PRIVACY POLICY MANAGEMENT REPORTS

Disclosure pursuant to Articles 13 and 14 of the European Regulation 2016/679 on the Processing of Personal Data under the System for Reporting Alleged wrongdoing (“Whistleblowing”)

In implementation of the relevant legislation in force (Legislative Decree 24/2023 – “Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and on provisions concerning the protection of persons who report breaches of national laws”) Autostrade per l’Italia S.p.A. and the other Companies of the Autostrade per l’Italia Group (listed in Annex 1 and hereinafter jointly referred to as the “Company” or the “Holder”) have implemented a system for the receipt and management of reports of alleged wrongdoing, which allows the management of the report (“Report”) submitted by you to the Company through a specific dedicated channel of the Company itself. The system is dedicated to the reception and management of reports, also in anonymous form, received by the Company from Company personnel and/or third parties and relating to possible violations of national or European Union regulatory provisions, violations of internal rules (rules of conduct contemplated in the Code of Ethics, the Anti-Corruption Guideline, Model 231 and more generally in the Company’s body of regulations), unlawful conduct and irregularities about the conduct of the Company’s business activities.

Pursuant to Articles 13 and 14 of the European Regulation 2016/679 (hereinafter referred to as “GDPR”), each of the above-mentioned Companies, as an autonomous Data Controller, renders this Information Notice on the processing of personal data/information (“Data”) concerning you (as a “Whistleblower”), acquired directly or otherwise, in reference to the “Whistleblowing” made by you, as well as on the processing of data/information of the individuals affected by the Whistleblowing itself (hereinafter also referred to as “Whistleblowing”).

This Notice shall be made available and known to potential data subjects by publication on the institutional website of the Data Controller.

The Owner reserves the right, at its discretion, to change, modify, add or remove any part of this Notice at any time. In order to facilitate verification of any changes, this Notice will contain at the bottom an indication of the date it was updated.

1. DATA CONTROLLER

Autostrade per l’Italia or other Company of the Autostrade per l’Italia Group to which the Report is addressed is the Autonomous Data Controller of the processing of your personal data, as a Whistleblower, and/or of the other subjects affected by the Report for Whistleblowing management activities. For more information about the Company acting as the Data Controller for the Report you have made and the Data Protection Officer (DPO) that each Data Controller has appointed, please refer to Annex 1 of this policy “List of Data Controllers and Data Protection Offices (DPOs)” in which the addresses and contact details at which to contact them are provided. If the Report, received through your own “internal reporting channel”, is the responsibility of another Data Controller, it will be addressed to the same by the relevant Company which will act as an autonomous Data Controller.

2. TYPES OF DATA PROCESSED

As part of the “Whistleblowing” process, the personal data/information subject to processing are the Data of the “Whistleblower” (or “Interested Party”), the “Whistleblower” and the persons involved and/or related to the facts that are the subject of the Whistleblowing, such as, for example, any witnesses (hereinafter “Interested Parties”). This Data, collected and processed by the Data Controller, includes “common” personal data of the Interested Party/Whistleblower, the Interested Parties (personal details, the job position held in the Company to which they belong, contact details such as: email address, postal address, telephone number), any other information in Your Report, and, possibly, in some cases, where necessary, also data belonging to particular categories ex art. 9 GDPR or data relating to criminal convictions and offenses ex art. 10 GDPR for the reasons of relevant public interest referred to in the Whistleblowing Decree and in any case to the extent permitted by the relevant legislation, including articles 9 and 10 GDPR. The Data may be collected either directly from the Data Subject or through other parties involved in the Whistleblowing, through the special “internal reporting channel” indicated above or through the other communication channels indicated in point 4 below. The data are provided voluntarily by the Interested Party/Whistleblower, also in anonymous form, to the Data Controller, who will not process data that is not strictly necessary for the purposes set out in point 3 below. By way of example and without limitation, the “report” may be made by: employees of Autostrade per l’Italia S.p.A. or other Autostrade per l’Italia Group Company, freelancers/consultants/self-employed workers, including those with a collaborative relationship, who have relations with the Data Controller.

