INFORMATION ON THE PROCESSING OF PERSONAL DATA ON THE WHISTLEBLOWING PLATFORM
pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)
Dear User,
The company Metropolitan S.p.A., with registered office in Riva degli Schiavoni 4149, Venice (VE), Italy, in its capacity as data controller (‘Company’ or ‘Controller’), is required to provide you with some information regarding the processing of personal data collected through the channels accessible through the ‘VarWhistle’ platform (‘Platform’) of a specialist provider (Serenissima Informatica S.p.A.) and which the Company has made available to those who intend to send, in accordance with the provisions of the whistleblowing procedure (hereinafter, the ‘Whistleblowing Procedure’ or ‘Procedure’), a report with the related documentation (‘Report’) of the breaches indicated in the Procedure itself, in implementation of the provisions of Legislative Decree No. 24 of 10 March 2023 (‘Decree’).
1. WHAT PERSONAL DATA MAY BE COLLECTED?
If a Report is made, the Company will, through the internal committee comprising Marta Ardit and Roberta Rampazzo (Administration Manager and Personnel Office Manager respectively), and the external health and safety officer (RSPP) Sergio Maroli (‘Report Manager’ or ‘Manager’) as well as additional persons authorised with reference to the following data subjects (‘Data Subjects’) already defined by the Decree:
(a) person making the report (the ‘Reporting Person’)
(b) person concerned, person reported, person mentioned in the report and the facilitator,
collect and process the relevant personal data entered by the Reporting Person (e.g. via the free text fields in the registration form) in the Report, such as:
• identifying data and contact data, e.g. name and surname, home address, email, date of birth. The Reporting Person’s identifying data will not be collected if an anonymous report is made that contains the essential elements required by the Procedure;
• employment data, e.g. occupation, position, company role;
• facts, acts and any other content of the Report;
• financial and economic data, e.g. information on current accounts, credit cards, sums of money, emoluments;
• images, photos, audio and voice recordings;
(collectively ‘Personal Data’).
Reports may be made by accessing the Platform at the following address: https://hotelmetropole.com. Reports are made in written form on the Platform.
Outside of the Platform, Reports may be made verbally by telephone or by voice message or, upon the request of the Reporting Person, at a face-to-face meeting scheduled within a reasonable time frame.
Reports made verbally during a meeting requested by the Reporting Person will be documented, subject to the consent of the Reporting Person, either by being recorded on a device suitable for both storage and listening or by being minuted.
The Report must not contain facts that are not relevant for the purposes of the Report, nor special categories of personal data, pursuant to Article 9 of the GDPR (‘Special categories of data’ are data that could reveal, among other things, a person’s racial and ethnic origin, religious or philosophical beliefs, political party or trade union membership, data concerning a person’s health, sex life or sexual orientation), nor data relating to criminal convictions and offences, pursuant to Article 10 of the GDPR, except in cases where this is inevitable and necessary for the purposes of the Report.
Without prejudice to the above, the Controller hereby makes available to the Data Subjects the information concerning the processing of their personal data, reserving the right to provide it again to the Data Subjects after the Report is made, in order to ensure the effectiveness of the Whistleblowing Procedure and not to compromise any investigations launched by the Company or the Authorities.
2. FOR WHICH PURPOSES MAY PERSONAL DATA BE USED?
A. Except in cases of anonymous Reports, where the Reporting Person’s identifying data are not collected, in all other cases Personal Data will be processed for purposes related to the receipt and management of the Report in accordance with the Decree and the Whistleblowing Procedure.
The basis for processing is compliance with a legal obligation to which the Controller is subject under Article 6(1)(c) of the GDPR as set out in the Decree.
Providing Personal Data is compulsory, since failure to do so would make it impossible for the Company to fulfil its specific legal obligations relating to managing the Reports and, consequently, it would be unable to guarantee the protection measures for Data Subjects required by the Decree.
B. Personal Data will be processed for purposes related to the need to defend rights in the course of judicial, administrative or out-of-court proceedings, and in the context of disputes arising in connection with the Report made. In addition, Personal Data may be processed by the Company for the purpose of taking legal action or asserting claims. The basis for processing is the legitimate interest of the Company under Article 6(1)(f) of the GDPR in order to protect its rights. In this case, a new and specific consent is not required, since the Company will pursue this additional purpose, where necessary, by processing the Personal Data collected for the purposes above, which are deemed compatible with this one (also by reason of the context in which the Personal Data was collected, the relationship between you and the Company, the nature of the Personal Data itself and the appropriate safeguards for its processing, as well as the link between purpose A and this additional purpose).
As stated in section 1 above, the Report must not contain Special Categories of data, except where unavoidable and necessary for the purposes of the Report itself. In this case, the lawfulness of the processing of such Personal Data is based on Article 9(2)(b) of the GDPR in relation to purpose A, and on Article 9(2)(f) of the GDPR in relation to purpose B.
