Whistleblowing Privacy Notice

Information pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 on the Processing of Personal Data within the Whistleblowing Reporting System

AVR S.p.A. has implemented a specific internal procedure titled “Management of Reports of Unlawful Acts and Irregularities” as part of its internal control system. This procedure, designed to govern the receipt and management of whistleblowing reports, ensures that all necessary measures are applied to protect the individuals involved, in accordance with Article 6, paragraphs 2-bis and 2-ter of Legislative Decree 231/2001, as well as the provisions of the General Data Protection Regulation (EU Regulation 2016/679 – GDPR) and the Italian Privacy Code (Legislative Decree 196/2003).

  1. DATA CONTROLLER

For reports concerning the parent company AVR S.p.A., the data controller is AVR S.p.A., with registered office at Via Francesco Tensi, 116, 00133 Rome, represented by its legal representative.
For reports submitted to AVR S.p.A. but concerning other companies of the AVR Group, the data controller is the company to which the report refers. In such cases, AVR S.p.A. will process the report as a data processor.

  1. DATA PROTECTION OFFICER (DPO)

The Data Protection Officer is Dr. Elisa Moretti, domiciled for the position at Via Francesco Tensi, 116 – 00133 Rome (RM),
Phone: +39 06.20944, Email: elisa.moretti@avrgroup.it

  1. PURPOSE AND LEGAL BASIS OF THE PROCESSING

The Company processes personal data for the following purposes:

  • To comply with the legal obligations under Article 6 of Legislative Decree 231/2001 and Legislative Decree No. 24 of 10 March 2023;
  • On the basis of the legitimate interest of the Group, pursuant to Article 6(1)(f) of the GDPR, to prevent and address unlawful conduct, including violations of the Anti-Mafia Code of Conduct, the Code of Ethics, and the Supplier Code of Conduct.

These purposes constitute the legal basis for processing the personal data of the individuals involved in the report.

  1. CATEGORIES OF DATA PROCESSED AND CONSEQUENCES OF FAILURE TO PROVIDE DATA

In compliance with the principle of data minimization, AVR S.p.A., as data controller or processor, will only process personal data necessary to assess and manage the report. Such data may include, by way of example, personal details (e.g., name, surname, etc.), special categories of data that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life, and judicial data (i.e., data relating to criminal convictions, offences, or related security measures).

The Controller will process these data strictly for purposes related to verifying the authenticity of the report or for compliance with specific legal obligations. Any personal data not deemed necessary will not be processed and, if provided, will be deleted.

Providing personal data necessary for verifying the authenticity of the report or for fulfilling legal obligations is mandatory. Therefore, refusal to provide such data, in whole or in part, may result in the impossibility of processing and managing the report.

 

  1. RECIPIENTS OF PERSONAL DATA

The recipients of personal data are the Whistleblowing Committee and, where applicable, the Supervisory Body (Organismo di Vigilanza), both of which are required under applicable law and the Company’s whistleblowing procedure to ensure the confidentiality of the whistleblower’s identity.

During the verification phase, if necessary for the investigation, personal data may be shared with other departments and/or company functions. In such cases, confidentiality obligations will also apply to those supporting the Supervisory Body. Personal data may be disclosed to the head of the relevant disciplinary function and/or the reported party only if:

  • the whistleblower has expressly consented to such disclosure, or
  • the disciplinary charge is based exclusively on the report and knowing the identity of the whistleblower is strictly essential for the defense of the accused.

Personal data will not be disseminated or transferred to non-EU countries. However, the Controller reserves the right to use non-EU cloud services, provided that the service providers offer adequate safeguards as required under Article 46 of the GDPR.

  1. DATA PROCESSING METHODS

In accordance with Article 5 of Regulation (EU) 2016/679 (GDPR), personal data collected through the procedure must be:

  • Processed lawfully, fairly, and transparently in relation to the data subject;
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • Adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that inaccurate data are erased or rectified promptly;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed;
  • Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
  1. DATA RETENTION PERIOD

Data will be retained by the Controller for the entire duration of the report management procedure or for the time necessary to comply with other legal obligations or to protect the legitimate interests of the Controller or third parties as referred to in section 3.

  1. DATA SUBJECT RIGHTS

Under Articles 15–23 of Regulation (EU) 2016/679, data subjects may exercise the following rights:

  • Right of access to personal data, including the right to obtain a copy of the data being processed;
  • Right to receive personal data in a structured, commonly used, machine-readable, and interoperable format;
  • Right to request the update, rectification, or completion of the data;
  • Right to request the erasure, restriction, anonymization, or blocking of data processed unlawfully, including data whose retention is no longer necessary in relation to the purposes for which they were collected or processed;
  • Right to object, in whole or in part, on legitimate grounds, to the processing of personal data, even if relevant to the purpose of collection and to processing carried out for purposes provided by current legislation.

All information, communications, and actions taken by the Controller in response to such requests are free of charge. However, in cases of clearly unfounded, excessive, or repetitive requests, the Controller may charge a reasonable administrative fee or refuse to act on the request.

  1. COMPLAINTS

Data subjects have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) by following the procedure available on the Garante’s website (www.garanteprivacy.it) in case of any violation of data protection laws or to request an official review by the Authority.