Whistleblowing under Legislative Decree 231/01 Privacy Policy pursuant to EU Regulation 2016/679

Data Processor and Data Protection Officer (DPO)

The data controller is the person who defines the purposes of the processing of personal data and, after having collected the data, "uses" the data in compliance with the principles of the GDPR. The Data Controller is

FINWAVE S.p.A. Tax code and VAT number 03368590968

Corso Italia, 22 – 20121 Milan (MI)
Tel. +39 02 02 8490 7101
Certified E-mail: finwave@legalmail.it

FINWAVE S.p.A. has appointed its Data Protection Officer, who can be contacted at the following e-mail address: dpo-finwave@finwave.it

Legal Basis and Processing Methods

The legal basis on which the processing is based is the legal obligation resulting from the implementation by the Data Controller of Legislative Decree 231/2001 and Law 179/2017.

Transfer of personal data

Your data will always be processed by the Supervisory Board.

(*) We will not transfer your personal data to any person other than those indicated among the recipients and, always and in any case, according to the cases established in the operational management of reports (whistleblowing) and reporting to the Supervisory Board.

Automated decision making

Any personal data included in the report is not subject to any automated decision-making process that may have significant legal effects on you or that may affect your ability to exercise your rights under the GDPR.

Data will be processed using manual and/or computerised and electronic instruments with organisational and processing logics strictly related to the purposes and, in any case, in a way that guarantees the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures provided for by the provisions in force.

Security Measures

Any data you provide us with will be processed according to the principles of lawfulness, transparency and fairness, in accordance with current legislation, the company's security policies, and the secure processing of personal data.

The security measures applied to the processing and to protect the whistleblower's identity will include, among others:

• User authentication and authorisation
• Perimeter security (antivirus, firewall, WAF)
• Regular backups
• Business Continuity Plan / Service Continuity Availability Plan
• Security Information & Event Management (FortiSIEM)
• Regular scans (Qualys VM)
• Microsoft Office 365 ATP module
• Cabinet / Drawers locked with a key
• Office / Premises locked with a key
• MFA authentication

We will promptly notify you should there ever be a risk of a breach under Article 34 of the GDPR.

Rights of the Data Subject

In addition to guaranteeing the right to lodge a claim with the Supervisory Authority, which for Italy is the Italian Data Protection Authority, the GDPR grants you the following rights:

• Right of access (Article 15): Possibility for the Data Subject to obtain from the Controller confirmation as to whether or not his or her personal data is being processed and to obtain further information, including the purposes of the processing, the categories of personal data and the recipients.
• Right to rectification (Article 16): Possibility for the Data Subject to obtain rectification of inaccurate personal data from the Data Controller.
• Right to be forgotten (Article 17): Possibility for the Data Subject to request the deletion of his or her personal data if one of the reasons provided for in the article exists, including: revocation of consent, unlawful processing and exercising the right of defence.
• Right to restriction of processing (Article 18): Possibility for the data subject to obtain the restriction of processing, which can be configured as a total or partial suspension of the processing of the data or also, in some cases, as a blocking of the same. This can only be requested in exceptional cases expressly determined by the rule, including the period necessary to establish the accuracy of personal data, unlawful processing, the exercise of a right in a court of law.
• Right to data portability (Article 20): The Data Subject has the right to request that his or her data be disclosed to him or her, when exercising his or her rights, in an easily comprehensible format.
• Right to object (Article 21): Possibility for the Data Subject for reasons relating to his or her particular situation to object to the processing of his or her data pursuant to Article 6, paragraph 1, letters e) and f).
• Right not to be subject to automated decision-making (Article 22) Possibility for the data subject to object to processes based solely on automated processing if they have legal effects on him or her or significantly affect him or her.

We inform you that should you decide to exercise one or more of the above-mentioned rights, the Data Controller will disclose your personal data to the processors for related fulfilments (Article 19 GDPR).

If you have any doubts or need clarification, or if you wish to exercise your rights, please contact us at the following address:  dataprivacy@finwave.it

Personal Data Retention Times

Your data will be retained in our systems:

• if archived, up to 5 years from the date of receipt of the report following the conclusion of the investigation by the Supervisory Board
• or until the disciplinary or judicial proceedings (the final decision has become final) possibly connected with and/or resulting from the report are concluded

to ensure that both of them can fulfil all obligations resulting from the proper management of any proceedings.