Società sottoposta alla attività di direzione di GB Holding SPA in liquidazione ai sensi dell'art. 2497 bis del codice civile Cap. Soc. euro 3.563.182,00 Int. Vers. C.C.I.A.A. NR. R.E.A. 327915 - C.F./Reg. Imprese 01930221203
Via di Mezzo 67/a
41015 Casette di Nonantola (MO)
Tel: 059 583111 - Fax: 059 281364
P.IVA 02754390363
Cod. Doc. 9133.51.470543.2671944

Information notice

Privacy Policy concerning the processing of personal data pursuant to articles 13-14 of (EU) Regulation 2016/679 and Legislative Decree 24/23 Whistleblowing

Data subject: Whistleblower and people involved - Whistleblowing.

GB RICAMBI S.p.A. in its capacity of Data Controller with regard to the processing of your personal data pursuant to (EU) Reg. 2016/679 (hereinafter the 'GDPR') and Legislative Decree 24/23 hereinafter "Whistleblowing", hereby informs you that the said regulation protects data subjects with regard to the processing of their personal data and that the said processing will take place in a fair, lawful, transparent manner which protects your privacy and your rights.

Your personal data will be processed in accordance with the legislative provisions of the aforementioned legislation and the confidentiality obligations set out therein.

Type of data processed
The personal data being processed fall into the following categories:
of a common nature (e.g. name, surname, type of relationship with the Company, classification, role, qualification, telephone contact, email address, etc.), of a particular nature (ex "sensitive data" Art. 9 of the GDPR) and judicial (such as criminal convictions and crimes Art. 10 GDPR), possibly contained in the report and in the deeds and documents attached to it, relating to all natural persons - identified or identifiable - involved in various capacities in the events
reported (reporter, reported, facilitator, any other third parties), so-called interested.

How do we collect your personal data?
If you act as a Reporting Person, most of the personal data relating to you are provided to us directly by you through the report or during any investigation initiated by the Manager.
If, however, you are acting as an Involved Person, most of the personal data relating to you are provided to us by the Reporting Person.
Furthermore, whether you act as a Reporting Person or as an Involved Person, we may collect some of your personal data also from third parties (for example, people interviewed during any investigation initiated by the Manager), public registers or open sources .
We do not use any form of exclusively automated decision-making in relation to the processing of your personal data

Purposes and legal basis of processing: specifically, your data will be processed for the following purposes, relating to the fulfilment of legal obligations:

  • Execution of investigative activities and possible adoption of measures. The data will be processed for the purpose of carrying out the necessary investigative activities aimed at verifying the validity of the fact being reported and the adoption of any measures that may become necessary. to implement the legal obligations established by the Whistleblowing regulations, compliance with which is a condition for the lawfulness of the processing pursuant to art. 6, par. 1, letter. c) and par. 2 and 3, art. 9, par.2, letter. b) and articles. 10 e. 88 of the GDPR (see Opinion of the Privacy Authority).

Further to your consent, your personal data may be used for the following purposes:

  • disclosure of your identity to people other than those competent to receive or follow up on the reports (paragraph 2 of art. 12 Legislative Decree 24/2023) or in the context of the procedure, where the dispute is founded, in whole or in part , on the reporting and knowledge of his identity is essential for the defense of the accused (paragraph 5 of art. 12 Legislative Decree 24/2023).

Your contribution of data is optional with regard to the abovementioned purpose, and any refusal of consent will not affect the continuation of the relationship or the congruency of the processing.

Processing procedures. Your personal data may be processed by the following ways:

  • on paper that guarantees its security and confidentiality, and orally.

All data are processed in compliance with the procedures specified in articles 6 and 32 of the GDPR and with the adoption of the appropriate security measures required.

In accordance with the relevant legislation, maximum confidentiality of all personal data contained in the report is guaranteed, therefore the same will be processed only by personnel expressly authorized by the Data Controller and, in particular:

  • if you act as a Reporting Person, your personal data will be processed exclusively by the Manager and its possible auxiliaries, who will act as persons authorized to process pursuant to articles. 29 and 32(4) of the GDPR and art. 2-quaterdecies of the Legislative Decree. n. 196/2003, and will not be communicated to third parties without your consent, without prejudice to the provisions of the art. 12 of Legislative Decree no. 24/2023 and any further exceptions provided for by law;
  • if you act as an Involved Person, your personal data may be processed by any auxiliaries of the Manager who are authorized to process;
  • Internal investigation bodies;
  • Report Manager, i.e. the person(s) in charge of receiving and managing reports, appointed in accordance with Article 4(2) of Legislative Decree 24/2023.

