WHISTLEBLOWING PRIVACY NOTICE

Categories of data subjects

• Whistleblower (reporting person) who will submit reports of misconduct;

• Reported person; and

• Third party subjects included in the reports.

Data Controller

“Bologna University Business School” (hereinafter “BBS” or “Data Controller”)

Villa Guastavillani, Via degli Scalini 18, Bologna (BO-Italy)

Entry in Reg. Legal Persons at the Prefecture of Bologna No. 729, p. 118 vol. 5.

VAT No. 02095311201

Data Protection Officer

BBS has appointed its Data Protection Officer, who can be contacted at the following e-mail address: dpo@bbs.unibo.it

1. INFORMATION ON THE PROCESSING OPERATIONS PERFORMED

SECT. A

Purposes

Personal data will be processed for the purpose of managing, to be understood as receiving, analyzing and possibly further processing, reports of alleged unlawful conduct, acts or omissions, consisting of administrative, accounting, civil or criminal offenses, unlawful conduct relevant under Legislative Decree 231 of June 8, 2001, violations of the Organizational, Management and Control Model and/or the Code of Ethics adopted by the Data Controller, as well as national and European legislation as indicated by Legislative Decree 24 of March 10, 2023.

Reports may be submitted through the channels indicated in section 2 of this notice.

Legal basis

Personal data will be processed in accordance with Art. 6(1)(c) GDPR. In fact, the processing of personal data described here is necessary for the fulfilment of the following legal obligations:

– Art. 6 paragraph 2-bis, Legislative Decree 231/2001, which requires the Data Controller to provide in the management model, where adopted, for appropriate channels for submitting reports, and

– Legislative Decree 24/2023, which also provides for the activation and management of internal reporting channels.

The processing of special categories of personal data is merely possible and is based on the fulfillment of obligations and the exercise of specific rights of the Data Controller and the data subject in the field of labor law pursuant to Article 9, Paragraph 2 (b) of the GDPR. Since it is impossible to predict which personal data will be included by the Whistleblower in the report, it is also clarified that if the report contains special categories of personal data unrelated to the fulfillment of obligations and the exercise of rights in the field of labor law, the processing will be based on the establishment, exercise or defense of a right in court pursuant to Article 9, Paragraph 2 (f) GDPR. Any data relating to criminal convictions and offenses will be processed only in cases where it is required by law under Art. 10 GDPR.

Personal data collected

Personal data, if any, included in the report by the Whistleblower, including identification and contact data of the Whistleblower, identification data of the Reported Person or Third Parties, personal data provided as part of the description of the circumstances and fact being reported.

The provision of one’s personal data by the Whistleblower is optional.

In particular, in case of failure to provide the Identifying Data of the Whistleblower, the report will be considered as rendered anonymously.

In case the Whistleblower chooses to specify his/her name, thus resulting in a nominal report, his/her personal data will be associated with the report. The Whistleblower may indicate his/her personal data and, specifically, biographical and contact data, as well as information pertaining to the relationship with the Data Controller. In this case, all appropriate measures shall be taken to protect the identity of the Whistleblower. Neither the identity of the Whistleblower nor any other information from which such identity may be inferred, directly or indirectly, may be disclosed, without the express consent of the Whistleblower himself/herself, to persons other than those competent to receive or follow up the reports.

As for the information regarding the violations contained in the report (e.g., the circumstances and description of the fact that is the subject of the report with reference to the Reported Person and/or Third Parties), this is necessary to enable the Data Controller to acquire, manage and initiate the possible investigation phase pursuant to Legislative Decree 231/01 as amended and Legislative Decree 90/2017 as amended and Legislative Decree 24/2023.

The Data Controller does not require, for reporting purposes, the indication of special categories of data and/or judicial data. Where these are sent by the Whistleblower, the Data Controller may process them only in the presence of the conditions indicated in this notice. In the absence of such conditions, they will be immediately deleted.

For further guidance, please refer to point 3 of this notice.

In any case, all personal data that are manifestly not useful for the processing of a specific report shall not be collected or, if accidentally collected, shall be deleted immediately.

Data retention period

The data shall be retained for the time necessary for the processing of the report and in any case no longer than 5 years starting from the date of the communication of the final outcome of the reporting procedure, in compliance with the obligations of confidentiality set forth in Article 12 of Legislative Decree 24/2023 and the principle set forth in Article 5, 1st paragraph, (e) GDPR.

If the report results in the initiation of litigation or disciplinary proceedings against the Reported Person or the Whistleblower, the data will be retained for the duration of the litigation or out-of-court proceedings until the expiration of the time limit for appeal actions.

