies, a notice will appear explaining the reason for the video’s inaccessibility and reminding you of the possibility to change your choices regarding marketing cookies. To that end, to facilitate your browsing you will also find a link to the “Setting About Cookies” web page that allows you to enable such cookies. This enablement may also be temporary since, immediately after viewing the video of your interest, and in any case at any time, you will be able to disable marketing cookies again.

1.4.4) Resubmission of the consent request banner.

The reiteration of the request for consent in the presence of a previous failure to provide it is an illegitimate activity that, therefore, Exprivia will not carry out.

The consent acquisition banner may be resubmitted to you in the following cases:

Where at least six months have elapsed since the previous submission of the banner;
In cases where the conditions of processing have changed significantly and, therefore, the banner also fulfills the information function in regard to the changes that have occurred (e.g., in the case of changing third-party cookies);
When Exprivia cannot have knowledge of the fact that a cookie has already been previously stored on the device to be transmitted in a subsequent visit of the same user, to the site that generated it (e.g., hypothesis in which the user chooses to delete the cookies legitimately installed in his device without the holder being able to keep track of the will to maintain the default settings and, therefore, to continue browsing without being tracked).

1.4.5) How to control cookie settings.

You can also remove existing cookies and block the installation of new cookies through your browser settings.

Users/visitors can decide from time to time whether or not to accept cookies by configuring their browser to generate a warning each time a cookie is saved. Most popular browsers provide the ability to block only third-party cookies, accepting only the site’s own cookies. Refer to the informational websites of the browser you are using.

1.4.6) LINKS TO OTHER SITES

Browsing Exprivia Group’s website provides access through links to other websites operated by third parties. These sites may collect personal information about the data subject. Exprivia does not control the sites that are operated by such parties and cannot be held responsible for their conduct.

Requirements to protect the privacy and security of personal data processed on sites linked to or from the Exprivia Group site are not covered by this privacy policy. Exprivia, therefore, is not responsible for the privacy conduct of these sites.

2) MODE OF DATA PROCESSING AND STORAGE

Personal data are processed by automated means (e.g., using electronic procedures and media) and/or manually (e.g., on paper) for the time strictly necessary to achieve the purposes for which they are collected and, in any case, in accordance with the relevant regulations. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

No automated decision making will be applied to the data collected.

After this period, the data will be deleted or transformed into anonymous form, unless their further storage is necessary to fulfill legal obligations or to comply with orders issued by Public Authorities.

3) OPTIONAL NATURE OF PROVIDING DATA

The provision of personal data by the interested party, for the purposes described in the previous paragraph (1.2), is to be considered optional. Failure to provide them may result in the inability to navigate in certain sections of the site or to follow up on any requests submitted.

4) OWNER, DATA PROTECTION OFFICER (DPO) AND APPOINTEES

The Data Controllers of personal data, relating to identified or identifiable persons who have consulted this site are the Companies belonging to the Exprivia Group:

Exprivia S.p.A. with registered office in via A. Olivetti, 11- Molfetta (BA);
Exprivia Projects Srl with registered office in Viale del Tintoretto 432 – Rome.

Data Controllers have appointed a Data Protection Officer or Data Protection Officer in accordance with Articles 37 ff. of EU Regulation 2016/679 who can be contacted:

for Exprivia SpA at the following e mail address: dpo_expriviaspa@exprivia.com
for Exprivia Projects Srl at the following e mail address: dpo_expriviaprojects@exprivia.com.

Treatments related to the web services of this site are handled exclusively by technical personnel, appointed/authorized and instructed to the proper processing of personal data that, in no case, will be subject to dissemination.

5) COMMUNICATION AND/OR DISSEMINATION OF DATA

Except as stated in Section 1.2, the personal data provided by you will not be disclosed to third parties or disseminated and will not be transferred to third countries (outside the EU) without the explicit consent, if any, provided by the data subject.

6) DATA RECIPIENTS

For the pursuit of the purposes described, or in the event that this is indispensable or required by provisions of the law or by authorities with the power to impose it, the Controllers reserve the right to communicate the data to recipients belonging to the following categories:

the Data Protection Officer, to follow up on privacy claims of data subjects and for any further eventualities that fall within his or her duties as outlined in Article 39 of the EU Regulation 2016/679;
Control Authorities and, in general, subjects, public or private, with functions of public relevance (e.g.: Prefecture Police Headquarters, Judicial Authority, in any case only to the extent that the prerequisites established by the applicable regulations are met);
other parent, subsidiary or associated companies, pursuant to Article 2359 of the Civil Code;
professional firms or companies as part of service and consulting relationships;
Individuals who carry out control, audit and certification duties of the activities put in place by the Holders;
Owner’s suppliers, formally appointed as data controllers.

