Privacy
PRIVACY POLICY
Art. 13 of Regulation (EU) 2016/679
relating to the processing of personal data of subjects who submit "Whistleblowing" reports (Italian Legislative Decree 24/2023)
Pursuant to art. 13 of Regulation (EU) 2016/679 (hereinafter also "GDPR") we provide you with the present information relating to the processing of personal data carried out through the internal channel for reporting violations of illicit acts or irregularities "Legality Whistleblowing", as provided and regulated by Italian Legislative Decree 24/2023 (so-called Whistleblowing).
DATA CONTROLLER
The Data Controller is Class Editori S.p.A., VAT number 08114020152, with registered office in Via Burigozzo n° 5, 20122 Milan (MI), Italy, registered at the Milano Monza Brianza Lodi Chamber of Commerce Company Register at n°08114020152, PEC: classeditorispa@legalmail.it; Telephone: 02582191 and the other companies belonging to the Class Editori Publishing House, indicated in the list at the bottom of this document (hereinafter, also "Joint Controllers").
For further information on this processing, the Data Subjects shall contact the DPO, in Via Burigozzo n° 5 - 20122, Milan (MI), email: dpo@class.it.
PLACE OF DATA PROCESSING
The data processed are not transferred to third countries outside the European Union or the European Economic Area (EEA) or to international organisations. Personal data is stored on servers located within the European Union.
In any case, it is understood that the Data Controller, if necessary, will have the right to process personal data on servers located outside the EU/EEA. In this case, the Data Controller hereby ensures that the transfer of non-EU data will take place in compliance with the applicable legal provisions, with particular reference to the articles. 44 et seq. of the GDPR.
DATA PROCESSORS
The Data Controller may make use of third parties to carry out activities and related processing of personal data of which he retains ownership.
In accordance with the provisions of the law, these subjects ensure levels of experience, ability and reliability such as to guarantee compliance with the current provisions on processing, including the data security profile.
The Data Controller, as an internal channel for the specific management activity of reports via the specific "Legality Whistleblowing" platform, makes use of the collaboration of the company DigitalPA S.r.l. appointed Data Processor pursuant to art. 28 of the GDPR with a specific act.
SUBJECTS AUTHORIZED TO PROCESSING
The personal data included in the reports are processed exclusively by previously authorized internal personnel competent to receive and/or follow up on the reports, who are given appropriate instructions pursuant to articles. 29 and 32 of the GDPR and pursuant to art. 2-quaterdecies of the Legislative Decree 196/2003 and subsequent amendments, regarding measures, precautions, modus operandi, for the protection of personal data, in compliance with the principles of necessity, minimization and relevance and for the time strictly necessary to achieve the purposes for which are collected.
PURPOSE OF DATA PROCESSING
The personal data provided are used for the sole purpose of managing the report made and the ancillary activities connected to it.
In particular, the purposes of the processing are exclusively the following:
1) The correct and complete management of the so-called procedure Whistleblowing in compliance with current legislation on the matter as required by Legislative Decree. 24/2023;
2) The necessary related investigative activities aimed at verifying the validity of the fact(s) being reported and the adoption of the consequent measures;
3) The protection in court of a right of the Data Controller;
4) Response to a request from the judicial authority or other public authorities.
NATURE OF THE PROCESSING
Given the provisions above, and without prejudice to the case of anonymous reporting, the provision of personal data is necessary for the fulfillment of the procedure and, therefore, their failure to process precludes the possibility for the Data Controller to correctly manage the report and give course towards the effective recognition of the protections provided by the relevant legislation.
Indeed, among the purposes of the relevant legislation is that of offering protection and ensuring the confidentiality of the identity of the whistleblower who brings to light illegal conduct and facts.
PROCESSED DATA
The procedure involves the collection of personal data entered when completing the form on the "Legality Whistleblowing" platform dedicated to receiving reports, as well as any personal data present in the report received, alternatively, via a dedicated e-mail inbox, or by post, including any documentation attached to it, or, finally, through oral communication through a direct meeting with a specifically authorized and trained person.
As part of the reports, data relating to the reported subject and/or other subjects involved in the report may also be processed and may concern common as well as particular data relating to crimes and convictions.
The information collected with the report concerns, specifically:
- (a) if not provided in detailed anonymous form, personal data (name, surname) and identification of the reporting party (tax code);
- (b) any personal and identifying data of the reported person(s) and/or third parties;
- (d) any particular data (art. 9 GDPR);
- (e) any data relating to crimes and convictions (art. 10 GDPR);
- (c) if not made anonymous, any e-mail address and IP of the reporting person.
LAWFULNESS OF PROCESSING
The processing is aimed at fulfilling a legal obligation to which the Data Controller is subject pursuant to art. 6, par. 1, letter. c); as regards the processing of particular data, the legal basis is constituted by the art. 9, par. 2, letter. b), and by art. 10 of Regulation (EU) 2016/679.
As for any particular processing that refer to operations connected to the art. 12 of the Legislative Decree. 24/2023 (“Obligation of confidentiality”), par. 2 and 5, and art. 14 (“Conservation of documentation relating to reports”), par. 2 and 4, the Data Controller reserves the right to acquire, with a specific deed, consent from the reporting person pursuant to art. 6, par. 1, letter. a) of Regulation (EU) 2016/679 to the related processing.
