Reported party privacy policy

Information sheet on the processing of personal data as a part of the reporting procedure - whisteblowing 

People involved


The companies Exprivia S.p.A. and Exprivia Project S.r.l., each in its capacity as data controller, provide the following privacy information pursuant to art. 13 and 14 GDPR expressly referenced in art. 13 of Legislative Decree 24/2023 implementing EC Directive 2019/1937 of the European Parliament and Council of 23 October 2019, concerning the protection of persons who report violations of EU law and laying down provisions concerning the protection of persons reporting violations of national regulatory provisions.

The following information is provided for the purpose of transparency towards the reported person and any interested party potentially referred to in a report and therefore involved in the same (hereinafter jointly referred to as the "reported subject"), primarily to make them aware of the limitations imposed on the exercise of certain rights foreseen by (EU) Regulation 2016/679 of the European Parliament and Council of 27 April 2016 (GDPR):

  • Right to information - the right to be informed about the processing of personal data pursuant to articles 13 and 14 of the GDPR is restricted in light of the secrecy and confidentiality obligations imposed by Art. 12 of Legislative Decree no. 24/2023 which guarantees the confidentiality of the data, as well as the risk of undermining or seriously hindering the pursuit of the purposes of the processing connected to the reports filed as part of the whistleblowing system (see Article 14, paragraph 5, letters b) and d) of the GDPR).
  • Other rights of the data subject - the rights referred to in articles 15 to 22 of the GDPR are not ruled out in absolute terms for the interested party but cannot be exercised (by filing a request with the Data Controller or a complaint pursuant to article 77 of the GDPR) even regarding knowledge of the source of the data, if this might effectively and tangibly constitute a prejudice to the secrecy of the reporting party's identity (see article 2-undecies of the Privacy Code and article 23 of the GDPR). Art. 2-undecies of the Privacy Code, as of 15 July 2023 under paragraph 3, regarding the specific limitations on the rights of the interested party, effectively establishes that the rights cannot be exercised whenever the confidentiality of the identity of the person who reports the violations they have become aware of during their employment relationship or other functions as required by EU Directive 2019/1937 concerning the reporting of violations of European Union rules, or that reports the violations referred to in Articles 52 bis and 52 ter of Legislative Decree 385/1993 (i.e. violations of the Bank of Italy by bank personnel) or the reports presented before Consob or the Bank of Italy by bank personnel is effectively and tangibly threatened.

In particular, in fulfilling the obligation pursuant to art. 2 undecies paragraph 3 of the Privacy Code, the reported person and the other persons involved are informed that the exercise of their rights referred to in articles 15 - 22 of the GDPR:

  • may stand, where the source of the data and therefore knowledge of the whistleblower's identity is concerned, only if the whistleblower has given his/her consent or whenever knowledge of the whistleblower's identity is essential for the accused to be able to mount a defence. The reported party is informed that in this latter case the whistleblower has the right to know, in writing, the reasons behind the disclosure of the confidential data when knowledge of his/her identity is essential for the defence of the person involved (see Article 12, paragraphs 5 and 6 of Legislative Decree 24/2023);
  • may stand within the limits set forth in art. 2 undecies of the above Privacy Code (see art. 13 paragraph 3 of Legislative Decree 24/2023) and may be performed in accordance with the provisions of the law or regulation that govern the sector (including Legislative Decree 231/2001 );
  • may be delayed, limited or ruled out with a reasoned communication sent without delay to the interested party, unless the communication may compromise the purpose of the limitation, for the time and within the limitations required of a necessary and proportionate measure, having taken into due account the fundamental rights and legitimate interests of the interested party, in order to safeguard the confidentiality of the identity of the whistleblower and in order to safeguard certain interests inherent in the performance of defensive investigations or the exercise of rights to defence;

In such cases, the rights of the interested party may also be exercised through the Italian Data Protection Authority according to the provisions of Article 160 of the Privacy Code, in which case the Italian Data Protection Authority informs the interested party that it has carried out all the necessary checks or reviews, or the interested party may also exercise the right to lodge a judicial appeal.

The exercise of the rights by the reported person (including the right of access) may therefore be upheld within the limits foreseen by applicable law and, in particular, it is noted that the request will be assessed by the entities entrusted with this task in order to reconcile the need to protect the rights of individuals with the need to combat and prevent violations of the rules of good corporate management or of the regulations applicable in this field.

Categories of personal data and source of collection

The personal data related to the reported person is collected in the context of the report and the documentation provided by the reporting party. The following categories of personal data relating to the reported party may be collected:

  • personal data (e.g. name, surname, place and date of birth);
  • contact details (e.g. e-mail address, telephone number, postal address);
  • data of a professional nature (e.g. hierarchical level, affiliated business area, company role, type of relationship entertained with the companies of the Exprivia Group or other third parties, profession);
  • any other information referring to the reported party that the whistleblower decides to share with the Data Controller in order to better substantiate their report, regarding:
    • relevant unlawful conduct pursuant to Legislative Decree 24/2023 such as civil, criminal, administrative and accounting offences and violations of European Union regulations as well as significant unlawful conduct pursuant to Legislative Decree 231/2001 or violations of the entity's organisation and management model;
    • irregularities and/or unlawful conduct, whether through commission or omission, which constitute or may constitute a violation of the principles enshrined in the Code of Ethics of the Exprivia Group, in company policies and rules and/or which may result in fraud or damage, even of a potential nature, against colleagues, shareholders and stakeholders in general or which constitute acts of an illicit nature or that may be deemed detrimental to the interests and reputation of the company itself;
    • improper or suspicious activities and payments, other than expenses or contributions expressly provided for by the Data Controller companies, or even donations made by said Data Controller companies to public officials or donation requests that such public officials or private entities may make.

