Privacy Notice - Whistleblowing System

04.09.2023

Privacy Notice

Information Notice pursuant to the EU General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679

Dear User,
Below you will find key information regarding the processing of your personal data collected during the receipt and management of your whistleblowing report.

DATA CONTROLLER

The Data Controller is the specific Caronte & Tourist Group company to which the report is addressed.
Caronte & Tourist S.p.A. also acts as data processor for each of its subsidiaries.

For any inquiries, the Data Controller and Data Processor may be contacted at:

The Group has appointed a Data Protection Officer (DPO) in accordance with Article 39 of the GDPR.
The DPO can be contacted at the controller's registered office or via email at dpo@carontetourist.it.

TYPES OF DATA PROCESSED

The processing may involve the following personal data as defined under Article 4(1) of the GDPR:

  • Data relating to the subject(s) of the report and/or other individuals mentioned therein.

In the case of non-anonymous reports, the following personal data of the reporting party will also be processed:

  • Personal identification data (full name)
  • Contact details (e-mail address, phone number)
  • Factual circumstances and/or personal status information

PURPOSE AND LEGAL BASIS OF DATA PROCESSING

Your personal data is processed for the following purposes:

Purpose: Management of spontaneous reports of alleged crimes or irregularities that the data subject has become aware of (so-called whistleblowing), pursuant to Law No. 24/2023.

Legal Basis of Processing: Processing necessary to comply with a legal obligation to which the data controller is subject (Article 6(1)(c) of the GDPR).

MANDATORY OR OPTIONAL NATURE OF DATA PROVISION

Providing personal data for the above purpose is mandatory to process your report.
Failure to provide such data will prevent the handling of your report.

RECIPIENTS OF PERSONAL DATA

Personal data may be disclosed, strictly in relation to the purposes outlined above, to the following parties or categories of recipients:

a) Any public authority that requests such data in connection with administrative or judicial proceedings that may be initiated.

METHOD OF PROCESSING

Personal data is collected at the time the report is submitted via the dedicated whistleblowing platform.

Data is processed, in accordance with legal provisions and the company’s internal procedure on the matter, by the Whistleblowing Committee appointed for this purpose.

Processing is carried out using both paper-based and electronic tools, in compliance with data protection regulations and with appropriate technical and organizational measures as set out in Article 32(1) of the Regulation. All necessary precautions are taken to ensure the integrity, confidentiality, and availability of the data.

Personal data stored in the digital database is accessible only to specifically appointed individuals, designated exclusively for this purpose, through personal access credentials.

DATA RETENTION PERIOD

Your personal data will be retained for the time strictly necessary to manage and process the report and, in any case, no longer than 5 years from the date of communication of the outcome of the reporting procedure.

In the event of legal disputes between the Company/Data Controller and the data subject, the retention period shall be extended for the entire duration of the dispute and for 10 years after its definitive resolution (e.g., settlement agreement or final judgment).

DATA SUBJECT RIGHTS UNDER ARTICLES 15–22 OF THE GDPR – EU REGULATION 2016/679

In accordance with applicable regulations, you are entitled to exercise the following rights:

  • Right of Access – You may request information at any time regarding the type of data held, its origin, purpose, categories, recipients, whether profiling is involved, and the data retention period.
  • Right to Rectification – You may request the correction or update of your data at any time. The Data Controller is also required to notify third parties with whom your data has been shared of such updates.
  • Right to Erasure (“Right to Be Forgotten”) – You may request the deletion of your personal data if: the purpose of processing has been fulfilled; consent has been withdrawn; you object to processing; or the data has been processed unlawfully. The Data Controller will also notify any third parties who have received the data.
  • Right to Restriction of Processing – You may request restriction of processing: in cases of inaccurate data (pending correction); in the event of a dispute (pending resolution); or upon your request as an alternative to deletion.
  • Right to Object – You have the right to object to the processing of your personal data, including processing for automated decision-making purposes.
  • Right to Data Portability – You may exercise this right for data processed by automated means and for contractual purposes, provided it does not infringe on the rights and freedoms of others.

HOW TO EXERCISE YOUR RIGHTS

You may exercise any of the above rights at any time by using the same channel through which the report was submitted or by writing to: privacy.gruppo@carontetourist.it.

You also have the right to lodge a complaint with the Italian Data Protection Authority via the following link: https://www.garanteprivacy.it/garante/doc.jsp?ID=4535524, or with any other competent supervisory authority.