Pursuant to Legislative Decree No. 196/2003 and later amendments and additions thereto (Hereinafter the “Privacy Code”) and EU Regulation 2016/679 (hereinafter “GDPR” and collectively Privacy Code and GDPR “Applicable Regulations”) in relation to the management of the Whistleblowing system, we hereby inform you that any information and personal data voluntarily provided through or requested by the Whistleblowing system (the “Personal Data”) will be processed by Specialty Chemicals International Ltd as the Controller of the Personal Data (the “Data Controller”) in line with the said Applicable Regulations.
1. Purpose of data processing
The aim of the Whistleblowing system is to report breaches of our Code of Conduct or violations of the law (i.e. bribery and corruption, competition law, fraud, financial crime, food safety and quality issues, harassment and discrimination, international trade controls, protection of personal data, rights and protection of individuals, serious environmental damage or conflicts of interest) . In this view all Personal Data processed within the Whistleblowing system will be limited to the Personal Data which are strictly necessary to verify the legitimacy of the allegations made.
From this perspective we hereby inform you that it is possible to submit a whistleblowing report in an anonymous manner, but in case there should be a processing of Personal Data of the whistleblower or the reported person and//or any other third parties involved (““Data Subjects”) all Personal Data will be processed for the following purposes:
- in the event it is strictly necessary in order to manage the Whistleblowing system;
- in the event that it is strictly necessary in order to evaluate all facts reported in the reporting.
In the event it is strictly necessary in order to provide a response to the requests made by the Data Subject;
-in order to meet a legal obligations imposed by law, regulations or other national or international rules, or in case it is necessary in order to defend the rights of the Data Controller before judicial courts.
-in order to pursue a legitimate interest of the Data Controller in terms of article 6(1) (f) of the GDPR, in ensuring compliance with applicable laws throughout all of the Data Controller’s operations and facilitating the provision of information by Data Subjects to the Data Controller regarding a suspected breach of such compliance.
2. Manner of data processing
The Personal Data will be processed by Data Controller remotely, manually and using IT instruments accessible solely and exclusively by personnel appropriately authorized by the Data Controller through the grant of specific authorization to perform the data processing.
There are two ways to submit the reporting: anonymous or with identified reports.
In the first case also the registration of reports takes place anonymously in the system. The only thing that is registered is the report itself. There is no log made as to the IP address or machine ID of the computer on which the report is made.
If you provide your personal information, be aware that the organization can use your personal information when investigating the case and also during any subsequent lawsuit.
The organization guarantees that your Personal Data protection rights will be respected without limitations and will only be used as described above.
The organization will not share your personal information with third parties outside of the organization except for the cases as described below in the section ”Transfer and communication of Personal Data”.
Be aware that all Personal Data ( including the identity of Whistleblower and all other data provided by him/her) will remain strictly confidential and will not be shared to third parties outside of the organization (except for the cases as described above in the section ”Transfer and communication of Personal Data”)
Sometimes it might happen that the identity of the whistleblower needs to be disclosed for meeting legal obligation or in the event of a judicial proceeding subsequent the analysis of the report.
The whistleblowing reports as well as the information and the Personal Data included or inserted therein will be processed by the Internal Auditor and/or by Group General Cousel/Group Co-Director HR/IT both of whom have been nominated for this purpose by the Data Controller as persons specifically and internally appointed pursuant to articles 37 to 39 of the GDPR.
The Personal Data will be processed for the period of time strictly and objectively necessary for the achievement of the scope and the purposes identified in paragraph 1 above. Where your Personal Data are no longer required by us, we will either securely delete or anonymize the Personal Data in question.
3. Transfer and communication of Personal Data
All Personal Data may be shared with or disclosed to other companies of Specialty Chemicals International Ltd (affiliates, subsidiaries etc…) who can process Personal Data as processors of them (“Data Processors”). All of these entities are bound through Data Processing Agreement.
In case of a subsequent lawsuit or in case we need a specific advise in order to analyze the report received from the Whistleblowing system, we can share all Personal Data with our legal advisors or public authorities.
Anyway, Personal Data will be retained on the server of the Data Controller located in Europe.
Generally, Personal Data will be stored and processed within European Union (EU)/European Economic Area (EEA) or any other non-EEA country deemed by the European Commission to offer an adequate level of protection (the so-called ‘white-listed’ countries). In case it might be necessary transfer Personal Data to a non-EEA country not considered by the European Commission to offer an adequate level of protection we will implement adequate measures of security.
We hereby inform you that we put in place all possible and reasonable security measures during the collection and handling of your Personal Data, but, we shall accept no responsibility or liability whatsoever for the security of your data while in transit through the Internet unless Our responsibility results explicitly from a law.
Notwithstanding the above, the person against whom the accusations have been made may not have access to the whistleblower’s identity, but only to the content of the whistleblowing report. Moreover, where there is concrete risk that the disclosure of any information would jeopardize the assessments that are being carried out, notification to the Data Subject may be delayed as long as such risk exists.
4. Your rights
Pursuant to the Applicable Regulations, you are entitled to demand us, at any time, access to your Personal Data, rectification or erasure, or to object to their processing, to limit the processing, to request data portability and to receive in a structured format, of common use and readable from an automatic device, the personal data which concern you, except for such Personal Data as may be essential for us to fulfill its legal obligations. You may obtain this by a request in writing addressed to the Data Controller.
Pursuant to Applicable Regulations, the data subject will enjoy the right to lodge complaint with the relevant controlling authority (Authority for the Protection of Personal Data) should he believe his Personal Data have been processed in a manner contrary to current regulations, or sue in court.