Communication: Personal data will also be processed by subjects other than the Data Controller necessary for the management of Reports of violations of illicit acts or irregularities who operate in the capacity of External Data Processor or Independent Data Controller:

  • ;
  • The data relating to the person involved
    - people interviewed during any investigation initiated by the Manager;
    - our employees or collaborators in any capacity;
    - service providers and consultants (for example, lawyers, accountants, employment consultants, private investigators, etc.);
    - judicial and police authorities.

The detailed list of the aforementioned subjects can be requested at any time by writing to the Data Controller's contact details

Diffusion: Your personal data will not be disclosed in any way.

Transfer of personal data: The data will not be transferred

  • towards subjects located outside the EU.

Data Storage Period (or criteria for determining it). We inform you that, in compliance with the principles of lawfulness, limitation of purposes and minimization of data, pursuant to art. 5 of the GDPR the data will be stored

  • for the time necessary to process the report for the pursuit of the purposes for which they were collected, in accordance with the provisions of legal obligations or in any case to allow the Company to protect its own rights and interests or those of third parties (e.g. defense in court ). The data is deleted from the platform 5 years after the closure of the report. Personal data that is clearly not useful for processing a specific report is not collected, or, if collected accidentally, is deleted immediately. It is understood that, in the event that the Data Controller subsequently decides to initiate disciplinary proceedings or to promote judicial or administrative proceedings or an arbitration or conciliation procedure, your personal data will be retained for a period equal to the duration of the proceedings or the period of limitation of the rights for the assessment, exercise or defense of which the processing is necessary, even if longer than the retention periods indicated above.

Data Controller: the Data Controller, as defined by the Law, is GB RICAMBI SPA (Via di Mezzo 67/a , 41015 Casette di Nonantola (MO), VAT no. 02754390363, contactable as follows: e-mail, telephone 059 583111) in the person of its current legal representative.

As a reporting person, you have the right to obtain from the owner the cancellation (right to be forgotten), limitation, updating, rectification, portability, opposition to the processing of personal data concerning you, and in general you can exercise all rights provided by the articles. 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR by addressing any requests to the addresses indicated above, you may also lodge a complaint with the competent supervisory authority if you believe that the processing of your data is contrary to the legislation in force. force.

The people "involved" pursuant to art. 2 sixth paragraph letter l of Legislative Decree 24/2023 will be able to exercise the rights referred to in the articles. 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR by contacting the Privacy Guarantor directly, at the following addresses:
Guarantor for the protection of personal data - Piazza Venezia n. 11 - 00187 Rome Telephone switchboard: (+39) 06.696771 Fax: (+39) 06.69677.3785., certified (this address is configured to receive only communications from certified e-mail).

You may also examine whenever you like the updated version of the present report by connecting to the following web site

Regulation (EU) 2016/679: Articles 15, 16, 17, 18, 19, 20, 21, 22 - Rights of the Data Subject

1. The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her exist, regardless of their being already recorded, and disclosure of such data in intelligible form, and the right to lodge a complaint with the supervisory authority.

2. The data subject has the right to be informed of:

  1. the source of the personal data;
  2. the purposes and methods of processing;
  3. the logic applied if the data are processed by electronic devices;
  4. the identification data concerning the Data Controller, the Data Processors and the representative designated as per article 5, comma 2;
  5. the entities or categories of entity to whom or which the personal data may be disclosed and who or which may get to know said data as designated representative in the State's territory, as data processors or as persons in charge of the processing.

3. The data subject is entitled to obtain:

  1. the updating, rectification or, where interested therein, integration of the data;
  2. the erasure, anonymisation or blocking of data that have been unlawfully processed, including data whose retention is not necessary for the purposes for which they were collected or subsequently processed;
  3. certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were disclosed or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared to the right that is to be protected;
  4. the portability of the data.

4. The data subject has the right to object, in whole or in part:

  1. on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
  2. to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.