Reported party privacy policy

Information on the processing of personal data within the context of whisteblowing reporting

The following information is provided for the purpose of transparency towards the reported person and any interested party potentially referred to in a report (hereinafter jointly "reported"), first of all to make them aware of the limits on the exercise of certain rights provided for by Regulation (EU ) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR):

  • Right to information - the right to be informed about the processing of personal data pursuant to articles 12 and 14 of the GDPR receives a limitation in light of the obligations of secrecy and confidentiality imposed by Legislative Decree no. 231/2001, as amended by Law no. 179/2017, as well as the risk of making it impossible or seriously jeopardizing the achievement of the purposes of the processing connected to the reports in the context of the whistleblowing system (see Article 14, paragraph 5, letters b) and d) of the GDPR).
  • Other rights of the interested party - the rights referred to in articles 15 to 22 of the GDPR are not precluded in absolute terms to the interested party but cannot be exercised (with a request to the Data Controller or with a complaint pursuant to article 77 of the GDPR) also with regard to the knowledge of the source of the data, if this could result in an effective and concrete prejudice to the confidentiality of the identity of the reporting party (see article 2-undecies of the Privacy Code and article 23 of the GDPR). Art. 2-undecies of the Code, in fact, establishes in its paragraph 3, in relation to the specific limitations to the rights of the interested party provided for in paragraph 1 with reference to the institution of whistleblowing, that in this case the rights in question can be exercised through the Guarantor in the manner set out in art. 160 of the same Code.

In particular, we inform the reported that the exercise of these rights:

  • will be carried out in accordance with the provisions of the law or regulations governing the sector (including Legislative Decree 231/2001 as amended by Law no. 179/2017);
  • may be delayed, limited or excluded with a reasoned communication sent without delay to the interested party, unless the communication could compromise the purpose of the limitation, for the time and within the limits in which this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the interested party, in order to safeguard the confidentiality of the identity of the whistleblower and in order to safeguard certain interests such as carrying out defensive investigations or exercising the right of defence;
  • in such cases, the rights of the interested party can also be exercised through the Guarantor in the manner referred to in Article 160 of the Privacy Code, in which case the Guarantor informs the interested party that it has carried out all the necessary checks or has carried out a review, as well as the right of the interested party to lodge a judicial appeal.

The exercise of the rights by the reported person (including the right of access) may therefore be carried out within the limits in which the applicable law allows it and, in particular, it is noted that the request will be analysed by the responsible bodies in order to reconcile the need to protect the rights of individuals with the need to combat and prevent violations of the rules of good corporate management or of the applicable regulations on the subject.

Categories of personal data and source of collection

The personal data relating to the reported person is collected through the report and related documentation provided by the reporting party. The personal data relating to the reported will be included in the following categories:

  • personal data (e.g. name, surname, place and date of birth);
  • contact details (e.g. e-mail address, telephone number, postal address);
  • data of a professional nature (e.g. hierarchical level, business area of which they are part, company role, type of relationship entertained with the companies of the Exprivia Group or other third parties, profession);
  • any other information referring to the reported that the whistleblower decides to share with the Data Controller in order to better substantiate their report, in relation to:
    • unlawful relevant conduct pursuant to Legislative Decree 231/2001 or violations of the organization and management model of the entity;
    • irregularities and/or unlawful conduct, whether of commission or omission, which constitute or may constitute a violation of the principles enshrined in the Code of Ethics of the Exprivia Group, of company policies and rules and/or which may result in fraud or damage, even potential, against colleagues, shareholders and stakeholders in general or which constitute acts of an illicit nature or detrimental to the interests and reputation of the company itself;
    • improper or suspicious activities and payments, other than expenses or contributions expressly provided for by the Data Controller companies, or donations made by the holding companies to public officials or donation requests that such public officials or private entities may make.

Data Controller, data protection officer and appointees

The Data Controllers of personal data relating to identified or identifiable persons collected through reporting are the Companies part of the Exprivia Group:

  • Exprivia S.p.A. with registered office in Via A. Olivetti, 11- Molfetta (BA);
  • Exprivia Projects Srl with registered office in Viale del Tintoretto 432 – Rome.