7) RIGHTS OF INTERESTED PARTIES

“Data subjects,” i.e., natural persons to whom the data refer, have the right, at any time, to access the information concerning them and to request that it be updated, rectified and supplemented, as well as erased, transformed into anonymous form or blocked, limited in its processing, and portability of the data, as well as to object in any case in whole or in part to its processing, for legitimate reasons, in accordance with Articles 15 to 22 of EU Regulation 2016/679.

Moreover, data subjects, if the processing of their data is based on consent, may revoke it at any time. Revocation of consent does not invalidate previous processing. Please note that the data subject may always object to processing for promotional purposes.

Processing of personal data carried out for cybersecurity purposes or for defensive needs are among the processing for the legitimate interest of the Data Controller, in which case the data subject may object only for reasons related to his or her particular situation, which the Data Controller will evaluate without prejudice to the execution of defensive purposes.

For any information regarding the processing of data, as well as for exercising their rights under Articles 15-22 of EU Regulation 2016/679, users can send an email to the DPO addresses above.

In addition, data subjects have the right to appeal to the Garante per la protezione dei dati personali, based in Rome at Piazza Venezia, 11, or another authority to lodge a complaint about the processing of their personal data under Article 77 if they believe there has been a violation of their personal data v. www.garanteprivacy.it.

8) CHANGES TO THE PRIVACY POLICY

This Privacy Policy may be subject to change over time – also related to the possible entry into force of new sector regulations, the updating or provision of new services or to intervening technological innovations – so we invite the user/visitor to periodically consult this page.

Respect for your confidentiality is our priority.

Exprivia and selected third parties use cookies or similar technologies for technical purposes and, with your consent, for other purposes as specified in the cookie policy, in order to ensure technical functionality, measure content performance, analyze our audiences, and improve our products and services.

You may freely give, refuse or revoke your consent, at any time, by accessing the preference panel, via the “Show Details” link on the banner or the “Cookie Settings” link at the bottom of the web page, or you may consent to the use of these technologies using the “Accept All” button, reject them using the “Reject” button, or manage them according to their class by using the “Accept Selected” button. Your preferences will apply only to this website and will not affect your browsing.

Your consent applies to the following websites: www.exprivia.it

L'articolo Privacy Policy and Cookies proviene da Exprivia.

Privacy Policy & Cookies Exprivia Group

Marco Mina — Fri, 22 May 2026 17:57:26 +0000

Data Controller

We inform you that your personal data will be processed by Exprivia S.p.A., with its registered office in Molfetta (BA) at Via A. Olivetti, 11, in its capacity as Data Controller.

Purposes

Your data, including your email address, will be collected directly from you when you complete the form and will be processed for the purpose of sending you the information you have requested, including requests for documents published on the Exprivia website (e.g. papers, white papers, reports) or to manage your registration requests for participation in events organised by Exprivia (e.g. webinars).

Should you give your specific consent, your data, including your email address, may also be used for promotional purposes to send you advertising material, commercial communications, or to carry out direct marketing or market research activities. The sole consequence of not giving your consent will be that we will not send you advertising material, promotional brochures, invitations to workshops or other events. However, failure to provide consent for direct marketing purposes will in no way affect the processing of your request for information.

Your data is also processed to comply with legal obligations and, where necessary, for defence purposes or to comply with orders from the authorities.

Legal basis for processing

The legal basis for the processing consists of pre-contractual purposes, legal obligations, and legitimate interest, which in this case consists of defence (purely hypothetical) or IT security purposes, and to process your request for information or your request to register for events organised by Exprivia. With regard to processing carried out on the basis of legitimate interest, you may object on grounds relating to your particular situation. Should you exercise your right to object, the Data Controller shall refrain from further processing your personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Furthermore, another legal basis, with regard to processing for direct marketing purposes, is consent, which may always be withdrawn easily and free of charge by using the email addresses provided below. Any withdrawal of consent shall not affect the lawfulness of processing based on consent prior to such withdrawal.

Transfer

The processing of your personal data to fulfil your requests for information will not be subject to transfer to third parties or to countries outside the EU. However, intra-group transfers may take place if necessary to fulfil your request.

In the case of requests to participate in events organised by Exprivia, third parties invited by Exprivia as speakers may become aware of your data and will process it as independent data controllers.

Your data will not, under any circumstances, be disclosed.

Retention

The data collected via this form will be retained for the period strictly necessary to process your request.
Should you consent to the use of your data for direct marketing purposes, your data, including your email address, may be used for up to two years, unless you exercise your right to object, which you may always do regarding the use of your data for marketing purposes, or unless you provide new consent. In accordance with the principle of accountability, the documentation evidencing your consent may, however, be retained for up to ten years for evidential purposes.

