CIAC S.c.r.l. whistleblower channel

Start

Step 1/5 Categorize concern

To facilitate the further handling of your submission, please help us to categorise it as best as possible.

In which category does your submission best fit?

Competition

Consumer protection

Corporation tax

Environmental Protection

Financial interests of the Union (expenses, income collection and funds)

Food safety

Prevention of money laundering

Product safety

Protection against radiation and nuclear safety

Protection of personal data and privacy

Public health

Public procurement

Security of networks and information systems

Transportation security

Others

Do you suspect any of the following people?

Administrative Director

board of auditors

CEO

CIO

Competent Doctor pursuant to Law 81/08

Data Protection Officer

Delegate for Occupational Risk Prevention

Director / Attorney General – Commercial Services

HR Director

Operations Headquarters Director

President of the Supervisory Body pursuant to Law 231/01

R&D Director - Employment Services - Training for companies

I am not aware of any involvement of these persons

I have read the Terms of use and agree to them in accordance with the notice.

Information

Step 2/5 Personal information

If you prefer not to give your personal details, you can do so by indicating that you want the report to be anonymous.

What is your relationship with the company being reported?

Do you wish to report anonymously?

Yes

This channel requires the whistleblower's identification data are mandatory.

The selected category requires the identification data to be mandatory

First name

Last name

Contact telephone number

This channel is confidential. Your personal data will not be shared. If someone from the organisation needs to know your data, they will request it through the channel and they will only be able to see it if you authorise it.

Details

Step 3/5 Detailed information

Describe in as much detail as possible the event you wish to report, giving as much information and attaching evidence, if available.

Indicate which person or persons are the subject of the report

First and last name

Position

Are there any witnesses? Please indicate their names.

First and last name

Position

Tell us what you want to report in detail

Would you like to attach any additional documents?

Image (png, jpg, gif), Audio (wav, mp3), Video (ogg, mp4, mov, avi, wmv, mpg, mpeg) or PDF document up to 20Mb. Attention! If you report anonymously, make sure that the attachments do not include information in the content or metadata that could identify you.

Confirm

Step 4/5 Confirmation

As the last step of the process, you must indicate a secret code that only you will know. This password, together with the identification code that we will give you at the end of the process, will be the only way to follow the progress of your submission

Password

Password confirmation

Finish

Step 5/5 Finalize

You have now entered all the information necessary to start the report management process.

The information is ready to initiate the process of determining accountability. The persons or facts reported will be investigated and the resulting actions will be taken.

The whistleblower undertakes that the information provided in this submission is true. Otherwise, the company reserves the right to take legal action against the whistleblower.

This is the last form in the process. When you click on Send, the investigation will begin and the resolution of your claim will be shown on the platform within a maximum period of 3 months.

I have read the Data Protection and Consent Notice and agree to the processing of my personal data in accordance with the provisions of this notice.

Terms of Use

In compliance with the Law on Services of the Information Society and Electronic Commerce, as well as in compliance with current regulations on data protection, it is reported that the owner of the website ithikios.com and canaldenunciasanonimas.com and all its subdomains ( hereinafter, "the Web") is DIGITAL PRODUCTS DEVELOPMENT SL (hereinafter, ithikios), registered in the Mercantile Registry of Barcelona, with CIF B02767010, and with registered office at c / Mont Blanc 17, Sant Cugat del Valles, Spain.

ithikios is the owner of all rights to the Website. The simple access, navigation and use of the Website attributes the condition of user of the same (hereinafter, the "User") and implies the acceptance of this clause of terms and conditions. The information available through this website is not subject to contract and may be modified without prior notice.

ithikios will not be held responsible for problems arising from the consultation or use of this Website. To this end, access is obliged to comply with this, having to act in accordance with current Law, good faith and public order and, refraining from using the Website in a way that could prevent or impair its proper functioning.

This service can only be used to send complaints or inquiries to companies that have contracted the service with ithikios, guaranteeing confidentiality and anonymity (if the user so chooses), regarding the personal data of the complainant.

