Privacy policy for processing of data related to reports of presumed unlawful conduct in accordance with Legislative Decree No. 24/2023, referred to as “WHISTLEBLOWING”



Pursuant to Regulation 2016/679/UE (General Data Protection Regulation), the company F.lli Menabò srl (VAT no. 00176860351), in the person of its legal pro-tempore representative with registered office in Via 8 Marzo, no 3, Cavriago (RE) – email address: – certified email: – tel. 0522 1750280 - 0522 942840, is providing the following information on the processing of personal data related to the reception and management of whistleblowing reports.

The whistleblowing procedure is published on the corporate website of the Data Controller:    through the following link: https://

The privacy policy is an integral and substantial part of the “Whistleblowing procedure” applied by the Data Controller.

The company F.lli Menabò srl, as Data Controller, is the entity that "determines the purposes and means of the processing of personal data" (Article 4, no. 7 of the General Data Protection Regulation - GDPR) regarding the “Whistleblowing procedure”.

With Legislative Decree No. 24 of 10 March 2023, Italy implemented Directive (EU) 2019/1937 of the European Parliament and of the European Council concerning the protection of individuals who report violations of Union law and violations of national legislative provisions. EU legislation aims to harmonize individual national legislations regarding whistleblowing through the introduction of adequate protection for individuals in enterprises of both the public and private sector who intend to report misconduct of various kinds (administrative, accounting, civil or criminal) of which they have, clearly, become aware in the course of their work activities.

Legislative Decree 24/2023 has widened the subjective scope of the whistleblowing discipline, extending the protection previously provided solely for employees to include freelancers, self-employed professionals, paid and unpaid trainees, interns, clients, suppliers, business partners, distributors, agents, shareholders, administrators, management, individuals in supervisory and/or control bodies, former employees, former collaborators, individuals in the selection phase and all other individuals specifically indicated by Legislative Decree 24/2023.

Those who receive and manage reports are required to ensure absolute confidentiality for the whistleblowers and the individual reported, as well as for the content of the reports. We wish to make it clear that there will be no negative consequences for those who, in good faith, have made a report, and the confidentiality of the whistleblower's identity is ensured according to specific internal procedures, subject to legal obligations.

  1. DATA CONTROLLER: The Data Controller is the Company F.lli Menabò srl (VAT no. 00176860351), represented by their pro-tempore legal representative, with registered office in Via 8 Marzo, no. 3, Cavriago (RE) – email addresses: – Certified email: – tel. 0522 1750280 - 0522 942840
  2. SUBJECT OF PROCESSING AND REPORTING CHANNELS: The data controller will process your personal identification and contact information, as well as any other data voluntarily provided by you in the report or in the accompanying documentation. There is also the possibility that the Data Controller will process special categories of data, as referred to in Articles 9 and 10 of the GDPR.

 You can make a report by one of the following methods (written or oral):

In written form, through the dedicated internet channel/web platform at the link:  https://

  • by completing the special form; 
  • in verbal form, with a report in audio format, which can be submitted through the web platform where the whistleblower can record a voice message.

The platform provider is designated as the processor pursuant to Article 28 of the GDPR under a specific contract signed by the parties; pursuant to Article 28 of the GDPR, the Processor has a general authorization to appoint sub-processors for data processing on behalf of the Client, for whom they will be fully responsible.

The reporting system through the platform operates as follows:

  a) in writing with form completion: you can submit the report through a dedicated web page, filling out the appropriate form; the report can also be submitted anonymously if you prefer not to disclose your identity; the person designated and authorized to receive the report (the so-called whistleblowing manager) receives a notification and, at this point, examines the report received, acknowledges its receipt to the whistleblower within the legal terms (7 days) and conducts the relevant investigation if the report is deemed to be grounded;
  b) verbally, with a report in audio format submitted by recording a voice message through the platform.

The recipient who receives and manages the report lodged by the whistleblower in writing or verbally shall be a person from outside the Data Controller's organization acting autonomously (whistleblowing manager). The dedicated internet channel guarantees confidentiality for the whistleblower, the individuals mentioned in the report and the content of the report. The Whistleblowing procedure is designed to ensure protection against retaliatory or discriminatory conduct in every phase, in addition to the confidentiality/privacy of the report.

It should also be noted that in special cases, the data subject may make a report through the external ANAC (Italian National Anti-Corruption Authority) channel, may resort to public disclosure or report the case to the judicial authority.

  3. LEGAL BASIS FOR DATA PROCESSING: The Data Controller will process the personal data you supply for the following purposes only:
  • management of the report by the recipients (whistleblowing manager);
  • sending requests and/or receiving responses to requests sent by the whistleblower and by the recipients of the report;
  • investigation management: verifying the validity of the report;
  • providing feedback on the outcome of the report;
  • prevention and repression of unlawful acts, including disciplinary measures.

The legal basis for the aforementioned processing activities is fulfilment of the legal obligation provided for by Legislative Decree no. 24/2023 as well as the Data Controller's legitimate interest in preventing and repressing unlawful acts and, if necessary, protecting the rights and legitimate interests of the Data Controller and/or third parties, including in judicial proceedings (Article 6 (1) (f) of the GDPR). As regards the processing of special categories of data, the legal basis is found in Article 9 (2) (b) of the GDPR, as processing is necessary for the fulfilment of specific obligations and the exercise of specific rights of the data controller or the data subject in the area of labour law, social security and social protection, as well as in Article 9 (2) (g) of the GDPR, as processing is necessary for reasons of substantial public interest.

