Privacy Policy
Information pursuant to Article 13 of EU Regulation 679/2016 ("GDPR") on the processing of personal data carried out in the context of the management of whistleblowing reports.
In accordance with Article 13 of EU Regulation no. 2016/679 (Regulation), ENEDO S.p.A. provides below information on the processing of personal data of whistleblowers (where identified or identifiable), reported individuals, and any other third parties involved ("Data Subjects"), carried out in relation to the management of whistleblowing reports pursuant to Legislative Decree 24/2023, in accordance with the procedures outlined in ENEDO S.p.A.'s Whistleblowing Policy. For matters not covered herein, reference is made to the information provided to employees of ENEDO S.p.A. in relation to the employment relationship.
Therefore, we provide you with the following information:
Identity and contact details of the data controller
The data controller is the company ENEDO SPA, located at Via Ancona, No. 59 – 60027 Osimo (An) – VAT number and registration in the Companies Register No. 02085400428 – C.C.I.A.A. No. 03475270264. For any inquiries regarding the processing of personal data, you can write to the address provided, or send an email to the following Certified Electronic Mail (PEC) address: enedospa@pec.it.
The Data Protection Officer (DPO) is Attorney Andrea Giaccaglia, reachable via email at dpo@enedopower.com for information regarding data processing. Enedo SPA has also appointed the Manager of the whistleblowing process, governed by the Whistleblowing Procedure, who can be contacted at the email address whistleblowing@enedopower.com.
Types of Processed Data
The personal data subject to processing fall into the following categories:
A) Common personal data as per Article 4, point 1, of the GDPR, of the reporting person in case of non-anonymous reports made through the dedicated platform:
- Mandatory: name, surname, relationship with ENEDO SPA.
- Optional: position, role/qualification, contact phone, email address.
B) Personal data of the reporting person in case of non-anonymous reports made through the telephone channel:
- The processed personal data are those voluntarily communicated by the reporting person.
C) Personal data related to the individual(s) involved in the report:
- The data and special categories of data as per Article 4, point 1, and Article 9 of the GDPR that the reporting person has chosen to provide to represent the facts described in the report. It is specified that in this case, ENEDO S.p.A. is not able to determine in advance the data subject to the report, which may therefore include special categories of data (such as criminal convictions, offenses, etc.).
Purpose of the processing:
The processing of your personal data, including data belonging to special categories, is carried out in accordance with the principles of fairness, lawfulness, and transparency and is solely aimed at the following activities:
a) Management of the report made in accordance with Legislative Decree no. 24/2023;
b) Fulfillment of obligations provided by law or EU regulations;
c) Defense or assertion of one's own right in civil, administrative, or criminal litigation.
The legal basis for data processing is constituted as follows:
- For the purpose stated in letter a), by the fulfillment of a legal obligation to which the data controller is subject (Art. 6, para. 1, letter c) of the GDPR); furthermore, for reports recorded through telephone or vocal messaging systems or in oral form, by the consent of the Reporter (Art. 6, para. 1, letter a) of the GDPR);
- For the purposes stated in letter b), by the fulfillment of a legal obligation to which the data controller is subject (Art. 6, para. 1, letter c) of the GDPR).
- For the purposes stated in letter c), by the legitimate interest of the data controller (Art. 6, para. 1, letter f) of the GDPR).
Processing methods:
Personal data will be processed in paper, computerized, and telematic form manually and/or through automated computer and telematic tools to achieve the above-mentioned purposes. The whistleblowing management system ensures, at every stage, the confidentiality of the reporter's identity, the individuals involved and/or mentioned in the report, the content of the report, and its documentation, except as provided for in Article 12 of Legislative Decree no. 24/2023. All data processing operations are carried out to ensure the integrity, confidentiality, and availability of personal data.
Location of Data Processing:
The data is currently processed and stored at the legal headquarters located at Via Ancona, No. 59 – 60027 Osimo (An). Additionally, on behalf of the Data Controller, professionals and/or companies are tasked with performing technical, development, legal, managerial, and administrative-accounting activities.
Data Retention Period:
Reports and related documentation are kept for the time necessary for processing the report and, in any case, not exceeding five years from the date of communication of the final outcome of the reporting procedure, in compliance with confidentiality obligations. In the case of reports outside the scope/complaints (e.g., disputes, claims, or requests related to the personal interests of the reporting person, communications or complaints related to commercial activities or public services), they are retained for a period not exceeding 8 months from their archiving.
