Change place of delivery

Privacy policy Whistleblowing

Privacy Policy - Whistleblowing


Pursuant to Articles 13 and 14 of Regulation (EU) no. 2016/679 (General Data Protection Regulation, hereinafter GDPR) and Legislative Decree 24/2023 Peck S.p.A. (hereinafter the Company or the Data Controller) hereby provides information on the processing of Personal Data carried out in relation to the management of Whistleblowing Reports, governed by the Company's Whistleblowing Policy.


1) Categories of Personal Data

Considering that the provision of Personal Data by the Whistleblower is optional, since the Whistleblower also has the option of making an anonymous report, the Personal Data that can be provided by the Whistleblower are:

a) Whistleblower’s Personal Data referred to in Article 4, point 1, of the GDPR (in the case of non-anonymous Reports) as well as of any Persons involved in or mentioned in the Report and Facilitators, as defined by the Whistleblowing Policy (hereinafter "Data Subjects"), such as: personal data (e.g. name, surname, date and place of birth), contact data e.g. landline and/or mobile telephone number, postal/e-mail address).

(b) Special categories of data referred to in Article 9 of the GDPR (by way of example but not limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data relating to a person's health or sexual life or sexual orientation and judicial data, such as criminal convictions and offences), if included in the report.

c) Data relating to criminal convictions and offences or related security measures, as referred to in Article 10 of the GDPR, if included in the alert..

2) Purposes of the processing and related legal basis

The aforementioned Personal Data are processed by the Data Controller for the following purposes

(a) correct and complete management of the investigative activities necessary to assess the merits of reports of offences or irregularities of which the Whistleblower has become aware in the context of the employment relationship with the Controller or in the performance of administrative, control, supervisory or representative functions pursuant to Legislative Decree No. 24/2023;

b) fulfilment of obligations provided for by law or EU regulations;

c) defence or ascertainment of a right in civil, administrative or criminal litigation;

d) (processing which only concerns whistleblowers and, in particular, data allowing, directly or indirectly, their identity to be inferred) disclosure of the identity of the whistleblower for the purposes of defending the reported person or the person involved in any disciplinary proceedings based on the whistleblower's report.

(e) (processing affecting only the Whistleblower during an oral meeting, in particular concerning all the information transmitted during the course of the report, including data allowing the identity of the Whistleblower to be inferred, directly or indirectly) transcription or recording on a device suitable for recording and listening. In the case of written minutes, the Whistleblower may in any case verify, rectify or confirm the minutes of the meeting by signing them; 

The legal basis for the processing is:

- for the purposes referred to in point (a), by the fulfilment of a legal obligation to which the Data Controller is subject (Art. 6(1)(c) of the GDPR); in addition, for recorded reports collected by telephone or via voice messaging systems or otherwise in oral form, by the consent of the Reporting Party (Art. 6(1)(a) of the GDPR)

- for the purposes referred to in point b), by the fulfilment of a legal obligation to which the Data Controller is subject (Art. 6(1)(c) of the GDPR).

- for the purposes referred to in point c), by the legitimate interest of the Controller (Art. 6(1)(f) of the GDPR)

- for the purposes referred to in points d) and e), by the data subject's provision of consent to the processing of his/her personal data for one or more specific purposes (Art. 6(1)(a) of the GDPR). In these cases, the data subject will be able to give or withhold such consent following written sharing by the Data Controller of the reasons that would require the aforementioned disclosure of identity;


The provision of data is necessary for the achievement of the above purposes; failure to provide such data, in part or inexactly, may result in the impossibility of handling the report..


3) Retention of personal data

Peck S.p.A. shall retain personal data according to the terms provided for in Article 14 of Legislative Decree no. 24/2023, i.e. for the time necessary to process the report and in any case for no longer than 5 years from the date of communication of the final outcome of the reporting procedure. Personal data that are clearly not useful for the processing of a specific report are not collected or, if accidentally collected, are promptly deleted. This is without prejudice to cases where processing is authorised by law or by a provision of the Italian Data Protection Authority (hereinafter, the 'Garante') or in any case by order of the Public Authority.


4) Modalities and logic of the processing

Data processing is carried out manually and/or by means of computerised and telematic automated tools with logics related to the above-mentioned purposes and, in any case, in such a way as to guarantee security and confidentiality.

The Whistleblowing management system guarantees, at every stage, the confidentiality of the identity of the Whistleblower, of the Persons involved and/or in any case mentioned in the Whistleblowing, of the content of the Whistleblowing and of the relevant documentation, without prejudice to the provisions of Article 12 of Legislative Decree no. 24/2023.

The personal data of the persons concerned will not be transferred outside the European Union.. 


5) Data Controller, Data Protection Officer and categories of persons authorised to process data

The Data Controller of personal data processing is Peck S.p.A., with registered office in via Spadari 9 - 20123 Milan.

The Data Controller has appointed a Data Protection Officer, who can be contacted at the following address:


6) Categories of third parties to whom data may be disclosed

Some processing operations may be carried out by other third parties, to whom Peck S.p.A. entrusts certain activities (or part of them) for the purposes referred to in point 2); these subjects will operate as autonomous Data Controllers or will be designated Data Processors and are essentially included in the following categories

(a) Whistleblowing Manager

b) Consultants (Organisation, Litigation, Law firms, etc.)

c) Companies in charge of personnel administration and management

d) Auditing companies

e) Investigation Agencies

f) Public Institutions and/or Authorities, Judicial Authorities, Police Bodies.

7) Rights of the interested parties

The data subject, in the persons of the Reporting Party or the Facilitator, has the right to access at any time the data concerning him/her and to exercise the rights provided for in Articles 15 to 22 of the GDPR, insofar as applicable (right of access to personal data, right to rectify them, right to obtain their deletion or so-called right to be forgotten, right to restriction of processing, right to portability of personal data or right to object to processing), by sending an e-mail to the address:

In addition, should he consider that the processing concerning him violates the Regulation, the data subject has the right to lodge a complaint with the Garante per la Protezione dei dati Personali, with offices in Piazza Venezia n. 11, 00187 - Rome (


The aforementioned rights may not be exercised by the person concerned or by the person mentioned in the report, for as long as and to the extent that this constitutes a necessary and proportionate measure, pursuant to Article 2-undecies of Legislative Decree No. 196/2003 as amended (hereinafter, Privacy Code), as the exercise of such rights could result in actual and concrete prejudice to the protection of the confidentiality of the identity of the person reporting the matter.

In cases where it is not possible to exercise such rights directly, data subjects may still exercise them through the Garante, in the manner set out in Article 160 of the Privacy Code. In such cases, the Garante shall inform the person concerned that it has carried out all the necessary checks or that it has conducted a review, as