An exception to the aforementioned five-year retention period applies to reports whose contents are completely unrelated to the purposes of use of the whistleblowing channel (by way of example but not limited to, complaints, insults, suggestions), which will be deleted within the period of two months from the completion of the analysis, documenting the reasons why they were not considered relevant.

SECT. B

Purposes

Personal data may be processed by the Data Controller for the purpose of ascertaining, exercising, or defending its rights in court or instituting disciplinary action against the Reported Person or the Whistleblower who has made false or defamatory statements.

Legal basis

Personal data will be processed in accordance with Art. 6, para. 1, (f) GDPR, on the basis of the legitimate interest in the protection of one’s rights, as well as the possible imposition of disciplinary sanctions when the prerequisites are met.

Special categories of personal data will possibly be processed in order to ascertain, exercise or defend a right in court pursuant to Article 9 paragraph 2 (f) GDPR. Data on criminal convictions and offenses, if sent, will be processed only in cases where it is required by law under Article 10 GDPR.

Personal data collected

Identification data of the Whistleblower, identification data of the Reported Person or of Third Parties, personal data pertaining to the circumstances and the fact object of the proceedings.

In any case, as part of the possible disciplinary proceedings against the Reported Person, the identity of the Whistleblower may be disclosed only with the Whistleblower’s express consent, where the conditions outlined in point 6 of this information notice are met.

In addition, pursuant to Article 12, paragraphs 3 and 4 of Legislative Decree 24/2023, in the context of any criminal proceedings, the identity of the Whistleblower is protected by confidentiality in the manner and within the limits provided for in Article 329 of the Code of Criminal Procedure. In addition, within the framework of the proceedings before the Corte dei Conti (Italian fiscal court), the identity of the Whistleblower cannot be disclosed until the closure of the investigation phase.

In any case, the Data Controller shall protect the identity of the persons involved and the persons mentioned in the report until the conclusion of the proceedings initiated on account of the report, in compliance with the same guarantees provided in favor of the Whistleblower.

Data retention period

The data used to ascertain, exercise, or defend the rights of the Data Controller in court or to initiate disciplinary action shall be retained for the period of time during which the corresponding actions (including appeals).

2. FOCUS SECT. A: REPORTING METHODS

The Whistleblower may choose to submit the report through:

– the electronic platform on the BBS website https://www.bbs.unibo.it/, selecting “whistleblowing” (hereinafter “Whistleblowing Platform”), or

– ordinary mail (bearing the word “confidential”) to Bologna University Business School’s headquarters in Bologna – Via degli Scalini n. 18, to the kind attention of the Supervisory Body, or

– should the Whistleblower deem it appropriate, he/she may make his/her report orally. To this end, he/she may request an interview with the Supervisory Body by sending a request to odv@bbs.unibo.it.

 

3. FOCUS SECT. A: OPTIONAL PROVISION OF THE DATA OF THE WHISTLEBLOWER

As mentioned above, providing the data of the Whistleblower is optional since the report can be transmitted anonymously to the Supervisory Body. The information highlighted on the Whistleblowing Platform with an asterisk (*) is mandatory to enable the Data Controller to acquire, manage and initiate any investigation phase pursuant to Legislative Decree 231/01 as amended and Legislative Decree 90/2017 as amended and Legislative Decree 24/2023.

As part of the reporting procedure, the Data Controller does not require special categories of data and/or judicial data. If submitted by the Whistleblower, the Data Controller may process them only if the conditions listed above are met. In the absence of these conditions they will be immediately deleted.

 

4. PROCESSING METHODS

The processing of personal data is carried out by BBS using paper and computerized methods. The data will be processed using procedures, including computerized procedures, equipped with cryptographic tools or, in any case, in such a way as to ensure the confidentiality of the identity of the Whistleblower and of all the parties involved, of the content of the reports and related documentation, adopting appropriate technical and organizational measures to protect them from unauthorized or illegal access, destruction, loss of integrity and confidentiality, including accidental ones.

When, at the request of the Whistleblower, the report is made orally in the course of a meeting with the appropriate personnel, it shall, with the consent of the Whistleblower, be documented by the appropriate personnel either by recording on a device suitable for storage and listening or by minutes. In the case of minutes, the Whistleblower may verify, correct and confirm the minutes of the meeting by his/her own signature.

 

5. FATE OF DATA AT THE END OF THE RETENTION PERIOD

After the above retention periods have elapsed, the Data will be destroyed, erased, or anonymized. In any case, as previously mentioned, personal data that are manifestly not relevant to the processing of a specific report are not collected, or, if accidentally collected, are deleted immediately.

