Uninettuno University | Corso Vittorio Emanuele II, 39 - Roma 0669207671 - info@uninettunouniversity.net

Corso Vittorio Emanuele II, 39 - Roma 0687940271

PRIVACY STATEMENT - Whistleblowing

PRIVACY NOTICE
IN COMPLIANCE WITH THE EU REGULATION 2016/679
REGARDING THE WHISTLEBLOWING REPORTING PROCEDURES
* * *

1 – Introduction

The International Telematic University UNINETTUNO (hereinafter “UNINETTUNO”) has established an internal communication channel for reporting breaches of national or European Union laws or regulations, learned in the context of a work-related activity by the reporting person, also known as “whistleblowing reports,” in implementation of Legislative Decree No. 24 of 10 March 2023, which transposes Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019.

UNINETTUNO is required to process personal data contained in such reports in compliance with Regulation (EU) 2016/679, Legislative Decree No. 196/2003, and Legislative Decree No. 51/2018.

This document aims to provide the legal information required by Articles 13 and 14 of Regulation (EU) 2016/679 regarding how personal data of natural persons involved in whistleblowing reports are processed.

2 – Data Controller Information

Pursuant to Regulation (EU) 2016/679, UNINETTUNO, with its registered office in Rome, Corso Vittorio Emanuele II, No. 39, acts as the Data Controller for the personal data of individuals involved in whistleblowing reports.

UNINETTUNO has delegated the management of whistleblowing reports to an external service provider, appointed as Data Processor pursuant to Article 28 of Regulation (EU) 2016/679.

3 – Categories of Personal Data Processed

Whistleblowing reports and the related investigation activities involve the processing of personal data of the persons concerned. These may include identifying and contact data (physical and email addresses, telephone numbers) of the reporting person, the reported person, and any other persons involved (witnesses, colleagues, supervisors, suppliers, professionals, family members, etc.), as well as information on their role, duties, and other work-related details connected to the reported breach. In certain cases, special categories of data may be processed, such as remuneration data or judicial data.

Such personal data may be provided by the reporting person to describe the circumstances of the alleged violation known to them in the context of their employment relationship. They may also be contained in documents attached to the report or collected by the appointed Manager during the ensuing investigation activities. Personal data that are clearly not relevant to the specific report shall not be collected, and if provided, shall be deleted immediately.

4 – Purposes of Processing

The personal data collected through UNINETTUNO’s internal whistleblowing channels (digital, written, or oral) or through the investigation activities of the appointed Manager are processed solely for the purpose of assessing the admissibility of the report, communicating the outcome to the reporting person, and, if necessary, informing the competent bodies or public authorities responsible for evaluating the reported facts, actions, or conduct.

Providing personal data is not mandatory; however, incomplete or insufficient information may render the report unusable or too generic. For this reason, the reporting person is encouraged, also in their own interest, to provide detailed and, where possible, documented information. Anonymous reports, if sufficiently substantiated, are treated in the same way as those submitted by identified persons.

5 – Methods of Processing

The processing of personal data is carried out mainly by electronic means (communication, recording, and storage of reports—including oral reports—and of information collected during preliminary investigations through the online reporting platform), as well as by manual means (recording and storage of reports submitted by mail or orally in person and of information collected during investigations).

6 – Legal Basis for Processing

The processing of the above personal data is based, pursuant to Article 6(1)(c) of Regulation (EU) 2016/679, on the necessity for the Data Controller to comply with legal obligations established by Legislative Decree No. 24 of 10 March 2023.

Disclosure of the identity of the reporting person to individuals other than the appointed Manager or competent bodies responsible for handling the report is based, pursuant to Article 6(1)(a) of the Regulation, solely on the explicit consent of the reporting person.

7 – Recipients of Personal Data

Personal data processed in the context of whistleblowing activities and procedures may be disclosed to competent public authorities in the event of a complaint, judicial action, or administrative proceedings.

8 – Transfer of Personal Data

The above personal data will not be transferred outside the European Union or the European Economic Area, nor to any international organization.

9 – Data Retention Period

In accordance with Article 14(1) of Legislative Decree No. 24 of 10 March 2023, personal data processed in the context of whistleblowing activities and procedures will be retained by the Data Controller for as long as necessary to manage the specific report and, in any case, for no longer than five years from the date of notification of the final outcome of the reporting procedure.

10 – Data Subject Rights

The data subject has the right to request:

  • access to and rectification of inaccurate personal data concerning them;
  • completion of incomplete data;
  • erasure of data if unlawfully processed or when necessary to comply with a legal obligation;
  • restriction of processing to personal data whose accuracy is not contested, pending verification, and to be informed before such restriction is lifted;
  • receipt of the personal data they have provided, in a structured, commonly used, and machine-readable format, or transmission of those data to another controller, where technically feasible. This right does not apply to personal data not provided by the data subject or processed in the performance of a task carried out in the public interest or under official authority vested in the Data Controller.

Furthermore, the data subject may, at any time, object pursuant to Article 21 of Regulation (EU) 2016/679 to the processing of their personal data carried out on the basis of legitimate interests, providing reasons relating to their particular situation.

All requests may be addressed to UNINETTUNO at its registered office, or via the following contact details:
Tel. +39 06 69207670 / +39 06 69207671 – Email: info@uninettunouniversity.net

If the data subject believes that the processing of their personal data infringes Regulation (EU) 2016/679 or that the Data Controller has not fulfilled its obligations related to the exercise of their rights, they have the right, under Article 77 of the Regulation, to lodge a complaint with the supervisory authority of the Member State of their habitual residence or place of work, or where the alleged infringement occurred, without prejudice to any other administrative or judicial remedy.

Pursuant to Article 13(3) of Legislative Decree No. 24 of 10 March 2023, the person concerned or mentioned in the report may not exercise the rights listed above (Articles 15–22 of Regulation (EU) 2016/679) regarding their personal data processed in connection with the report, disclosure, or complaint, for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject. Consequently, in such cases, UNINETTUNO will decide on the request based on a “balancing of interests” and may lawfully refrain from responding to the data subject.

UNINETTUNO has appointed a Data Protection Officer (DPO), who can be contacted at the following email address: dpo@uninettunouniversity.net or by phone/fax at +39 06 37511524.
Data subjects may contact the DPO for any matters relating to the processing of their personal data or the exercise of their rights under the Regulation. The DPO is bound by confidentiality in the performance of their duties.