The Data Controller of the data processing have appointed a Data Protection Officer in compliance with article 37 et seq. of EU Regulation 2016/679, who may be contacted:

The processing connected to the report is handled exclusively by appointed/authorized personnel, trained in the correct processing of personal data which, in no case, will be disclosed.

Purpose of the processing

The processing is carried out with the objectives of:

  • initiating the necessary investigative activities aimed at verifying the validity of the fact subject to reporting, learned in the execution of the employment relationship, in relation to illegal or fraudulent activities, relevant pursuant to decree 231/2001 and subsequent amendments, and based on precise and consistent factual elements, or on violations of the organization and management model of the Companies of the Exprivia Group, of which they have become aware due to the functions performed;
  • Prohibiting retaliatory or discriminatory acts, direct or indirect, towards the reporting subject for reasons connected, directly or indirectly, to the report, also through communication to INPS;
  • Adopting disciplinary sanctions on the part of the Employer in accordance with the organizational model referred to in Law 231/2001 both towards those who violate the protection measures of the reporting subject and towards those who make reports with intent or gross negligent reports that turn out to be unfounded.

The legal basis of the processing must be identified in the legitimate interest of the data controller, (pursuant to Article 6 letter f) of the GDPR).

With reference to the "particular" data referred to in art. 9 of the GDPR (e.g. data on health, race, ethnicity, sexuality, political, trade union and religious beliefs, genetic data, biometric data, etc.) it must be considered that the legal basis is that provided by art. 9, par. 2 lett. f), that is the ascertainment, exercise or defence of a right in court, it being understood that, for some aspects related to the employment relationship, the legal basis can be found in lett. b) of the same provision.
On the other hand, with regard to judicial data, collection can be carried out if prior to the prevention of criminal liability of the company in accordance with the rationale of law 231/2001 in compliance with the provisions of art. 10 of the GDPR.

The personal data of the reported may also be used for the fulfilment of legal obligations in the case of reports made in relation to the performance of activities for the provision of services in favour of public bodies Exprivia carries out pursuant to art. art. 54 bis, paragraph 2, of Italian Legislative Decree 165/2001.

Methods of data processing and storage

Personal data is processed with authorised tools (e.g. using electronic procedures and supports) and/or manual (e.g. in paper format) for the time strictly necessary to achieve the purposes for which it was collected and, in any case, in compliance with the applicable legal provisions on the matter. Specific safety measures are observed to prevent the loss of data, illicit or incorrect uses and non-authorised access.

Data collected will not be subject to any automated decision-making process nor any form of profiling.

After this term has elapsed, the data will be deleted or anonymised, without prejudice to their further storage being necessary to fulfil legal obligations or to comply with orders issued by Public Authorities.

Data communication

The recipients of the data collected following the report, where appropriate, are the Supervisory Body, the Judicial Authority, the Court of Auditors (for reports made with reference to the activities of the entities in favour of which the Group companies provide public services) and the ANAC.

In particular, data may be transmitted to:

  • external consultants (e.g. law firms) possibly involved in the investigative phase of the report;
  • corporate functions involved in the activities for the receipt, examination and assessment of reports;
  • manager(s) of the function(s) involved in the report (e.g. Internal Audit function, Legal function, Supervisory Body or other reference function with respect to the reported subject);
  • organisational positions with the task of carrying out investigations on reports in cases where their knowledge is essential for the understanding of the reported events and/or for the performance of the related investigation and/or processing activities;
  • institutions and/or Public Authorities, Judicial Authorities, Police Bodies, investigative Agencies;
    supervisory body appointed pursuant to Italian Legislative Decree 231/2001;
  • manager responsible for the prevention of corruption and transparency (RPCT), where appointed;
  • INPS when retaliatory acts against the reporting party have been confirmed.


Personal data so collected is also processed by the Data Controller's personnel, who act on the basis of specific instructions provided for the purposes and procedures of the same processing. Personal data so collected will not be object of distribution, nor will it be transferred to third countries (extra-EU).