NOTICE ON THE PROCESSING OF PERSONAL DATA (ART. 13 and ss. REG (EU) 2016/679) – WHISTLEBLOWING

1. Data controller

Data Controller - E-GAP S.r.l. Società Benefit, in the person of its legal representative, headquartered in Rome, Via Flavia n. 3, 00187, VAT number 14253861000, mail: gap@e-gap.com

The Data Controller has appointed an Internal Data Processor who can be contacted at the following e-mail address: privacy@e-gap.com.

2. Processed data

3. Purpose and legal basis of processing

Please note that, for all the purposes mentioned above, the potential processing of special personal data as defined by Art. 9 GDPR is based on the fulfilment of obligations and on the exercise of specific rights of the Data Controller and of the data subject in the field of labour law [Art. 9(2)(b), GDPR], as well as on the performance of a task of significant public interest assigned by law [Art. 9(2)(g), GDPR], by reason of Art. 2-sexies lett. dd) of Legislative Decree no. 196/2003.

In addition, again with reference to all the purposes indicated above, any processing of judicial data and of data relating to criminal convictions and offences as defined by Art. 10 GDPR is based on the legal obligation to which the Data Controller is subject [Art. 6(1)(c), GDPR] and on the performance of public interest tasks assigned by law [Art. 6(1)(e), GDPR], by reason of Art. 2-octies lett. a) of Legislative Decree 196/2003.

4. Method of Data Processing

The processing of data is carried out in full compliance with the Law and with the appropriate technical and organisational security measures adopted by the Data Controller in accordance with the provisions of Regulation (EU) 2016/679, so as to minimise the risks of unauthorised disclosure and access, accidental or unlawful access to transmitted personal data, destruction, modification, loss, unavailabilitỳ.

The processing is carried out through the use of IT, telematic and/or manual/paper tools, so as to ensure, first and foremost, the confidentiality of the data.

We inform you that the processing of data will also be carried out by means of IT and telematic tools of third party service providers or, in any case, of third parties appointed as Data Processors/Sub-Processors pursuant to Art. 28, EU Reg. 2016/679 or in accordance with appointments or agreements drawn up in compliance with the law.

The reporting management system provided by the third-party provider "DigitalPA S.r.l." guarantees, at every stage, the confidentiality of the identity of the reporter, of the persons involved and/or in any case mentioned in the report, of the content of the report and of the relevant documentation, without prejudice to the provisions of Article 12 of Legislative Decree no. 24/2023.

We inform you that, to the extent possible, your data will also be processed in anonymous, aggregated or pseudonymised form in compliance with the principles of minimisation and pseudonymisation set out in EU Regulation 679/2016.

The list of persons appointed as Data Processors is available upon request from the data subject.

5. Subject authorized to process data

The personal data of the reporter and the personal data contained in the report will be processed by the subjects entrusted with the management of the reporting channel. In addition, personal data may be processed by the persons in charge of receiving or following up reports (e.g. company supervisory bodies).

We inform you that the persons entrusted with the management and receipt of reports as well as with the follow-up of the same are primarily appointed as Data Processors pursuant to Article 28 EU Reg. 679/2016 or in any case authorised to process such data pursuant to Articles 29 and 32(4) of Regulation (EU) 2016/679 and Article 2-quaterdecies of the Personal Data Protection Code pursuant to Legislative Decree No. 196 of 30 June 2003 and thus adequately instructed and trained on the purposes and methods to be followed in the performance of the relevant task.

6. Disclousure, communication and possible recipients of the data

Should investigative needs require that other persons within the Data Controller's structure be made aware of the content of the report or of the documents annexed thereto, the identity of the author of the report will never be disclosed, nor will elements that might even indirectly allow the identification of the author of the report and of its content be disclosed. Such persons, who may in any case become aware of other personal data, are all specially instructed and trained and are required to keep secret what they learn in the performance of their duties, without prejudice to the reporting and whistleblowing obligations provided for by law.

It should be noted that in the event that the report leads to the initiation of disciplinary proceedings against the person responsible for the unlawful conduct, the identity of the whistleblower will never be disclosed. Where knowledge of the identity of the whistleblower is indispensable for the defence of the accused, the whistleblower shall be asked whether he/she intends to give his/her specific and free consent to the disclosure of his/her identity.

