Whistleblowing

Personal Data Protection Notice

(Pursuant to Articles 13 and 14 of the European Regulation 2016/679).

Grandi Stazioni Rail S.p.A., in relation to the data processed for the purpose of receiving, analyzing, investigating, and managing reports and any subsequent actions, invites you to carefully read the information regarding personal data protection.

In this section, we provide you with our contact details:

The Data Controller is Grandi Stazioni S.p.A., represented by the pro tempore Chief Executive Officer, who can be contacted at the email address titolaretrattamento@grandistazioni.it, with its registered office located at Via Giovanni Giolitti No. 34, 00185, Rome.

The Data Protection Officer can be contacted at the email address protezionedati@grandistazioni.it.

In this section, we indicate the types of data we process:

Personal data subject to processing falls into the following categories:

Personal data of the whistleblower in case of reports made non-anonymously through the dedicated platform and/or through the dedicated telephone line with automatic voice response system integrated with the same platform (subject to obtaining the express consent of the whistleblower to record the call):

  • Common:

    • Mandatory: name, surname, company and employee ID number (only if internal to the FS Group).

    • Optional: position, job title/relationship, personal telephone contact, personal e-mail address.

Personal data of any facilitator in case of reports made non-anonymously through the dedicated platform and/or through the dedicated telephone line with automatic voice response system integrated with the same platform (subject to obtaining the express consent of the whistleblower to record the call):

  • Common:

    • Mandatory: name, surname, company and employee ID number (only if internal to the FS Group).

    • Optional: position, job title/relationship, personal telephone contact, personal e-mail address.

Personal data of the whistleblower in case of reports made non-anonymously through other channels:

Reports may also be sent through alternative channels, such as ordinary mail and e-mail, as well as verbally, through a statement made at a specific hearing, to the Ethics and Reporting Committee/the Supervisory Body of Grandi Stazioni Rail S.p.A. In these cases, the personal data processed is that which is voluntarily disclosed by the whistleblower.

Personal data relating to the person(s) involved in the report:

The data that the whistleblower intends to provide in relation to the facts described in the report. It should be noted that, in this case, Grandi Stazioni Rail S.p.A. is unable to determine in advance the data covered by the report, which may also include particular data (for example, data relating to criminal sentences, offences, etc.).

Finally, in order to ensure monitoring of the employment situation of the whistleblower/facilitator employee, data relating to the management of the employment relationship of Grandi Stazioni Rail S.p.A. employees will be processed (pursuant to article 17 of Legislative Decree 24/2023).

The data referred to above will be processed by IT systems and on paper in a way that guarantees their safety and confidentiality. The use of paper documents is kept to a minimum and stored with adequate security measures.

The transmission and storage of data provided by the whistleblower are protected with advanced encryption, cutting-edge security technologies and rigorous security measures, guaranteeing maximum confidentiality and protection at every stage of processing. Reports acquired through the dedicated telephone line with automatic voice response system are entered into the platform after applying a masking algorithm which makes the voice of the whistleblower unrecognizable.

Cookies are not used to transmit personal information, and persistent cookies to track users are not used. Only technical cookies are used to the extent strictly necessary for the correct and efficient use of the platform. Session cookies (which are not permanently stored on the user's computer and disappear when the browser is closed) are strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server), which are necessary for the safe and efficient browsing of the platform. 

In this section, we indicate the purposes of the processing and the underlying legal basis:

The purpose of processing is to receive, analyse, investigate and manage reports and any consequent actions, and in particular to ascertain the facts reported and to take any necessary measures. Pursuant to Article 6, paragraph 1, letters c) and f) of the European Regulation No. 679/2016 (hereinafter also referred to as the "Regulation"), all personal data collected within the scope of this processing are strictly functional and necessary for the pursuit of the provisions of Legislative Decree 24/2023, as well as for any possible internal auditing purposes, the monitoring of business risks, the defence of a right in court or for further legitimate interests of the Data Controller. Furthermore, where the whistleblower and/or facilitator (if any) is an employee of Grandi Stazioni Rail S.p.A. and declares his or her identity, Grandi Stazioni Rail S.p.A. will be able to ensure that his or her employment situation is monitored (pursuant to article 17 of Legislative Decree 24/2023).

Depending on the reporting channel chosen, specific consents pursuant to Article 6, paragraph 1, letter a) may be required for certain purposes, as regulated by Legislative Decree 24/2023 and better specified in this personal data protection policy.

Any contact information provided by the whistleblower will be used if direct contact with the whistleblower is necessary and for updates regarding the report.

 

If reports pertaining to another FS Group company are received by Grandi Stazioni Rail S.p.A., they will be forwarded to the relevant company, which shall act as independent Data Controller. 