Conditions for the user

As a user, you are obliged to make correct and lawful use of the platform.
You will use the platform for the purposes it has been designed for, and in no case will you use it for purposes contrary to the law.
The ithikios channel / canaldenunciasanonimas is not an emergency service. In case of emergency contact local authorities.
You must fill in all the information defined as mandatory in order to be able to send it.
Reflect and review the information you send to ensure that if you do not want it, you do not reveal your identity.
You will be able to choose between sending the communication indicating your contact details or without indicating them. In both cases, the platform will provide you with a unique identification number and a password. It is important that you write them down in a safe place, only with them will you be able to check the status of the communication. If you lose them, you will not be able to access it again. For security reasons, ithikios will not be able to provide access to lost codes.
If the organization proves that there has been bad faith when making the report, it reserves the right to take legal action if the complainant has been identified.
You will be able to download a certificate issued by ithikios in which you will have all the information that has been sent to the company, as well as the result once the investigation is completed.
The Complainant expressly understands and agrees that ithikios will not be responsible for any direct or indirect, anticipated or unforeseen damage, interest or loss, including, among others, moral damage resulting from the use or inability to use this service.
The Complainant is responsible for the veracity of the information communicated, assuming the consequences of having acted in bad faith or sent false information or documentation.
You will be liable for any loss or damage of any kind that ithikios may suffer, directly or indirectly, as a result of improper use of the product, a breach of the terms and conditions of use or a breach of the law in force on your part.

Data protection and consent to CIAC S.c.r.l.

This information is published pursuant to and for the purposes of articles. 13 and 14 of EU Regulation n.679/2016 (hereinafter GDPR), by C.IA.CSCRL (hereinafter CIAC) and concerns the processing of personal data collected through the whistleblowing portal (hereinafter, the "Portal") which CIAC has made available to those (employees, customers, suppliers, commercial partners, consultants, collaborators, etc.) who intend to make a report (hereinafter also "Reporting") of illicit conduct in violation of national or supranational legislation, of violations of the Code of Ethics or of the Organizational Model pursuant to Legislative Decree 231/2001 and of the internal procedures adopted by CIAC, pursuant to and for the purposes of the Legislative Decree 24/2023.

CIAC has entrusted the activities of receiving and managing reports to a multi-person body, characterized by an internal and an external component, in order to guarantee greater independence and impartiality. The internal component has been identified in a General Management Representative identified by the Board of Directors and selected by virtue of his specialist expertise, reliability and availability of resources suitable for carrying out this task. The second is represented by an external professional, appointed to carry out control activities as President of the Supervisory Body pursuant to Legislative Decree 231/2001. In the event of conflicts of interest between the Report and the figures identified for the management of the reports, the Board of Directors has identified the external figure of the DPO, the Data Protection Officer, as the person who must evaluate the specific Report.

Through a single link, https://ciacformazione.ethic-channel.com/home, which can also be reached from a link on the CIAC institutional website, www.ciacformazione.it, the whistleblower can manage their report.

1 Data Controller and DPO

The data controller is C.IA.C. SCRL, with registered office in Valperga (TO), Via Mazzini n. 80, in the person of the General Director, domiciled for the function at the headquarters in Rivarolo Canavese (TO), Corso Re Arduino n. 50.

The Data Protection Officer (DPO) is domiciled for the function at the headquarters in Rivarolo Canavese (TO), Corso Re Arduino n. 50.

The names of the aforementioned subjects and the list of Managers can be consulted in the "privacy" section of the website www.ciacformazione.it.

2 Data type

The Personal Data that the reporting party has voluntarily intended to provide to represent the facts described in the report will be processed. The Company will collect and process the following information which may include the personal data of the reporting party (hereinafter also "Reporting Party") such as name, surname, company role or relationships with CIAC, as well as further information contained in the Report, including the personal data of the subject(s) reported or of the persons mentioned (hereinafter also "Personal Data").

The acquisition and management of reports gives rise, in fact, to the processing of personal data, including those belonging to particular categories of data and relating to criminal convictions and crimes, possibly contained in the report and in deeds and documents attached to it, referring to interested parties ( identified or identifiable natural persons) and, in particular, the whistleblowers or the people indicated as possible responsible for the illicit conduct or those involved in various capacities in the reported events. Interested parties can therefore be:

· The Reporter who voluntarily provides personal data (personal data collected from the interested party)

· Persons involved in the report, whose personal data are provided by the Reporter, under his responsibility, in the context of the description of the reported fact, such as for example people indicated as possible perpetrators, witnesses, victims (personal data not obtained from the interested party)

CIAC is not able to determine a priori the data covered by the report, which may therefore also include particular data (pursuant to art. 9 GDPR) or data relating to criminal convictions and crimes (pursuant to art. IO GDPR). The aforementioned data will be processed using IT media that guarantee its security and confidentiality, including encryption of the electronic archives used.