7. Categories of third parties to whom the data may be disclosed

Your personal data and those of the persons indicated as possibly responsible for the unlawful conduct, as well as of the persons involved in any way in the events reported, will not be disclosed.

Some processing may be carried out by further third parties, to whom the Data Controller entrusts certain activities (or part of them) for the purposes set out in point 3); these subjects will operate as autonomous Data Controllers or will be designated Data Processors and are essentially included in the following categories:

- Consultants (Organisation, Litigation, Legal firms, etc.)

- Companies in charge of personnel administration and management

- Auditing companies

- Investigation agencies

- Public Institutions and/or Authorities, Judicial Authorities, ANAC, Police Bodies.

8. Nature of data provision and consent

The provision of data relating to the identity of the reporter is not mandatory, as the report may also be anonymous. It is up to each reporter to decide which further personal data to provide.

9. Treatment duration and data retention

Pursuant to Article 14 of Legislative Decree 24/2023, the reports - and therefore the personal data contained therein, including any personal data of the reporter - are kept, in compliance with the confidentiality obligations provided for therein, for the time necessary to process the report and in any case no longer than five years from the date of communication of the final outcome of the reporting procedure.

As required by law, no personal data are collected that are clearly not useful for the handling of the report; if accidentally collected, such data are deleted immediately.

The personal data referred to in this notice will be processed within the European Union in compliance with the provisions of Legislative Decree 24/2023, adopted in implementation of Directive (EU) 2019/1937, and with the GDPR. The data relating to the content of the reports received in relation to the company E-GAP UK Limited may be transferred to the United Kingdom in compliance with the aforementioned regulatory provisions; in this regard, it should be noted that said transfer is assisted by guarantees that are equivalent to those specific to the transfer of personal data within the EU, as asserted by the European Commission with the adoption of the adequacy decision of 28 June 2021.

10. Rights of the data subject

The data subject, as reporter or facilitator, has the right at any time to obtain confirmation of the existence or non-existence of the data provided, to request, in the forms provided for by law, the rectification of inaccurate personal data and the integration of incomplete data and to exercise any other right pursuant to Articles 15 to 22 EU Reg. 679/2016, where applicable. The information is provided free of charge; pursuant to Art. 12 para. 5 Reg (EU) 2016/679, in the event of manifestly unfounded, excessive and/or repetitive requests, the data controller may charge a fee inherent to the costs incurred in providing the information, communication or taking the requested action or refuse to comply with the request.

The rights referred to in Articles 15 to 22 EU Reg. 679/2016 may not be exercised by the persons involved and/or mentioned in the report, for the time and to the extent that this constitutes a necessary and proportionate measure, pursuant to Article 2-undecies of Legislative Decree No. 196 of 30 June 2003, as the exercise of such rights could result in actual and concrete prejudice to the protection of the confidentiality of the identity of the person reporting the matter.

Should the Whistleblower or the Facilitator subsequently give consent to the disclosure of his or her identity in disciplinary proceedings, he or she shall have the right to revoke such consent at any time, without, however, affecting the lawfulness of the processing, based on the consent, carried out before the revocation.

11. Contact details

For the purposes of what is stated in this information notice or for the exercise of the rights - in accordance with point 10 above -, the data subject may send an e-mail to the following addresses:

- in relation to E-GAP Engineering S.r.l. and E-GAP S.r.l. at gestionesegnalazioni@proton.me.

- in relation to E-GAP France S.A.S., Green Arrow Power Spain S.L., E-GAP Germany GmbH and E-GAP UK Limited at ccianfriglia@e-gap.com and/or fdemichelis@e-gap.com.

12. Complaint

The data subject has the right to file a complaint with the Authority for the Protection of Personal Data in accordance with the procedures laid down by the same Authority, which can be found at www.garanteprivacy.it. The data subject may exercise his/her personal data protection rights, also with regard to processing carried out outside the EU, before the Italian national authorities and specifically before the Italian Data Protection Authority. For further information on your privacy rights, please visit the website of the Italian Data Protection Authority at www.garanteprivacy.it.

13. Amendments and updates

The Data Controller reserves the right to make amendments to this policy at any time. Amendments and updates will be posted on this page. We recommend that you consult this page in order to remain constantly informed of amendments and updates.

The Data Controller is not responsible for the updating, operation and content of all links to external pages indicated in this information notice and it is recommended that, in the event of malfunctioning of such links or unreachability of the page, reference be made to the relevant document and/or section of the websites referred to.