Rights

You have the right to withdraw any consent you may have given at any time and to exercise the rights set out in Article 15 et seq. of the GDPR (access, correction, updating, objection to processing, rectification, integration, restriction, etc.) by contacting the Data Privacy Officer appointed by the Data Controller at dpo_expriviaspa@exprivia.com or directly at the Data Controller’s registered office or via email at ufficioprivacy@exprivia.com. You may also lodge a complaint with the Data Protection Authority in the event of a personal data breach www.garanteprivacy.it. To find out more about your rights, please read Exprivia’s privacy policy.

L'articolo Privacy Policy & Cookies Exprivia Group proviene da Exprivia.

Reported party privacy policy

Marco Mina — Fri, 22 May 2026 15:55:19 +0000

People involved

The companies Exprivia S.p.A. and Exprivia Project S.r.l., each in its capacity as data controller, provide the following privacy information pursuant to art. 13 and 14 GDPR expressly referenced in art. 13 of Legislative Decree 24/2023 implementing EC Directive 2019/1937 of the European Parliament and Council of 23 October 2019, concerning the protection of persons who report violations of EU law and laying down provisions concerning the protection of persons reporting violations of national regulatory provisions.

The following information is provided for the purpose of transparency towards the reported person and any interested party potentially referred to in a report and therefore involved in the same (hereinafter jointly referred to as the “reported subject”), primarily to make them aware of the limitations imposed on the exercise of certain rights foreseen by (EU) Regulation 2016/679 of the European Parliament and Council of 27 April 2016 (GDPR):

Right to information – the right to be informed about the processing of personal data pursuant to articles 13 and 14 of the GDPR is restricted in light of the secrecy and confidentiality obligations imposed by Art. 12 of Legislative Decree no. 24/2023 which guarantees the confidentiality of the data, as well as the risk of undermining or seriously hindering the pursuit of the purposes of the processing connected to the reports filed as part of the whistleblowing system (see Article 14, paragraph 5, letters b) and d) of the GDPR).
Other rights of the data subject – the rights referred to in articles 15 to 22 of the GDPR are not ruled out in absolute terms for the interested party but cannot be exercised (by filing a request with the Data Controller or a complaint pursuant to article 77 of the GDPR) even regarding knowledge of the source of the data, if this might effectively and tangibly constitute a prejudice to the secrecy of the reporting party’s identity (see article 2-undecies of the Privacy Code and article 23 of the GDPR). Art. 2-undecies of the Privacy Code, as of 15 July 2023 under paragraph 3, regarding the specific limitations on the rights of the interested party, effectively establishes that the rights cannot be exercised whenever the confidentiality of the identity of the person who reports the violations they have become aware of during their employment relationship or other functions as required by EU Directive 2019/1937 concerning the reporting of violations of European Union rules, or that reports the violations referred to in Articles 52 bis and 52 ter of Legislative Decree 385/1993 (i.e. violations of the Bank of Italy by bank personnel) or the reports presented before Consob or the Bank of Italy by bank personnel is effectively and tangibly threatened.

In particular, in fulfilling the obligation pursuant to art. 2 undecies paragraph 3 of the Privacy Code, the reported person and the other persons involved are informed that the exercise of their rights referred to in articles 15 – 22 of the GDPR:

may stand, where the source of the data and therefore knowledge of the whistleblower’s identity is concerned, only if the whistleblower has given his/her consent or whenever knowledge of the whistleblower’s identity is essential for the accused to be able to mount a defence. The reported party is informed that in this latter case the whistleblower has the right to know, in writing, the reasons behind the disclosure of the confidential data when knowledge of his/her identity is essential for the defence of the person involved (see Article 12, paragraphs 5 and 6 of Legislative Decree 24/2023);
may stand within the limits set forth in art. 2 undecies of the above Privacy Code (see art. 13 paragraph 3 of Legislative Decree 24/2023) and may be performed in accordance with the provisions of the law or regulation that govern the sector (including Legislative Decree 231/2001 );
may be delayed, limited or ruled out with a reasoned communication sent without delay to the interested party, unless the communication may compromise the purpose of the limitation, for the time and within the limitations required of a necessary and proportionate measure, having taken into due account the fundamental rights and legitimate interests of the interested party, in order to safeguard the confidentiality of the identity of the whistleblower and in order to safeguard certain interests inherent in the performance of defensive investigations or the exercise of rights to defence;

In such cases, the rights of the interested party may also be exercised through the Italian Data Protection Authority according to the provisions of Article 160 of the Privacy Code, in which case the Italian Data Protection Authority informs the interested party that it has carried out all the necessary checks or reviews, or the interested party may also exercise the right to lodge a judicial appeal.

The exercise of the rights by the reported person (including the right of access) may therefore be upheld within the limits foreseen by applicable law and, in particular, it is noted that the request will be assessed by the entities entrusted with this task in order to reconcile the need to protect the rights of individuals with the need to combat and prevent violations of the rules of good corporate management or of the regulations applicable in this field.