The provision of the Reporter's personal data is optional: the Reporter has the right to remain anonymous. However, the identity of the reporter could also be deduced from context elements or elements of the report, as such reporting cannot be considered anonymous in a technical sense.

In this case, the reporting person's desire to remain anonymous will prevail and the confidentiality of his or her identity will be guaranteed. Furthermore, it is not mandatory to indicate the Personal Data of the reported subject(s) or of other persons involved. In any case, the personal data contained in the report will be processed only if relevant and necessary for the analysis of the reported event.

Personal data that is clearly not useful for the processing of a specific report are not collected or, if collected accidentally because they were incorrectly entered by the reporter in the description of the report, are not processed and, where possible, are immediately deleted.

Not included in the reportable conduct are facts which are the subject of labor disputes, even in the pre-litigation phase, as well as discrimination between colleagues, interpersonal conflicts between the reporting person and another worker or hierarchical superiors, reports relating to data processing carried out in the context of the individual employment relationship in absence of harm to the public interest or the integrity of the public administration or private entity. Furthermore, reports referring to generic circumstances or attributable to a phase prior to the possible commission of possible crimes, or the result of mere indiscretions or unreliable rumours, as well as to hypothesis of attempted crime, could give rise to processing of personal data not fully attributable to the scope of processing envisaged by the sector regulations. Any reports attributable to these issues whose management involves the processing of personal data will be handled only where they refer to non-compliance with voluntary standards to which the company adheres (for example UNI EN ISO 9001 or Legislative Decree 231/2001), or non-compliance of company values and regulations on the basis of the legitimate interest of the Data Controller pursuant to art. 6, par. 1, letter. f) of the GDPR to ascertain the truthfulness of the Report and carry out all activities necessary to manage it.

At any time the Reporter can withdraw the report by communicating it through the same channel used to make it. In this case, the personal data collected will not be further processed, unless disciplinary proceedings have already been initiated and/or the owner has already communicated such data to a public authority, in accordance with the provisions of Legislative Decree 24/2023.

3 Legal basis and purpose of processing

The Personal Data will be processed for purposes related to the management and verification of the Report and to ensure adequate application of the Whistleblowing Procedure. The personal data of any subjects included in the description of the Report will be processed only and exclusively:

· if relevant to the report e

· for the exclusive purpose of verifying the same.

The prerequisite for processing is the fulfillment of a legal obligation to which the Data Controller is subject pursuant to art. 6, par. 1, letter c) of the GDPR as required by the legislation referred to in Legislative Decree 24/2023, which requires the Data Controller to equip itself with an information channel to receive reports of acts or conduct that harm a public interest or the integrity of the society.

The processing of personal data is, therefore, necessary to implement the legal obligations and public interest tasks envisaged by the sector regulations, compliance with which is a condition for the lawfulness of the processing (art. 6, par. 1, letter c ) and e) and pars. 2 and 3; art. 9, par. 2, letter. b) and g), art. 10 and art. 88 of the GDPR, as well as 2-ter and 2-sexies of the Code).

On the basis of the legitimate interest of the Data Controller pursuant to art. 6, par. 1, letter. f) of the GDPR to ascertain the truthfulness of the report and carry out all activities necessary for its management, the personal data contained in the reports will be processed which, not falling within the objective scope of Legislative Decree 24/2023, the Reporter declares they refer to failure to comply with voluntary rules to which the Company adheres, or internal company values and regulations.

4 Treatment methods

The processing of your personal data is carried out by means of the operations indicated in the art. 4 no. 2) GDPR and precisely: collection, recording, organisation, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data is subjected to both paper and electronic and/or automated processing.

The Data Controller has adopted and had its service providers adopt a wide variety of security measures to protect your data against the risk of loss, abuse or alteration. In particular: it has adopted suitable measures pursuant to art. 32 GDPR; uses, when necessary, pseudonymisation and data encryption technology and protected data transmission protocols.

5 Recipients

The personal data object of the report may be communicated to the corporate bodies competent to manage the specific report, guaranteeing the confidentiality of the identity of the person making the report and the content of the report (for example, reports under Legislative Decree 231/2001 will be communicated to the president of the Supervisory Body). The data may also be communicated to the competent authorities in accordance with the provisions of article 14 of Legislative Decree 24/2023 (in the context of criminal proceedings, the identity of the reporting person is covered by secrecy in the manner and within the limits provided for in Article 329 of the Code of Criminal Procedure; in the proceedings before the Court of Auditors, the identity of the reporting person cannot be revealed until the conclusion of the preliminary investigation phase).

