Privacy - whistleblowing-EN - AC.MO Srl | Valves and Technologies for Water World

INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 AND 14 OF EU REGULATION 2016/679 AND LEGISLATIVE DECREE NO. 196/2003 AMENDED BY LEGISLATIVE DECREE NO. 101/2018 – REPORTING

FOREWORD

With EU Regulation 2016/679 and Legislative Decree 196/2003 amended by Legislative Decree 101/2018, containing provisions for the protection of natural persons with regard to the processing of personal data, AC. MO SRL, with registered office in via F. Michelini Tocci 93 – 00136 ROMA (RM), the data controller, is required to provide some information regarding the processing of personal data provided to us by you.

SOURCE OF DATA, PURPOSES AND METHODS OF PROCESSING

The data acquired by AC. MO SRL, the data controller, are provided directly by the data subject through a platform that can be reached through our website https://www.acmosrl.com, meeting with the Manager in charge of managing reports, or requested by us to supplement the report made.
The data you provide will be processed for the purposes strictly related to the management of reports (internal channel) of unlawful conduct, relating to activities and/or conduct that differ from the procedures implemented by our Company, meaning the violation of rules of professional conduct and/or principles of ethics referred to by current legislation – internal and external – and/or unlawful or fraudulent conduct referable to the subjects identified by the regulations of Reference
The processing will be carried out both through IT tools and manually by specially appointed subjects.

LEGAL BASIS FOR DATA PROCESSING

The legal basis for this processing is represented by art. 6, paragraph 1, letter c), of Regulation (EU) 2016/679 (fulfilment of a legal obligation to which the data controller is subject), in particular with reference to the legal obligation deriving from the provisions of Legislative Decree no. 24 of 10 March 2023 and additional current legislation applicable to the Data Controller.

PROVISION OF DATA AND CONSEQUENCES OF FAILURE TO PROVIDE IT

For the purposes indicated, the provision of data is optional, as reports can be made anonymously. However, it is specified that anonymous reports will only be taken into consideration if the subject of the report is sufficiently detailed to allow the establishment of an investigation.

The whistleblower is therefore required to know that if the report is made in a non-anonymous form, his data may be revealed to persons other than those competent to receive or follow up on the report. If the whistleblower decides to remain anonymous, the report will be shared (where applicable) only with the internal designated committee. Legal basis of the processing: the data subject has given consent to the processing of his/her personal data for one or more specific purposes – Article 6 paragraph 1 letter a) of Regulation (EU) 2016/679.

TYPE OF DATA PROCESSED

In order to manage reports, the following categories of data may be processed:

identification data, address and other contact details, tax code, role;
special categories of personal data;
personal data relating to criminal convictions and offences;
any other information referring to the reported person that the whistleblower decides to share with the Data Controller in order to better substantiate his or her report.

The data provided by the whistleblower in order to represent the alleged unlawful conduct of which he or she has become aware due to the working context with the Data Controller, are processed in order to carry out the necessary investigative activities aimed at verifying the validity of the reported fact and the adoption of the consequent measures, in compliance with current legislation. The figures responsible for the preliminary verification and management of the report will do so in compliance with the principles of impartiality and confidentiality by carrying out any activity deemed appropriate, including the personal hearing of the whistleblower and any other parties who may report on the reported facts

SCOPE OF DISSEMINATION AND CATEGORIES OF SUBJECTS TO WHOM THE DATA MAY BE COMMUNICATED

The data will not be disseminated to third parties;
If, at the end of the verification, there are elements of validity of the reported fact, the person in charge of managing the reports will transmit the outcome of the investigation to the competent person identified among the following according to concrete needs, for in-depth investigation or for the adoption of the relevant measures:

to the Company Management, so that disciplinary action or further measures and/or actions deemed necessary, also to protect our company, may be carried out, where the conditions are met;
to the Judicial Authority, the Court of Auditors and ANAC.
to any other subject provided for by the relevant legislation in force

TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

The data will be stored in our company servers and in our paper archives and in any case on the European territory for processing entrusted to third parties or for data center relocation services. No transfers of personal data to third countries or international organisations are envisaged.

DATA RETENTION PERIOD

The personal data collected for the above purposes will be kept for 5 years or the time necessary to ascertain the validity of the report and, if necessary, to adopt the consequent disciplinary measures and/or to the end of any disputes initiated following the report.

RIGHTS OF THE DATA SUBJECT

The rights referred to in Articles 15-22 of EU Regulation 2016/679 may be exercised within the limits of the provisions of Article 2 undecies letter f) of Legislative Decree No. 196 of 30 June 2003. Article 2 undecies, entitled “Limitations on the rights of the data subject” establishes that the rights provided for by EU Regulation 2016/679 in articles 15-22 cannot be exercised by request to the data controller, if the exercise of these rights may result in an actual and concrete prejudice to the “confidentiality of the identity of the person reporting violations of which he or she has become aware by reason of his or her employment relationship or the functions performed, pursuant to the Legislative Decree implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, or reporting breaches pursuant to Articles 52-bis and 52-ter of Legislative Decree No. 385 of 1 September 1993, or Articles 4-undecies and 4-duodecies of Legislative Decree 24 February 1998, No. 58.” (provision introduced into the Privacy Code by the same decree 24/2023 and which will be effective from 15 July 2023).

If you believe that your rights have been violated, you have the right and the right to lodge a complaint with the Data Protection Authority: www.garanteprivacy.it

DATA CONTROLLER

The data controller is: AC. MO SRL, with registered office in via F. Michelini Tocci 93 – 00136 ROME (RM) which can be contacted at the addresses indicated in this policy.

rev. 22.01.2026