In this section, we indicate who will process your data and to whom it will be communicated:

To pursue the above-mentioned purposes, the personal data provided is made accessible only to individuals within the Company who are authorised to receive or follow up on the analysis, investigation and management of reports and any consequent actions. These persons are duly instructed to avoid loss, access to data by unauthorised persons or unauthorised processing of data and, more generally, in relation to personal data protection obligations. The data may also be processed by external Consultants and Third Parties with technical functions (e.g. the IT platform provider), who act as Data Processors/Sub-Processors and have signed a specific contract that precisely regulates the processing entrusted to them and the obligations regarding data protection and security of processing pursuant to Article 28, paragraph 3 of the Regulation.

Finally, your personal data may also be transmitted to other independent Data Controllers, in accordance with the law or regulations (e.g. Public Authorities, Judicial Authorities, etc.).

The identity of the whistleblower and any other information from which such identity may be inferred, directly or indirectly, may only be disclosed to people other than those competent to receive or investigate reports with the express consent of the whistleblower in accordance with the provisions of Legislative Decree 24/2023. This consent will be requested from the whistleblower when drafting the report through the dedicated platform and/or the dedicated telephone line. For reports made through other channels, the aforementioned consent, if not provided with the report itself, may be requested from the whistleblower at a later stage.

The updated list of recipients of the data can be obtained from the Ethics and Reporting Committee/Supervisory Body by making a request to the e-mail addresses: comitatoetico@grandistazioni.it and organismodivigilanza@grandistazioni.it.

In this section, we guarantee that your data will not be disseminated:

The personal data subject to processing will never be published, exposed, or made available to or consulted by unspecified parties.

In this section, we indicate how long we will retain your data:

Reports and related documentation are kept for the time necessary to process the report and, in any case, no longer than five years from the date of communication of the final outcome of the reporting procedure, in compliance with confidentiality obligations. In the case of reports outside the scope (such as complaints, claims, or requests related to the personal interest of the reporting person, communications, or complaints related to commercial activities or public services), they are retained for a period not exceeding 8 months from the archiving of the report.

In this section, we inform you about the rights we guarantee:

In accordance with the provisions of articles 15 to 23 of Regulation (EU) 2016/679 the Data Subjects are entitled to exercise specific rights. Specifically, in relation to the processing of their personal data covered by this policy, the data subject has the right to request the following from Grandi Stazioni Rail S.p.A.:

  • access: the data subject may request confirmation as to whether or not his or her data is being processed, along with further clarification of the information referred to in this policy (Article 15);

  • rectification: the data subject may ask that the data that he or she has provided be rectified or supplemented if the data is inaccurate or incomplete (Article 16);

  • erasure: the data subject may ask that his or her data be deleted if it is no longer necessary for the purposes mentioned above, if consent is withdrawn or if the processing is opposed, in the event of unlawful processing, or if there is a legal obligation to delete the data (Article 17);

  • restriction of processing: the data subject may request that his or her data only be processed for the purposes of retention, with the exclusion of other processing operations: for the period necessary to rectify his or her data; in the event of unlawful processing where he or she objects to the erasure; where he or she must exercise his or her rights in court and the data stored may be of use to him or her; and, finally, if he or she objects to processing and a check is being carried out as to whether the legitimate reasons of Grandi Stazioni Rail S.p.A. prevail over his or hers (Article 18);

  • portability: the data subject may request to receive his or her data, or to have it sent to another Data Controller indicated by him or her, in a structured, commonly used and machine-readable format (Article 20);

  • objection: the data subject may object at any time to the processing of his or her data, unless there are legitimate grounds for processing which override his or her own, for example for the exercise or defence of legal claims (Article 21).

Pursuant to Article 2-undecies of Legislative Decree 196/2003 as amended and supplemented (hereinafter the "New Privacy Code") and in implementation of Article 23 of the Regulation, we inform you that the above-mentioned rights may not be exercised by the persons involved in the reporting, if the exercise of these rights may result in actual and concrete detriment to the confidentiality of the whistleblower's identity.

In particular, the exercise of these rights:

  • will be carried out in accordance with the legal or regulatory provisions governing the sector (Legislative Decree 24/2023);

  • may be delayed, restricted or excluded by reasoned notice given without delay to the data subject, unless such notice would undermine the purpose of the limitation, for such time and to the extent that this constitutes a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the whistleblower's identity.

In such cases, the data subject's rights may also be exercised through the Garante per la Protezione dei dati personali in accordance with Article 160 of the New Privacy Code, in which case the Authority will inform the data subject that it has carried out all the necessary checks or has conducted a review, and that the data subject has the right to lodge a legal complaint.

 

The Data Subject may ask Grandi Stazioni Rail S.p.A. to exercise his or her rights at any time by contacting the Data Protection Officer/Data Protection Referent, at the e-mail address protezionedati@grandistazioni.it.

 

Moreover, should the data subject consider that his or her rights have been violated, the data subject has the right to lodge a complaint with the Supervisory Authority, which in Italy is the Garante per la Protezione dei dati personali (Article 77 of EU Regulation 2016/679).