The identity of the reporting person and any other information from which such identity can be deduced, directly or indirectly, cannot be revealed, without the express consent of the reporting person himself, to persons other than those competent to receive or follow up on the reports, expressly authorized to process such data.

As part of the disciplinary proceedings, the identity of the reporting person cannot be revealed, where the contestation of the disciplinary charge is based on investigations that are distinct and additional to the report, even if consequent thereto. If the dispute is based, in whole or in part, on the report and knowledge of the identity of the reporting person is indispensable for the defense of the accused, the report will be used for the purposes of disciplinary proceedings only in the presence of the express consent of the reporting person to the revelation of one's identity. In this case and when the disclosure of the identity of the reporting person and the related information is also essential for the purposes of the defense of the person involved, notice is given to the reporting person by written communication of the reasons for the disclosure of the confidential data.

Without your express consent art. 6 lett. b) and c) GDPR), the Data Controller may communicate your data:

· to employees and collaborators of the Data Controller, in their capacity as formally appointed Data Protection Officers and/or Data Processors.

· to third-party companies or other subjects who carry out outsourced activities on behalf of the Data Controller, in their capacity as external data Processors.

6 Data transfer

The management and storage of personal data will take place within the EEA, on the servers of the Data Controller and/or third-party companies appointed and duly appointed as external data Processors.

7 Retention period

ln compliance with article 14 of Legislative Decree 24/2023 and, without prejudice to different legal obligations, the Reports and the related documentation are kept for the time necessary to process the report and in any case no later than five years from the date of the communication of the final outcome of the reporting procedure. When, at the request of the reporting person, the Report is made orally during a meeting with the relevant staff, it, with the prior consent of the reporting person, is documented by the relevant staff in minutes, the reporting person can verify, rectify and confirm the minutes of the meeting through your signature. This documentation is kept for the time necessary to process the report and in any case no later than five years from the date of communication of the final outcome of the reporting procedure. Irrelevant Reports may be deleted 90 days after receipt.

8 Rights of interested parties

By writing to [email protected], the interested party will be able to exercise their rights towards the Data Controller, pursuant to articles. 15 et seq. of the GDPR, summarized below:

Obtain confirmation of the existence or otherwise of personal data concerning you and their communication in an intelligible form;

Obtain information relating to: a) the purposes and methods of processing; b) the logic applied in case of processing carried out with the aid of electronic instruments; c) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as designated representatives in the territory of the State, Data Processors or Data Protection Officers;

Also obtain a) access to personal data processed by CIAC; b) updating, rectification or, when there is interest, deletion of data; c) the portability of the data provided;

Object, in whole or in part, for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of the collection.

The interested party also has the right to lodge a complaint with a supervisory authority, in the cases and for the effects expressed by current legislation.

However, the person involved or the person mentioned in the report, with reference to their personal data processed in the context of the report, public disclosure or complaint, may not exercise - for the time and to the extent that this constitutes a necessary and proportionate measure - the rights that Regulation (EU) 2016/679 normally recognizes to interested parties (the right of access to personal data, the right to rectify them, the right to obtain their cancellation or so-called right to be forgotten, the right to limit processing, the right to portability of personal data and the right to object to processing). The exercise of these rights could result in effective and concrete prejudice to the protection of the confidentiality of the identity of the reporting person. In such cases, therefore, the reported subject or the person mentioned in the report is also precluded from the possibility, where they believe that the processing that concerns them violates the aforementioned rights, of contacting the data controller and, in the absence of a response from the latter lastly, to lodge a complaint with the Guarantor for the protection of personal data (art. 2-undecies Legislative Decree 196/2003 "Privacy Code"). This limitation does not apply to reports that fall outside the objective scope of application of the Legislative Decree. 24/2023.

9 Minors

The Whisleblowing management that the Data Controller proposes is not intended for children under 16 years of age and the Data Controller does not intentionally collect personal information relating to subjects under 16 years of age unless included by the Whistleblower in the report. In the event that information on minors is involuntarily recorded, the Data Controller will delete it, where possible, in a timely manner, upon formal request from users proving their parental responsibility.

10 Changes to this Policy

The possible introduction of new sector regulations and the constant examination and updating of the service could lead to the need to change the methods of processing personal data. It is therefore possible that this information may undergo changes over time. Therefore, we invite you to periodically consult this page by viewing the revision date of the information. The new modified or corrected information will apply from the date of revision.

Last updated 12/15/2023