3. PURPOSE AND LEGAL BASIS OF PROCESSING

Personal Data are processed exclusively for the purposes of investigation and ascertainment of the facts that are the subject of the Report and the adoption of any consequent measures, in accordance with the provisions of Legislative Decree 24/2023. In particular, the Personal Data collected are only those necessary and relevant for the achievement of the above-mentioned purposes, based on the “principle of minimization.” With respect to these data, their provision is voluntary and the Interested Party is requested to provide only the data necessary to describe the facts that are the subject of the Report without communicating redundant and additional personal data to those necessary with respect to the purposes indicated above. In case they are provided, the Data Controller will refrain from using such Data and delete them.

Personal Data are processed on the legal basis of the legal obligation, ex art. 6, co.1 lett. b) (Legislative Decree 24/2023 – Legislative Decree 231/01), and of the legitimate interest of the Data Controller, ex art. 6, co.1, lett. f) of the GDPR (provided that the interests or fundamental rights and freedoms of the Data Subject do not prevail), to handle Reports of wrongdoing, of which the Reporting Party has become aware for work reasons, within the scope of its work context or for other reasons, as well as to protect internal and external Data Subjects involved in the “Whistleblowing” process.

4. METHODS OF PROCESSING

The data are collected, in compliance with current regulations, by means of electronic, telematic and manual tools, with logic strictly related to the purposes indicated above, so as to ensure the security and confidentiality of the data. In particular, they are collected through the following electronic/telematic tools:

  • the online platform “internal reporting channel”, ex art. 4 Legislative Decree 24/2023, provided by a selected external provider that adopts a system of corporate wrongdoing reporting in compliance with Directive (EU) 2019/1937, which guarantees the security and protection of data as well as the confidentiality of information, through an advanced encryption system of communications and database, in line with the provisions of the reference legislation. This platform enables the submission of reports in written form, both anonymously and non-anonymously, and makes it possible to maintain interlocutions with the Whistleblower and provide feedback to the Report, in accordance with the timeframes stipulated in the regulations. The Report is handled in a timely manner by internal offices with dedicated autonomous personnel specifically trained to ensure the handling of the reported case in accordance with the requirements of the relevant regulations, as set forth in Paragraph 6 below;
  • registered telephone line, in accordance with the provisions of Article 14, paragraph 2 of Legislative Decree 24/2023.

Data collected by means of the electronic/telematic tools will not be subject to fully automated processing as specified in Art. 22 GDPR. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access. In addition, specific technical-organizational measures, such as encryption, are taken, in accordance with Article 32 GDPR, to ensure the protection of the identity of the Data Subjects, as well as the possible anonymity of the Reporting Party and complete anonymity in accessing the platform (no log).

5. DATA RETENTION TIMES

Personal data will be kept only for the time necessary for the purposes for which they are collected in compliance with the principle of minimization ex art. 5.1. (c) GDPR and, in particular, for the purposes of management of the preliminary investigation, conclusion of the activity of definition of the Report and adoption of the relevant measures, in case of assessment, and in any case no longer than 5 years from the date of communication of the final outcome of the reporting procedure, in accordance with the provisions of Article 14, paragraph 1 of Legislative Decree 24/2023 and Article 5, paragraph 1 of the GDPR.

6. RECIPIENTS OF THE DATA

Within the Company, the Personal Data provided may come to the knowledge exclusively of the persons entrusted with the processing by the Owner and authorized to carry out the processing operations within the scope of the aforementioned activities in accordance with the provisions of Article 4, paragraph 2 of Legislative Decree 24/2023. The aforementioned Data may also become known to the supplier who manages the operation and maintenance of the IT tools through which the Report can be entered, as indicated in paragraph 4 above. This supplier is required to process the data for the same purposes as in point 3 above and is, for this purpose, appointed “Data Processor”, pursuant to Article 28 GDPR.