Categories of personal data and source of collection

The personal data related to the reported person is collected in the context of the report and the documentation provided by the reporting party. The following categories of personal data relating to the reported party may be collected:

personal data (e.g. name, surname, place and date of birth);
contact details (e.g. e-mail address, telephone number, postal address);
data of a professional nature (e.g. hierarchical level, affiliated business area, company role, type of relationship entertained with the companies of the Exprivia Group or other third parties, profession);
any other information referring to the reported party that the whistleblower decides to share with the Data Controller in order to better substantiate their report, regarding:
- relevant unlawful conduct pursuant to Legislative Decree 24/2023 such as civil, criminal, administrative and accounting offences and violations of European Union regulations as well as significant unlawful conduct pursuant to Legislative Decree 231/2001 or violations of the entity’s organisation and management model;
- irregularities and/or unlawful conduct, whether through commission or omission, which constitute or may constitute a violation of the principles enshrined in the Code of Ethics of the Exprivia Group, in company policies and rules and/or which may result in fraud or damage, even of a potential nature, against colleagues, shareholders and stakeholders in general or which constitute acts of an illicit nature or that may be deemed detrimental to the interests and reputation of the company itself;
- improper or suspicious activities and payments, other than expenses or contributions expressly provided for by the Data Controller companies, or even donations made by said Data Controller companies to public officials or donation requests that such public officials or private entities may make.

Data Controller, data protection officer and appointees

The Data Controllers responsible for the processing of the personal data related to identified or identifiable persons collected through reporting are the Companies belonging the Exprivia Group:

Exprivia S.p.A. with registered offices in Via A. Olivetti, 11- Molfetta (BA);
Exprivia Projects Srl with registered offices in Via della Bufalotta 378 – Rome.

The Data Controllers have appointed a person responsible for the protection of personal data or Data Protection Officer in compliance with Art. 37 and following of EU Regulation 2016/679, who may be contacted:

for Exprivia SpA at the following address and email: DPO_ExpriviaSpa@exprivia.com
for Exprivia Projects Srl at the following address and email: DPO_ExpriviaProjects@exprivia.com

The data processing connected to the report is handled exclusively by specifically appointed/authorised personnel, trained in the correct processing of personal data which, in no case, shall be disclosed.

You may contact the Data Controllers or the DPO at the emails indicated above to exercise these rights.

Purpose of the processing

The processing is carried out in order to:

undertake the necessary investigative activities aimed at establishing the validity of the reported facts, acquired in the execution of the employment relationship and related to illegal or fraudulent activities that may consist of civil, criminal, administrative or accounting offences or the failure to comply with the organisation model pursuant to decree 231/2001 and based on precise and consistent factual elements, or on violations of the organisation and management model of the Companies of the Exprivia Group, that have come to light as a result of the functions performed;
Ensure compliance with the prohibition to engage in direct or indirect retaliatory or discriminatory acts against the reporting party for reasons directly or indirectly connected to the report, also through communication to ANAC or the National Labour Inspectorate;
Adopt the disciplinary sanctions foreseen by the Employer in accordance with the organisational model referred to in Law 231/2001 both towards those who violate the measures introduced to protect the reporting subject and towards those who file reports with malicious intent or through gross negligence that turn out to be unfounded.

The legal basis of the processing, for all reports that concern civil, criminal, administrative and accounting offences as prescribed by national legislation or the European Union rules provided for in Directive 2019/1937, should be identified in fulfilment of the legal obligations of the data controller referred to in Legislative Decree 24/2023 implementing the aforementioned Directive. The legal basis is, therefore, constituted by art. 6 lett. C of the GDPR and where reports are made relative to the performance of activities for the provision of services in favour of public bodies the legal obligation is based on art. art. 54 bis, paragraph 2, of Italian Legislative Decree 165/2001.

With reference to the “special” data foreseen by art. 9 of the GDPR (e.g. data on health, race, ethnicity, sexual orientation, political, trade union and religious beliefs, genetic data, biometric data, etc.) the legal basis is to be found in the provisions of art. 9, par. 2 lett. f), which relates to the ascertainment, exercise or defence of a right in court, it being understood that, with regard to some aspects related to the employment relationship, the legal basis can be found in lett. b) of the same provision.

On the other hand, with regard to judicial data, collection can be carried out if it is designed to prevent the criminal liability of the company in accordance with the rationale of law 231/2001 and in compliance with the provisions of art. 10 of the GDPR.

Methods of data processing and storage

Personal data is processed with automated means (e.g. using electronic procedures and media) and/or manually (e.g. in hard copy format) for the time strictly necessary to achieve the purposes for which it was collected and, in any case, in compliance with the applicable legal provisions on the matter. Specific security measures are followed to prevent data loss, unlawful or incorrect use, and unauthorised access.

No automated decision-making and profiling will be applied to the collected data.

