Whistleblowing Information Notice
(Last update December 19, 2024)
Data Controller
DATAFLOW SECURITY SRL with registered office in Via Jacopo Vittorelli, 3 – 36061 Bassano del Grappa, Vicenza (“Data Controller”) is the data controller of the personal data collected in the context of a Whistleblowing report (hereinafter “Report”).
This document must be considered as supplementary to any other privacy information that may have been received (e.g. employee, collaborator, supplier, etc.). Therefore, the information contained in these documents will not be repeated.
For any further information, please contact our DPO at [email protected].
Types of personal data processed
If you decide to reveal your identity, the personal data processed may include your identifying data (name, surname), your contact data (e.g. email address or phone number), and the identifying data of the reported person or the identifying data of other persons that may provide information on the reported person.
The acquisition and management of Reports leads to the processing of personal data, including those belonging to particular categories of data (that reveal racial or ethnic origin, sensitive data, political opinions, religious or philosophical convictions, trade union membership, genetic or biometric data that identify a person, health-related data or sexual life or sexual orientation) and related to criminal convictions and offenses, contained in the Report and in documents and attachments thereto, relating to data subjects (identified or identifiable physical persons) and, in particular, the reporters or persons indicated as possible responsible for the illegal conduct or those involved in the reported matters. However, we kindly invite you to refrain from providing these types of personal data if not strictly necessary for the purpose of the Report.
Purpose of the treatment
Your personal data will be processed for the following purposes:
a. Receipt, analysis, investigation and management of Reports and any subsequent actions, and in particular, to verify the facts reported and to take any necessary measures. The legal basis is the legal obligation (D.lgs. 24/2023). Moreover, for Reports collected by telephone, through voice messaging systems or otherwise orally, the legal basis is the consent of the Reporter. This consent is not mandatory, and if not provided, the Report will be transcribed to be processed in accordance with the law. You have the right to view and request modification or rectification of the transcribed Report.
b. Legal protection, whether judicial or extrajudicial, of the Data Controller. In this case, the legal basis of the processing activities is the legitimate interest of the Data Controller.
c. To fulfill obligations in matters of workplace safety and social security. In this case, particular data and judicial data may be processed.
d. The Report may also be used to take disciplinary or sanctioning actions if discriminatory, pretextual, or retaliatory behaviors are carried out against the reporter or the reported person, or to sanction retaliatory behaviors.
The treatment is based on D.lgs 24/2023.
The provision of data that enables the identification of the reporter is optional. However, their non-provision may prejudice the success of the investigative activity.
To pursue the aforementioned purposes, the personal data provided are made accessible only to those who are competent to receive or follow up on the activities of analysis, investigation, and management of Reports and any subsequent actions (persons authorized in accordance with Articles 28, 29, 32(4) of the GDPR and 2 quaterdecies of the Privacy Code who have committed to confidentiality, except for the obligations of communication provided for by law). Such persons are formally appointed and properly trained to prevent loss of data, access to data by unauthorized persons or non-consented data processing, and, more generally, in relation to the obligations regarding personal data protection.
Data recipients and legal basis
Your personal data and those subject to the Report may be communicated to:
- Freelance professionals (lawyers, labor consultants) to verify the correct application of the applicable law;
- Collegial bodies and subjects who must be strictly involved in the management of the Report, including the “facilitator”, if present;
- Bodies, entities, or authorities to which it is mandatory to communicate personal data in accordance with legal provisions or orders from authorities;
- National Anti-Corruption Authority (ANAC);
- Whistleblowing platform providers as data processors in accordance with Article 28 of the GDPR.
The identity of the reporter and any other information from which the reporter’s identity can be inferred, directly or indirectly, may only be disclosed to persons other than those competent to receive or follow up on the Reports with the explicit consent of the reporter in accordance with D. Lgs. n. 24/2023.
The data processing activities will be carried out both manually and automatically, and according to modalities that ensure confidentiality and security, especially concerning the reporter’s data, which will be protected by anonymity if you decide not to reveal your identity.
Transfer of personal data
Some personal data processing activities may be carried out by the Data Controller also outside the European Economic Area. In this case, the transfer of data is carried out on the basis of the existence of a decision by the European Commission regarding the adequacy of the level of data protection in the country or on the basis of the appropriate and adequate guarantees provided for by Articles 46 or 47 of the GDPR (e.g. the adoption of the “model clauses” for data protection adopted by the European Commission) or of the additional grounds for lawful transfer provided for by Article 49 of the GDPR.
Retention of personal data
The Report, as well as the data it contains and the relevant documents attached or otherwise cited or connected to it, will be kept for as long as necessary to manage the Report and for the time necessary for legal protection. In any case, according to the terms provided for by Article 14 of D.lgs. n. 24/2023, they will not be retained for a period exceeding five years from the final outcome of the Reporting procedure, in respect of the obligations of confidentiality provided for by D.lgs. 24/2023 and Article 5 of the GDPR.
Your rights
You have the right to:
- Access your data. This right is not concretely exercisable by the person subject to the Report. In other cases, we will provide you with your personal data, which are subject to our treatment;
- Portability of your data: if possible, we will provide an Excel file with your personal data;
- Rectify your data if you believe they are incorrect or need to be updated;
- Limit the processing of your data: for example, if you believe that the processing we are carrying out is illegal or that the treatments carried out by the Data Controller on the basis of legitimate interest are inappropriate;
- Delete your personal data;
- Oppose the processing of your data.
The time limit for response provided by the legislation to which the Data Controller is subject is one month from your request (extendable to a further two months in case of particular complexity).
Pursuant to Article 2 undecies of D.lgs. n. 196/2003, you are informed that the aforementioned rights cannot be exercised by the persons involved in the Report, if the exercise of such rights could result in a concrete and actual prejudice to the confidentiality of the identity of the reporting person. This prejudice will be evaluated on a case-by-case basis, and only where it is a necessary and proportionate measure. If the Data Controller avails itself of this limitation, you will be notified in writing. In particular, the exercise of these rights:
- will be carried out in accordance with the provisions of the law or regulation governing the sector (D.lgs. 24/2023);
- may be delayed, limited or excluded by means of a motivated communication made without delay to the interested party, unless the communication can compromise the limitation, for the time and extent necessary to constitute a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the interested party, in order to protect the confidentiality of the identity of the reporting person.
In any case, we remind you that your rights can also be exercised through the competent authority (Garante per la protezione dei dati personali) with the modalities provided for by Article 160 of D.lgs. 196/2003. You can exercise your rights by writing an email to [email protected].
In any case, you have the right to lodge a complaint with the competent supervisory authority (Garante per la protezione dei dati personali), in accordance with Article 77 of the GDPR.