PROCESSING OF PERSONAL DATA OF WHISTLEBLOWERS

BN DI NAVIGAZIONE S.P.A., in its capacity as Data Controller, provides you with information on the processing of the personal data you provide at the time of your report, and those subsequently acquired during the preliminary investigation phase, which will be processed, including by means of computer and electronic tools, exclusively by the person in charge of receiving and managing reports (hereinafter the RRGS) designated for this purpose. The aforementioned role is performed by the person in office at the time of the report, who acts as the Company’s appointee. The name of the RRGS can be requested at any time by writing to the company’s registered office, for the attention of the RRGS. The Controller hereby provides the information pursuant to Article 13, EU Regulation 2016/679 (hereinafter referred to as “the Regulation”).

1. Data Controller
The company BN DI NAVIGAZIONE S.P.A.
with registered office in CALATA ITALIA 24/A – 57037 – PORTOFERRAIO (LI) P.I.: 01968710994
PEC (certified email): [email protected] – E-MAIL: [email protected]
TEL.: +39 0565.269710 – FAX: +39 0565.919894 (hereinafter, the “Company”) hereby informs you that it is the Data Controller.

Your personal data will be processed by the Controller, through the RRGS, in order to implement what is known as the whistleblowing procedure, as amended by Legislative Decree No. 24 of 10 March 2023, in order to regulate the process of receiving, analysing and processing reports of wrongdoing as provided for in the aforementioned legislation. In particular, the data provided by you for the purpose of reporting unlawful conduct of which you have become aware by reason of your service relationship with the Company, committed by persons who interact with the Company in various capacities, are processed for the purpose of carrying out the necessary preliminary activities aimed at verifying the grounds of the fact being reported and the adoption of the consequent measures. The management and the preliminary verification of the grounds of the circumstances represented in the report are entrusted to the RRGS, who does so in compliance with the principles of impartiality and confidentiality, carrying out any activity deemed appropriate, including a personal hearing of the RRGS and of any other persons who may provide information on the facts reported.

The legal basis of the processing is the fulfilment of the law introduced by Legislative Decree No. 24 of 10 March 2023.

When a report is received, the personal data processed will be retained for 5 years from the date of notification of the final outcome of the reporting procedure.

The report may also be anonymous, but in the event of failure to provide the personal data necessary for its identification, if the report is not sufficiently detailed, is not adequately documented or is not made in sufficient depth to bring to light facts and situations relating them to specific contexts, it will not be taken into consideration.

The identity of the whistleblower may be disclosed to the persons responsible for the management of the entire disciplinary procedure and to the person accused in cases where: i) there is the whistleblower’s express consent (in writing); ii) the disciplinary charge is based, in whole or in part, on the report; iii) knowledge of the whistleblower’s identity is absolutely essential to the defence of the person accused. This is without prejudice, in any case, to the fulfilment, by the RRGS, and/or by the entities that, for operational reasons, need to know the identity of the reporter, complying with the legal obligations concerning the right to anonymity of the reporter. The Company MYGO S.r.l., with registered office in Rome, Piazza Crati no. 20, VAT and Tax Code 14356531005, supplier of the “My Whistleblowing” software, may also have access to the IT areas where the whistleblower’s data are stored, in its capacity as Data Processor pursuant to Article 28 of EU Regulation 2016/679.

The Data Controllers inform you that you have the right, within the limits prescribed by Regulation 2016/679, to: – obtain data and information on data processing, in particular in relation to the type of personal data processed, the purposes for which the personal data are processed, the period of processing and the persons to whom the data are communicated (so-called right of access);

– obtain the rectification or supplementation of inaccurate personal data that concern you (so-called right of rectification);

– obtain the deletion of personal data that concern you (so-called right of erasure) in the following cases: (i) the personal data are no longer necessary for the purposes for which they were collected; (ii) you have withdrawn your consent to the processing of personal data, if they are processed on the basis of such consent; (iii) you have objected to the processing of personal data that concern you if they are not processed for a legitimate interest of the Controller; (iv) the processing of personal data does not comply with the law. However, the retention of your personal data by the Controller is lawful if it is necessary to enable the Controller to fulfil a legal obligation or to establish, exercise or defend a right in a court of law;

– ensure that personal data concerning you are only retained without any other use in the following cases: (i) you contest the accuracy of the personal data, for the period necessary to allow the Controller to verify the correctness of such personal data; (ii) when the processing of the personal data is unlawful you nevertheless object to the deletion of the personal data by the Controller; (iii) the personal data are necessary for the establishment, exercise or defence of legal claims; (iv) you object to the processing and are awaiting verification as to whether the legitimate grounds of the Controller for processing prevail over your own ( so-called right of restriction);

– object at any time to the processing of your data (so-called right to object);

– receive, in a commonly used, machine-readable and interoperable format, the personal data that concern you, where they are processed pursuant to a contract or on the basis of your consent, and/or request that the data be transmitted to another data controller, if feasible (so-called right to portability).

You also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar way. The aforementioned rights may be exercised upon request to the Data Protection Manager by sending an e-mail to [email protected] or by writing by ordinary mail to the aforementioned person at the registered office of BN di Navigazione S.p.A. in CALATA ITALIA 24/A – 57037 – PORTOFERRAIO (LI).

The appointed Data Protection Officer may be contacted by e-mail, by writing to [email protected] or by ordinary mail, by writing to the Company’s registered office, for the attention of the Data Protection Officer.

Should you consider that the processing of your personal data by the Controller is in breach of the provisions of the Regulation, you have the right to file a complaint to the Office of the Privacy Guarantor (by e-mail, at the address: [email protected], or by post, to the Guarantor for the Protection of Personal Data, located in Rome (Italy), Piazza Venezia 11 Scala B, postcode 00187), as provided for by Article 77 of the Regulation, or to take legal action as provided for by Article 79 of the Regulation.