The documentation will be retained for a period of five years in accordance with the provisions of art. 14 of Legislative Decree 24/2023 and taking into account the provision related to administrative sanctions in the event of various non-compliances envisaged by art. 21 of Legislative Decree 24/2023 which make it therefore necessary to proceed with retention. Once this term has elapsed, the data will be erased or anonymised, unless their further retention is required to fulfil legal obligations or to comply with orders issued by Public Authorities or for defence-related needs.

Data transfer

The recipients of the data collected as a result of the report, where appropriate, are the Companies’ internal whistleblowing offices, the Supervisory Authority, the Judicial Authority, the Court of Auditors (for reports made that refer to the activities of the entities in favour of which the Group companies provide public services), ANAC and the National Labour Inspectorate.

In particular, data may be transmitted to:

external consultants (e.g. law firms) possibly involved in the investigative phase of the report;
The Internal Office responsible for managing reports set up in compliance with the obligation pursuant to Legislative Decree 24/2023 and the corporate functions involved in the examination and evaluation of reports;
manager(s) of the department(s) involved in the report (e.g. Internal Audit department, Legal department, Supervisory Body or other reference departments for the reported subject);
organisational positions tasked with carrying out investigations on reports in cases where their knowledge is essential in order to understand the reported events and/or to conduct the relative related investigation and/or processing activities;
institutions and/or Public Authorities, Judicial Authorities, Police Entities, investigative Agencies;
supervisory body appointed pursuant to Legislative Decree 231/2001 exclusively for the predicate offences and in instances that involve the violation of the organisational models, of the specific approved procedures and of the Code of Ethics;
manager responsible for the prevention of corruption and transparency (RPCT), where appointed;
ANAC and National Labour Inspectorate when retaliatory acts against the reporting party have been confirmed.

The personal data collected are also processed by the Data Controller’s personnel, who act on the basis of specific instructions provided in relation to the purposes and procedures of the same processing having first been appointed as an authorised data processor pursuant to art. 2 quaterdecies of the Privacy Code. The personal data collected will not be disseminated, nor will it be transferred to third countries (outside the EU).

You may exercise the rights referred to in art. 15 – 22 of the GDPR, without prejudice to the limitations of which you have also been informed in this information sheet, such as the right of access, rectification, erasure (right to be forgotten), limitation or portability through the Data Controllers at their offices or by email also to the DPO. Using the same methods, you can request the list of managers appointed pursuant to Art. 28 GDPR in relation to the processing referred to in this information sheet.

L'articolo Reported party privacy policy proviene da Exprivia.

Reporting party privacy policy

Marco Mina — Fri, 22 May 2026 15:44:29 +0000

REGULATORY PRINCIPLES

This information is provided to users/visitors who interact with the official web system of the Exprivia Group, for reports on potential illicit acts or irregularities that have come to their attention in the context of work and is aimed at promoting a culture of ethics and lawfulness against irregular conduct witnessed, accessible electronically at the address https://whistleblowing.exprivia.it/#/

The following information is provided, pursuant to:

13 of EU Regulation 2016/679;
Italian Legislative Decree 24 of 2023, which repealed paragraph 2 bis of Art. 6 of Italian Legislative Decree 231/2001 and specifically introduced in art. 13, the obligation to issue privacy disclosures to whistleblowers as well as to the persons involved;
Resolution no. 311 of 12 July 2023 – “Guidelines on the protection of whistleblowers reporting violations of EU law and protection of whistleblowers reporting violations of national regulatory provisions. Procedures for the submission and management of external reports”, better known as the Whistleblowing Guidelines, published in the Official Journal General Series no. 172 of 25 July 2023;
the Opinion of the Personal Data Protection Authority, issued on 6 July 2023, regarding the Guidelines Information Sheet on the protection of whistleblowers who report violations of EU law and the protection of whistleblowers who report violations of Italian regulatory provisions. Procedures for the presentation and management of external whistleblowing reports adopted by ANAC (docweb no. 9912239);
the Operating Guide for private entities entitled “New whistleblowing regulations” adopted by Confindustria in October 2023;
the Directive (EU) 2019/1937 of the European Parliament and the Council of 23 October 2019, concerning the protection of whistleblowers who report violations of EU law (OJEU L. 305 of 26/11/2019, p. 17–56).
law no. 179 of 30 November 2017, “Provisions for the protection of the authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship”, which entered into force on 29 December 2017, which provides for an article concerning the “Protection of employees or collaborators who report offences in the private sector “, and establishes, for the first time in our legal system, specific measures to protect whistleblowers in the private sector, adding para. 2-bis within art. 6 of the Italian Legislative Decree no. 231 of 8 June 2001, «Regulations on the administrative liability of legal persons, companies and associations also not recognised as legal entities, pursuant to art. 11 of law no. 300 of 29 September 2000”; This paragraph 2-bis was replaced by art. 24 of Italian Legislative Decree no. 24 of 2023, which establishes that the Organisational Models 231 provide for internal whistleblowing channels, for the prohibition of retaliation and for the disciplinary system;
Opinion of the Personal Data Protection Authority of 4 December 2019, doc web no. 9215763, on the outline of the “Guidelines for the protection of the authors of reports of crimes or irregularities of which they have become aware by reason of an employment relationship pursuant to art. 54 bis of Italian Legislative Decree 165/2001 (“whistleblowing”) of ANAC.

