Privacy Policy*
INFORMATION ON THE PROCESSING OF PERSONAL DATA OF SUBJECTS INVOLVED IN REPORTS OF UNLAWFUL ACTS AT THE UNIVERSITY OF VERONA (WHISTLEBLOWING) BASED ON THE PROVISIONS CONTAINED IN LEGISLATIVE DECREE NO. 24/2023
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679
WHY THIS INFORMATION?
Pursuant to Regulation (EU) 2016/679 (hereinafter referred to as the "Regulation"), this page describes the methods for processing the personal data provided by the reporting person in order to represent the alleged unlawful conduct of which he/she has become aware due to his/her service relationship or collaboration with the University of Verona (hereinafter "University") committed by the subjects working at the University and those collected as part of the checks carried out at by the Head of Corruption Prevention and Transparency of the University (hereinafter "RPCT"), in accordance with the provisions contained in Legislative Decree no. 24 of 10 March 2023 (hereinafter "Legislative Decree no. No. 24/2023").
CATEGORIES OF DATA SUBJECTS
- Signaling
- Marked
- Third parties included in the reports
DATA CONTROLLER
The Data Controller is the University of Verona, with registered office in Via dell'Artigliere n. 8, IT-
37129, Verona (e-mail: privacy@ateneo.univr.it, PEC: ufficio.protocollo@pec.univr.it, tel. +39 045.8028777).
DATA PROTECTION OFFICER
The Data Protection Officer can be reached at the following address: dpo@ateneo.univr.it.
DATA PROCESSOR
For the processing of personal data carried out through the electronic platform univir.segnalazioni.net (hereinafter referred to as the "platform"), the University has appointed as Data Processor, pursuant to Article 28 of the Regulation, the supplier company: DigitalPA S.r.l. with registered office in Cagliari, via s. Tommaso d'Aquino 18/A, P. I/ C.F. 03553050927.
TYPE OF PERSONAL DATA
The data that may be processed can be classified into the following types:
- Personal and contact data
- Special data
- Judicial data
PURPOSE AND LEGAL BASIS OF THE PROCESSING
Personal data related to the processing of reports of facts deemed unlawful are processed by the University through the platform and its RPCT, in the performance of its tasks in the public interest or in any case related to the exercise of its public powers (Article 6, paragraph 1, letter e) of the Regulation), with particular reference to the obligation to acquire the elements aimed at allowing the ascertainment of any reported offenses in the interest of integrity of the Administration pursuant to Legislative Decree no. no. 24/2023 (art. 6, par. 1, letter c) of the Regulation).
The processing of special categories of personal data, where appropriate, is necessary for reasons of important public interest on the basis of Union or Member State law, proportionate to the purpose pursued, to respect the essence of the right to data protection and to provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject (Art. 9, par. 2, lett. g) of the Regulation).
Any data relating to criminal convictions and offences will be processed only in cases where it is provided for by law (Article 10 of the Regulation).
PROCESSING METHODS
The personal data provided to the University by the whistleblower are processed in compliance with the principle of minimisation, relevance and non-excess, in order to carry out the necessary investigative activities aimed at verifying the validity of the facts reported as well as for the adoption of the consequent measures by the University or, if the conditions are met, by the competent authorities indicated in art. 11, d.lgs. No. 24/2023.
The whistleblower's personal data shall be provided by
- platform, in accordance with the procedures described in the procedure published on the following web page: https://www.univr.it/ (hereinafter referred to as the "Procedure")
- oral communication through the RPCT, in accordance with the procedures set out in the procedure referred to in the previous point
- acquired from third parties (e.g. witnesses) or from publicly accessible sources as part of the pre-checks that the RPCT is required to carry out.
