SPEAK UP

Who decides why and how personal data is processed?

The Data Controller is the Company Ferroli S.p.A., with registered office in via Ritonda 78/a,37047, San Bonifacio (VR), email: privacy@ferroli.com (the “Company” or “Data Controller”).

What personal data do we collect?

If a speak-up report is made by a reporting person (“Reporting Person”), the Company will process the following personal data:

• identification and contact data of the Reporting Person, such as name, surname, contact details, company position, if the report has been sent in a non-anonymous form;
• identification and contact data of the person presumed to have committed the offence (“Reported Person”), such as name, surname, contact data and company position;
• other personal data contained in the report and/or in documents annexed to it;
• additional data that may become available to the Data Controller, even as a result of activities aimed at verifying the validity of the report.

Where contained in the report and/or in documents annexed to it, the Company may process special categories of data and data relating to criminal convictions and offences.

In accordance with the Company's defined Speak Up Policy, it will always be possible for the Reporting Person to send an anonymous report.

For what purposes do we process personal data and under what conditions are we entitled to do so?

The Company may process the data referred to in the previous section for the following purposes and conditions of lawfulness (legal basis) of processing:

• To carry out the necessary investigations aimed at verifying the validity of the fact being reported and to manage the report made by the Reporting Person in accordance with the Speak Up Policy defined by the Company. Legal basis: the legitimate interest of the Company in repressing unlawful conduct or conduct contrary to the Group Code of Ethics or any Policy/Regulation of the Company and to protect its rights. The provision of data for this purpose is optional and, in the absence of such data, there will be no consequences other than the impossibility of following up a report; with reference to identification and contact data, the Speak Up Policy allows the Reporting Person to send the report anonymously.
• To take disciplinary measures and defend and exercise rights during judicial, administrative or extrajudicial proceedings in the context of disputes arising in relation to, or as a result of, the report. In addition to this, personal data may be processed by the Company in order to take legal action related to or arising from the report. Legal basis: the legitimate interest of the Company in repressing unlawful conduct or conduct contrary to the Code of Ethics or any Policy/Regulation of the Company and to protect its rights.
• To use the report - where it is not anonymous - in any disciplinary proceedings against the Reported Person if the claim is based on the report and knowing the identity of the Reporting Person is essential for the Reported Person's defence. Legal basis: the consent of the Reporting Person to the disclosure of his/her identity. The provision of data for this purpose is optional and, in the absence of it, there will be no consequences other than the impossibility of proceeding with disciplinary proceedings against the Reported Person.

How is personal data processed?

The processing of personal data will be based on the principles of lawfulness, correctness, transparency, purpose and storage limitation, accuracy, integrity and confidentiality, in accordance with current regulations on the protection of personal data. The data will be processed using manually procedures and/or electronic means, in particular for what concerning the electronic means, through the following channels:

• mailbox: speakup@ferroli.com
• online form available at the following address: www.ferroli.com

The data is protected by appropriate security measures to ensure its confidentiality, integrity and availability

Who do we share personal data with?

In line with the principle of protecting the confidentiality of the Reporting Person, the disclosure of personal data will be limited to what is strictly necessary to ensure his/her confidentiality. If cases where the report has been sent anonymously, the identity of the Reporting Person will only be disclosed if there is a legal obligation to do so, for example in the context of investigations by competent authorities or legal proceedings.

Personal data may be accessed by the people expressly authorised to process it by the Company which is responsible for managing reports, i.e. the members of the Corporate Speak Up Committee.

Moreover, in light of the fact that the Corporate Speak Up Committee is able to receive and manage reports of conduct sent to individual Companies of the Ferroli Group, established within and outside the EU, it may avail itself, where deemed appropriate, of the support of locally competent interlocutors (belonging to the individual Companies of the Group), who are entrusted with the task of carrying out investigations and formulating any corrective actions.

Finally, the Corporate Speak Up Committee may avail itself of the support and cooperation of corporate functions when, due to the nature and complexity of the verifications, it becomes necessary to involve them. Personal data may also be disclosed to Company’s controls bodies, consultants, lawyers and professional firms providing legal assistance to the Data Controller, as well as to competent authorities (including courts).

Will personal data be transferred outside the EU?

Data may be transferred to some non-EU countries to the Companies of the Ferroli Group based in Russia, Belarus, India, China and Vietnam. In this case, the Company undertakes to ensure adequate levels of protection, even of a contractual nature, in accordance with applicable regulations, including the drafting of standard contractual clauses pursuant to art. 46, para. 2, lett. c) of the GDPR, supplemented, if necessary, by additional measures required to ensure that the level of protection of personal data is equivalent to that of the EU.

How long do we retain personal data?

Personal data is retained by the Company only for the time required to fulfil the purposes for which it was collected or any other related legitimate purpose. Therefore, if personal data is processed for two different purposes, it will be kept until the purpose with the longer retention period ends. In any case, personal data will no longer be processed for the purpose whose retention period has expired. Any personal data that is no longer necessary, or for which there is no longer a legal basis for retention, is irreversibly made anonymous (and thus can be retained) or safely destroyed. In particular, data will be retained for the following periods:

• no more than 60 days after the closing date of the investigation regarding the report, if no further action is required at the end of the investigation;
• until the final closure of the procedures activated on the basis of the report, if the report proves to be well-founded and further action is taken (including any disciplinary action or legal proceedings). In the event of judicial or extrajudicial disputes, the data will be retained until the expiry of the applicable status of limitations.

What rights can be exercised in relation to personal data?

If the necessary conditions are met and if the limitations provided for by law are not applicable, the data subjects may exercise their rights of access, rectification, cancellation, restriction and opposition. In addition to this, the data subjects may also lodge a complaint with the Supervisory Authority, the Guarantor for the protection of personal data.

Pursuant to art. 2 -undecies of the Italian Legislative Decree 196/2003 as amended by the Italian Legislative Decree 101/2018 (“Privacy Code”), the above mentioned rights may not be exercised by the Reported Person as the exercise of such rights may compromise the protection of the confidentiality of the identity of the Reporting Person. In any case, the Reported Person may exercise his/her rights through the Guarantor for the protection of personal data, following the procedures set out in art. 160 of the Privacy Code. To exercise these rights, the interested parties can send an email to the following address: privacy@ferroli.com.