Data protection policy according to EU-GDPR for the BKMS® System (Whistleblower System)
Data protection policy
We take data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (EU-GDPR) as well as current national data protection regulations. Please read this data protection information carefully before submitting a report.
Purpose of the Whistleblower System and legal basis
The whistleblower system (BKMS® Incident Reporting) serves the purpose of securely and confidentially receiving, processing and managing reports regarding violations of the compliance rules by the Data Controller.
In particular, the Data Controller will process the personal data of data subjects for the following purposes:
- the management of the report by the Reporting Managers.
- sending any requests and/or receiving feedback on requests from the whistleblower and the Reporting Managers.
- managing the investigation phase, i.e. conducting investigations into the substance of the report.
- managing follow-up actions, including disciplinary actions.
The legal basis for the aforementioned processing is to be found in the fulfilment of a legal obligation pursuant to Article 6(1)(c) GDPR in accordance with Legislative Decree No. 24/2023.
The legal basis is also to be found, with regard to the processing of special categories of data, in Article 9(2)(b) GDPR to the extent that the processing is necessary to fulfil the obligations and exercise the specific rights of the Data Controller in the field of labour law and social security and social protection, as well as in Article 9(2)(g) GDPR to the extent the processing is necessary for reasons of relevant public interest on the basis of Article 2-sexies of Legislative Decree No. 196/2003.
The processing of judicial data that may be necessary for the management of the report received is legitimate on the basis of Article 10 GDPR in accordance with Article 2-octies of Legislative Decree no. 196/2003.
Responsible authority
The Data Controller is Pavan SpA
Via Montegrappa n. 8
Galliera Veneta (Padova)
Registered e-mail: pavan@legalmail.it
All data are stored encrypted with multiple levels of password protection, so that access is restricted to a very small selection of persons expressly authorised by the Data Controller.
The Controller has appointed a data protection officer. Questions on data protection can be sent to ammministrazione@dataconsec.com.
Please note that the whistleblower data will not be disclosed to anyone other than those responsible for receiving the reports, without the express consent of the whistleblower.
The whistleblower's data may be disclosed, with the express consent of the whistleblower, in the context of disciplinary proceedings against the person responsible for the violation, if the charge is based in whole or in part on the whistleblower's report and knowledge of the whistleblower's identity is essential to the defence of the accused person. Otherwise, the report cannot be used for the purposes of disciplinary proceedings.
Data subjects' personal data may also be communicated to public authorities in order to comply with legal obligations or to respond to requests from judicial or public security authorities.
The data will not be disseminated.
Categories of data subjects and type of personal data
The data subject is the identified or identifiable natural person to whom the personal data relates (Art. 4(1)(1) GDPR).
For the purposes of this Privacy Notice, the following are considered to be data subjects:
- the whistleblower: the natural person who makes a report on a violation of which he/she becomes aware in the context of his/her work;
- the facilitator: a natural person who assists a whistleblower in the reporting process, who operates within the same work context and whose assistance must be kept confidential;
- the other persons referred to in Article 3(5) of Legislative Decree 24/2023 to whom the protective measures are extended;
- the person involved: the natural person identified in the report as the person to whom the violation is attributed or as the person who, in any case, is involved in the reported violation.
Use of the whistleblower system takes place on a voluntary basis. If you submit a report via the whistleblower system, we collect the following personal data and information:
- your name, if you choose to reveal your identity,
- data relating to the existing relationship with the Data Controller,
- the names of persons and other personal data of persons that you name in your report, and
- other data that will later be acquired by the Reporting Manager as part of its investigation activities.
Please note that data belonging to special categories of data under Article 9 GDPR, as well as data relating to criminal convictions and offences under Article 10 GDPR may be processed in the management of reports.
Confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the Data Controller and are always handled confidentially. The Reporting Managers will evaluate the matter and perform any further investigation required by the specific case.
During the processing of a report or the conduct of a special investigation, it may become necessary to share reports with employees of other group companies. We always ensure that the applicable data protection regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality.
Rights of the data subjects
According to European data protection law, you and the persons named in the report have the right to inquiry, rectification, erasure, restriction of processing and the right to object to processing of personal data concerning them. If the right of objection is claimed, we will immediately examine to what extent the stored data is still necessary for the processing of a report. Data that is no longer required is deleted immediately. In addition, you have the right to lodge a complaint with a supervisory authority.
The rights referred to in articles 15 to 22 GDPR may be exercised in accordance with the provisions of Article 2-undecies of Legislative Decree no. 196/2003.
It should be noted that requests made by any data subject may be refused in the cases provided for by the legislation in force. A case justifying refusal is when the exercise of such rights may cause actual and concrete prejudice to the confidentiality of the whistleblower.
In order to exercise the aforementioned rights, it is possible to contact the DPO via mail ammministrazione@dataconsec.com.
Retention period of personal data
The personal data of the data subjects concerned will be kept for a maximum period of five years from the end of the investigation of the report.
It is understood that personal data which are clearly not useful for the processing of a specific report will not be collected or, if collected inadvertently, will be deleted immediately.
In any case, the adoption of all appropriate technical and organisational measures to ensure the security of personal data in accordance with the GDPR is guaranteed.
Use of the Whistleblower System
Communication between your computer and the whistleblower system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblower system. In order to maintain the connection between your computer and the BKMS® Incident Reporting, a cookie is stored on your computer that merely contains the session ID (a so-called null cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the whistleblower system that is secured with an individually chosen pseudonym / user name and password. This allows you to send reports to Reporting Managers in a safe way. This system only stores data inside the whistleblower system, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments.
Status: July 2024