WHISTLEBLOWING

Who decides why and how personal data is processed?

The Data Controller is the Company Ferroli S.p.A., with registered office in via Ritonda 78/a,37047, San Bonifacio (VR), email: privacy@ferroli.com (the "Company" or "Data Controller"). 

What personal data do we collect?

If a report is made by a Whistleblower ("Reporting Person"), the Company will process the following personal data:

• identification and contact data of the Reporting Person, such as name, surname, contact details, company position, if the report has been sent in a non-anonymous form;
• identification and contact data of the “Assimilated Subjects” (intended as subjects who could be subject to retaliation due to the role assumed or particular proximity to the Reporting Person), such as name, surname, contact details, company role, where the report contains personal data of the same;
• identification and contact data of the person presumed to have committed the offence (“Reported Person”), such as name, surname, contact data and company position;
• other personal data contained in the report and/or in documents annexed to it;
• additional data that may become available to the Data Controller, even as a result of activities aimed at verifying the validity of the report.

Where contained in the report and/or in documents annexed to it, the Company may process special categories of data and data relating to criminal convictions and offences. In accordance with the Company's defined Whistleblowing Policy, it will always be possible for the Reporting Person to send an anonymous report, that will be processed in accordance with the provisions of the Speak-Up Policy defined by the Company.

For what purposes do we process personal data and under what conditions are we entitled to do so?

The Company may process the data referred to in the previous section for the following purposes and conditions of lawfulness (legal basis) of processing:

• To carry out the necessary investigations aimed at verifying the processability, admissibility, verification of the report validity of the report and, in general, to manage the report made by the Reporting Person in accordance with the Whistleblowing Policy defined by the Company. Legal basis: the need to fulfil a legal obligation to which the Company is subject, in particular Legislative Decree no. 24 of 2023 on “Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and laying down provisions concerning the protection of persons reporting breaches of national law” -art. 6, par. 1, lett. c) of GDPR-; furthermore, for reports collected orally, by the consent of the Reporting Person -art. 6, par. 1, lett. a) of GDPR-
• To fulfil the obligations established by law or community legislation. Legal basis: the need to fulfil a legal obligation to which the Company is subject, in particular Legislative Decree no. 231 of 2001 on “Discipline of the administrative responsibility of legal persons, companies and associations even without legal personality, pursuant to article 11 of Law 29 September 2000, no. 300” -art. 6, par. 1, lett. c) del GDPR-; furthermore, for reports collected orally, by the consent of the Reporting Person -art. 6, par. 1, lett. a) of GDPR-
• To exercise or defend rights during judicial, administrative or extrajudicial proceedings in the context of disputes arising in relation to, or as a result of, the report. In addition to this, personal data may be processed by the Company in order to take legal action related to or arising from the report. Legal basis: the legitimate interest of the Company to protect its rights -art. 6, par. 1, lett. f) of GDPR-
• IV. To use the report in any disciplinary proceedings against the Reported Person if the breach is certain. Legal basis: the legitimate interest of the Company to protect its rights -art. 6, par. 1, lett. f) of GDPR-.

The provision of data is optional, and, in the absence of such data, there will be no consequences other than the impossibility of following up a report in accordance with the provisions of the Whistleblowing Policy.

How is personal data processed?

The processing of personal data will be based on the principles of lawfulness, correctness, transparency, purpose and storage limitation, accuracy, integrity and confidentiality, in accordance with current regulations on the protection of personal data. The data will be processed manually and/or using electronic means. In any case, the data is protected by appropriate security measures to ensure its confidentiality, integrity and availability.

Who do we share personal data with?

In line with the principle of protecting the confidentiality of the Reporting Person, the disclosure of personal data will be limited to what is strictly necessary to ensure his/her confidentiality. If cases where the report has been sent anonymously, the identity of the Reporting Person will only be disclosed if there is a legal obligation to do so, for example in the context of investigations by competent authorities or legal proceedings. Personal data may be accessed by the subject expressly authorised to process it by the Company which is responsible for managing reports, i.e. the Whistleblowing Manager. The Whistleblowing Manager may avail itself of the support and cooperation of Company functions when, due to the nature and complexity of the verifications, it becomes necessary to involve them. The staff of the Company functions involved will be provided with adequate operating instructions and appointed as a subject in charge of processing personal data. Personal data may also be disclosed to the Company's supervisory bodies, which will act as independent data controllers, and to consultants, lawyers and professional firms providing legal assistance to the Data Controller, as well as to competent authorities (including courts).

Will personal data be transferred outside the EU?

Data may be transferred to some non-EU countries to the Companies of the Ferroli Group based in Russia, Belarus, India, China and Vietnam. In this case, the Company undertakes to ensure adequate levels of protection, even of a contractual nature, in accordance with applicable regulations, including the drafting of standard contractual clauses pursuant to art. 46, para. 2, lett. c) of the GDPR, supplemented, if necessary, by additional measures required to ensure that the level of protection of personal data is equivalent to that of the EU.

How long do we retain personal data?

Personal data is retained by the Company only for the time required to fulfil the purposes for which it was collected or any other related legitimate purpose. Therefore, if personal data is processed for two different purposes, it will be kept until the purpose with the longer retention period ends. In any case, personal data will no longer be processed for the purpose whose retention period has expired. Any personal data that is no longer necessary, or for which there is no longer a legal basis for retention, is irreversibly made anonymous (and thus can be retained) or safely destroyed. In particular, data will be retained for the following periods:

• no more than 60 days after the closing date of the investigation regarding the report, if no further action is required at the end of the investigation;
• until the final closure of the procedures activated on the basis of the report, if the report proves to be well-founded and further action is taken (including any legal proceedings or disciplinary action) In the event of judicial or extrajudicial disputes, the data will be retained until the expiry of the applicable status of limitations.

What rights can be exercised in relation to personal data?

If the necessary conditions are met and if the limitations provided for by law are not applicable, the data subjects may exercise their rights of access, rectification, cancellation, restriction and opposition. In addition to this, the data subjects may also lodge a complaint with the Supervisory Authority, the Guarantor for the protection of personal data. Pursuant to art. 2 -undecies of the Italian Legislative Decree 196/2003 as amended by the Italian Legislative Decree 101/2018 (“Privacy Code”), the above mentioned rights may not be exercised by the Reported Person as the exercise of such rights may compromise the protection of the confidentiality of the identity of the Reporting Person. In any case, the Reported Person may exercise his/her rights through the Guarantor for the protection of personal data, following the procedures set out in art. 160 of the Privacy Code. The Data Controller has appointed a Data Protection Officer, who can be contacted at the following address: Ferroli S.p.A., via Ritonda, n. 78/A – 37047 San Bonifacio (VR) Italy; or by sending an email to privacy@ferroli.com.