PURPOSE OF THE WHISTLEBLOWING REPORTS

The system is intended for employees of the Exprivia Group and all those who in general operate in Italy and abroad, on behalf or for the benefit of the Group, or who have business relationships with the latter through any type of contract or assignment and who have become aware of the unlawful act that will be reported within the work context.

The events to be reported must concern, in general, the reasonable and legitimate suspicion or awareness in good faith of unlawful conduct or irregularities of which one has gained knowledge in the context of the work activity that may be detrimental to the integrity of the Exprivia Group, such as, for example, the violation of Italian laws which include violations of the predicate offences under Legislative Decree 231/2001, violation of the Organisational Model 231 as well as the violation of the directly applicable European regulations and implementing rules on public contracts; services, products and financial markets and prevention of money laundering and terrorist financing; products and services safety and compliance with the law; transport safety; environmental protection; radiation protection and nuclear safety; animal food and feed safety as well as animal health and welfare; public health; consumer protection; privacy and personal data protection and the security of networks and information systems, as well as other specifically identified European regulations.

On the other hand, the following should not be the subject of whistleblowing reports:

requests related to a personal interest of the whistleblower, or of the person who has filed a complaint with the judicial or accounting authority that relate to his/her individual employment or employment relationships;
reports of violations already governed by other European Union acts stated in Part II of the Annex to Legislative Decree 24/2023;
reporting on national security, defence systems and similar matters.

This policy describes the management methods of the official system of the Exprivia Group, but not of other external websites that may be consulted by the user via links. Additional information may be provided within specific sections.

Italian Legislative Decree 24/2023, art. 12, requires that the identity of the whistleblower and any other information that may be inferred, directly or indirectly, be protected, unless the whistleblower has given his/her consent to the disclosure of his/her report to third parties.

In the context of disciplinary proceedings against the reported person, the identity of the whistleblower may not be disclosed if the allegation of the disciplinary charge is based on further investigations beyond the report.

It should be noted that if the knowledge of the whistleblower is essential for the defence of the reported person, the whistleblowing report may be used in the disciplinary proceedings against the reported person only if the whistleblower gives his/her consent to the disclosure of his/her identity or the set forth legal conditions are met. This disclosure is issued as of now, also pursuant to art. 12 paragraphs 5 and 6 of Legislative Decree 24/2023.

With regard to the cases in which it is necessary to identify the whistleblower, please refer to the Whistleblowing Reporting Procedure prepared by the Data Controllers.

It should be noted that to protect privacy, whistleblowing reports are exempt from the accessing procedures set forth in Italian Law 241/1990 as well as other civic access procedures.

Please indicate in your report that you wish to keep your identity confidential and that you wish to make use of the regulatory protection system also against retaliation.

WHISTLEBLOWING CHANNELS

Please be reminded that for reporting purposes you may use all the whistleblowing channels adopted by the Data Controller companies, such as:

The IT platform accessible from the website of the Data Controller companies;
The telephone number of the company switchboard to be used depends on whether or not you wish to release information on your identity, although we would remind you that the telephone in any case allows your voice to be heard and that it is a type of personal data for which you may be identifiable;
Request for a meeting that can be sent, through the company switchboard, to the reporting management office set up at the Data Controller companies and that can be contacted directly in person or by telephone at the dedicated number activated by the Data Controller companies;
Submission on paper by post. If you choose this method, please use a double envelope and insert the report in a separate envelope addressed to the whistleblowing office.

On the other hand, please avoid sending your reports by email or by certified email, given that, as highlighted by the Personal Data Protection Authority in its Opinion of 6 July 2023 on the ANAC Guidelines of 2023 regarding whistleblowing reports, such methods do not allow us to protect the confidentiality of your identity in view of the technical security measures protecting such methods.

The internal reporting channels are established, in the private sector, in compliance with the Organizational Model 231 or an internal deed (e.g. Regulation) based on said Model.

THE RIGHT OF RETRACTING THE WHISTLEBLOWING REPORT

We remind the whistleblower that if he/she chooses to do so, he/she will always be able to retract the whistleblowing report by means of a notice to be sent through the channel originally selected for submitting the report. The investigation may continue in any event, if it concerns a serious matter.