  4. STORAGE PERIOD: Your personal data will be kept for the time necessary for the processing of the report and in any case for a period not exceeding 5 years from the end of the investigation relating to the report. In any case, you are guaranteed that every technical and organizational measure adequate to ensure the security of personal data will be applied in accordance with the GDPR. Following the expiration of the five-year period, if there is a need to retain the data for judicial or extrajudicial protection, and/or for any disciplinary, criminal, civil proceedings, etc., the data may be retained, even beyond the limit of 5 years from the date of closure of the report.

Your personal data will be processed in accordance with Article 5 of the GDPR and in compliance with the principles of lawfulness, fairness, and transparency. The processing of your personal data is carried out either in paper or electronic format, as well as verbally, using procedures, tools and logic designed to ensure the security and confidentiality of the data. The whistleblowing management system ensures, at every stage, confidentiality for the content of the report (including information about any individuals and/or third parties indicated by the whistleblower) and for the identity of the Whistleblower, also through the use of encrypted communications.

There will be no confidentiality of the content of the report and the identity of the whistleblower in the following cases:

  • if the Report is found to be groundless and made solely to harm the reported party or due to serious imprudence, negligence or incompetence of the Whistleblower;
  • if anonymity is not enforceable by law (e.g., criminal investigations, inspections by supervisory authorities, etc.);
  • if the Report discloses facts that, although unrelated to the company's operations, warrant reporting to the Judicial Authority (e.g., terrorism, espionage, attacks, etc.).

  5. CONFIDENTIALITY OF WHISTLEBLOWER’S IDENTITY: the whistleblowing procedure applied by F.lli Menabò srl is structured in a way that protects the identity of the whistleblower. Should it be necessary, in cases strictly provided by law (Article 12, paragraphs 2 and 5 of Legislative Decree 24/2023), to disclose the identity of the whistleblower or any other information from which the identity of the whistleblower could be directly or indirectly inferred, the reporting manager will ask the whistleblower, and only at that moment, if they consent to disclosure of their identity (e.g. such necessity could arise to ensure defence rights to the individual reported who is involved in the disciplinary proceedings). It will be the reporting manager who asks for the whistleblower's explicit consent through a specific request.
  6. DATA RECIPIENTS: Your data will be made accessible to the platform provider responsible under Article 28 of the GDPR, to any subcontractors thereof, to authorized parties under Article 29 of the GDPR operating under the authority of the controller and any subcontractor, as well as to authorized parties under Article 29 of the GDPR operating under the authority of the Controller, based on specific instructions provided regarding the purposes and methods of data processing, as well as to external parties receiving and managing reports with autonomy from the Data Controller's organization. A complete list of external Data Processors and authorized data processors is constantly updated and available at the headquarters of F.lli Menabò srl. Your personal data may also be disclosed to public entities, to fulfil legal obligations or satisfy requests from judicial authorities or public security.
  7. DATA TRANSFER: The Data Controller will not transfer personal data outside the EU territory. The servers are located within the EU. Nevertheless, the Data Controller reserves the right to use cloud services, in which case the service providers will be selected among those who provide adequate guarantees in accordance with Article 46 of the GDPR.
  8. RIGHTS OF THE DATA SUBJECT: In relation to the processing purposes and as a Data Subject, you may exercise the following rights:
  • Right of access to personal data (Article 15 GDPR): to obtain confirmation as to whether or not personal data concerning you is being processed, as well as to obtain a copy of such data;
  • Right to rectification (Article 16 GDPR): to obtain, without undue delay, the rectification of inaccurate personal data concerning you and the completion of incomplete personal data or erasure;
  • Right to erasure (Article 17 GDPR): to obtain from the Data Controller the erasure, without undue delay, of personal data concerning you, in the cases provided by the GDPR;
  • Right to restriction of processing (Article 18 GDPR): to obtain from the Data Controller restriction of processing, in the cases provided by the GDPR;
  • Right to data portability (Article 20 GDPR): to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance, in the cases provided by the GDPR;
  • Right to object (Article 21 GDPR): to object at any time to the processing of personal data concerning you for reasons related to your particular situation;
  • Right to lodge a complaint with the supervisory authority (Article 77 GDPR): to lodge a complaint with the data protection authority.

It should be noted that requests made by a Data Subject may be rejected in cases provided by current regulations.  In any case, the Data Controller will provide a response to the Data Subject, explaining the reasons in the event of rejection. A ground for rejection is where the exercise of such rights may cause actual and concrete prejudice to the conduct of defensive investigations related to the management of reports or to the exercise of rights in judicial proceedings by the controller and/or third parties, limited to that period of time.


The data subject may exercise their rights in accordance with Article 12 of EU Regulation 2016/679, by sending a registered letter with return receipt to: F.lli Menabò srl, with Registered Office in Via 8 Marzo, no. 3, Cavriago (Reggio Emilia), or by email to the following address: or certified email to the following address:

You are also entitled to lodge a complaint with the Data Protection Authority in accordance with article 13 (2) (d) of the above regulation as well as article 77 of the regulation.

The rights set forth in Articles 15 to 22 of the Regulation cannot be exercised by making a request to the data controller or by filing a complaint under Article 77 of the Regulation, if exercising such rights could result in actual and concrete prejudice to the interests listed in Article 2-undecies of Legislative Decree no. 196 of 30 June 2003, as amended and supplemented.