Pivacy policy on the processing of personal data of persons submitting reports via My Whistleblowing
---
1. DATA CONTROLLER
The data controller is Wonder Spa, with registered office in via N. Sauro 12, 26100 Cremona, VAT/Tax Code 00106500192.
2. DATA PROCESSED, PURPOSE AND LEGAL BASIS OF PROCESSING
Processing concerns only the following personal data:
- name;
- surname;
- email address.
The personal data collected are used for the sole purpose of handling the Whistleblowing report.
The legal basis for the processing of personal data is the legal obligation arising from art. 6 of Legislative Decree no. 231 of 2001, as amended by Law no. 179 of 2017, containing "Provisions for the protection of whistleblowers reporting offences or irregularities of which they become aware in a public or private employment relationship".
3. NATURE OF DATA PROVISION
This policy is provided pursuant to art. 13 of Legislative Decree 196/2003 of the Code regarding the protection of personal data (hereinafter, also, the "Privacy Code") and pursuant to art. 13 of Regulation (EU) no. 679/2016 (hereinafter, also, the "GDPR").
4. PLACES AND METHODS OF PROCESSING – PERIOD OF DATA STORAGE
Data are processed in Italy and are not transferred or disseminated abroad or in non-EU countries. No data are communicated or disclosed other than for statistical purposes and in any case anonymously and/or in aggregate form.
Personal data will be deleted within 5 years from their collection.
Personal data are processed using both automated and manual tools and for the purposes indicated above. Specific security measures are implemented to prevent data loss, illegal or incorrect use and unauthorised access.
5. AUTHORISED PERSONS, DATA PROCESSORS AND COMMUNICATION OF DATA
Employees tasked with investigating Whistleblowing reports and members of the Supervisory Body can access personal data pursuant to Legislative Decree no. 231/2001. Moreover, since Whistleblowing reports are submitted via the My Whistleblowing software, personal data may also be accessed by the provider of the aforementioned application, appointed for this purpose as data controller pursuant to art. 28 of the GDPR. In line with the principle of protecting the whistleblower’s confidentiality under Law 179/2017, personal data will be shared solely where strictly necessary, thereby ensuring the whistleblower’s confidentiality.
6. DATA TRANSFER TO NON-EU COUNTRIES
The data collected will not be transferred outside the European Union.
7. RIGHTS OF DATA SUBJECTS
In relation to their personal data, data subjects may:
a. (art. 7.3, Regulation (EU) 679/2016 – GDPR) withdraw their consent;
b. (art. 15, Regulation (EU) 679/2016 – GDPR) access and request a copy of their data;
c. (art. 16, Regulation (EU) 679/2016 – GDPR) request data rectification;
d. (art. 17, Regulation (EU) 679/2016 – GDPR) request data erasure ("right to be forgotten");
e. (art. 18, Regulation (EU) 679/2016 – GDPR) obtain restriction of processing;
f. (art. 20, Regulation (EU) 679/2016 – GDPR) receive data in a structured, commonly used and machine-readable format for the purpose of exercising their right to portability;
g. (art. 21, Regulation (EU) 679/2016 – GDPR) object to data processing.
Data subjects may exercise their rights and request further information regarding their personal data by sending an email to This email address is being protected from spambots. You need JavaScript enabled to view it., specifying the content of their request in the subject line and attaching the relevant request form which may be downloaded from the links available in the list above. Any breaches of the regulation must be reported on the appropriate platform that can be accessed from the page https://www.wonder.auto/en/contacts.
Requests regarding the exercise of data subjects’ rights will be processed without undue delay and, in any case, within one month from their receipt; such deadline may be extended by a further 2 (two) months only in particularly complex cases or due to the high number of requests.
Lastly, data subjects have the right (art. 77, Regulation (EU) 679/2016 – GDPR) to lodge a complaint with the Italian Data Protection Authority, based in Rome, Piazza Venezia 11, 00187, email This email address is being protected from spambots. You need JavaScript enabled to view it..
***
Last updated: December 20, 2023