 

6. PERSONS AUTHORIZED TO PROCESS, DATA PROCESSORS AND OTHER DATA RECIPIENTS

The personal data collected are processed by the BBS Supervisory Body, which acts on the basis of specific instructions given regarding the purposes and methods of such processing.

Such personal data may be processed by BBS personnel, who act on the basis of specific instructions as to the purposes and methods of processing and who will in any case be involved only in cases that are strictly necessary, taking care to preserve the absolute confidentiality of the persons concerned.

If appropriate, the Judicial Authority, the Corte dei Conti [the Italian fiscal court] and ANAC [the Italian National Anticorruption Authority] and other public entities entitled to request them may be recipients of the data collected.

In exceptional cases, if a disciplinary proceeding is initiated against the reported person by BBS that is based solely on the report, the data of the Whistleblower may be disclosed to the Reported Person, solely for the purpose of having the latter’s right of defense exercised, subject to the Whistleblower’s consent. The identity of the Whistleblower may not be disclosed where the allegation of the disciplinary charge is based on investigations separate and additional to the report, even if consequent to it. In the case of transmission of the report to other structures/organizations/third parties for the performance of investigation activities, only the content of the report must be forwarded, eliminating all references from which it is possible to trace, even indirectly, the identity of the Whistleblower.

In addition, as previously mentioned, pursuant to Article 12, paragraphs 3 and 4 of Legislative Decree 24/2023, within the framework of any criminal proceedings, the identity of the Whistleblower is protected by confidentiality in the manner and within the limits provided by Article 329 of the Code of Criminal Procedure. In addition, within the framework of the proceedings before the Corte dei Conti [the Italian fiscal court], the identity of the Whistleblower cannot be revealed until the closure of the investigation stage.

Finally, personal data may be made accessible, brought to the attention of or communicated to natural or legal persons, which the Data Controller uses for the performance of activities instrumental to the achievement of the above purpose (by way of example, for accounting and administrative purposes, legal defense, management, including IT-based management, of its archives). Among the aforementioned subjects designated as external data processors, we indicate herewith the Company Whistleblowing Solutions I.S. S.r.l., with registered office in Milan, Viale Aretusa 34, as well as the subjects who, each time, will carry out the activities indicated above.

 

7. DATA PROTECTION OFFICER

BBS appointed its Data Protection Officer, who can be contacted at the following address: dpo@bbs.unibo.it

You may contact the Data Protection Officer for all matters relating to the processing of your personal data and the exercise of your rights under European Regulation No. 679/2016.

 

8. PLACE OF PROCESSING

BBS carries out the processing of your data in Italy.

 

9. DATA SUBJECTS’ RIGHTS

Data subjects may exercise the rights recognized under and within the limits of Articles 15 – 22 GDPR, including the right to obtain from BBS, in the cases provided for, access to their personal data and the rectification or deletion thereof or the restriction of the processing concerning them.

Pursuant to Art. 2-undecies Legislative Decree 196 of June 30, 2003, as amended, expressly recalled by Art. 13, paragraph 3 of Legislative Decree 24/2023, the rights set forth in Articles 15-22 of European Regulation No. 679/2016 may not be exercised if their exercise may result in actual and concrete prejudice to the confidentiality of the identity of the employee reporting the misconduct, pursuant to Law No. 179/2017, of which he/she has become aware due to his/her position. In such a case, the aforementioned rights may be exercised in the manner set forth in Article 160 of the Privacy Code through the Garante della Privacy [Privacy Guarantor], who will inform the person concerned that all necessary verifications have been carried out or that a review has been conducted, and also of his/her right to seek judicial redress.

 

9.1 RIGHT TO LODGE A COMPLAINT

Data subjects who believe that the processing of personal data relating to them is taking place in violation of the provisions of the Regulation have the right to lodge a complaint with the Autorità di Controllo [Supervisory Authority], as provided for in Article 77 of the Regulation itself, or to take appropriate legal action (Article 79 of the Regulation).

 

9.2 METHODS FOR EXERCISING RIGHTS

Rights can be exercised by sending a communication to the headquarters of the Bologna University Business School, Villa Guastavillani, Via degli Scalini 18, Bologna (BO-Italy) to the attention of the Supervisory Body or to the e-mail address gdpr@bbs.unibo.it

 

10. SOURCE OF THE PERSONAL DATA

The data of the Whistleblower possibly indicated are provided directly by the Whistleblower himself/herself (and therefore acquired by the Data Controller from the person concerned pursuant to Art. 13 of the GDPR). The personal data of the Reported Person and/or Third Parties were provided to the Data Controller by the Whistleblower (and thus acquired by the Data Controller from third parties pursuant to Article 14 of the GDPR).