Send a report with the outmost confidentiality.

Privacy

INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR THE MANAGEMENT OF REPORTS OF VIOLATIONS REFERRED TO IN D.LGS. 24/2023 (CD. WHISTLEBLOWING)

1. Identity and contact details of the Controller
The Controller of personal data processing is Fondazione Human Technopole, with registered office in Viale Rita-Levi Montalcini 1, 20157, Milan (MI), Italy, Tel. +39/02-30247001, e-mail: gdpr@fht.org

2. Contact details of the Data Protection Officer
The Data Protection Officer (DPO) of Fondazione Human Technopole can be contacted at the following e-mail address: dpo@fht.org.

3. Purpose and legal basis of the processing
The processing of personal data will take place exclusively for purposes connected and consequent to the management of reports. These purposes include the carrying out of the preliminary investigation, the adoption of the consequent measures and any further activities necessary for the protection of the interest and integrity of HT according to the methods and limits established by the aforementioned relevant legislation.
The legal basis of the processing is the fulfillment of a legal obligation to which the data controller is subject. Furthermore, with reference to the adoption of any measures resulting from the report and further activities to protect the interest and integrity of HT, the pursuit of the relative legitimate interest of the controller and the need to ascertain, exercise or defend a right in court - in the forms and with the limits established by the aforementioned relevant legislation - may be relevant.

4. Data processed
HT will process the personal data that will be communicated by the whistleblower within the report as well as the additional data that HT may acquire as a result of the related investigation.
Such data may include the identity of the reporting person, the person concerned by and the person otherwise mentioned in the report, as well as the information contained in the report and related documentation.

5. Means of processing and security measures
The data will be processed using IT means that, in accordance with the aforementioned reference legislation, guarantee the confidentiality of personal data, also through the use of encryption.

7. Categories of recipients of personal data
The processing of data will take place only through duly authorized and instructed persons.
HT may use data processors (such as possible external parties responsible for the management, maintenance and administration of the reporting system) solely though specific agreements and appointments, as well as in the presence and in compliance with the conditions established by regulations in force (ref. Article 28 GDPR and Legislative Decree 24/2023).

The data may be communicated to other recipients where required or foreseen under applicable regulations (for example, upon request from the Judicial Authority).
The transfer of data outside the European Economic Area is not foreseen. If this proves necessary or appropriate, possible transfers can solely take place in the presence and in compliance with the conditions established by the regulations in force (ref. articles 44 and following of the GDPR).

9. Data retention
Personal data will be kept for the purpose of receiving and managing the report only for the time necessary to process the report itself and in any case no later than five years from the date of communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations referred to in the aforementioned reference legislation and referred to in the legislation on the protection of personal data.
Personal data that are manifestly not useful for the management of a specific report are not processed or, in any case, are deleted without delay.
10. Rights of the interested party
The interested parties may at any time exercise the rights provided for in articles 15 and following of the GDPR, by contacting the Controller at the contacts indicated in par. 1 of this information notice.

11. Complaint to the Supervisory Authority
Pursuant to art. 77 GDPR; data subjects have the right to lodge a complaint with a Supervising Authority (for Italy, the l’Autorità Garante per la Protezione dei Dati Personali).

* * *

Milan, 14 July 2023