800 931 740 support@whistlesblow.com

Privacy Policy

Last updated: 06/12/2025

1. Introduction

This privacy policy describes how Whistlesblow (trade name of True Solutions S.r.l.) collects, uses, stores and protects the personal information of users of the whistleblowing platform. This policy is provided in accordance with Article 13 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR") and applicable data protection laws.

2. Data Controller

The data controller is True Solutions S.r.l., with registered office at Foro Buonaparte 59, 20121 Milan (MI), Italy, VAT number 14288140966, registered in the Companies Register of Milan (MI) n. 2772480. For any communication regarding the processing of personal data, you can contact the Controller at the email address privacy@whistlesblow.it or at the phone number indicated in the "Contact" section of this policy.

3. Personal Data Collected

In the context of providing the whistleblowing service, Whistlesblow may collect and process the following categories of personal data:

  • Identifying data: name, surname, email address, phone number (if voluntarily provided by the reporter)
  • Report data: content of reports, documents and attached files, information relating to reported events, communications between the reporter and report management officers
  • Technical and navigation data: IP address, browser type, operating system, date and time of access, pages visited, session duration, any errors encountered during navigation
  • Registration and administration data: access credentials (username, encrypted password), data relating to the company account (company name, VAT number, address, billing data), roles and permissions of administrator users
  • Service usage data: platform usage statistics, configuration preferences, logs of activities performed on the platform

4. Purposes and Legal Basis of Processing

Personal data is processed for the following purposes and on the basis of the respective legal bases:

  • Provision of whistleblowing service: management of reports, communication with reporters, management of the whistleblowing process in compliance with EU Directive 2019/1937. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR)
  • Ensuring anonymity and confidentiality of reporters: protection of the identity of anonymous reporters, implementation of security measures to prevent identity disclosure. Legal basis: compliance with legal obligations (Art. 6(1)(c) GDPR and EU Directive 2019/1937)
  • Administrative and accounting management: invoicing, payment management, tax and accounting compliance. Legal basis: performance of a contract and compliance with legal obligations (Art. 6(1)(b) and (c) GDPR)
  • Communication and support: responding to information requests, technical assistance, sending service-related communications. Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
  • Service improvement and statistical analysis: analysis of platform usage to improve services offered, development of new features. Legal basis: legitimate interest of the controller (Art. 6(1)(f) GDPR), subject to balancing of interests assessment
  • Legal compliance and defense in court: compliance with obligations provided by applicable legislation, defense of rights in judicial proceedings. Legal basis: compliance with legal obligations (Art. 6(1)(c) GDPR) and legitimate interest (Art. 6(1)(f) GDPR)

5. Legal Basis of Processing

The processing of personal data is based on the following legal bases provided by Art. 6 GDPR: (a) consent of the data subject, (b) performance of a contract or pre-contractual measures, (c) compliance with a legal obligation, (f) pursuit of a legitimate interest of the controller. With regard to whistleblowing report data, processing is necessary for compliance with obligations provided by EU Directive 2019/1937 and applicable whistleblowing legislation.

6. Data Retention Period

Personal data is retained for the time strictly necessary to pursue the purposes for which it was collected, in compliance with retention periods provided by applicable legislation. In particular: (a) data relating to whistleblowing reports are retained for the period provided by EU Directive 2019/1937 and in any case for a period not less than that necessary for the management and conclusion of the procedure relating to the report; (b) registration and administration data are retained for the entire duration of the contractual relationship and subsequently for the periods provided by tax and civil legislation (generally 10 years); (c) navigation and technical data are retained for a maximum period of 24 months; (d) data relating to support communications are retained for a maximum period of 3 years from the date of the last communication. At the end of the retention period, personal data will be deleted or anonymized securely and irreversibly.

7. Data Subject Rights

In accordance with Articles 15-22 of GDPR, the data subject has the right to:

  • Obtain confirmation as to whether or not personal data concerning them exists and obtain access to such data (right of access, Art. 15 GDPR)
  • Request rectification of inaccurate personal data or completion of incomplete data (right to rectification, Art. 16 GDPR)
  • Request erasure of personal data when the conditions provided by law are met (right to erasure, Art. 17 GDPR), it being understood that for data relating to whistleblowing reports, specific limitations provided by EU Directive 2019/1937 may apply
  • Request restriction of processing in cases provided by law (Art. 18 GDPR)
  • Receive personal data in a structured, commonly used and machine-readable format and transmit it to another controller without hindrance (right to data portability, Art. 20 GDPR)
  • Object at any time to processing of personal data for reasons related to the particular situation of the data subject (Art. 21 GDPR)
  • Withdraw consent at any time, without affecting the lawfulness of processing based on consent given before withdrawal (Art. 7(3) GDPR)
  • Lodge a complaint with the competent supervisory authority (e.g., the Data Protection Authority in your country) if they consider that the processing of their personal data violates applicable legislation

8. Security Measures

Whistlesblow adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in order to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access. These measures include, by way of example: (a) encryption of sensitive data, in particular reports and communications; (b) two-factor authentication (2FA) for administrative accounts; (c) data access based on the principle of "minimum necessary privilege"; (d) logging and monitoring of data access; (e) regular backups and disaster recovery procedures; (f) regular security updates of systems; (g) training of personnel authorized to process data; (h) security incident management procedures. With regard specifically to whistleblowing reports, additional measures are implemented to ensure anonymity and confidentiality of reporters, in compliance with EU Directive 2019/1937.

9. Data Transfer

Personal data is processed mainly within the territory of the European Union. Should it be necessary to transfer personal data to third countries or international organizations, Whistlesblow will ensure that such transfer takes place in compliance with applicable legislation, adopting appropriate measures provided by GDPR (such as, for example, standard contractual clauses approved by the European Commission or adherence to recognized certification mechanisms).

10. Data Recipients

Personal data may be communicated to the following recipients: (a) employees and collaborators of True Solutions S.r.l. authorized to process data by reason of their functions; (b) technical service providers (such as hosting providers, cloud services, payment services) operating as data processors; (c) external professionals (lawyers, consultants) providing services to the Controller; (d) public authorities, when required by law or by a measure of the competent authority. Data relating to whistleblowing reports is communicated exclusively to subjects authorized to receive and manage them in accordance with EU Directive 2019/1937, ensuring maximum confidentiality.

11. Contacts and Exercise of Rights

To exercise the rights indicated above or for any question, request or report relating to the processing of personal data and this privacy policy, the data subject may contact the Controller:

12. Changes to this Policy

Whistlesblow reserves the right to modify or update this privacy policy at any time, in particular to reflect changes in applicable legislation or in the organization of the service. Substantial changes will be communicated to data subjects through appropriate channels (for example, by email or by notice on the platform) before they take effect. It is recommended to consult this page periodically to be informed of any changes. The date of the last update is indicated at the beginning of this document.