The processing of personal data is carried out using paper and computerized methods. The data will be processed with the use of computerized procedures, equipped with encryption tools or, in any case, in such a way as to guarantee the confidentiality of the identity of the whistleblower and of all the subjects involved, of the content of the reports and of the related documentation, adopting appropriate technical and organizational measures to protect them from unauthorized or illegal access, destruction, loss of integrity and confidentiality, even accidental.
OPTIONAL PROVISION OF DATA
The provision of the whistleblower's data is optional, as the report can be transmitted anonymously.
As part of the reporting procedure, the University does not require the indication of special categories of data and/or judicial data. If sent by the whistleblower, the University will only be able to process them in the presence of the conditions listed above. In the absence of these conditions, they will be immediately deleted.
DATA RETENTION
As required by art. 14, d.lgs. No. 24/2023, personal data are processed and stored for the time necessary to process the report and no longer than five years from the date of communication of the final outcome of the reporting procedure.
DATA RECIPIENTS
As illustrated in the aforementioned procedure, the recipients of the data processed in relation to the report, as required by law, may be the competent judicial or accounting authority or ANAC.
The personal data collected may also be processed by the University staff responsible for disciplinary action, who act on the basis of specific instructions provided regarding the purposes and methods of processing.
In exceptional cases, if the University initiates disciplinary proceedings against the reported person based solely on the report, the whistleblower's data may be communicated to the reported person, exclusively to exercise the latter's right of defence with the whistleblower's consent. The identity of the whistleblower cannot be ascertained if the objection to the disciplinary charge is based on separate and additional investigations with respect to the report, even if consequent to the same. In the case of transmission of the report to other structures/bodies/third parties for the performance of investigative activities, only the content of the report must be forwarded, eliminating all references from which it is possible to trace, even indirectly, the identity of the whistleblower.
Furthermore, pursuant to art. 12, paragraphs 3 and 4, of Legislative Decree no. n. 24/2023, in the context of any criminal proceedings, the identity of the whistleblower is covered by secrecy in the manner and within the limits provided for by art. 329 of the Code of Criminal Procedure. In addition, in the context of proceedings before the Court of Auditors, the identity of the whistleblower cannot be revealed until the investigation phase has been closed.
Finally, personal data may be made accessible, brought to the attention or communicated to natural or legal persons, which the University uses to carry out activities instrumental to the achievement of the above purposes (e.g. for accounting and administrative purposes, legal defense, IT management of its archives, etc.).
DATA TRANSFER ABROAD
There are no data transfers to third countries.
SOURCE OF PERSONAL DATA
Any data of the whistleblower indicated are provided by the whistleblower himself (and therefore acquired by the University from the data subject pursuant to Article 13 of the Regulation). The personal data of the reported and/or third parties are provided to the University by the whistleblower (and therefore acquired by the University from third parties pursuant to Article 14 of the Regulations).
RIGHTS OF DATA SUBJECTS AND COMPLAINT
In general terms, data subjects have the right to obtain from the University, in the cases provided for, access to personal data relating to them and the rectification or cancellation of the same or the limitation of the processing that concerns them or to object to the processing (Articles 15 et seq. of the Regulation). The appropriate request to the University is submitted by contacting the Data Controller (e-mail: privacy@ateneo.univr.it). However, according to Art. 13, paragraph 3, d.lgs. No. 24/2023, the rights referred to in Articles 15 to 22 of the Regulation may be exercised within the limits of the provisions of Article 2-undecies, letter f), of Legislative Decree no. n. 196/2003 (Privacy Code), according to which, in the text amended by art. 24, paragraph 4, d.lgs. No. 24/2023, "may not be exercised by means of a request to the data controller or by complaint pursuant to Article 77 of the Regulation if the exercise of these rights may result in actual and concrete prejudice [...] the confidentiality of the identity of the person reporting breaches of which he or she has become aware by reason of his or her employment relationship or duties, pursuant to the Legislative Decree implementing Directive (EU) 2019/1937 [...], on the protection of persons who report breaches of Union law [...]"tag.
Last revised: February 2024