Whistleblowing Privacy

INFORMATION NOTICE PURSUANT TO ARTICLES 13 AND 14 OF REG. EU 2016/679

(GDPR - GENERAL DATA PROTECTION REGULATION)


DATA SUBJECTS TO WHOM THIS INFORMATION IS ADDRESSED

Whistleblower (or reporter) is the natural person who reports alleged unlawful conduct pursuant to Law 231/01 through the “whistleblowing” channels provided by the company.
Reported Person (or accused) is the natural person who is the subject of the report, accused of the aforementioned alleged violations.
Third Party is a natural person, other than the whistleblower and the reported person, whose personal data may be included in the report or acquired.

Health and Happiness (H&H) Italy, a company registered with the Milan Companies Register (no. 10223130963), with registered office at Viale Sarca, 235, Tax Code and VAT no. 10223130963 (“H&H”), through its legal representative pro tempore, as the “Data Controller” of personal data processing, hereby informs you about the features and methods of processing personal data provided through the “Unlawful Conduct Reporting Platform”, or through the traditional channel by sending a communication to the addresses indicated in the Whistleblowing Procedure adopted by the company and available to employees on the corporate intranet and, in any case, on the company's website www.swisse.it.

The personal data provided by the whistleblower when submitting the report and the information contained in the reports and any attached documents, as well as data possibly acquired during the investigation by the designated body, will be processed in accordance with the principles of fairness, lawfulness, transparency, and protection of confidentiality and the rights of all data subjects (whistleblower, reported person, and any involved third parties), in compliance with privacy regulations and Law no. 179 of November 30, 2017, “Provisions for the protection of individuals who report crimes or irregularities of which they have become aware in the context of a public or private employment relationship.”

As suspected violations may also be reported anonymously via the platform adopted by the company, individuals who submit them are not required to disclose their personal data. However, anonymous reporting may expose the whistleblower to potential retaliation by the reported person, without allowing the Company to apply the protection tools provided for non-anonymous but still confidential reports. Furthermore, it will not be possible to use anonymous reports for managing any disciplinary proceedings against the reported person, except for evidence obtained by the investigating body during independent investigations.

However, even in the case of anonymous reports, it cannot be excluded that, during their review, the designated body may receive information containing identifying data, professional data, or financial data regarding the aforementioned categories of data subjects (reported person, third parties), which will be processed in accordance with this information notice.

PURPOSE AND LEGAL BASIS OF DATA PROCESSING

The personal data provided by the whistleblower and acquired by the designated body during the investigation will be processed in relation to the obligations under the aforementioned Law 179/2017.

Specifically, such data will be processed for the following purposes:

- Managing the reports (ascertaining the facts reported). The primary legal basis for processing is the legitimate interest of the Data Controller [Art. 6 para.1 lit. f) GDPR] to align its organization with the changes introduced by the aforementioned whistleblowing law. This legitimate interest outweighs the right to personal data protection enjoyed by the data subjects, considering the significant objective pursued by legislation on the administrative liability of entities for predicate offenses.

- Managing any disciplinary proceedings based wholly or partly on the report. To ensure the right of defense of the accused, the information contained in the report may be used, together with other supporting evidence, in the context of disciplinary proceedings against the reported person. However, the whistleblower’s identity may only be disclosed in disciplinary proceedings – and thus also to the reported person – if such proceedings are based solely on the content of the report, in order to ensure the reported person's right of defense and only with the express consent of the whistleblower. The whistleblower's consent to disclose their identity in disciplinary proceedings is not mandatory, but refusal to give it will prevent proceedings against the reported person in cases based solely on the whistleblower’s statements.

TYPES OF DATA PROCESSED

The unlawful conduct reporting platform adopted by H&H only collects the identifying data of the whistleblower (if provided) and data included in the reports. However, the following personal data may be acquired during the procedure:

- identification document, any other contact details provided by the whistleblower;

- information on the reported person contained in the report or acquired during the investigation;

- information related to third parties that may be included in the report or in any attached or acquired documents during the investigation.

The identifying data of the whistleblower are stored in such a way as to be accessible only to the designated body managing the report. The company adopts all legal safeguards to protect the confidentiality of the whistleblower’s identity, so it will not be disclosed to third parties without the whistleblower’s express consent, except in cases of malicious or defamatory reports.

As stated in the Whistleblowing Procedure adopted by the company, reports must not contain excessive data, but only data necessary to demonstrate the validity of the report. Therefore, special categories of personal data or data revealing health status or judicial data will generally not be included. If such data are present in the reports and are not necessary to pursue the aforementioned purposes, the company will destroy them or, if not possible, obscure them, unless otherwise authorized by law or a measure of the Data Protection Authority.

DATA PROCESSING METHODS

Processing will be carried out in paper format for reports sent by regular mail and through the use of an IT platform accessible via the Company’s website at https://eu.deloitte-halo.com/HHspeakup/ from any browser (including mobile devices).

Processing will follow organizational and processing logic strictly related to the purposes mentioned above and in a way that ensures the security, integrity, and confidentiality of the data, in accordance with applicable organizational, physical, and logical security measures.

In particular, the transmission of data provided by the whistleblower via the platform is managed with HTTPS protocol. Encryption techniques are also applied, thus ensuring the confidentiality of the transmitted information.

Finally, note that the identifying personal data of the whistleblower are stored in such a way as to ensure their confidentiality. The association between the whistleblower's identity and the report can only be made by the designated body managing the reports.

DATA RETENTION PERIOD

Personal data relating to reports are stored and retained for the period necessary to complete the verification of the facts reported and for 5 years after the report is closed, unless proceedings (disciplinary, criminal, accounting) are initiated against the reported person or whistleblower (for malicious, false, or defamatory statements). In that case, the data will be retained for the duration of the proceedings and until the expiry of the appeal deadlines for the related decision. Reports deemed manifestly unfounded will be deleted without delay.

RECIPIENTS OF PERSONAL DATA

To pursue the purposes outlined above, the information sent through the unlawful conduct reporting platform is managed, under its own responsibility, by the Report Manager, the body appointed by the company as the recipient of the reports.

It is reiterated that only this body will have access to the identifying data of the whistleblower, collected at the time of the report submission. The members of the Report Manager’s team are bound by a strict confidentiality regime.

The reported data may also be processed by H&H employees who are authorized and act under the instructions of the Data Controller. Such data may also be processed by external consultants or service providers designated as Data Processors pursuant to Art. 28 GDPR, acting on instructions from the Data Controller, particularly with regard to adopting appropriate security measures to ensure data confidentiality and safety. Deloitte, which provides the platform and processes the information uploaded on it, is also included among the Data Processors. It should be noted that the provider supplies the infrastructure necessary for the platform’s implementation but does not access the contents (whistleblower identity, report subject, attached documents, messages exchanged between whistleblower and investigating body, etc.). The contents are encrypted and not accessible to the provider, even during maintenance.

Personal data contained in the reports may also be disclosed to the relevant H&H offices and/or Group companies for initiating judicial and/or disciplinary protection measures related to the report, or to the competent Authorities in the event of violations of applicable laws.

If the report does not fall under the competence of the Report Manager according to the procedure's objective scope definition, the data subject will be invited to forward it to the competent company area/body and/or the competent Authorities.