As set forth by the Italian Law – notably the Decreto Legislativo 24/2023 on the protection of persons who report breaches of national and Union law –, Biffi Boutiques S.p.A. has set up an internal reporting channel, accessible at the following web address: Biffi Boutique Spa - Reclami , which allows also anonymous reporting.
Any natural person who became aware of breaches of National or Union law in the context of his or her work-related activities (regardless being an employee of the Company) is, then, invited to report any information about such breaches to the Company using the internal reporting channel. Please note that the expression “breach of National or Union law” stands for (i) any breaches of criminal law; (ii) any breaches of Company interest and (iii) any breaches affecting the public interests.
While the reporting person is free to decide whether to provide his or her personal data, the Company is committed to safeguarding the confidentiality of all the information (and so even personal data) provided in the reports.
For a better understanding on how the personal data are processed following an internal reporting, in accordance with Regulation (EU) 2016/679, article 13, the Company provides a proper statement.
PRIVACY STATAMENT
on reporting alleged wrongdoings (as per D.lgs 24/2023)
Biffi Boutique S.p.A. (“Biffi”) is aware of the importance to protect personal data. Thus Biffi declares to process the personal data involved in reports on alleged wrongdoing – as per the Italian Law, D.l.gs. 24/2023 - (“Reports”) in accordance with the relevant legislation.
Notably, in accordance with Articles 13 and 14 of Regulation (EU) No. 2016/679 (“Regulation”), Biffi provides the following information concerning the processing of personal data and reserves the right to update such statement upon communication to the data subjects.
1. Types of data collected. To manage a submitted Report, Biffi shall process the personal data therein involved and related to the reporting person (if not anonymus) as well as to any other person mentioned in the Report (such as witness, concerned person, facilitator, etc…) (“Data” and “Data Subjects”). Data may be gathered both from the Report and during the further investigation made by Biffi. The following types of data shall be processed: (i) identification data (such as name and surname); (ii) contact details (phone number and e-mail address); (iii) any further data collected in the Report and in the further investigation activities.
2. Purpose and legal basis of the processing. Biffi shall process the Data for the following purposes:
a. to manage the Report and carry out following investigation activities. Such processing is made according to the legals basis set forth by Art. 6 (1)(c) of the Regulation and by Art. 3 of the Italian Law, D.lgs. 24/2023, plus – if special categories of Data are involved – by the additional condition set forth by Article 9(2)(b) of the Regulation since it is necessary to carry out the obligations and exercising specific rights of Biffi or of the Data Subject in the field of employment and social security and social protection law in so far as it is authorised by national law;
b. to exercise or defend a legal claim before a judicial court. Such processing is made according to by the legals basis set forth by Art. 6 (1)(f) of the Regulation and – if special categories of Data are involved – by the additional condition set forth by Article 9(2)(f) of the Regulation, since the processing is necessary to establish, exercise or defend a legal claim.
3. Data retention period. Biffi shall retain the Data for the time necessary to manage the Report and carry out any eventually related investigation activities. To this aims the Data shall be retained for no more than 5 years since the closure of the investigation activities has been communicated.
Once elapsed such terms, the Data shall be cancelled except for those necessary to comply with administrative or to comply with other legal obligations and to document the activities performed. These Data will be deleted within the terms and in accordance with the above regulations.
4. Modalities of data processing. Duly authorised personnel shall process the Data on behalf of Biffi, by electronic means, stored on any suitable device and organised in a database. Specific security measures shall be implemented to prevent the loss of the Data, as well as any illegal or incorrect use thereof and unauthorised access thereto. The processing of the Data shall not involve automated decision-making methods.
5. Providing Data. The provision of Data for purposes referred to in Section 2 is not necessary, since the reporting person may submit anonyms reports as well. In such cases, however, Biffi may not be able to inform the reporting person on any updates on the Report submitted or to contact him/her for further clarification (if necessary).
6. Communication of Data. Data can be disclosed to (i) subjects having the right and interest to access the personal data of the Data Subjects under national or EU laws; (ii) companies, associations or professional firms that provide act on behalf of Biffi as “Data Processor” for the fulfilment of legal obligations as well as services for any other organisational and administrative requirements. The names of the Data Processors are reported in an updated list to be requested by using the contact details indicated in Section 9..
7. Transfer of Data to countries outside the European Economic Area (EEA) or to international organisations. Biffi shall not transfer Data outside the European Economic Area (EEA) or to international organisations.
8. Rights of Data Subjects. Data Subjects may at any time exercise their rights provided for in the Regulation as limited according to Art. 2 undecies D.lgs. 196/2003, including:
• to request information on: (i) origin of the Data; (ii) purposes and methods of processing; (iii) logic applied in the event of the use of electronic devices; (iv) the details of Biffi and of Processors;
• to obtain: (i) access to, the updating of, or the rectification or integration of the Data; (ii) the erasure, anonymisation or blocking of Data unlawfully processed; (iii) limitation of the processing of Data; (iv) a copy of the Data in standard format;
• to object, in whole or in part, to the processing carried out for the performance of a task of the public interest or in the exercise of official authority vested in Biffi or to pursue the legitimate interest of Biffi or of a third party;
• to revoke, at any time, the consent given and on the basis of which the processing has been allowed, without affecting the lawfulness of the processing already carried out on the basis of the consent given before revoking said consent;
• to submit a complaint to the supervisory authority of the Member State of their habitual residence or work, or to the place in which the alleged violation occurred, whenever they believe that the processing of their Data is against the law, the Data Subjects may submit.
The national Supervisory Authority can be contacted using the details provided on its own website.
9. Data Controller. The Data Controller is Biffi Boutique S.p.A. (VAT no. 05935720150), with registered office in Corso Genova, 6, 20123 – Milan - Italy, acting through its legal representative pro tempore.
Data Subject may submit their request – even to exercise the above-mentioned rights – by e-mail to: privacy@biffi.com.