RETENTION PERIOD
The Data Controller carries out a preliminary investigation of the report. If, following the activity carried out, it detects elements that are manifestly unfounded, it will arrange for it to be archived immediately with the deletion of any relevant personal data.
In the event that, following the preliminary investigation, the report proves to be well founded, the reports and the related documentation will be kept for the achievement of the purposes for which they were collected and for the period necessary to complete the administrative procedure related, and in any case they will be kept for a maximum period of 5 years, starting from the date of communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations set out in European and national legislation on the protection of personal data.
This is without prejudice to retention for a period longer than that indicated above in relation to any specific further regulatory provision.
CATEGORIES OF DATA RECIPIENTS
The data processing is carried out exclusively by personnel specifically authorized and trained in the management of reports and committed to confidentiality and responsible for the related activities in relation to the purposes pursued.
Only these subjects and not other personnel are allowed access to personal data to the extent and within the limits in which it is necessary for carrying out the processing activities in question.
Therefore, only the employees in charge of investigating the reports and the members of the Supervisory Body pursuant to Legislative Decree 231/2001 shall have access to the personal data.
Furthermore, if the reports are forwarded via the "Legality Whistleblowing" platform, the provider of the aforementioned application may also have access to the personal data, having been appointed, with a specific deed, as Data Processor pursuant to art. 28 of the GDPR.
PROCESSING METHODS
The processing, on the "Legality Whistleblowing" platform accessible at the following link: https://gruppoclasseditori.segnalazioni.net, or by post, e-mail or by direct meeting, takes place manually and/or computerized, in compliance with the fundamental rights and freedoms, and is based on the principles of correctness, lawfulness, transparency and protection of confidentiality, as provided for by the art. 5 of Regulation (EU) 2016/679.
The Data Controller, and on his behalf the Data Processor, implement adequate technical and organizational measures regarding the collection, use of personal data and the exercise of the rights of the Data Subject and take care to update the regulations and procedures adopted for the protection of personal data whenever this becomes necessary and in any case in the event of regulatory and organizational changes that may affect the processing of personal data.
Personal data will also be processed with automated tools for the time strictly necessary to achieve the purposes for which they were collected. The Data Controller implements suitable measures to ensure that the data provided are processed in an adequate manner and in accordance with the purposes for which they are managed and uses suitable security measures (file encryption), organisational, technical and physical, to protect the information from alteration, from destruction, loss, theft or improper or illegitimate use.
RIGHTS OF THE DATA SUBJECTS (articles 15 to 22 of Regulation (EU) 2016/679)
The Data Subjects can exercise the rights provided for by the articles from 15 to 22 of Regulation (EU) 2016/679 and namely: access to their personal data, rectification, cancellation, limitation of the processing, opposition to the processing, pursuant to and to the effect of articles 15 to 22 of Regulation (EU) 2016/679 by writing to dpo@class.it.
However, it is specified that the exercise of the above rights may be limited, pursuant to article 2-undecies of the Legislative Decree 196/2003 and subsequent amendments (implementing article 23 of the GDPR), if the exercise of the same could result in an effective and concrete prejudice to the confidentiality of the identity of the whistleblower.
RIGHT TO COMPLAIN
The Data Subject who believes that the processing of the personal data relating to her/him takes place in violation of the provisions of Regulation (EU) 2016/679 has the right to lodge a complaint with the Data Protection Authority, as provided for by the art. 77 of the Regulation, or to take action in the appropriate judicial offices (art. 79 of the GDPR).
Joint Data Controllers list
Campus Editori S.r.l.
Via Burigozzo, 5 20122 Milano
Class China eCommerce S.r.l.
Via Burigozzo, 5 20122 Milano
Class CNBC S.p.A.
Via Burigozzo, 5 20122 Milano
Class Editori S.p.A.
Via Burigozzo, 5 20122 Milano
Class Pubblicità S.p.A.
Via Burigozzo, 5 20122 Milano
Class Servizi Televisivi S.r.l.
Via Burigozzo, 5 20122 Milano
Class TV Service S.r.l.
Via Burigozzo, 5 20122 Milano
Country Class Editori S.r.l.
Via Burigozzo, 5 20122 Milano
MF Newswires S.r.l.
Via Burigozzo, 5 20122 Milano
Milano Finanza Editori S.p.A.
Via Burigozzo, 5 20122 Milano
PMF News Editori S.r.l.
Via Burigozzo, 5 20122 Milano
Radio Classica S.r.l.
Via Burigozzo, 5 20122 Milano
TV Moda S.r.l.
Via Burigozzo, 5 20122 Milano
Gambero Rosso S.p.A. Via Ottavio Gasparri, 13/17 00152 Roma
Telesia S.p.A. Via Ottavio Gasparri, 13/17 00152 Roma
Assinform/Dal Cin Editori S.r.l. Viale Dante Alighieri 12, 33170 Pordenone
Last update: 12 /12/2023
