Privacy Policy and Whistleblowing Report Management

In implementation of the relevant legislation in force (Legislative Decree 24/2023 – ‘Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law and on provisions concerning the protection of persons reporting breaches of national laws’) Autostrade per l’Italia S. p.A. and the other Companies of Autostrade per l’Italia Group (listed in Annex 1 and hereafter jointly referred to as the ‘Company’ or the ‘Data Controller’) have implemented a system for the reception and management of reports of alleged unlawful acts, which allows the management of the report (‘Report’) submitted by you to the Company through the Company’s specific dedicated channel. The system is designed for receiving and handling reports, including anonymous ones, sent to the Company by its staff and/or third parties, and relating to potential breaches of national or European Union regulations, breaches of internal rules (rules of conduct set forth in the Code of Ethics, in the Anti-Bribery Guidelines, in the 231 Model and, more generally, in the corporate body of regulations), unlawful conduct and irregularities concerning the performance of Company activities. 

Pursuant to Articles 13 and 14 of the European Regulation 2016/679 (hereinafter referred to as ‘GDPR’), each of the Companies listed above, as independent Data Controller, hereby provides information on the processing of personal data/information (‘Data’) concerning you (as a ‘Whistleblower’), acquired directly or indirectly, in relation to the ‘Report’ submitted by you, as well as on the processing of data/information of the persons concerned by the Report itself (hereinafter also ‘Whistleblowing Report’). 

This Policy is hereby made available and accessible to potential data subjects through publication on the Controller’s institutional website. 

At its convenience, the Data Controller reserves the right to change, amend, add or delete any part of this Policy at any time. In order to facilitate the identification of any amendments, the date of revision will be indicated at the bottom of this Policy. 

1. DATA CONTROLLER

Autostrade per l’Italia, or any other Company of Autostrade per l’Italia Group to which the Report is submitted, shall be the independent Controller of the processing of your personal data, as Whistleblower, and/or of the other parties involved in the Report for Whistleblowing management activities.

For more information on the Company acting as Data Controller for the Report you have submitted and on the Data Protection Officer (DPO) that each Data Controller has appointed, we kindly invite you to refer to Annex 1 of this Policy ‘List of Data Controllers and Data Protection Officers (DPOs)’ where you can find the addresses and contact details of the Data Controllers.

Should the Report, received through the ‘internal reporting channel’, fall under the responsibility of another Data Controller, it shall be addressed to the same by the competent Company acting as an independent Data Controller.

2. TYPES OF DATA PROCESSED

In the context of the ‘Whistleblowing’ procedure, the personal data/information subject to processing are the Data of the ‘Whistleblower’ (or ‘Data Subject’), of the ‘Reported Party’ and of the persons involved and/or connected to the facts alleged in the ‘Whistleblowing Report’, such as, for instance, any witnesses (hereinafter, “Data Subjects”).

Such Data, collected and processed by the Data Controller, include ‘common’ personal data of the Data Subject/Whistleblower, of the Data Subjects (personal details, job position held in the Company, contact details such as: email address, postal address, telephone number), any other information contained in your Report, and, possibly, in some cases, where necessary, also data belonging to particular categories pursuant to Art. 9 GDPR or data relating to criminal convictions and offences under article 10 of the GDPR for the reasons of relevant public interest referred to in the Privacy Policy to the Whistleblowing Decree and, in any case, within the limits of the provisions of the relevant legislation, including articles 9 and 10 of the GDPR.

Data may be collected either directly from the Data Subject or through other parties involved in the Report, through the ‘internal reporting channel’ indicated above or through the other communication channels indicated in point 4 below.

The data are provided voluntarily by the Data Subject/Whistleblower, also in anonymous form, to the Data Controller, who may not process data that are not strictly necessary for the purposes set out in point 3 below.

By way of example and without limitation, the ‘Report’ may be submitted by: employees of the Data Controller and/or third parties who have a relationship with the Data Controller.