By virtue of a specific assignment, the activities of assistance and management of the Reports are carried out on behalf of some of the Companies mentioned above by Autostrade per l’Italia S.p.A. with registered office in Via A. Bergamini 50, Rome, appointed for this purpose as Data Processor by the Companies themselves, ex art. 28 GDPR. Such Data may also come to the knowledge of the Data Controller’s Supervisory Body, where appropriate, for the performance of its duties within the scope of its Whistleblowing tasks, pursuant to art. 13 of Legislative Decree 24/2023, the Anac, the Judicial Authority and other competent Bodies in relation to the reported case. Under no circumstances will personal data be disseminated.

7. RIGHTS OF DATA SUBJECTS

Articles 15-22 GDPR give Data Subjects the possibility to exercise specific rights, such as, for example, the right of access, rectification, cancellation, restriction of processing. The above rights may be exercised by making a request addressed without formalities to the Data Protection Officer (DPO) of the Data Controller at the PEC address indicated in Attachment 1. The Data Subject may lodge a complaint pursuant to Article 57 letter f) GDPR with the Data Protection Authority. In the event that the exercise of the aforementioned rights by the Data Subject may result in actual and concrete prejudice to the protection and confidentiality of the Data Subject’s personal data, the Data Controller may limit, delay or exclude such exercise, pursuant to Article 2-undecies, para. 1, lett. f) of the Privacy Code (Legislative Decree 196/2003), and not act on the claim. In such cases, the rights of the Interested Party, pursuant to art. 2-undecies, co. 3 of the Privacy Code, may be exercised through the Guarantor in the manner set forth in art. 160 of the Privacy Code.

8. POSSIBLE TRANSFER ABROAD OF PERSONAL DATA

Data management and storage take place on servers of a third-party company appointed as Data Processor, as indicated in par. 6 above, located in Italy and within the European Union. Personal data are not transferred outside the European Union.

Annex 1 – List of Data Controllers and Data Protection Offices (DPOs) and their contact information

  • Autostrade per l’Italia S.p.A. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT No. 07516911000 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo@pec.autostrade.it
  • Raccordo Autostradale Valle d’Aosta S.p.A. Registered office in Località Les Iles – 11010 Saint Pierre (AO) – VAT No. 01475961007 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo@pec.ravspa.it
  • Società Autostrada Tirrenica p.A. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT No. 04683251005 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo@pec.tirrenica.it
  • Società Italiana per Azioni per il Traforo del Monte Bianco Registered office at Piazza Vittorio Emanuele II, 14, 11010 Pre-Saint-Didier (AO) – VAT No. 00081600074 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo.sitmb@pec.autostrade.it
  • Tangenziale di Napoli S.p.A. Registered office in Via Cintia, Fuorigrotta junction 80126 Naples – VAT No. 01368900633 The Data Protection Officer (DPO) is domiciled for the office at the company’s registered office and contacted at the PEC address: DPO@pec.tangenzialedinapoli.it
  • Movyon S.p.A. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT No. 09743081003 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo@pec.movyon.com
  • Essediesse Società di Servizi S.p.A. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT number 06130511006 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo.essediesse@pec.autostrade.it
  • Giove Clear S.r.l. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT No. 09521941006 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo.gioveclear@pec.autostrade.it
  • Ad Moving S.p.A. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT No. 09521941006 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: admoving@pec.autostrade.it
  • Elgea S.p.A. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT number 16517551004 PEC address: elgea@pec.autostrade.it 
  • Free to X S.r.l. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT No. 09743081003 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo.freetox@pec.autostrade.it
  • Tecne Gruppo Autostrade per l’Italia S.p.A. Registered office in via Alberto Bergamini 50, 00159 Rome – VAT No. 15783681008 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: tecne.dpo@pec.autostrade.it
  • Amplia Infrastructures S.p.A. Registered office in Via Giulio Vincenzo Bona 95/101, 00156 Rome – VAT No. 00904791001 The Data Protection Officer (DPO) is domiciled for office at the company’s registered office and contacted at the PEC address: dpo.amplia@gmail.com