Dear Sir/Madam,

The Company TIV Valves S.r.l., in its capacity as Data Controller (hereinafter also referred to as the “Company” or “Data Controller”), wishes to inform you of the purposes and methods of processing of the personal data provided by you through the Company’s platform for the management of reports of wrongdoing (hereinafter referred to as “whistleblowing”).

1. Contact

The Data Controller can be contacted at the dedicated e-mail address privacy.tiv@fiorentini.com or at the Headquarters located at 17 Via Fratelli Rosselli, Rescaldina (MI).

2. Purpose of this information document

This information notice enables you to know the nature of your personal data, the purposes and methods of their processing, their recipients (if any), and your rights.

3. Categories of personal data processed

Personal data: The categories of data to be processed are ordinary personal contact data, professional data or other personal identification data provided by the reporting person about him/herself or about third parties. The reports and in any documents annexed thereto may contain personal information, as well as any data acquired during the investigation by the body in charge.

Since suspected violations can also be reported anonymously, the reporting parties are not required to disclose their personal data.

Special categories of data and data relating to offences: As part of the handling of reports, the Company may process certain special categories of personal data provided on the whistleblowing platform, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to a person’s health or sexual life or sexual orientation, or data relating to offences.

4. Purpose of data use and basis of legitimacy

The data provided by the reporting person are processed for the purpose of carrying out the necessary investigative activities aimed at verifying the merits of the reported fact and the adoption of the consequent measures. The reports concern violations of national or EU regulatory provisions that harm the public interest or the integrity of the public administration or of the private entity in a public or private employment context.

Below are the purposes of the processing with the relevant legal basis:   

In addition, the aforementioned data are used to carry out all activities that are instrumental and ancillary to these and in any case necessary for the furtherance of the purposes.

5. Possible collection of data in addition to the indicated categories

In the course of examining the report, it cannot be ruled out that the persons and bodies in charge will receive information containing identification data, professional data, or other categories of personal data, which will in any case be processed in accordance with this information notice.

6. Methods of data use

In relation to the aforementioned purposes, the processing will be carried out using both manual and IT tools in compliance with the regulations in force and the principles of fairness, lawfulness, transparency, relevance, completeness, accuracy and with organisational and processing logics strictly related to the purposes pursued and in any case in such a way as to guarantee the security, integrity and confidentiality of the processed data, pursuant to Art. 32 of GDPR 2016/679. The security measures include, among others, encryption of communications.

The personal data will be processed exclusively by the staff in charge of handling reports or by staff who need them because of their duties or by virtue of their hierarchical position within the organisational unit responsible for handling the reports. The authorised persons will act under a confidentiality obligation, taking appropriate security measures.

Any personal data identifying the reporting person are stored separately from the reports made by the latter, so as to ensure anonymity. The reporting person’s identity can, in fact, only be associated with the report by the staff responsible for handling reports. In addition, the reporting person is given a unique identification code that guarantees his or her anonymity in order to “converse” with the person responsible for handling the report in a depersonalised manner and to be constantly informed of the processing status of the report sent.

7. Scope of data circulation

The Company collects personal data through the wrongdoing reporting platform and processes them, either directly, as Data Controller, or by availing itself of the work of other persons, duly designated and instructed for the purpose, who will act as Persons Authorised to carry out processing operations, as well as of external companies that perform services of various kinds on behalf of the Company, also in their capacity as Data Processors pursuant to Art. 28 of the GDPR (e.g. companies providing IT or legal services) only for the purposes described in this information notice.

Some information may be disclosed to autonomous Data Controllers, such as public bodies or law firms, only when the legal requirements are met.

The list of Data Processors can be provided on request by contacting the Data Controller as indicated in section “1. Contact”.

8. Nature of the provision

The provision of personal data is compulsory for the performance of the activities envisaged in the preceding paragraph “Purposes of data use and basis of legitimacy”, and any refusal to provide such data will make it impossible to execute and regularly handle your report. However, you may decide to remain anonymous when filing your report.

9. Consent

Pursuant to Articles 6 and 7 of the GDPR, the Company may use the identity of the reporting person and any other information from which that identity may be inferred, directly or indirectly, for the purposes of disciplinary proceedings requiring disclosure, only with the reporting person’s express consent to the processing of the personal data. Please see the purpose of paragraph 4, number 4.

The consent of the reporting person is not required for the handling of the report and any disciplinary proceedings or court cases; therefore, the report will be handled in accordance with the law and company procedures.

We inform you that consent may be revoked at any time by following the procedures set out in the section “Exercise of rights”. Withdrawal of consent does not affect the lawfulness of processing based on it prior to withdrawal.

10. Non-dissemination of the data

The data will not be disseminated to unspecified persons.

11.  Transfer of the data abroad

The data are stored and in any case processed within the European Union. Within the scope of the above-mentioned purposes, the aforementioned personal data will not be transferred to non-EU countries.

12. Data retention period

The reports and the related documentation are kept for as long as necessary to process the report and in any case no longer than 5 years from the date of the communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations set out in European and national data protection legislation.

13. Exercise of rights

You may at any time obtain from the Data Controller, if the conditions are met, access to and the rectification, erasure or restriction of the processing of the personal data concerning you (Articles 15 et seq. of the GDPR). You may also revoke your consent at any time.

The application should be addressed to the contact points indicated in section “1. Contact”, preferably by including the words “Request to exercise privacy rights” in the subject line.

Data subjects who consider that the processing of their personal data carried out in this way violates the provisions of the data protection regulations have the right to lodge a complaint with the Italian Data Protection Authority pursuant to Art. 77 of the GDPR (https://www.garanteprivacy.it/reclamo) or address the courts (Art. 79 of the GDPR and Art. 140-bis, of (It.) Legislative Decree no. 196/2003 - Privacy Code).