Information for the processing of personal data deriving from the management of reports

1. Data controller and data protection officer

The Data Controller is Italdesign Giugiaro S.p.A., with registered office in Turin, via San Quintino 28 and operational headquarters in Moncalieri (TO), via Achille Grandi 25, which can be contacted by writing to or by sending a registered letter to the attention of the Legal & Governance Manager, c/o Italdesign – Giugiaro S.p.A., via Achille Grandi, 25, Moncalieri (TO).

The Data Protection Officer (DPO) can be contacted by sending an email to

2. Categories of data subjects

Data subject is the identified or identifiable natural person to whom the personal data refers (see Article 4, paragraph 1, no. 1 GDPR).

For the purposes of this information pursuant to art. 13 GDPR, the following are considered as data subjects, and, therefore, the subjects to whom this information is addressed:

  • the reporting person: the natural person who reports on breaches acquired in his or her work context;
  • the facilitator: a natural person who assists a reporting person in the reporting process, operating within the same work context and whose assistance must be kept confidential and any other person for whom protection under the legislation must be guaranteed;
  • the affected person: the natural person mentioned in the report as the person to whom the breach is attributed or as a person otherwise involved in the reported breach.

3. Object of the data processing

The Data Controller will process the personal data of the data subjects described below:

  • identification and contact data, such as name and surname, e-mail address or telephone number;
  • data relating to the relationship with the Data Controller;
  • other data that will be entered by the reporting person in the compilation of the reporting form or subsequently acquired by those who handle reports as part of the preliminary activity.

In the management of reports, data belonging to special categories of data referred to in Article 9 GDPR, as well as data relating to criminal convictions and crimes pursuant to art. 10 GDPR, may be processed.

4. Purpose and legal basis of the processing

The Data Controller will process the personal data of the data subjects only for the following purposes:

  • taking charge of the report by those who handle reports,
  • sending any requests and/or receiving feedback to requests sent by the whistleblower and by those who handle reports,
  • preliminary management: carrying out checks on the validity of the report,
  • management of the consequent measures, also from a disciplinary point of view.

The legal basis of the aforementioned processing can be found in the fulfillment of the legal obligation pursuant to Article 6, paragraph 1, letter c) of the GDPR as described in Legislative Decree no. 24/2023.

The legal basis is also found, with regard to the processing of special categories of data, in Article 9, paragraph 2, letter b) of the GDPR as the processing is necessary to fulfill the obligations and exercise the specific rights of the data controller or the interested party in the field of labor law and social security and social protection, as well as in Article 9, paragraph 2 letter g) of the GDPR as the processing is necessary for reasons of important public interest on the basis of art. 2-sexies of Legislative Decree no. 196/2003.

The processing of judicial data that may be necessary for the management of the report received is legitimate on the basis of art. 10 GDPR in correlation with art. 2-octies of Legislative Decree no. 196/2003.

5. Processing methods and storage times

The personal data of the data subjects will be processed by the Data Controller pursuant to art. 5 of the GDPR and in compliance with the principles of lawfulness, correctness and transparency.

The personal data of the data subjects will be kept for a period of time not exceeding five years from the closing date of the investigation relating to the report. If the Data Controller has documented the need to keep the data for a period exceeding five years (for example in the event that the cancellation may compromise the legitimate right of defense), further storage may take place by limiting access to the data only to those responsible for the Legal function until the closure of the related litigation.

It is understood that personal data that are manifestly not useful for the processing of a specific report are not collected or, if collected accidentally, are deleted immediately.

In any case, the adoption of all appropriate technical and organizational measures to guarantee the security of personal data pursuant to the GDPR is ensured.

6. Recipients of the data

The personal data of the data subjects are made accessible to internal subjects, belonging to Group functions, or to third parties who provide services necessary for the fulfillment of the purposes referred to in point 4, who will be authorized to process the data by the Data Controller or expressly designated as Data Processors.

The reporting person is also informed that the data concerning him/her cannot be communicated to persons other than those competent to receive or follow up on reports, expressly authorized to process such data pursuant to articles 29 and 32, paragraph 4, of the GDPR and article 2-quaterdecies of Legislative Decree no. 196/2003, without his/her express consent.

Furthermore, subject to the express consent of the reporting person to the disclosure of his identity, the data referable to him may be communicated as part of the disciplinary proceedings instituted against the reported person, if the complaint is based, in whole or in part, on the report and knowledge of the identity of the reporting person is indispensable for the defense of the accused. Otherwise, the report will not be usable for disciplinary proceedings.

The personal data of the data subjects may also be disclosed to public entities, for the fulfillment of legal obligations or to satisfy requests from judicial or public security authorities.

7. Data transfer

The personal data of the data subjects will not be transferred to non-EU countries. Where this is necessary, however, the Data Controller ensures compliance with one of the conditions set out in Chapter V of the GDPR.

8. Rights of the data subjects

In relation to the purposes of processing and as an interested party, you may exercise the following rights at any time:

  1. Right of access to personal data (Article 15 GDPR): obtain confirmation of the existence or not of processing of personal data concerning you, as well as obtain a copy of the aforementioned data;
  2. Right of rectification (art. 16 GDPR): obtain, without undue delay, the correction of inaccurate personal data concerning you and the integration of incomplete personal data or cancellation;
  3. Right to cancellation (art. 17 GDPR): obtain from the Data Controller the cancellation, without undue delay, of data concerning you, in the cases provided for by the GDPR;
  4. Right to limit processing (Article 18 GDPR): obtain from the Data Controller the limitation of processing, in the cases provided for by the GDPR;
  5. Right to portability (art. 20 GDPR): receive in a structured format, commonly used and readable by an automatic device, the personal data concerning you and to obtain that the same are transmitted to another holder without impediments, in the cases provided for by the GDPR;
  6. Right to lodge a complaint with the supervisory authority (art. 77 GDPR): lodge a complaint with the Guarantor Authority for the protection of personal data.

It should be noted that the requests made by each interested party may be denied in the cases provided for by current legislation. In any case, the Data Controller will provide feedback to the interested party within thirty days of receipt of the request, possibly giving evidence of the reasons for the refusal. The rights referred to in articles 15 to 22 of the GDPR may be exercised within the limits of the provisions of article 2-undecies of Legislative Decree no. 196/2003. A case that justifies the refusal is that in which the exercise of these rights may cause an effective and concrete prejudice for the conduct of defensive investigations related to the management of reports or for the exercise of the right in court by the Data Controller and/or third parties limited to this period of time.

9. How to exercise your rights and communications

To exercise the rights referred to in the preceding paragraph, it is possible to use the reporting channels provided for by the Procedures.
In any case, for any question relating to the processing of personal data, it is always possible to contact the DPO at


The Data Controller

Italdesign-Giugiaro S.p.A.