Data Controller, data protection officer and appointees

The Data Controllers responsible for the processing of the personal data related to identified or identifiable persons collected through reporting are the Companies belonging the Exprivia Group:

  • Exprivia S.p.A. with registered offices in Via A. Olivetti, 11- Molfetta (BA);
  • Exprivia Projects Srl with registered offices in Via della Bufalotta 378 – Rome.

The Data Controllers have appointed a person responsible for the protection of personal data or Data Protection Officer in compliance with Art. 37 and following of EU Regulation 2016/679, who may be contacted:

The data processing connected to the report is handled exclusively by specifically appointed/authorised personnel, trained in the correct processing of personal data which, in no case, shall be disclosed.

You may contact the Data Controllers or the DPO at the emails indicated above to exercise these rights.

Purpose of the processing

The processing is carried out in order to:

  • undertake the necessary investigative activities aimed at establishing the validity of the reported facts, acquired in the execution of the employment relationship and related to illegal or fraudulent activities that may consist of civil, criminal, administrative or accounting offences or the failure to comply with the organisation model pursuant to decree 231/2001 and based on precise and consistent factual elements, or on violations of the organisation and management model of the Companies of the Exprivia Group, that have come to light as a result of the functions performed;
  • Ensure compliance with the prohibition to engage in direct or indirect retaliatory or discriminatory acts against the reporting party for reasons directly or indirectly connected to the report, also through communication to ANAC or the National Labour Inspectorate;
  • Adopt the disciplinary sanctions foreseen by the Employer in accordance with the organisational model referred to in Law 231/2001 both towards those who violate the measures introduced to protect the reporting subject and towards those who file reports with malicious intent or through gross negligence that turn out to be unfounded.

The legal basis of the processing, for all reports that concern civil, criminal, administrative and accounting offences as prescribed by national legislation or the European Union rules provided for in Directive 2019/1937, should be identified in fulfilment of the legal obligations of the data controller referred to in Legislative Decree 24/2023 implementing the aforementioned Directive. The legal basis is, therefore, constituted by art. 6 lett. C of the GDPR and where reports are made relative to the performance of activities for the provision of services in favour of public bodies the legal obligation is based on art. art. 54 bis, paragraph 2, of Italian Legislative Decree 165/2001.

With reference to the "special" data foreseen by art. 9 of the GDPR (e.g. data on health, race, ethnicity, sexual orientation, political, trade union and religious beliefs, genetic data, biometric data, etc.) the legal basis is to be found in the provisions of art. 9, par. 2 lett. f), which relates to the ascertainment, exercise or defence of a right in court, it being understood that, with regard to some aspects related to the employment relationship, the legal basis can be found in lett. b) of the same provision.

On the other hand, with regard to judicial data, collection can be carried out if it is designed to prevent the criminal liability of the company in accordance with the rationale of law 231/2001 and in compliance with the provisions of art. 10 of the GDPR.

Methods of data processing and storage

Personal data is processed with automated means (e.g. using electronic procedures and media) and/or manually (e.g. in hard copy format) for the time strictly necessary to achieve the purposes for which it was collected and, in any case, in compliance with the applicable legal provisions on the matter. Specific security measures are followed to prevent data loss, unlawful or incorrect use, and unauthorised access.

No automated decision-making and profiling will be applied to the collected data.

The documentation will be retained for a period of five years in accordance with the provisions of art. 14 of Legislative Decree 24/2023 and taking into account the provision related to administrative sanctions in the event of various non-compliances envisaged by art.   21 of Legislative Decree 24/2023 which make it therefore necessary to proceed with retention. Once this term has elapsed, the data will be erased or anonymised, unless their further retention is required to fulfil legal obligations or to comply with orders issued by Public Authorities or for defence-related needs.

Data transfer

The recipients of the data collected as a result of the report, where appropriate, are the Companies' internal whistleblowing offices, the Supervisory Authority, the Judicial Authority, the Court of Auditors (for reports made that refer to the activities of the entities in favour of which the Group companies provide public services), ANAC and the National Labour Inspectorate.

In particular, data may be transmitted to:

  • external consultants (e.g. law firms) possibly involved in the investigative phase of the report;
  • The Internal Office responsible for managing reports set up in compliance with the obligation pursuant to Legislative Decree 24/2023 and the corporate functions involved in the examination and evaluation of reports;
  • manager(s) of the department(s) involved in the report (e.g. Internal Audit department, Legal department, Supervisory Body or other reference departments for the reported subject);
  • organisational positions tasked with carrying out investigations on reports in cases where their knowledge is essential in order to understand the reported events and/or to conduct the relative related investigation and/or processing activities;
  • institutions and/or Public Authorities, Judicial Authorities, Police Entities, investigative Agencies;
  • supervisory body appointed pursuant to Legislative Decree 231/2001 exclusively for the predicate offences and in instances that involve the violation of the organisational models, of the specific approved procedures and of the Code of Ethics;
  • manager responsible for the prevention of corruption and transparency (RPCT), where appointed;
  • ANAC and National Labour Inspectorate when retaliatory acts against the reporting party have been confirmed.

The personal data collected are also processed by the Data Controller's personnel, who act on the basis of specific instructions provided in relation to the purposes and procedures of the same processing having first been appointed as an authorised data processor pursuant to art. 2 quaterdecies of the Privacy Code. The personal data collected will not be disseminated, nor will it be transferred to third countries (outside the EU).

You may exercise the rights referred to in art. 15 - 22 of the GDPR, without prejudice to the limitations of which you have also been informed in this information sheet, such as the right of access, rectification, erasure (right to be forgotten), limitation or portability through the Data Controllers at their offices or by email also to the DPO. Using the same methods, you can request the list of managers appointed pursuant to Art. 28 GDPR in relation to the processing referred to in this information sheet.