Who we are
The Data Controller is Lutech S.p.A. and each of its subsidiary companies that has decided to adhere to Legislative Decree 231/01 (“Data Controller Companies”).
Who is the Data Protection Officer (DPO)
LCA Servizi Srl
e-mail: DPO@lutech-group.com
Legal Basis
The execution of legal obligations resulting from the application by the Controller of Italian Legislative Decree 24/2023.
The execution of obligations aimed at ensuring compliance with the voluntary Standards to which Lutech adheres.
Personal Data and Purposes
Below are the processing purposes, the categories of personal data and the subjects to which the personal data are disclosed.

| Processing purposes | Personal Data categories | Categories of Recipients |
| --- | --- | --- |
| Fulfilment of the legal obligations resulting from the application: | | The Case Manager of the Controller Company and if competent: |
| Compliance with SA8000 Standard of Lutech S.p.A. | | |
Transfer of Personal Data
Your data will always be processed by the Case Manager of the Data Controller Company to which the reports are addressed.
(*) We will not transfer your personal data to any party other than those specified as recipients, and always in accordance with the Whistleblowing Policy (Management of Reports of Unlawful Actions) and according to the method of notification to the SB.
Automated Decisions
Your personal data won’t be subject to a decision based solely on automated processing, profiling included, that produces significant legal side-effects for you, or which affects your ability to exercise your rights under the GDPR.
How we protect your personal data
All personal data that you provide will be processed in accordance with the principles of lawfulness, fairness and transparency, in accordance with current legislation and measures to protect persons who report infringements of European Union law, and with the relevant company policies on reporting and processing of personal data.
We will promptly notify you of any breach of your personal data.
You can exercise your right to access to obtain any information about the security measures adopted on your personal data.
Personal Data Retention Period
Your personal data will be stored on our systems:
- In the event of archiving, up to five (5) years from the date of receipt of the report at the end of the investigation by the Supervisory Board
- Or until the definition of any disciplinary or legal proceedings (handing down of court sentence) connected to or following the report
in order to guarantee to both parties the opportunity to comply with all obligations deriving from the correct management of any consequent proceedings.
The retention period of personal data collected into storage and/or backup systems follows the same rules defined by the business continuity plan and disaster recovery policies.
You can exercise your right to access to obtain any information you need.
Rights of the Data Subject
- Right of Access (article 15): The Data Subject may obtain from the Controller confirmation as to whether or not personal data concerning them are being processed and may obtain further information, including the purposes of the processing, the categories of personal data and the recipients.
- Right to Rectification (article 16): The Data Subject may obtain from the Controller the rectification of inaccurate personal data.
- Right to Erasure (article 17): The Data Subject may request the erasure of personal data concerning them where one of the grounds provided by that article applies, including: withdrawal of consent, unlawful processing and exercise of the right of defence.
- Right to Restriction (article 18): The Data Subject may obtain the restriction, configurable as a total or partial suspension of the data processing or even in some cases an immobilisation of the same. This may be requested only in exceptional cases expressly determined by the rule, including the period enabling the Controller to verify the accuracy of the personal data, unlawful processing, exercise of a right during legal proceedings.
- Right to Data Portability (article 20): The Data Subject has the right to ask that the data concerning them be disclosed, in the exercise of their rights, in an easily comprehensible format.
- Right to Object (article 21): The Data Subject may, on grounds related to their particular situation, object to the processing concerning them pursuant to Article 6 para. 1, e) and f).
- Right not to be Subjected to Automated Processes (article 22): The Data Subject may object to being subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them.
We inform you that, if you decide to exercise one or more of the above rights, your personal data will be communicated by the Controller to the processing recipients for the connected fulfilments (article 19, GDPR).
If you have any doubts or require clarification, or wish to exercise your rights, please contact us by writing to the following address:
https://lutech.group/it/privacy-rights/
You have the right to lodge a complaint with the competent supervisory authority (for Italy, the Italian Data Protection Authority) and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules.
You can find more information on the Italian Data Protection Authority website: https://www.garanteprivacy.it/
v02 of 21/06/2024