PRIVACY INFORMATION ON THE PROCESSING OF PERSONAL DATA IN THE MANAGEMENT OF WHISTLEBLOWING REPORTS.
This is to inform you, pursuant to art. 13 of Regulation (EU) 2016/679 on the "Protection of natural persons with regard to the processing of personal data and on the free movement of such data" and Legislative Decree 196/2003 as amended and supplemented (hereinafter "Regulation"), about the collection, processing and storage of your personal data carried out by “Fondazione Istituto Italiano di Tecnologia” (hereinafter "IIT"), within the management of Whistleblowing reports.
******************************************************************************
- Identity and contact details of the Data Controller
The Data Controller of your personal data is the Fondazione Istituto Italiano di Tecnologia, based in Via Morego, 30 - 16163 Genova - Tel.: +39 010 28961.
- CONTACT DETAILS OF THE DATA PROTECTION OFFICER
The Data Protection Officer is available at the following e-mail address: dpo@iit.it.
- OBJECT OF DATA PROCESSING AND TYPES OF PERSONAL DATA PROCESSED
Your personal data will be collected through the dedicated platform accessible at https://iit.segnalazioni.net or through other reporting channels made available by IIT (e.g. Supervisory Authority e-mail channel: organismodivigilanza@iit.it or ordinary mail: Fondazione – IIT – Organismo di Vigilanza – Via Guidubaldo del Monte 54, 00197 Roma) and will be processed by IIT through the reporting management platform.
In particular, the following personal data may be processed:
- name, e-mail address and identification document of the reporting party (hereinafter “whistleblower”), including the voice in the case of reports made through the platform's voicemail, and the contents of the reports;
- common, identifying data and data relating to the conduct of the reported subjects, as well as possible additional subjects involved in the reports;
- special categories of personal data, relating to the whistleblower, reported people and/or other subjects possibly involved in the reports, which may be contained in the reports and in documents or records attached to them (e.g. health data).
It is specified that IIT also accepts anonymous reports (sent through an anonymous e-mail address, specifically created, or in paper form without indicating the sender, or via the platform, by ticking the relevant reference box), which must be documented and detailed, to provide useful elements to allow an appropriate verification activity on the validity of the reported facts.
- PURPOSE AND LAWFULNESS OF DATA PROCESSING
The data provided by the whistleblower, or collected by the Data Controller for the purposes of managing reports, will be processed exclusively for the management of reports in the Whistleblowing context, on the following legal bases for data processing:
- Fulfillment of legal obligations: Legislative Decree no. 24/2023, Legislative Decree 231/2001, Law no. 179/2017;
- Your consent to the recording of your voice, exclusively in the event of a report made using the platform's voicemail, pursuant to art. 6 par. 1, letter a) of the GDPR, as provided for by art. 14.2 of Legislative Decree no. 24/2023;
- Your explicit consent, exclusively to disclose the report to persons other than those competent to receive or follow up on reports and/or in disciplinary proceedings in the presence of the requirements set out in art. 12 of Legislative Decree no. 24/2023.
It is specified that the whistleblower's identity may be disclosed in the case of investigations by competent authorities or in the event of legal proceedings, where this is a legal obligation. In any case, the whistleblower is notified by written communication of the reasons for any disclosure of confidential data.
- DATA PROCESSING METHODS
The data provided by the whistleblower for sending reports, as well as the data relating to the reported parties and/or other subjects possibly involved in the reports and contained in the reports themselves, will be processed according to the principles of correctness, lawfulness, transparency and protection of confidentiality and rights, in compliance with the obligations imposed by the Regulation and the Whistleblowing provisions.
The processing will be carried out with IT and telematic tools with organizational and processing logics strictly related to the purposes indicated above, and in any case in a way that guarantees the security, integrity and confidentiality of the data itself in compliance with the organizational, physical and logical measures provided for by the provisions in force. In particular, your personal data provided in the registration form to the platform (name, email address and identification document) are separate from the content of the reports, and the association of your identity with the report can be carried out exclusively by the responsible subjects in charge of managing the reports, as defined in the following art. 6.
- ACCESS TO PERSONAL DATA
The reports will be managed by the following subjects designated by IIT as authorized to process personal data for whistleblowing reports, each for their own areas of competence:
- Supervisory Authority (Organismo di Vigilanza)
- Ombudsperson
- Compliance Directorate Responsible
- Ethics Committee
- Human Capital and Organization Directorate
The content of the reports may also be shared with the Managers of the administrative and scientific functions of IIT to support the subjects responsible for evaluating them.
- Categories of recipients of personal data
Personal data will be communicated to subjects appointed as Data Processors pursuant to art. 28 of the Regulation. In this specific case, Digital PA will be able to access the data for maintenance and assistance activities on the platform. Finally, the data may be communicated to other subjects for the fulfillment of legal obligations and to consultants and lawyers, including in associated form, who provide legal assistance to IIT and who process the data as independent data controllers, to ensure the exercise of IIT's right of defense, in the context of any legal disputes arising from the report transmitted.
- Extra EU data transfer
Your Personal Data will not be disclosed and will not be transferred outside the European Union.
- DATA STORAGE
Personal data relating to reports will be collected and stored for no longer than necessary to comply with the reporting management procedure, and in any case no longer than five years from the date of communication of the outcome of the reporting procedure. Personal data that are not manifestly useful for the processing of a specific report will not be collected or, if collected accidentally, will be deleted immediately.
- RIGHTS OF THE DATA SUBJECT
You may exercise the rights provided in Articles 15 et seq. of the Regulation at any time by sending an e-mail to dpo@iit.it, within the limits of what is provided for by article 2-undecies of the Regulation, except in the case in which the exercise of rights may harm the confidentiality of the whistleblower’s identity. In particular, data subjects may request:
- access to personal data, as provided in Article 15 of the Regulation;
- rectification of personal data, as provided in Article 16 of the Regulation;
- erasure of personal data ("right to be forgotten"), as provided in Article 17 of the Regulation;
- restriction of personal data processing, as provided in Article 18 of the Regulation.
- COMPLAINT WITH THE SUPERVISORY AUTHORITY
Finally, pursuant to Article 77 of the Regulation, we remind you that data subjects have the right to lodge a complaint with a Supervisory Authority (for Italy, the Garante per la Protezione dei dati personali, www.garanteprivacy.it, e-mail protocollo@gpdp.it, tel. +39 06.696771), if they believe that data processing infringes the provisions of the Regulation.
- NATURE OF THE PROCESSING AND MANDATORY NATURE OF PROVIDING DATA
Taking into account the purposes of the processing as illustrated above, the provision of your data for sending the report/registration to the platform (name, email address and identification document) is mandatory, and failure to provide them will result in the impossibility of making a named (non-anonymous) report through the platform or of managing your report submitted through the additional channels.
- Existence of automated decision-making processes
There is NO type of automated decision-making process for the data processing, pursuant to Article 22 of GDPR.
BRIEF COOKIES PRIVACY INFORMATION
No personal data is implicitly acquired by the platform.
Cookies are not used to transmit personal information or to track users.
Only technical cookies are used for the correct and efficient use of the platform. The use of session cookies (which are not stored on the user's computer but deleted when the browser is closed) is strictly limited to the transmission of session identifiers (random numbers generated by the server) necessary to allow safe and efficient exploration of the platform.