Whistleblowing

Whistleblowing procedure

The new law governing whistleblowing entered into force with Law n. 179 of 30 November 2017, updates Law 231 relating to the administrative liability of legal people, companies and associations, introducing protection for individuals who voluntarily report illicit acts. The purpose of the law is to protect those who report any illicit acts or violations of the Code of Ethics and the Model for Organization and Management they became aware of in the course of their work. Based on the law, the party who reports on the illicit acts should be protected and remain anonymous in order to avoid any possible repercussions and discrimination. One or more channels should be established for reporting on the incidents constituting crimes or illicit acts in respect of the anonymity of the party making the report.

IGD’s reply

IGD adopted The “Whistleblowing Procedure” approved by the Board of Directors of 17 December 2019. The procedure governs the way the discosures of violations, known or suspect, of the law, the Organizational Model, the Code of Conduct, the Anticorruption Policy, the corporate procedures, as well as any other self-regulation tool adopted by the IGD Group.

IGD developed the following communication channel to be used for submitting disclosures:

via an online portal through the following link, that can be accessed only by members of the Supervisory Board;
reports sent in a closed envelop, with “personal confidential” written on it, to Via Trattati Comunitari Europei 1957-2007, n. 13 in Bologna to the attention of IGD’s Supervisory Board, in the event it is not possible to submit the disclosure online.

Prohibition of any forms of retaliation

All the organizational units in IGD and its subsidiaries who receive and process the reports guarantee maximum confidentiality, as well as the anonymity of the reporting parties.

All acts of retaliation and any form of discrimination harming the party who, in good faith, reported on the illicit behavior are expressly prohibited.

Those who report on acts in bad faith, or maliciously or negligently, which prove to be groundless will be subject to disciplinary action.

Summary of the Agreement for joint control

Subject and purpose of the agreement

The purpose of the Agreement for Joint Control (hereinafter “the Agreement”) is to govern the ways with which and conditions under which the personal data relative to the following Gruppo IGD companies is processed:

IGD SIIQ S.p.A., with registered offices in Bologna (BO), Via Trattati Comunitari Europei 1957-2007, n. 13 C.F./P.I. 00397420399 (hereinafter also referred to as “IGD SIIQ” or “Joint Controller”)
IGD Management SIINQ S.p.A., with registered offices in Bologna (BO), Via Trattati Comunitari Europei 1957-2007, n. 13, C.F./P.I. 13174580152, (hereinafter also referred to as “Joint Controller”)
IGD Service S.r.l., with registered offices in Bologna (BO), Via Trattati Comunitari Europei 1957-2007, n.13, C.F./P.I. 03961741208 (hereinafter also referred to as “Joint Controller”)
Porta Medicea S.r.l., with registered offices in Bologna (BO), Via Trattati Comunitari Europei 1957-2007, n.13, C.F./P.I. 01591140494 (hereinafter also referred to as “Joint Controller”)

hereinafter also referred to as the “Joint Controllers”, who are the joint controllers of the data processed as part of the whistleblowing activities carried out by the latter (hereinafter the “activities”, described in greater detail in Art. 26 of Gruppo IGD’s Whistleblowing Procedures, adopted by the Joint Controllers).

More in detail, the Agreement identifies and describes the responsibilities for compliance with the obligations under current regulations relative to the processing of personal data, specifically Art. 26 of the GDPR.

General guidelines for carrying out the activities

The Joint Controllers agreed that the whistleblowing reports will be gathered by IGD SIIQ S.p.A., through the platform found at https://www.gruppoigd.it/en/governance/business-ethics/whistleblowing/ or received by mail, who will manage them accordingly.

During this phase, the Joint Controllers will process, with the support of the respective Supervisory Boards, the whistleblower’s personal data, as well as the personal data of the individuals identified in the report. The personal data above will be processed using paper supports and/or IT procedures by members of the Joint Controllers’ Supervisory Boards. These individuals will have access to the personal data solely to the extent needed to carry out the data processing.

Responsibilities of the joint controllers when processing personal data

Each Joint Controller will:

process, jointly with the other Joint Controllers, the personal data in accordance with the principles of lawfulness, fairness and transparency called for in the GDPR;
implement processing solely for the purposes of carrying out the activities called for in this Agreement;
determine the ways in which the interested parties may exercise the rights referred to in Articles 15, 16,17, 18, 20 and 21 of the GDPR, as described in greater detail in Art. 8 below;
provide the information called for in Articles 13 and 14 of the GDPR in accordance with the limits and methods defined in Art. 9 below;
adopt the technical and organizational measures needed to guarantee secure data processing, as described in greater detail in Art. 6 below.

More in detail, IGD Siiq S.p.A., as Joint Controller and as agreed together with the other Joint Controllers, will:

manage the IT platform used for reporting, described in greater detail above;
make information about the data processing carried out by the Joint Controllers available to the interested parties;
act as the contact for inquiries made by the interested parties.

Rights of the interested party

The Joint Controllers will implement the measures needed to provide the interested party with all the information and communications made relating to the processing in accordance with current applicable laws in a manner that is concise, transparent, comprehensible and easy to access, as well as expressed using simple and direct terms, in accordance with the means and limits referred to in this Agreement and the information made available by the interested parties.

The information will be provided in writing or using other methods, including, if called for, electronic means.

The interested parties may contact the Joint Controllers at the following address: privacy@gruppoigd.it

At any rate, each Joint Controller will advise the other Joint Controllers of any requests received from interested parties in order to provide the interested parties with a reply, including jointly, by the legal deadline.

Do you want to send a disclosure to the Supervisory Board?

Whistleblowing

Whistleblowing procedure

Related document

IGD’s reply

Prohibition of any forms of retaliation

related documents

Summary of the Agreement for joint control

Read more