In relation to the data processed for the purposes of receiving, analysing, investigating and managing reports and any consequent actions, Terminali Italia S.r.l. invites you to carefully read the personal data protection policy.
This section provides our contact details
This section outlines the types of data we process
The personal data subject to processing are included in the following categories:
Personal data of the whistleblower in case of reports made non-anonymously through the dedicated platform:
Mandatory: name, surname, relationship with the FS Group.
Optional: position, job title/relationship, telephone contact, e-mail address.
Personal data of the whistleblower in case of reports made non-anonymously through other channels:
Personal data relating to the individual(s) involved in the report:
The data referred to above will be processed by IT systems and on paper in a way that guarantees their safety and confidentiality. Paper documents are kept to a minimum and filed and stored in cabinets and rooms with security locks. The data provided by the whistleblower by accessing the platform are transmitted using the HTTPS protocol. Encryption techniques based on the AES algorithm are also applied and all data is fully encrypted, thus guaranteeing the confidentiality of the information transmitted. Cookies are not used to transmit personal information, and persistent cookies to track users are not used. Only technical cookies are used to the extent strictly necessary for the correct and efficient use of the platform. Session cookies (which are not permanently stored on the user's computer and disappear when the browser is closed) are strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server), which are necessary for the safe and efficient browsing of the platform.
This section outlines the processing purposes and the legal basis underlying the same
The purpose of processing is to receive, analyse, investigate and manage reports and any consequent actions, and in particular to ascertain the facts reported and to take any necessary measures. Pursuant to Article 6, paragraph 1, letter f) of the European Regulation No. 679/2016 (hereinafter also referred to as the "Regulation"), all personal data collected within the scope of this processing are strictly functional and necessary for the pursuit of the provisions of Legislative Decree 24/2023, as well as for any possible internal auditing purposes, the monitoring of business risks, the defence of a right in court or for further legitimate interests of the Data Controller.
If reports pertaining to another FS Group company are received by Terminali Italia S.r.l., they will be forwarded to the relevant company, which shall act as independent data controller.
Any contact information provided by the whistleblower will be used if direct contact with the whistleblower is necessary and for updates regarding the report.
This section outlines who will process the data and to whom they will be communicated
To pursue the above-mentioned purposes, the personal data provided is made accessible only to individuals within the Company who are authorised to receive or follow up on the analysis, investigation and management of reports and any consequent actions. These persons are duly instructed to avoid loss, access to data by unauthorised persons or unauthorised processing of data and, more generally, in relation to personal data protection obligations.
The data may also be processed by external Consultants and Third Parties with technical functions (e.g. the IT platform provider), who act as Data Processors/Sub-Processors and have signed a specific contract that precisely regulates the processing entrusted to them and the obligations regarding data protection and security of processing pursuant to Article 28, paragraph 3 of the Regulation. Finally, your personal data may also be transmitted to other independent data controllers, in accordance with the law or regulations (e.g. Public Authorities, Judicial Authorities, etc.).
The identity of the whistleblower and any other information from which such identity may be inferred, directly or indirectly, may only be disclosed to people other than those competent to receive or investigate reports with the express consent of the whistleblower in accordance with the provisions of Legislative Decree 24/2023.
The updated list of recipients of the data can be obtained from the Ethics and Reporting Committee/Supervisory Body by making a request to the e-mail addresses: firstname.lastname@example.org and email@example.com.
This section assures you that your data will not be disclosed
The personal data processed will never be published, displayed, or made available to or consulted by unspecified persons.
This section indicates the amount of time your data is retained
Reports and related documentation are kept for the time necessary to process the report and in any case no longer than five years from the date of the notification of the final outcome of the reporting procedure, subject to confidentiality obligations. If reports are received outside the scope of the reporting procedure (e.g. disputes, claims or requests related to a personal interest of the whistleblower, communications or complaints relating to business activities or services to the public), they are retained for a period not exceeding 8 months from the archiving of the report.
This section provides details on your guaranteed rights
In accordance with the provisions of articles 15 to 22 of Regulation (EU) 2016/679 the Data Subjects are entitled to exercise specific rights. Specifically, in relation to the processing of their personal data covered by this policy, the data subject has the right to request the following from Ferrovie dello Stato Italiane S.p.A:
Moreover, should the data subject consider that his or her rights have been violated, the data subject has the right to lodge a complaint with the Supervisory Authority, which in Italy is the Garante per la Protezione dei dati personali (Article 77 of EU Regulation 2016/679).
Pursuant to Article 2-undecies of Legislative Decree 196/2003 as amended and supplemented (hereinafter the "New Privacy Code") and in implementation of Article 23 of the Regulation, we inform you that the above-mentioned rights may not be exercised by the persons involved in the reporting, if the exercise of these rights may result in actual and concrete detriment to the confidentiality of the whistleblower's identity.
In particular, the exercise of these rights:
The Data Subject may ask Terminali Italia S.r.l. to exercise his or her rights at any time by contacting the Data Protection Officer, at the e-mail address firstname.lastname@example.org.