Whistleblowing

Personal Data Protection Notice

(Pursuant to Articles 13 and 14 of the European Regulation 2016/679).

Grandi Stazioni Rail S.p.A., in relation to the data processed for the purpose of receiving, analyzing, investigating, and managing reports and any subsequent actions, invites you to carefully read the information regarding personal data protection.

In this section, we provide you with our contact details:

The Data Controller is Grandi Stazioni S.p.A., with its registered office at Via Giovanni Giolitti No. 34, 00185, Rome, represented by the pro tempore Chief Executive Officer, who can be contacted at the email address titolaretrattamento@grandistazioni.it.

The Data Protection Officer can be contacted at the email address protezionedati@grandistazioni.it.

In this section, we indicate the types of data we process:

Personal data subject to processing falls into the following categories:

Personal data of the reporting person in case of reports made in a non-anonymous form via the dedicated platform:

  • Common:

    • Mandatory: name, surname, relationship with the FS Group

    • Optional: job title, role/qualification/relationship, phone contact, email address

Personal data of the reporting person in case of reports made in a non-anonymous form via other channels:

Reports can also be submitted through alternative channels such as regular mail, email, or verbally, through a statement made in a specific hearing to the Ethical Committee and Reports to the Supervisory Body of Grandi Stazioni Rail S.p.A. In this case, the personal data processed are those voluntarily communicated by the reporting person.

Personal data relating to the person(s) involved in the report:

These are the data that the reporting person has chosen to provide in order to describe the facts in the report. It is specified that, in this case, Grandi Stazioni Rail S.p.A. is not able to determine in advance the data covered by the report, which may also include special categories of data (for example, criminal convictions, relationships, etc.).

The aforementioned data will be processed using both electronic and paper-based systems that ensure security and confidentiality. Paper documents are kept to a minimum and stored in locked cabinets and secure rooms.

The transmission of data provided by the reporting person through access to the platform is managed using the HTTPS protocol. Encryption techniques based on the AES algorithm are also applied, and all data is fully encrypted, ensuring the confidentiality of the transmitted information.

No cookies are used to transmit personal information, nor are persistent cookies used for user tracking. Only technical cookies are used to the extent necessary for the proper and efficient use of the platform. The use of session cookies (which are not persistently stored on the user's computer and disappear when the browser is closed) is strictly limited to transmitting session identifiers (made up of random numbers generated by the server) needed to allow safe and efficient navigation of the platform.

In this section, we indicate the purposes of the processing and the underlying legal basis:

The processing is aimed at receiving, analyzing, investigating, and managing reports and any subsequent actions, specifically for determining the facts reported and taking any necessary measures. Pursuant to Article 6, paragraph 1, letter f) of the European Regulation No. 679/2016 (hereinafter also referred to as the "Regulation"), all personal data collected in the context of this processing are strictly functional and necessary for the pursuit of the purposes established by Legislative Decree No. 24/2023, as well as for any internal control needs, monitoring of business risks, defense of a right in legal proceedings, or other legitimate interests of the Data Controller.

In cases where reports within the competence of another FS Group company are received by Grandi Stazioni Rail S.p.A., these will be forwarded to the relevant company, which will act as an autonomous Data Controller.

Any contact details provided by the reporting person will be used if direct contact with the person becomes necessary and for updates regarding the status of the report.

In this section, we indicate who will process your data and to whom it will be communicated:

For the pursuit of the aforementioned purposes, the personal data provided will only be made accessible to those within the Company who are competent to receive or follow up on the activities of analysis, investigation, and management of the reports and any subsequent actions. These individuals are appropriately trained to prevent loss of the data, access to it by unauthorized persons, or unauthorized processing, and, more generally, on the obligations related to the protection of personal data. The data may also be processed by external consultants and third parties with technical functions (e.g., the IT platform provider), who act as Data Processors/Sub-Processors and have signed an appropriate contract that specifically regulates the processing entrusted to them, as well as the obligations regarding data protection and security of the processing as per Article 28, paragraph 3 of the Regulation.