3. PURPOSE AND LEGAL BASIS OF THE PROCESSING

Personal Data are processed exclusively for the purposes of investigating and verifying the facts alleged in the Report and adopting any consequential measures, in accordance with the provisions of Legislative Decree 24/2023.

Specifically, the Personal Data collected are only those necessary and pertinent for the achievement of the purposes indicated above, on the basis of the ‘principle of minimisation’.

As far as these data are concerned, their provision is voluntary and the Data Subject is kindly invited to provide only the data necessary to describe the facts alleged in the Report without communicating personal data that are redundant and additional to those necessary for the purposes indicated above. Should they be provided, the Data Controller will refrain from using such Data and will delete them.

Personal Data are processed on the legal basis of the legal obligation, under article 6, par. 1 lett. b) (Legislative Decree 24/2023 – Legislative Decree 231/01), and of the legitimate interest of the Data Controller, under article 6, par. 1, lett. f) of the GDPR (provided that the interests or the fundamental rights and freedoms of the Data Subject do not prevail), to handle Reports of unlawful acts, of which the Whistleblower has become aware for professional reasons, within the context of their work or for other reasons, as well as to protect internal and external Data Subjects involved in the ‘Whistleblowing’ procedure.

4. DATA PROCESSING METHODS

The data are collected in compliance with the regulations in force through computer-based, IT and manual tools, following procedures strictly related to the purposes indicated above, to guarantee the security and confidentiality of the data provided.

More specifically, data are collected through the following computer-based/IT tools:

• the ‘internal reporting channel’ online platform, pursuant to Article 4 of Legislative Decree 24/2023, provided by a selected external provider and adopting a system for reporting corporate wrongdoing in compliance with Directive (EU) 2019/1937, which guarantees data security and protection as well as the confidentiality of information, through an advanced communication and database encryption system, in line with the provisions of the reference legislation. This platform allows the submission of written reports, both anonymous and non-anonymous, while maintaining discussions with the Whistleblower and providing feedback to the Report, in compliance with the deadlines provided for by the legislation. The report is handled promptly by internal departments with dedicated and specifically trained autonomous staff to ensure that the reported case is handled in accordance with the requirements of the relevant legislation, as set out in paragraph 6 below;
• registered telephone line, in compliance with article 14, par. 2) of Legislative Decree 24/2023.

Data collected through computer-based/IT tools will not be subject to fully automated processing as defined in article 22 of the GDPR.

Specific security measures shall be complied with to prevent data loss, unlawful or incorrect use and unauthorised access.

Furthermore, specific technical-organisational measures, such as encryption, are adopted, pursuant to article 32 of the GDPR, to guarantee the protection of the identity of the Data Subjects, as well as the possible anonymity of the Whistleblower and complete anonymity in accessing the platform (no log).

5. DATA RETENTION PERIOD

Personal data will be retained only for the period necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to article 5.1., c) of the GDPR and, in particular, for the purposes of the management of the preliminary investigation, the conclusion of the activity to define the Report and the adoption of the relevant measures, in the event of an assessment, and in any case no longer than 5 years from the date of communication of the final outcome of the reporting procedure, in accordance with the provisions of Article 14, paragraph 1 of Legislative Decree 24/2023 and Article 5, paragraph 1 of the GDPR.

6. DATA RECIPIENTS

Within the Company, only individuals tasked with the processing by the Data Controller and authorised to carry out the processing operations within the scope of the aforementioned activities may access the Personal Data provided, in accordance with the provisions of Article 4, par. 2) of Legislative Decree 24/2023.

Personal Data may be disclosed to the supplier managing the operation and maintenance of the IT tools on which the Report can be entered, as indicated in paragraph 4 above, and who is required to process the data for the same purposes as set out in paragraph 3 above, and who is, for this purpose, appointed ‘Data Processor’, pursuant to Article 28 of the GDPR.