TYPE OF DATA PROCESSED AND PURPOSE OF THE PROCESSING

The processing is carried out in order to:

fulfil all the obligations set forth in Legislative Decree 24 of 2023 on whistleblowing, which ratified EU Directive 2019/1937;
initiate the necessary investigative activities aimed at verifying the validity of the reported fact, learnt during the course of the employment relationship and regarding unlawful or fraudulent activities, as specified in Legislative Decree 24/2023, which may concern:

administrative, accounting, civil or criminal offences;
unlawful conduct relevant for the purposes of Italian Legislative Decree no. 231/2001;
offences falling within the scope of European Union law;
acts or omissions that harm the financial interests of the European Union, including violations of European Union rules;
internal market acts or omissions or acts or omissions that undermine the acts of the European Union stated in the preceding points.

prohibiting retaliatory or discriminatory acts pursuant to art. 19 of Legislative Decree 24/2023, direct or indirect, against the whistleblower and the facilitators for reasons related, directly or indirectly, to the whistleblowing report, also through communication to INPS;
adopting the disciplinary sanctions foreseen by the Employer in accordance with the organisational model referred to in Law 231/2001 both with regard to those who violate the measures introduced to protect the reporting subject and those who file reports with malicious intent or through gross negligence that turn out to be unfounded;
fulfilling legal obligations (e.g. Euro Reg. 679/2016, Italian Legislative Decree 24 of 2023 on whistleblowing, etc.).

The legal basis of the processing is inherent in the need to fulfil a legal obligation to which the Data Controller is subject, with reference to the provisions contained in Legislative Decree 24 of 2023 on the ratification of EU Directive no. 2019/1937 regarding whistleblowing, as well as in Law no. 179 of 30 November 2017 (“Provisions for the protection of the authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship”) and in Italian Legislative Decree no 231 of 8 June 2001 (“Regulations governing the administrative liability of legal persons, companies and associations, including those without legal personality, pursuant to art. 11 of law no. 300 of 29 September 2000”).

In more detail, the processing of personal data carried out by the Data Controller is therefore necessary to fulfil a legal obligation to which the Data Controller is subject (art. 6, § 1, letter c) of Regulation 679/2016), and, with regard to particular categories of data (art. 9, § 2, letter b) of Regulation 679/2016) or to data relating to criminal convictions and offences, may also be considered necessary for the performance of a task of public interest contemplated by the law (art. 6, § 1, lett. e) and art. 9, § 2, lett. g) and 10 of the Regulations.

The personal data of those reported may also be used for the fulfilment of legal obligations. The data of the reporting parties may be processed only in the cases provided for by current legislation.

The provisions for protecting the privacy and security of personal data processed on the sites linked from or to the Exprivia Group site are not covered by this privacy policy. Therefore, Exprivia is not responsible for the privacy practices of these sites.

METHOD OF DATA PROCESSING AND STORAGE

Personal data is processed with automated means (e.g. using electronic procedures and media) and/or manually (e.g. in hard copy format) for the time strictly necessary to achieve the purposes for which it was collected and, in any case, in compliance with the applicable legal provisions on the matter and therefore no later than five years from the date of the communication of the final outcome of the whistleblowing procedure, as provided for in art. 14 of Legislative Decree 24/2023.

Specific security measures are followed to prevent data loss, unlawful or incorrect use, and unauthorised access. No automated decision-making and profiling will be applied to the collected data.

After this period, the data will be deleted or anonymised, unless further retention is required to fulfil legal obligations or to comply with orders issued by public authorities or to exercise the right of defence.

SPECIFIC NEWS FOR THE REPORTING CHANNEL CONSISTING OF THE IT PLATFORM

The Data Controllers do not track whistleblowers who use the IT channel.

SPECIFIC NEWS FOR THE WHISTLEBLOWING CHANNEL CONSISTING OF DIRECT MEETINGS

The whistleblower, pursuant to art. 13 of Legislative Decree 24/2023, may request to be heard by the Internal Whistleblowing Office to submit the report through a direct meeting.

In this case, in accordance with the provisions of Italian Legislative Decree 24/2023, art. 14, paragraph 4, the minutes of the meeting shall be drawn up.

If the minutes are drawn up, the whistleblower has the right to verify, rectify and confirm the minutes of the meeting by signing them.

SPECIFIC NEWS FOR THE REPORTING CHANNEL CONSISTING OF THE TELEPHONE LINE

The whistleblower may also submit his/her allegations of an unlawful act by telephone.

The whistleblowing report is documented in writing through a report of the conversation, by the Internal Whistleblowing Office; the whistleblower verifies, rectifies or confirms the content of the detailed report by signing it.

In the short statement issued over the phone, reference is made to the link where this extended statement can be found.

DATA CONTROLLER, DATA PROTECTION OFFICER (DPO) AND APPOINTEES

Independent Data Controllers of personal data relating to identified or identifiable persons collected through this system are the Companies belonging to the Exprivia Group:

Exprivia S.p.A. with registered offices in Via A. Olivetti, 11- Molfetta (BA);
Exprivia Projects S.r.l. with registered offices in Via della Bufalotta 378 – Rome.

for Exprivia S.p.A. at the following email address: DPO_ExpriviaSpa@exprivia.com
for Exprivia Projects Srl at the following email address: DPO_ExpriviaProjects@exprivia.com

The processing connected to the web services of this site are exclusively handled by technical personnel, appointed/authorised and trained in the correct processing of personal data which, under no circumstances, will be disseminated.

