This Information Note refers to personal data processing for managing “Whistleblowing” reports, pursuant to Legislative Decree no. 24 of 10 March 2023, “Implementation of Directive (EU) no. 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law”, by UPMC Italy S.r.l., ISMETT S.r.l. (jointly with UPMC Italy S.r.l.), and Salvador Mundi International Hospital S.r.l., each in its capacity as independent data controller and with reference to the data processing in which it is involved.
1. DATA CONTROLLERS
The data controllers are UPMC Italy S.r.l., with registered office in Palermo, Via Discesa dei Giudici 4 (hereinafter referred to as “UPMCI”), Istituto Mediterraneo per i Trapianti e Terapie ad Alta Specializzazione, jointly with UPMC Italy S.r.l., with registered office in Palermo, Via Discesa dei Giudici 4 (hereinafter “ISMETT”), and Salvador Mundi International Hospital S.r.l., with registered office in Rome, Viale delle Mura Gianicolensi 67 (hereinafter “SMIH”).
2. DATA SUBJECTS
This Information Note refers to persons reporting a behaviour, act or omission that harms the public interest or integrity of the institution and of which they have learned in the workplace, relevant pursuant to Legislative Decree no. 24 of 10 March 2023, “Implementation of Directive (EU) no. 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law”, as well as to the facilitator, involved parties, or anyone mentioned in the above reports shared by means of communication channels, paper and electronic, prepared for managing the report by each data controller.
3. DATA PROTECTION OFFICER (DPO)
The UPMCI DPO can be reached at dpo@upmc.it.
The ISMETT DPO can be reached at dataprotectionofficer@ismett.edu.
The SMIH DPO can be reached at dataprotectionofficer@ismett.edu.
4. PROCESSED DATA, PURPOSE, AND LEGAL BASIS OF PROCESSING
Your personal data will be processed unless the report is submitted in an anonymous form. The joint controllers may process special categories of personal data, namely personal data revealing racial or ethnic origin, concerning health and sex life, or judicial data, only if you freely decide to provide them at the time of reporting or if you attach documents containing this information to the report.
The legal basis of processing coincides with the fulfilment by the joint controllers of Article 6.1(c) of the Regulation, with reference to Article 3 of Legislative Decree no. 24/2023, Article 6 of Legislative Decree no. 231/2001, and Law no. 179/2017.
Your personal data will be processed only to verify the admissibility of the report and to allow its management, pursuant to Article 13 of Legislative Decree no. 24/2023.
5. DATA STORAGE
The controllers will store the personal data contained in the report and the supporting documentation for the time necessary to manage the report, and in any case for no more than five years from the notification date of the final outcome of the reporting, pursuant to Article 14(1) of Legislative Decree no. 24/2023. After this mandatory period, the data will be anonymised or deleted. In the event that a disciplinary or legal proceeding is initiated on the basis of the reporting, your personal data will be stored until the proceeding is concluded.
6. DATA PROCESSING AND DATA SUBJECTS
The processing only refers to the data required to manage the specific report, and is carried out using both paper and electronic means. Personal data accidentally collected and not required to process a specific report are immediately deleted in accordance with the minimisation principle. The identity of the reporting person may not be disclosed to anyone other than those responsible for receiving and processing the report, unless there is an express consent from the reporting person. The identity of the facilitator, of the persons involved, and of the persons mentioned in the report may not be disclosed before the completion of the proceedings following the report, pursuant to Article 12 of Legislative Decree no. 24/2023.
Your personal data may be disclosed to the following subjects:
- Under Article 29 of the Regulation, natural persons authorised by each data controller (i.e., members of the supervisory body and auxiliaries);
- Under Article 28 of the Regulation, third parties appointed by each data controller as data processors.
7. DATA TRANSFER
The disclosure of personal data does not involve persons located outside the EU.
8. RIGHTS OF THE DATA SUBJECT
Data subjects have the right of access, right to rectification and integration, right to erasure, right to restriction of processing or opposition to processing (Article 15 and following of the Regulation), unless there may be actual and concrete prejudice to the confidentiality of the identity of the whistleblower and/or to the pursuit of the objectives of compliance with the law on reporting of unlawful conduct, pursuant to Article 13(3) of Legislative Decree no. 24/2023 and Article 2-undecies(1), letter (f) of Legislative Decree no. 196/2003.
Data subjects may submit a request to exercise their rights by contacting the DPO of ISMETT at the aforementioned e-mail addresses.
A model drafted by the Italian Personal Data Protection Authority to exercise personal data protection rights is available here.
Data subjects who believe their personal data processing is in breach of the provisions of the Regulation have the right to lodge a complaint with the Personal Data Protection Authority or to bring an action before the appropriate courts, without prejudice to the limits laid down in Article 2-undecies(1), letter (f) of Legislative Decree no. 196/2003.
Last update: July 2023