Privacy Policy for Whistleblowing Report Management

pursuant to Articles 13 and 14 of EU Regulation 679/2016

This privacy notice is provided to all data subjects involved in the procedures for managing reports of unlawful conduct pursuant to Legislative Decree No. 24/2023, including the reporting person (the so-called Whistleblower), facilitators, colleagues and/or individuals operating in the same work context, and the reported person.

1. Contact details

LCS S.p.A., represented by its legal representative, acting as Data Controller, provides data subjects with a dedicated email channel for reporting unlawful conduct pursuant to Legislative Decree No. 24/2023.
Specifically, the reference email address is: lcs.whistleblowing@bcand.it

2. Purpose and legal basis of processing

The personal data of the data subjects are processed in order to properly manage the procedure for handling reports of unlawful conduct, ensuring adequate protection for the Whistleblower and all persons involved.
Without prejudice to the Whistleblower’s right to disclose or not disclose their identity (in which case processing is based on the data subject’s consent), the legal basis for the processing described in this notice is compliance with the obligations set out in Legislative Decree No. 24/2023.

3. Source and categories of data

The personal data of the reported person, facilitators, and colleagues and/or individuals operating in the same work context are provided to the Data Controller by the reporting person (Whistleblower) through the reporting channels defined in the document [Management of Whistleblowing Reports].
Any data not relevant to the report that may be provided will not be subject to further processing.

To ensure the highest level of confidentiality and, where required, anonymity, the reporting channel (email) is managed internally by LCS S.p.A. and by duly appointed external parties pursuant to Article 18 GDPR, bound by confidentiality and authorized solely for purposes related to their assigned tasks.

Where the reporting person requests anonymity, LCS S.p.A. will take appropriate measures to prevent any possibility of identifying the Whistleblower by default, except in cases where anonymity cannot be upheld under applicable law.

4. Recipients of personal data

The personal data of data subjects may be processed by company personnel assigned to the post-report investigation activities.
If the reported conduct falls within the scope of predicate offences, LCS S.p.A. will communicate such data to the Supervisory Body (Organismo di Vigilanza) so that appropriate measures may be taken to ensure compliance with the Organization, Management and Control Model under Legislative Decree No. 231/2001.

Furthermore, the data of data subjects may be disclosed where such disclosure constitutes a necessary and proportionate obligation imposed by EU or national law in the context of investigations by national authorities or judicial proceedings.

5. Transfer of data to third countries or international organizations

The personal data of the data subjects will not be transferred to countries outside the European Union.

6. Data retention period

Reports and related documentation, including records of the subsequent investigations, will be retained for the time necessary to process the report and, in any case, no longer than five years from the date of communication of the final outcome of the reporting procedure.

7. Data subject rights

At any time, data subjects have the right to request access to their personal data, as well as rectification thereof, from the Data Controller.
A written response will be provided within 30 days (unless an oral reply is specifically requested), including by electronic means.
Data subjects also have the right to request restriction of processing or to object to it.
If they believe their data have been processed unlawfully, they have the right to lodge a complaint with the competent Supervisory Authority.

8. Nature of data provision and consequences of failure to provide data

The provision of data to the Data Controller is optional, as the legislation guarantees the Whistleblower’s anonymity.
However, in certain cases, complete anonymity may limit the availability of information necessary for a full investigation following the report.