Pursuant to a specific assignment, the activities of assistance and management of the Reports are carried out on behalf of some of the Companies mentioned above by Autostrade per l’Italia S.p.A. with registered office in Via A. Bergamini 50, Rome, appointed for this purpose as Data Processor by the Companies themselves, pursuant to Article 28 of the GDPR.

The Data may also be disclosed to the Data Controller’s Supervisory Board, where appropriate, for the performance of its tasks in the context of Whistleblowing matters, pursuant to Article 13 of Legislative Decree 24/2023, the Anti-Corruption Authority (ANAC), the Judicial Authority and other competent Entities/Bodies in relation to the reported case.

Under no circumstances will personal data be disseminated.

7. DATA SUBJECTS’ RIGHTS

Articles 15-22 GDPR grant Data Subjects the possibility to exercise specific rights, such as, for example, the right of access, correction, cancellation, restriction of data processing.

The above rights may be exercised by submitting a request without formalities to the Data Protection Officer (DPO) of the Data Controller at the PEC (registered mail) address indicated in Annex 1.

The Data Subject may lodge a complaint pursuant to Article 57 letter f) of the GDPR with the Data Protection Authority.

Should the Data Subject’s enjoyment of the aforementioned rights entail an actual and tangible prejudice to the protection and confidentiality of the Data Subject’s personal data, the Data Controller may limit, delay or exclude such exercise, pursuant to Article 2-undecies, para. 1, lett. f) of the Privacy Code (Legislative Decree 196/2003), and deny the request.

In such cases, the rights of the Data Subject, pursuant to Art. 2-undecies, para. 3 of the Privacy Code, may be exercised through the Privacy Authority under the terms set out in Art. 160 of the Privacy Code.

8. POSSIBLE TRANSFER OF PERSONAL DATA ABROAD

Personal Data shall be handled and retained on servers belonging to a third-party company appointed as Data Processor, as indicated in paragraph 6 above, located in Italy and within the European Union. Personal data may not be transferred outside the European Union.

Version 2.3 of 15 July 2023 

Annex 1 – List of Data Controllers and Data Protection Officers (DPOs) and their contact details

Autostrade per l’Italia S.p.A.
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 07516911000The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: dpo@pec.autostrade.it

Raccordo Autostradale Valle d’Aosta S.p.A.
Registered office at Località Les Iles – 11010 Saint Pierre (AO) – VAT number 01475961007The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: dpo@pec.ravspa.it

Società Autostrada Tirrenica p.A.
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 04683251005The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: dpo@pec.tirrenica.it

Società Italiana per Azioni per il Traforo del Monte Bianco
Registered office at Piazza Vittorio Emanuele II, 14, 11010 Pre-Saint-Didier (AO) – VAT number 00081600074The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: dpo.sitmb@pec.autostrade.it

Tangenziale di Napoli S.p.A.
Registered office at Via Cintia, Fuorigrotta junction 80126 Napoli – VAT number 01368900633The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: DPO@pec.tangenzialedinapoli.it

Movyon S.p.A.
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 09743081003The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: dpo@pec.movyon.com

Essediesse Società di Servizi S.p.A.
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 06130511006The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted atP
PEC: dpo.essediesse@pec.autostrade.it

Giove Clear S.r.l. 
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 09521941006The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office
PEC: dpo.gioveclear@pec.autostrade.it

Ad Moving S.p.A. 
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 09521941006The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: admoving@pec.autostrade.it

Elgea S.p.A.
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 16517551004
PEC: elgea@pec.autostrade.it

Free to X S.r.l. 
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 09743081003The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: dpo.freetox@pec.autostrade.it

Tecne Gruppo Autostrade per l’Italia S.p.A.
Registered office at via Alberto Bergamini 50, 00159 Rome – VAT number 15783681008The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: tecne.dpo@pec.autostrade.it

Amplia Infrastructures S.p.A. 
Registered office at via Giulio Vincenzo Bona 95/101, 00156 Rome – VAT number 00904791001The Data Protection Officer (DPO) is domiciled for the purpose at the company’s registered office and can be contacted at
PEC: dpo.amplia@gmail.com