Big Cover Legal&Policies

Reports of Unlawful Actions Statement Ex Legislative Decree 231/01

Pursuant to Regulation (EU) 2016/679

Who we are

The Data Controller is Lutech S.p.A and each its subsidiary companies that has decided to adhere to the Legislative Decree 231/01 (“Data Controller Companies”)

Who is the Data Protection Officer (DPO)

LCA Servizi Srl

Legal Basis

The legal obligation resulting from the application by the Controller of Italian Legislative Decree 231/2001 (as amended), as well as Italian Law 179/2017.

Personal Data and Purposes

Nella tabella che segue sono riportate le categorie dei tuoi dati trattati ed i soggetti a cui sono destinati per ciascuna finalità di trattamento a cui è applicabile questa informativa.

Processing porposes


Personal Data categories


Categories of Recipients

The enforcement of legal obligations determined by the application of Italian Legislative Decree no. 231 of 8 June 2001 “Rules on the administrative liability of legal persons, companies and associations including those not having legal personality, in accordance with Article 11 of Italian Law no. 300 of 29 September 2000”, as well as Italian Law 179/2017 “Provisions to protect those reporting crimes or misconduct brought to their attention in the working environment”.

  • Common data including personal details, telephone numbers, email addresses and contact information
  • Special categories of personal data including data connected to trade union membership, health and/or legal information
  • Lutech Compliance Office
  • Supervisory Board of each Data Controller Companies
  • Legal consultants of the Supervisory Board for each Data Controller Companies

any (in the cases provided for by law)*:

  • Police and/or public authorities*
  • Employer/HR*
  • Reported*

Only in the case of exercise of rights:

  • Data Privacy Management Department

Transfer of Personal Data

Your data will always be processed by the Compliance Office and the Supervisory Board of the Data Controller Companies to which the reports are addressed. (*) We will not transfer your personal data to any party other than those specified as recipients, and always and in any case in accordance with the situations laid out in operating procedure Whistleblowing Management and Method of Notification of the SB.

Automated Decisions

All personal data contained in the report which are not subject to any automated decision[1]making process that can cause significant legal side-effects for the person or which can affect your ability to exercise your rights under the GDPR. The processing will be performed with both manual and ICT tools, with the application of organisational and processing principles strictly correlated to the same purposes, and in all cases in a manner which guarantees the security, integrity and confidentiality of the data in accordance with the organisational, physical and logical measures required by the relevant legislation.

How we protect your personal data

All personal data that you provide will be processed in accordance with principles of lawfulness, fairness and transparency, pursuant to applicable legislation, with special reference to personal protection measures provided by legislation for each whistleblowers, and to company policies on security and secure processing of personal data. Should there be a risk of breach pursuant to GDPR article 34, we will notify you promptly of it. You can exercise your right to access to obtain any information about the security measures adopted on your personal data.

Personal Data Retention Period

Your personal data will be stored on our systems:

- In the event of archiving, up to five (5) years from the date of receipt of the report at the end of the investigation by the Supervisory Board
- Or until the definition of any disciplinary or legal proceedings (handing down of court sentence) connected to or following the report in order to guarantee to both parties the opportunity to be able to comply with all obligations deriving from the correct management of any consequent proceedings The retention period of personal data collected into storage and/or backup systems follows the same roles defined by business continuity plan and disaster recovery policies. You can exercise your right to access to obtain any information you need.

Rights of the Data Subject

  • Right of Access (article 15): The Data Subject may obtain from the Controller confirmation as to whether or not personal data concerning them are being processed and may obtain further information, including the purposes of the processing, the categories of personal data and the recipients.
  • Right to Rectification (article 16): The Data Subject may obtain from the Controller the rectification of inaccurate personal data.
  • Right to Erasure (article 17): The Data Subject may request the erasure of personal data concerning them where one of the grounds provided by that article applies, including: withdrawal of consent, unlawful processing and exercise of the right of defence.
  • Right to Restriction (article 18): The Data Subject may obtain the restriction, configurable as a total or partial suspension of the data processing or even in some cases an immobilisation of the same. This may be requested only in exceptional cases expressly determined by the rule, including the period enabling the Controller to verify the accuracy of the personal data, unlawful processing, exercise of a right during legal proceedings.
  • Right to Data Portability (article 20): The Data Subject has the right to ask that the data concerning them be disclosed, in the exercise of their rights, in an easily comprehensible format.
  • Right to Object (article 21): The Data Subject may, on grounds related to their particular situation, object to the processing concerning them pursuant to Article 6 para. 1, e) and f).
  • Right not to be Subjected to Automated Processes (article 22) The Data Subject may object to being subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them.

We inform you that, if you decide to exercise one or more of the above rights, your personal data will be communicated by the Controller to the processing recipients for the connected fulfilments (article 19, GDPR). If you have any doubts or require clarifications and also to exercise your rights, please contact us by writing to the following address:

You have the right to lodge a complaint with the competent supervisory authority (for Italy is the Italian Data Protection Authority) and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules. You can find more information into the to the Italian Data Protection Authority website:

v01 del 15/03/2024

Download the statement