Nature of Data Provision and Consequences of Refusal:
The provision of data is necessary to achieve the above-mentioned purposes; failure to provide the data, or partial or inaccurate provision, may result in the impossibility of managing the report.
Recipients and Scope of Data Communication and Disclosure:
Without prejudice to communications made to fulfill legal and contractual obligations, all collected and processed data may be communicated exclusively for the purposes specified above to the following subjects: In addition, some processing may be carried out by additional third parties, to whom ENEDO S.p.A. entrusts certain activities (or parts thereof) for the purposes mentioned in point 2); these subjects will operate as independent Data Controllers or will be appointed Data Processors and are essentially included in the following categories:
- Consultants of ENEDO S.p.A (Organization, Litigation, Legal Studies, etc.)
- Companies responsible for personnel administration and management
- Audit/auditing companies
- Investigative agencies
- Institutions and/or Public Authorities, Judicial Authorities, and consultants appointed by them, Law Enforcement Agencies
Transfer of Data Abroad:
The provided data may be transferred abroad to non-European countries, particularly to:
a) Non-EU countries "whose level of data protection has been deemed adequate by the European Commission under Article 45 of the GDPR."
b) Non-EU countries other than those mentioned above, "upon the signing of standard contractual clauses adopted/approved by the European Commission under Article 46, 2, letters c) and d)."
All necessary precautions will be taken to ensure the complete protection of personal data.
Rights of the Data Subject:
We inform you that as a "data subject," you can submit a request to the Data Controller, the Data Protection Officer (DPO), or the Manager for whistleblowing reports at the addresses provided, to exercise the rights of access, rectification, erasure, and oblivion, limitation of data processing, and objection to their processing for legitimate reasons under Articles 15, 16, 17, 18, 20, 21, and 22 of the GDPR UE 2016/679, as detailed below, within the limits of Article 23 of the same Regulation:
PART III "RIGHTS OF THE DATA SUBJECT" GDPR UE 2016/679
Article 15 - Right of access:
The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and, if so, access to the personal data and information regarding the processing.
Article 16 - Right to rectification:
The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning them without undue delay. Considering the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
Article 17 - Right to erasure (right to be forgotten):
The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller has the obligation to erase personal data without undue delay.
Article 18 - Right to restriction of processing:
The data subject has the right to obtain from the data controller the restriction of processing in certain circumstances: a) the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of such personal data; b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) although the data controller no longer needs the personal data for the purposes of the processing, they are required by the data subject for the establishment, exercise, or defense of legal claims; d) the data subject has objected to processing pursuant to Article 21, paragraph 1, pending the verification whether the legitimate grounds of the data controller override those of the data subject.
Article 20 - Right to data portability:
The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided. In exercising their right to data portability, the data subject has the right to have the personal data transmitted directly from one data controller to another, where technically feasible.
Article 21 - Right to object:
The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6, paragraph 1, letters e) or f), including profiling based on those provisions.
Article 22 - Automated individual decision-making, including profiling:
1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
2. Paragraph 1 shall not apply if the decision: a) is necessary for entering into, or the performance of, a contract between the data subject and a data controller; b) is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests; c) is based on the data subject's explicit consent.
3. In the cases referred to in paragraph 2, letters a) and c), the data controller shall implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests, at least the right to obtain human intervention on the part of the data controller, to express their point of view, and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9, paragraph 1, unless Article 9, paragraph 2, letters a) or g), apply and suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests are in place.
Right to Lodge a Complaint with the Supervisory Authority:
As the "data subject," if you believe that the processing of data concerning you violates Regulation 679/2016 (GDPR), you have the right to lodge a complaint with the Data Protection Authority using the methods available on the website: www.garanteprivacy.it, in accordance with Articles 77 and following of the GDPR. Additionally, by writing to the address or PEC mailbox mentioned above, you can request the complete and updated list of data processors.
In the event that the Data Controller or the Data Processor intends to process your personal data for purposes other than those for which they were collected according to this information, you will be informed in advance of the different purposes, also for the purpose of obtaining the necessary explicit consent.
DECEMBER 2023