Information on the processing of personal data

Regulatory references

  • art. 13 of EU Regulation 2016/679 of 27/04/2016 – General Data Protection Regulation (“GDPR”)
  • Legislative Decree 24/2023 – Implementation of EU Directive 2019/1937 of 23 October 2019 on the protection of persons who report breaches of European law and on provisions for the protection of persons who report breaches of national law (“Whistleblowing Decree”)

 

Data controller

FF Factory S.r.l., with registered office in Via Eligio Brigatti, 60, 20885 Ronco Briantino (MB), tax code and VAT no. 01212820136, in the person of its legal representative pro tempore.

 

Purpose of the processing and legal basis for the processing

The personal data will be processed exclusively for the following purposes:

  • receipt, processing and management of the reports you send to the Data Controller in accordance with the Whistleblowing Decree;
  • fulfilment of the obligations provided for by the Whistleblowing Decree, by other applicable regulatory provisions and by provisions issued by supervisory and control authorities and bodies.

The processing of personal data for the aforementioned purposes does not require the data subject’s express consent; the legal basis for the processing is in fact the obligation of the Data Controller to fulfil specific regulatory obligations (Art. 6.1.c of the GDPR).

 

Compulsory or optional nature of the submission of data and consequences of a refusal to provide personal data

Reports may be anonymous. In this case, however, it may not be possible for the Data Controller to further process the report or the related investigation.
Otherwise, if the reporting person provides their identification and contact data in the report, these data will be processed by the Data Controller or persons authorised by the Data Controller for the further handling of the report and only for the purposes specified above.

The Data Controller will also process the personal data of the persons reported, i.e. any additional persons mentioned in the report, facilitators, and/or other persons involved within the company in handling the report.

 

Data processing methods

Personal data will be processed, for the above-mentioned purposes, on both paper and computer media, by means of electronic or automated tools, in compliance with the regulations in force in particular on confidentiality and security and in accordance with the principles of fairness, lawfulness and transparency provided for by the GDPR and further strengthened by the Whistleblowing Decree.
The processing is carried out by the Data Controller or by specifically appointed Data Processors and/or authorized persons; the list of Data Processors and/or authorized persons may be requested by you from the Data Controller.

 

Communication and dissemination

Personal data may be communicated to the following categories of subjects, within the limits strictly relevant to the obligations, the tasks and the purposes set out above and in compliance with current legislation:

  1. subjects to whom such communication must be delivered in order to fulfill or to demand the fulfillment of specific obligations provided for by laws, regulations and/or EU legislation;
  2. persons and/or legal entities that provide services that are instrumental to the activities of the Data Controller for the purposes referred to above (consultants, supervisory body, board of statutory auditors etc.);
  3. police forces, competent authorities (e.g., National Anticorruption Authority) and other public administrations, who will act as autonomous data controllers.

Personal data will not be disseminated.

 

Data retention period

Personal data will be stored for the entire duration of the handling of the report and for a maximum of 5 years from the closing date of the report. After this period, the data will be deleted or anonymized.

 

Data transfer

Personal data are stored on servers located within the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move the servers or the data even outside the EU. In this case, the Data Controller hereby ensures that the transfer of data outside the EU will take place in accordance with the provisions of applicable law.

 

Rights of data subject

Data subjects have the rights set forth in art. 15 GDPR, and in particular:

  1. to obtain confirmation of the existence of personal data concerning them, even if not yet registered, and their communication in an intelligible form;
  2. to obtain the indication: a) of the origin of personal data; b) of the purposes and methods of the processing; c) the existence of an electronic decision-making process, including profiling, and of the logic applied, as well as of the importance and consequences envisaged for the interested party in case of processing carried out with the aid of electronic instruments; d) the contact details of the Controller and of the Data Processor; e) of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the territory of the State, as data processors or authorized persons;
  3. to obtain: a) updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also with regard to their content, of those to whom the data have been communicated, except in the case in which this fulfillment proves impossible or involves a use of means manifestly disproportionate to the protected right;
  4. to object, in whole or in part for legitimate reasons, to the processing of personal data concerning them, even if pertinent to the purpose of the collection.

Where applicable, data subjects are also entitled to exercise the rights referred to in Articles 16-21 GDPR (right of rectification, right to cancellation (“right to be forgotten”), right to limitation of processing, right to data portability, right of opposition), as well as the right to lodge a complaint with the Supervisory Privacy Authority (https://www.garanteprivacy.it/).

Pursuant to the provisions of paragraph 1, letters e and f, of Article 2-undecies of Legislative Decree 196/2003 (“Privacy Code”), the data subjects are informed that their rights identified in Articles 15 to 22 of the GDPR, and in particular the right of access, may not be exercised by request to the Data Controller, or by complaint to the Supervisory Privacy Authority pursuant to Art. 77 GDPR, where the exercise of such rights may result in actual and concrete prejudice to the confidentiality of the data subjects making a report, and/or to the conduct of investigations or the exercise of a right in court. Pursuant to paragraph 3, Art. 2-undecies of the Privacy Code, the exercise of such rights may, in addition, be delayed, limited or excluded for as long as this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subjects, in order to safeguard the defensive interests of the Data Controller and the confidentiality of the data subjects.

In such cases:
(i) data subjects will be informed by reasoned notice given without delay, unless such notice would undermine the purpose of the limitation of the exercise of rights;
(ii) data subjects will be able to exercise their rights through the Supervisory Privacy Authority, in the manner set forth in Article 160 of the Privacy Code. In this case, the Privacy Guarantor shall inform the data subjects that it has carried out all the necessary verifications or has conducted a review.

This is without prejudice to the right of the data subjects to file a judicial appeal.
To exercise the rights referred to above or for questions or information regarding the processing of your data and the security measures adopted, you can send your request to the Data Controller.