PRIVACY POLICY RELATIVE TO THE WHISTLEBLOWING PROCEDURE
 
Protection relative to processing of personal information
 
The Data Controller for personal data with regards to the present privacy policy is Tamini Trasformatori S.r.l. (“Controller”) with registered office at Viale Cadorna, 56/A – 20025 Legnano (MI), Italy.
 
All personal information will be processed pursuant to the current personal data protection legislation, specifically Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Italian Legislative Decree no. 196/2003, as amended by Italian Legislative Decree no. 101/2018 (“Privacy Code”), and any other regulations regarding the protection of personal data applicable in Italy, including the provisions of the Data Protection Authority (hereinafter together with the GDPR, “Privacy Regulations”), with full respect for fundamental rights and freedoms, with particular regard for the confidentiality of the identities of involved subjects and the security of the processing.
 
The following information is provided for the purpose of transparency in relation to the party indicated in a report and any party involved potentially referred to in a report (hereinafter together the “reported party”), to inform them of the data-processing terms and methods adopted, along with exercise of associated rights and relevant limitations on such rights on the basis of Italian Legislative Decree 231/2001 and Italian Legislative Decree 24/2023.
 
Contact details of the Controller and DPO
 
The Controller can be contacted via email at privacy@tamini.it in order to exercise the rights established by articles 15 and subsequent of the GDPR (see paragraph “Rights of the data subject” below in this notice) and/or for other requests regarding processing of Personal Data.
 
For all information relating to the processing of personal data and exercise of the rights of the Data Subject, the Data Protection Officer (“DPO”) can be contacted at the following email address: dpo@tamini.it.
 
Purposes and legal basis of the Processing
 
Personal data is gathered and processed for purposes closely connected to manage reports of wrongdoing, relative to activities and/or behaviours in conflict with the procedures implemented by the company, understood specifically as the violation of national or European Union regulations that harm public interests or the integrity of the Controller, which are identified in a public or private working context, and, more generally, violation of professional behavioural norms and/or ethical principles referenced in current regulations, whether internal or external, and/or illegal or fraudulent behaviour traceable to employees, members of company bodies, or third parties (customers, suppliers, consultants, collaborators).
 
Therefore, the legal basis for processing is the need to fulfil a legal obligation upon the Controller, with specific reference to the provisions contained in Italian Legislative Decree no. 231 of 08 June 2001 (“Rules of administrative responsibility of legal persons, companies and associations, also those not classified as a legal person, in accordance with article 11 of Italian Law no. 300 of 29 September 2000”) and in Italian Legislative Decree no. 24 of 10 March 2023 (“Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union Law and containing provisions regarding protection of persons who violate national regulatory provisions)”.
 
Any additional specific purposes relative to individual processes may be indicated in a detailed manner in the context of the various access channels made available.
 
Additionally, note that should the report content fall outside the scope of applicable regulations, the corresponding data shall be processed by the Controller only if there is a regulatory obligation and/or a legitimate interest regarding the protection and/or exercise of its legal rights in the relevant contexts.
 
Categories of personal data and sources from which it is gathered
 
Personal data regarding the reported party are gathered via the report and relative documentation provided by the whistleblower. The personal data regarding the reported party will fall into the following categories:
 

• personal details (e.g. name, surname, place and date of birth);
• contact details (e.g. email address, mobile number, postal address);
• professional details (e.g. hierarchical level, area of the company to which they belong, role in the company, type of relationship with Terna Group Companies or other third parties, profession);
• all other information regarding the reported party that the whistleblower decides to share with the Controller to better detail their report, in relation to activities and/or behaviours in conflict with the procedures implemented by the company, understood specifically as the violation of national or European Union regulations that harm public interests or the integrity of the Controller, which are identified in a public or private working context, and, more generally, violation of professional behavioural norms and/or ethical principles referenced in current regulations, whether internal or external, and/or illegal or fraudulent behaviour;

 
Processing methods, conservation schedules and recipients
 
Note that the Controller undertakes to process, legally, properly and transparently, only that data needed to achieve the indispensable purposes in carrying out the activities relative to the report.
 
Processing is performed by the Controller also via the use of electronic tools, including automated tools.
 
Processing is not performed and/or is limited in cases in which the purposes pursued can be achieved through anonymisation or through methods which allow the data subject to be identified only in the case of necessity.
 
Report and documentation regarding their management will be stored for a maximum of five years from the date of communication of the final outcome of the reporting procedure, with the exception of further storage in the event of judicial proceedings or requests from the Authorities or opening of disputes. Regarding Reports of crimes not set out by Italian Legislative Decree 24/2023, the data will be stored for the time strictly necessary for pursuit of the purposes for which it was gathered and in compliance with the provisions protecting the rights of the data subject and in accordance with the statute of limitations envisaged by current laws.
 
It is noted that, if during the course of the reporting procedure personal data are acquired that are clearly irrelevant to the report, these will be immediately deleted.
 
Pursuant to art. 2-quaterdecies of the Privacy Code, the data will be only processed by authorised persons who have been given express instructions by the Controller with regards to the need to guarantee the protection of the personal information of the subjects involved in the reports.
 
Personal data shall also be processed by suppliers of services, also within the Terna Group, which are instrumental for the aforementioned purposes.
 
In addition, personal information may be processed to begin legal and/or disciplinary protections associated with the report or may be communicated to the relevant authorities in the case of violations of applicable regulations, as well as transmitted against a binding order by said Authorities.
 
Rights of the data subject
 
Pursuant to the GDPR, all rights detailed under the articles 15 to 22 of the GDPR are recognised to all data subjects, and can be exercised in relation to the Controller. However these rights may not be exercised (via request to the Controller or complaint pursuant to article 77 of the GDPR) if this may lead to an effective and real compromise of the confidentiality of the whistleblower (see art. 2-undecies of the Privacy Code) and/or the pursuit of goals to comply with legislation on reporting unlawful conduct.
 
Specifically, the reported party is informed that exercise of such rights:
 

• will be possible in compliance with the provisions of Law or regulations governing the relative sector (including Italian Legislative Decree 231/2001 and Italian Legislative Decree 24/2023);
• may be delayed, limited or excluded with a notification providing the reasons for this and given without delay to the data subject, unless such communication could compromise the purposes of the limitation itself, for the period of time and within the limits within which this represents a necessary and proportionate measure, considering the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the whistleblower’s identity;
• may be exercised also via the Data Protection Authority with the methods described in article 160 of the Privacy Code, in which case the Data Protection Authority informs the data subject that it has performed all necessary checks or re-examined the situation, as well as of the right of the data subject to take legal action.

 
Exercise of the rights by the reported party (including rights to access) may therefore be exercised within the limits granted under applicable law and, in particular, it should be noted that the request will be analysed by the relevant bodies in order to balance the need to protect the individual's rights with the need to fight against and prevent violations of the rules of proper corporate management or the relevant applicable regulations.