Send a report with the outmost confidentiality.
Useful Links
What to report Learn more

Privacy

Information on the processing of personal data pursuant to Articles 13 and 14

of Regulation (EU) 679/2016 ('GDPR')

 

This information notice on the processing of personal data is provided, pursuant to and for the purposes of Articles 13 and 14 of the GDPR, to all persons who make a report of which they have become aware or have witnessed, as part of their relationship with Socrate S.p.A., as well as to other persons involved in the report for any reason whatsoever.

The disclosure therefore applies whenever a report is made by one of the methods indicated in the Whistleblowing Procedure adopted by the Controller and as updated from time to time.

  1. Data controller

The data controller is Socrate S.p.A., with registered office in Via Papa Giovanni XXIII, 5 - Rodano (MI), Italy, VAT no. 07210150152, R.e.a. no. MI-1146454 (hereinafter, for brevity, 'Data Controller')

 

  1. Categories of personal data and their collection

As part of the receipt and assessment of reports, the Controller may process the following data:

  1. Common personal data of whistleblowers and, where present, of reported persons (e.g. name, surname, contact details);
  2. Personal data contained in reports (including, where applicable, data belonging to special categories under Article 9 GDPR and personal data relating to criminal convictions and offences under Article 10 GDPR).
  3. Personal data of reported persons and any third parties involved.
  1. Data source

The processed data are collected by the Data Controller through the report and through any subsequent contact of the reporter with the Data Controller, or may be collected by the Data Controller itself from third parties - internal or external - , from public databases, from other freely accessible sources, online and offline, and in general from any other source to enable the Data Controller to carry out the necessary checks for handling the report, in accordance with the provisions of the Whistleblowing Procedure adopted by the Data Controller.

  1. Purpose and legal basis of processing
  • Purpose 1: to implement the Whistleblowing Procedure and, therefore, with the aim of carrying out the necessary investigative activities aimed at verifying the merits of the fact being reported and the adoption of the consequent measures. Furthermore, the adoption of an internal computerised reporting channel constitutes an obligation for the Data Controller pursuant to Legislative Decree no. 24 of 10 March 2023, which transposes and implements in Italy Directive (EU) 2019/1937. Legal basis of the processing: the processing is necessary for the fulfilment of legal obligations. Period of data retention: for the time necessary to process the report. In any case, the data are retained for the period of time necessary for the processing of the report and in any case no longer than 5 years from the date of the communication of the final outcome of the reporting procedure in compliance with the confidentiality obligations set out in Article 12 of Legislative Decree no. 24/23. If the data collected are clearly unnecessary or excessive for the processing of the report, they will be immediately deleted by the Data Controller.
  • Purpose 2: purposes of judicial protection, to prevent or prosecute offences. Legal basis of the processing: the legitimate interest of the Controller to protect its rights and to prevent unlawful acts. Period of data retention: without prejudice to the above, in the event of legal proceedings, data may be processed for defence purposes until the judgment/judgment becomes final.  If the data collected is manifestly unnecessary or excessive for the processing of the report, it will be immediately deleted by the Data Controller.
  1. Obligation to provide data and consequences of refusal

The provision of the data of the reporter, which will be treated confidentially as required by law and in particular by Legislative Decree 24/23, and those contained in the report is necessary so that the report can be received, verified and processed.

  1. Disclosure of personal data

For one or more of the above purposes, we may share data with the following recipients:

  • service providers;
  • Judicial authorities or independent administrative authorities.

With the exception of the Judicial Authority and independent administrative authorities, all of the aforementioned recipients process data under a specific agreement on the processing of personal data pursuant to Article 28 GDPR, as data controllers. You can obtain the updated list of data processors at any time by contacting the Controller at the addresses indicated above.

  1. Transfer of personal data to a third country

The data will be processed and stored within the European Union, at the systems of the Data Controller's suppliers, who act as data controllers according to agreements in accordance with Article 28 GDPR.

  1. Rights of the data subject

We inform you that, as a data subject, pursuant to Articles 15 to 22 of the GDPR, you have the right to:

  1. request access, rectification, deletion, restriction of data concerning you;
  2. object to the processing of their data;
  3. obtain data portability, i.e. to receive the data from the Controller in a structured, commonly used and machine-readable format and to transmit them without hindrance to another controller, including by direct transmission of the data, if technically feasible;
  4. revoke consent to the processing of data if it constitutes the legal basis for the processing. In this case, the data processing carried out before the revocation remains lawful;
  5. file a complaint with the competent supervisory authority;
  6. requesting information on: the purposes of the processing; the categories of data; the recipients or categories of recipients to whom the data have been or will be disclosed, in particular if the data are transmitted to recipients in third countries or international organisations; the data retention period; if the data are not collected from the data subject, all available information on their origin.

You may exercise these rights by contacting the Controller at privacy@socrate.it.

The exercise of these rights may be subject to limitations in the cases provided for in Article 2-undecies of Legislative Decree 196/2003, as last amended by Legislative Decree 24/2023.

We would also like to inform you that, as a data subject, you have the right to lodge a complaint under Article 77 GDPR with the Data Protection Authority as supervisory authority.