For the purposes of managing the whistleblowing procedure, the persons authorised to the data processing were also identified as the parties who make up the Whistleblowing Report Office pursuant to art. 2 quaterdecies of the Privacy Code.

The whistleblowing report management office is an internal office. For contact details and composition of said office, see the Whistleblowing Procedure published on the websites of the Data Controller companies.

COMMUNICATION AND/OR DISSEMINATION OF DATA

The recipients of the data collected following the whistleblowing report, if necessary, are the Judicial Authorities, the Court of Auditors and the ANAC.

In particular, data may be transmitted to:

external consultants (e.g. law firms) possibly involved in the investigative phase of the report;
the members of the Internal Whistleblowing Office and the corporate functions involved in the review and assessment of the reports;
organisational positions tasked with carrying out investigations on reports in cases where their knowledge is essential in order to understand the reported events and/or to conduct the relative related investigation and/or processing activities;
institutions and/or Public Authorities, Judicial Authorities, Police Entities, investigative Agencies;
supervisory body appointed pursuant to Legislative Decree 231/2001 where the report concerns a predicate offence or the violation of the Organisational Model 231;
manager responsible for the prevention of corruption and transparency (RPCT – Responsabile prevenzione corruzione e trasparenza ), where appointed;
the reported person where knowledge of the identity of the whistleblower is necessary for the defence of the reported person;
INPS and ANAC when retaliatory acts against the reporting party have been confirmed

The personal data collected are, above all, processed by the Data Controller’s staff who make up the Internal Whistleblowing Office and act on the basis of specific instructions provided for the purposes and procedures of the same processing.

These instructions are contained both in the specific procedure published on the website and in the instructions prepared also for training purposes.

The personal data collected will not be disseminated, nor will it be transferred to third countries (outside the EU).

DATA RETENTION

The Data Controllers are required to retain the whistleblowing report for no more than five years from the date of the final outcome of the reporting procedure (art. 14, paragraph 1, of the Decree). In the event that this outcome must be communicated to the whistleblower who provided his/her personal data, this term refers to the date of communication of the final outcome to the whistleblower as per the ANAC Guidelines resolution no. 211 of 11 July 2023.

The Data Controllers shall protect confidentiality during this period (without prejudice to the cases provided for in art. 12, paragraphs 3-5, of the Decree), and, after this period has elapsed, since the report would have to be cancelled, the possibility of tracing the identity of the whistleblower would in any case be removed (Part One, Section 4.1.3)

All data received in the whistleblowing report that are clearly irrelevant with respect to the reported matter will be erased.

Erasure shall take place in different ways depending on how the whistleblowing report is received, i.e. by deletion, destruction, etc.

Erasure from the IT platform, for example, will take place through deletion.

During the entire period of data storage, the whistleblower who has decided not to remain anonymous (and who may use the system of protection against retaliation), has the right of access to all documents relating to the investigation and proceedings until they are cancelled.

DATA SUBJECT RIGHTS

The “data subjects”, i.e. the natural persons to whom the data refers, have the right, at any time, to access the information concerning them and to ask for its updating, rectification and supplementation, as well as erasure, anonymisation or blocking, the restriction of processing, and data portability, as well as to object to, for legitimate reasons, data processing in full or in part, in accordance with articles 15 to 22 of EU Regulation 2016/679.

Furthermore, if the processing of their data is based on consent, the data subjects may withdraw it at any time (for example for the purpose of communicating the identity of the reported person, where this knowledge is not essential for his/her defence). The withdrawal of consent does not invalidate the previous processing. Please note that the interested party can always oppose the processing for promotional purposes.

Portability consists of the right of the interested party to receive, in a structured format, commonly used and readable by an automatic device, the personal data provided to the Data Controllers, as well as the transmission of the same to another data controller, and this at any time, even upon the termination of any relationships with the Data Controllers.

The processing of personal data for IT security purposes or for protection needs fall in the category of processing for the legitimate interests of the Controller, in which case the data subject may object only for reasons connected to his or her specific situation, which the Controller will evaluate without prejudice to the execution of the defensive purposes.

For any information regarding the processing of data, as well as to exercise the rights provided for in articles 15 to 22 of EU Regulation 2016/679, users can send an email to the addresses of the DPO specified above.

Furthermore, interested parties have the right to contact the Data Protection Authority for the protection of personal data or other authorities to lodge a complaint regarding the processing of their personal data, in the event of a breach of law, pursuant to art. 77 of the GDPR information.

L'articolo Reporting party privacy policy proviene da Exprivia.