Disclosure pursuant to Articles 13 and 14 of European Regulation 2016/679 on the Processing of Personal Data in the context of the Whistleblowing System

Pursuant to articles 13 and 14 GDPR, Movyon S.p.A. (“Movyon” or “Owner“), as Data Controller, provides below the information on the processing of personal data of the persons concerned by the process of receipt and management of Reports of alleged wrongdoing (hereinafter also “Whistleblowing” or “Report“).

Preliminarily, Movyon informs the interested parties that Autostrade per l’Italia S.p.A., Movyon’s parent company, has introduced the Whistleblowing tool, as a System for reporting alleged wrongdoing by its own employees, employees of the companies of the “ASPI Group” and third parties (collaborators/suppliers), in compliance with the applicable law (Law 231/2001, as amended by Law 179/2017).

The “Procedure for the management of Reports”, prepared by Autostrade per l’Italia S.p.A. and implemented by Movyon, allows, within the performance of the process of receiving and managing Reports, to apply the measures aimed at protecting all the subjects involved in compliance with paragraphs 2-bis, 2-ter and 2-quater of art. 6 of L. 231/2001, as introduced by the aforementioned Law 179/2017 (“Provisions for the protection of Whistleblowers reporting crimes or irregularities of which they have become aware in the context of a public or private employment relationship”), the GDPR and the relevant national legislation on the protection of personal data, including Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 (“Privacy Code“).

Movyon has appointed Autostrade per l’Italia S.p.A. as Data Processor pursuant to art. 28 of the GDPR for the management of Reports, on behalf of Movyon.


The owner of the personal data is Movyon S.p.A. (VAT no. and Tax Code 09743081003), with registered office in Via A. Bergamini 50 – 00159, ROME.

The Data Controller has appointed a Data Protection Officer (“DPO“) domiciled for the purpose on Via A. Bergamini 50 – 00159, ROME, pursuant to art. 37 et seq. of the GDPR. The DPO who can be contacted for matters relating to the processing of the personal data of the data subjects at the following email address:


In the context of the “Whistleblowing” procedure, the personal data processed are the data of the “Whistleblower”, the “Reported” and the “persons involved and/or connected to the facts that are the subject of the Report” (hereinafter “Data Subjects“).

The personal data collected and processed as part of the proceedings include “common” personal data of the Data Subjects (personal details, functions, contact details such as: email address, postal address, telephone number) and, possibly, in some cases, where necessary, also data belonging to special categories pursuant to aticle 9 of the GDPR.

The data may be collected either directly from the Data Subject or through other persons involved in the Report, by means of a specific platform and/or the communication channels indicated in point 4 below.

The data are provided voluntarily by the Data Subjects/Whistleblowers, unless they choose anonymity, and only the data necessary for the purposes set out in point 3 below are processed.


Personal data are processed exclusively for the purposes of investigating and ascertaining the facts which are the subject of the Report and of adopting any consequent measures, within the framework of the “Whistleblowing” procedure.

The provision of personal data is voluntary and the Data Subject is requested to only provide the data necessary to describe the facts that are the subject of the Report without communicating redundant personal data in addition to those necessary for the abovementioned purposes. In case such additional and unnecessary data are provided, they will not be used by the Data Controller. In fact, Movyon only processes data necessary and relevant to achieve the above-mentioned purposes, on the basis of the “principle of minimisation” pursuant to art. 5 of the GDPR.

The personal data of the Data Subjects are processed on the legal basis of the legitimate interest of the Data Controller (art. 6, co. 1, lett. f) of the GDPR) to manage the Reports of alleged wrongdoing of which the Whistleblower has become aware for work reasons and/or as part of the employment relationship, as well as to protect the internal and external Data Subjects involved in the Whistleblowing procedure.

Pursuant to Art. 9 GDPR, Personal data may be processed, where necessary, on the legal basis of the legitimate interest of the Data Controller (pursuant to Art. 6, co. 1, lett. f) of the GDPR), for the establishment, exercise or defence of a right in court, as well as on the legal basis pursuant to art. 6, co. 1, lett. b) of the GDPR (“execution of the contract”) for certain aspects of the employment relationship.


In compliance with the applicable law, data are collected by means of electronic, computerised and manual tools, with logic strictly related to the above-mentioned purposes, in order to guarantee the security and confidentiality of the data.

In particular, they are collected through electronic and computerised tools:

  • the “Whistleblowing” online platform on the website of the parent company Autostrada per l’Italia SpA.,
  • e-mail:,

as well as by manual means of ordinary mail, to the address: Ethic Officer – ASPI Group Whistleblowing Team, via Bergamini, 50 Rome.

Data collected by means of electronic/computerised tools will not be subject to fully automated processing as specified in art. 22 of the GDPR.

Specific security measures are observed to prevent loss of data, unlawful or incorrect use and unauthorised access.

In addition, pursuant to art. 32 GDPR, specific technical and organisational measures are adopted to ensure the protection of the Interested Parties, as well as the possible anonymity of the Whistleblower and complete anonymity in accessing the platform (no log).


Personal data shall be kept only for the time necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to art. 5.1.c) of the GDPR and, in particular, for the purposes of managing the inquiry, concluding the activity of defining the Report and adopting the relevant measures, in case of assessment.


In order to carry out the activities relating to the “Whistleblowing” procedure, and again for the purposes set out in point 3, Movyon has appointed the parent company Autostrade per l’Italia S.p.A. as Data Processor pursuant to art. 28 of the GDPR, managing Whistleblowing on behalf of Movyon.

Where required, in accordance with the Group’s policy, i.e. the “Whistleblowing Management Procedure”, Atlantia S.p.A may learn of certain personal data of Data Subjects pursuant to recital 48 of the GDPR, always in compliance with the principle of relevance and minimisation.

The list of persons appointed as Data Processors pursuant to art. 28 GDPR can be requested from the DPO.
Under no circumstances will the personal data of the persons concerned be disseminated.


Articles 15-22 of the GDPR give data subjects the possibility to exercise specific rights, such as, for example, the right of access, rectification, erasure, restriction of processing.

The abovementioned rights may be exercised by making a request to the Movyon DPO at the certified email address, using the forms provided by the Data Controller on the website

The Data Subject may lodge a complaint pursuant to Art. 57 letter f) of the GDPR with the Italian Data Protection Authority (Piazza di Monte Citorio no. 121, 00186 ROMA), in order to assert his/her rights in relation to the processing of personal data.

 In the event that the above rights by the Reported Party may entail an actual and concrete prejudice to the protection and confidentiality of the Reported Party’s personal data, the Data Controller may limit, delay or exclude such exercise, pursuant to art. 2-undecies, para. 1, letter f) of the Privacy Code, and not proceed with the request.

In such cases, the rights of the Data Subject, pursuant to art. 2-undecies, paragraph 3 of the Privacy Code, may be exercised through the Guarantor in the manner set out in art. 160 of the Privacy Code.


Data management and storage takes place on the servers of the parent company Autostrade per l’Italia S.p.A., appointed as Data Processor pursuant to art. 28 GDPR and any third parties appointed by the latter as sub-controllers pursuant to art. 28 of the GDPR, all located in Italy and within the European Union.

Personal data are not transferred outside the European Union.

If necessary, the Data Controller shall be entitled to move the location of the archives and servers to Italy and/or the European Union and/or non-EU countries. In the latter case, the Data Controller assures as of now that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, stipulating, where necessary, agreements that guarantee an adequate level of protection and/or adopting the Standard Contractual Clauses envisaged by the European Commission.