Whistleblowing reporting channel
bureau Plattner has activated a channel dedicated to reporting ("Whistleblowing”), in accordance with Legislative Decree 24/2023, which can be used by anyone who, anonymously or by providing their personal details, wishes to report any conduct that contravenes European Union regulations and the national provisions implementing them, the code of ethics and/or that harms the interests of the Firm.
How to make a report
Reports can be sent via the dedicated Whistleblowing portal, accessible at the following link:
https://whistlesblow.it/c/bureau-plattner/1
For further details on how reports are handled and the protections provided, please refer to the Privacy Policy available below.
Privacy Policy regarding the processing of personal data of individuals who submit reports via Whistlesblow.it
Pursuant to Article 13 of Legislative Decree No. 196/2003 of the Code regarding the protection of personal data (hereinafter also referred to as the ‘Privacy Code’) and pursuant to Article 13 of European Regulation No. 679/2016 (hereinafter also referred to as the ‘GDPR’), we provide you with this information.
The data controller
The data controller is Bureau Plattner, with registered office in Via Leonardo da Vinci, 12 – 39100 Bolzano, VAT number 00547870212 (‘Firm’), email bureau.plattner@bplm.it.
This policy is addressed to ‘Reporting Persons’ and, where applicable, to “Facilitators” (hereinafter both referred to as ‘Data Subjects’) within the whistleblowing system pursuant to Legislative Decree 24/2023 and subsequent amendments and additions.
Place of data processing
The related processing takes place in Italy and there is no transfer or dissemination abroad or to countries outside the EU. No data is communicated or disseminated, except for statistical purposes and in any case in an anonymous and/or aggregated form.
Purpose of data processing
The personal data of the Data Subjects are processed for the following purposes:
a) to allow the Reporting Person to make a report pursuant to Legislative Decree 24/2023;
b) to follow up on the report, and in particular to assess the existence of the reported facts, the outcome of the investigations and any measures taken;
c) inform the Reporting Person of the action that has been taken or is intended to be taken in response to the report;
d) inform the Reporting Person of the reasons why it is necessary to disclose confidential information and/or the reasons why it is essential, including for the purposes of defending the person involved, to disclose the identity of the reporting person;
e) communicate the personal data of the Reporting Person to third parties, with the consent of the Reporting Person, for the purposes of the proper management of the report.
In relation to the purposes described above:
- the legal basis for purposes a) to d) is Article 6(1)(c) of the GDPR, as the processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
- the legal basis for purpose e) is Article 6(1)(a) of the GDPR, as the processing is based on the consent of the data subject.
Data processed
The categories of data processed relating to the data subjects are as follows:
- personal identification data, where provided;
- personal contact details, where provided;
- other common or specific data freely shared in the report.
The provision of personal data is optional, given that reports may also be made anonymously, provided they are adequately documented.
Retention period
Personal data will be retained for the time necessary to process the report and in any case for no longer than 5 years from the date of notification of the final outcome of the reporting procedure.
Communication and dissemination of processing
Personal data will be processed exclusively by employees and collaborators of the Data Controller, as well as by third parties appointed as data processors pursuant to Article 28 of the GDPR. In particular, considering that whistleblowing reports are forwarded via the Whistlesblow.it software, access is also granted to the supplier of the aforementioned application, appointed for this purpose as data processor pursuant to Article 28 of the GDPR.
Personal data will not be disclosed in any way without the consent of the data subject.
The Data Controller may communicate the personal data of the data subject to third parties, independent data controllers, with the data subject's consent and for the sole purpose of processing the report.
Methods of processing
Personal data is processed with the aid of computerised and paper-based media in the manner necessary to pursue the purposes indicated above. Data processing is carried out using procedures that are suitable for protecting confidentiality and will consist of the collection, recording, organisation, storage, retrieval, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of the data, including the combination of two or more of the above activities.
Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorised access.
Rights of data subjects
Under certain conditions, you have the right to exercise the rights provided for in Articles 7, 8, 9 and 10 of the Privacy Code and Articles 15, 16, 17, 18, 19, 20, 21 and 22 of the GDPR and, in particular, to ask us for:
● access to your personal data;
● a copy of the personal data you have provided to us (so-called portability);
● the rectification of the data in our possession;
● the erasure of any data for which we no longer have any legal basis for processing;
● object to the processing where provided for by applicable law;
● withdraw your consent, if the processing is based on consent;
● restrict the way in which we process your personal data, within the limits provided for by the legislation on the protection of personal data.
The exercise of these rights is subject to certain exceptions aimed at safeguarding the public interest (e.g. the prevention or identification of crimes) and our interests (e.g. the maintenance of professional secrecy).
If you exercise any of the above rights, it will be our responsibility to verify that you are entitled to exercise them and we will respond to you, as a rule, within one month.
Anyone who has concerns about Bureau Plattner's privacy policy, its application, the accuracy of their personal data or the use of the information collected may contact us by email at: bureau.plattner@bplm.it.
Each data subject may submit their complaints or reports, pursuant to Article 77 of the GDPR, to the data protection authority, using the relevant contact details:
Garante per la protezione dei dati personali (Data Protection Authority) - Piazza di Monte Citorio n. 121 - 00186 ROME - Fax: (+39) 06.69677.3785 - Telephone: (+39) 06.696771 - E-mail: garante@gpdp.it - Certified email: protocollo@pec.gpdp.it