Finally, the personal data may also be transmitted to other autonomous data controllers, based on legal or regulatory provisions (e.g., public authorities, judicial authorities, etc.).

The identity of the reporting person and any other information from which such identity can be inferred, directly or indirectly, may be revealed to persons other than those responsible for receiving or following up on the reports only with the express consent of the reporting person, in accordance with the provisions of Legislative Decree No. 24/2023.

The updated list of recipients of the data can be requested from the Ethical Committee / Supervisory Body at the following email addresses: comitatoetico@grandistazioni.it and organismodivigilanza@grandistazioni.it.

In this section, we guarantee that your data will not be disseminated:

The personal data subject to processing will never be published, exposed, or made available to, or open to consultation by, unspecified parties.

In this section, we indicate how long we will retain your data:

Reports and related documentation are kept for the time necessary to process the report and, in any case, no longer than five years from the date of communication of the final outcome of the reporting procedure, in compliance with confidentiality obligations. In the case of reports outside the scope (such as complaints, claims, or requests related to the personal interest of the reporting person, communications, or complaints related to commercial activities or public services), they are retained for a period not exceeding 8 months from the archiving of the report.

In this section, we inform you about the rights we guarantee:

EU Regulation 2016/679 (Articles 15 to 22) grants data subjects specific rights. In particular, in relation to the processing of their personal data covered by this notice, the data subject has the following rights with respect to Grandi Stazioni Rail S.p.A.:

  • Access: The data subject may request confirmation as to whether or not personal data concerning them is being processed, and may ask for more details regarding the information provided in this notice.

  • Rectification: The data subject may request the correction or integration of the data they have provided if it is inaccurate or incomplete.

  • Erasure: The data subject may request the deletion of their data if it is no longer necessary for the above purposes, in case of withdrawal of consent or objection to the processing, in case of unlawful processing, or if there is a legal obligation to delete it.

  • Restriction: The data subject may request that their data be processed only for the purpose of storage, excluding other types of processing: for the period necessary for rectifying their data; in case of unlawful processing where they oppose deletion; if they need to exercise their rights in judicial proceedings and the stored data may be useful; and, finally, if they oppose the processing and there is an ongoing verification of the balance of Grandi Stazioni Rail S.p.A.'s legitimate interests versus theirs.

  • Objection: The data subject may object at any time to the processing of their data, unless there are legitimate grounds for processing that override their interests, such as for the exercise or defense of rights in judicial proceedings.

  • Portability: The data subject may request to receive their data or have it transmitted to another data controller they indicate, in a structured, commonly used, and machine-readable format.

Furthermore, the data subject has the right to file a complaint if they believe their rights have been violated, with the Supervisory Authority, which in Italy is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).

Pursuant to Article 2-undecies of Legislative Decree No. 196/2003 and subsequent amendments (hereinafter "New Privacy Code") and in accordance with Article 23 of the Regulation, data subjects are informed that the aforementioned rights cannot be exercised by individuals involved in the report if the exercise of these rights could result in a real and concrete prejudice to the confidentiality of the identity of the whistleblower.

In particular, the exercise of these rights:

  • Will be carried out in accordance with the legal or regulatory provisions governing the sector (Legislative Decree No. 24/2023);

  • May be delayed, limited, or excluded with a motivated communication promptly made to the data subject, unless such communication would compromise the purpose of the restriction, for the time and to the extent necessary and proportionate, considering the fundamental rights and legitimate interests of the data subject, to safeguard the confidentiality of the whistleblower’s identity;

  • In such cases, the data subject’s rights may be exercised also through the Italian Data Protection Authority, in the manner provided for in Article 160 of the New Privacy Code, in which case the Authority will inform the data subject that it has carried out all necessary checks or conducted a review, as well as the data subject’s right to seek judicial remedy.

At any time, the data subject may request to exercise their rights by contacting Grandi Stazioni Rail S.p.A. through the Data Protection Officer, who can be reached at the email address: protezionedati@grandistazioni.it.