Information provided pursuant to Articles 13-14 of the GDPR (General Data Protection Regulation) 2016/679

To Whom It May Concern, we would like to inform You that Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”) provides for the protection of natural persons' personal data.


IIT - Istituto Italiano di Tecnologia, the personal data "controller", informs You that, pursuant to Article 13 of the GDPR, Your data shall be processed as follows:

In accordance with the personal data protection code and the whistleblowing law, the processing of your personal data provided during your registration and report submission will be based on the principles of correctness, lawfulness and transparency and on the safeguarding of your privacy and your rights and of those of all the persons involved.


Your personal data will be processed exclusively for purposes strictly connected to Law 179/2017 on Whistleblowing.


The platform of IIT - Istituto Italiano di Tecnologia only collects your registration data and the data provided in the reports. Among the data voluntarily provided, the following personal data can be acquired:

Name, email address, identity document, report contents. Your personal profile data are not directly viewable in the report.


We hereby inform You that, considering the above-mentioned data processing purposes, the supply of Your registration data (name, e-mail address and identity document) is mandatory. Failure to provide Your data makes it impossible to create a Whistleblower's profile recognisable by the system. Please note that the legislation provides for the whistleblower to make themselves recognisable in order to take advantage of the granted protection system.

Therefore, giving consent to the data processing (by ticking the appropriate box) is necessary to proceed with registration (if required).

As regards the consent of the indicted or of any other individuals involved in the report, the personal data processing is permitted even without the consent of the person concerned. Data processing is indeed necessary to pursue the Data Controller's legitimate interests, which, in countering wrongdoing, are considered to prevail over the interests and the rights of the indicted.


Data processing shall be performed by IT and telematic tools, with organizational logics strictly related to the above-mentioned purposes and, in any case, in such a way that data inviolability, security and confidentiality are guaranteed in compliance with the organizational, physical and logical methods provided for by the current regulations. Please note that your personal data provided in the registration form (name, e-mail address and identity document) is separate from any report and that the association of your identity with the report can only be made by the "Supervisor" responsible for managing the reports.


The personal data relating to the reports are kept and stored for the period of time necessary to carry out the report management procedure. They shall then be stored in the records.


At any time whatsoever, the whistleblower may exercise their right:

  • to access their personal data;
  • to obtain the rectification or the erasure of the same data;
  • to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal of consent results in the impossibility for the whistleblower to access their profile; however, they will still be able to view the reports by using their codes. The right to withdraw does not exist if the processing is required to fulfil a legal obligation to which the controller is subject;
  • to make a complaint to the Data Protection Authority.

No personal data is implicitly acquired by the platform.

We do not use cookies to transmit information of a personal nature, nor are persistent cookies used to track users.

Only technical cookies are used to the extent strictly necessary for the correct and efficient use of the platform. The use of session cookies (which are not stored permanently on the user's computer and disappear when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to allow safe and efficient exploration of the platform.


The "Data Controller" is IIT - Istituto Italiano di Tecnologia, with registered office in Via Morego, 30, 16163 Genova. Tel: +39 010 71781