With regard to any data relating to criminal convictions and offences, the lawfulness condition is found under Article 2-octies of Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 and by the Decree (‘Personal Data Protection Code’) – in fulfilment of the legal obligations set out in the Decree.
3. HOW DO WE KEEP YOUR PERSONAL DATA SAFE AND FOR HOW LONG?
Personal Data processing is governed by the principles of fairness, lawfulness, transparency, integrity and confidentiality. Processing is also carried out by means of automated methods designed to store, manage and transmit Personal Data. Processing will be carried out using appropriate instruments capable of guaranteeing security and confidentiality through the use of procedures designed to prevent the risk of loss, unauthorised access, unlawful use and dissemination. This takes place through the adoption of encryption techniques and the implementation of technical and organisational security measures defined, assessed and implemented also in the light of an impact assessment pursuant to Article 35 of the GDPR, such as the prohibition on the collection and/or storage of log files, IP addresses and forms of monitoring the Reporting Person.
The Personal Data contained in the Report will be kept for no more than 5 years from the date of communication of the final outcome of the Whistleblowing Procedure or until the conclusion of any judicial or disciplinary proceedings that may have been brought against the Person Reported or the Reporting Person, in compliance with the confidentiality obligations set out in Article 12 of the Decree and the principle set out in Article 5(1)(e) of the GDPR (storage limitation).
Personal Data that are manifestly not useful for processing a specific Report are not collected or, if accidentally collected, are deleted immediately.
4. WHO MAY WE SHARE YOUR PERSONAL DATA WITH?
Access to Personal Data will only be permitted by the Report Manager, whose staff have been authorised pursuant to Article 29 of the GDPR and Article 2-quaterdecies of the Personal Data Protection Code.
Subsequently, when ascertaining the merits of the Report, where necessary for the purposes of the investigation activities, Personal Data may be forwarded, in compliance with the principle of confidentiality, to staff or third parties (e.g. consultants) who are specifically authorised. More detailed information on the Report management process and the persons involved in it can be found in the Whistleblowing Procedure.
Personal Data may also be communicated, where necessary and appropriate, to public authorities (including administrative and judicial bodies and public safety agencies).
It should be noted that the Platform provider has been designated a processor by the Company under Article 28 of the GDPR.
5. INTERNATIONAL TRANSFER
Personal Data will be processed within the European Economic Area (EEA) and stored on servers located within the same EEA. However, as part of the processing in question, transfers of Personal Data to outside the European Union (EU) or the EEA may occur, also via service providers, albeit incidentally. Such transfer of Personal Data shall take place in compliance with Chapter V of the GDPR.
6. DATA PROTECTION RIGHTS AND THE RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY
Every Data Subject has the right to ask the Company, subject to the conditions set out in the GDPR and the Personal Data Protection Code, for:
a) access to Personal Data, as provided for under Article 15 of the GDPR;
b) rectification or integration of the Personal Data in the Company’s possession considered to be inaccurate, as provided for under Article 16 of the GDPR;
c) erasure of Personal Data for which the Company no longer has any legal basis for processing, as provided for under Article 17 of the GDPR;
d) restriction of the way the Company processes Personal Data if one of the cases provided for under Article 18 of the GDPR applies;
e) a copy of the Personal Data you provided to the Company in a structured, commonly used and machine-readable format and the transmission of such Personal Data to another controller (portability), as provided for under Article 20 of the GDPR.
Right to object: in addition to the aforementioned rights, the Data Subject has the right to object, on grounds relating to your situation, at any time to processing of Personal Data concerning you by the Company for the pursuit of its own legitimate interest, as provided for under Article 21 of the GDPR.
The Data Subject has the right to lodge a complaint with the Garante per la protezione dei dati personali (the Italian Personal Data Protection Authority) under Article 77 of the GDPR, using the contact information available on the website www.garanteprivacy.it, or to take appropriate legal action.
The above rights can be restricted pursuant to and for the purposes of Article 2-undecies(1)(f) of the Personal Data Protection Code, if the exercise of those rights may prove factually and concretely detrimental to the confidentiality of the person reporting breaches they have become aware of on account of their employment or the tasks they discharged, pursuant to the Decree.
In such cases, the rights of the Data Subject may also be exercised through the Garante (Italian Personal Data Protection Authority) in the manner set out in Article 160 of the Personal Data Protection Code. In this case, the Garante informs the Data Subject that it has carried out all the necessary checks or that it has conducted a review, and that the Data Subject has the right to seek redress before the courts.
7. CONTACT INFORMATION
The contact details of the Company, in its capacity as Controller, are the following: venice@hotelmetropole.com.
If you need any further information about the processing of Personal Data and to exercise your rights, you can contact the Company via email: venice@hotelmetropole.com.
https://whistleblowing.varhub.it/Azienda?code=METROPOLITANSPA