An external report may be made through the channels established by the competent authorities if at least one of the following conditions is met:
- an internal report has not been followed up;
- there are reasonable grounds to believe that an internal report would not be effectively followed up or it could lead to a risk of retaliation against the reporting person;
- there are reasonable grounds to believe that the violation may constitute an imminent or manifest danger to the public interest.
The following are the reporting channels currently set up by the competent authorities for the activities of MBFACTA, in force at the time of publication of this notice.
It is advisable to consult the websites of the authorities directly in order to check for any additional external reporting requirements and updates on the reporting channels.
| Authority | Website |
| --- | --- |
| ANAC | https://www.anticorruzione.it/-/whistleblowing |
| ECB – European Central Bank | https://www.bankingsupervision.europa.eu/banking/breach/html/index.en.html |
| Bank of Italy | https://www.bancaditalia.it/compiti/vigilanza/whistleblowing/index.html |
As far as possible, MBFACTA undertakes to protect the confidentiality of the reporting person and to protect them against retaliation, even in the case of an external report.
8. Data protection information notice
Information notice pursuant to Articles 13 and 14 of EU Regulation 2016/679 and current national legislation on personal data protection - Reports of violations of national and European regulations (so-called whistleblowing)
Please be informed that, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR") and the current national legislation on personal data protection (hereinafter, together with the GDPR, the "Privacy Regulations"), MBFACTA S.p.A., with registered office in Milan, Via Siusi 7 (hereinafter, the "Company" or the "Controller"), as the Data Controller, is required to provide information regarding the use of your personal data.
The Controller may process your personal data within the channels established in compliance with applicable regulations to allow for the reporting of violations of national and European regulations that harm the public interest or the integrity of the Company (so-called whistleblowing), as well as for the management of such reports.
This information notice should be read in conjunction with the "Whistleblowing Notice" and, for employees, the "Politica su Whistleblowing", which contain information on the violations that can be reported, the conditions for making a report, and the protections provided by the applicable regulations for individuals involved in the reporting.
This information notice applies to individuals reporting the aforementioned violations, individuals reported as alleged offenders, individuals involved in the violations, and individuals aware of the facts or mentioned in the report.
Purpose and methods of processing: The Controller may process personal data for the receipt and management of reports, including the investigation and examination thereof, the application of corrective measures, monitoring their implementation, and updating the reporter on the results of the proceedings.
The processing of data is carried out through manual, computerized, and telematic tools strictly related to the stated purposes, ensuring the security and confidentiality of the data, in compliance with the provisions of the current legislation.
Legal basis: the processing activities are carried out based on a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR), as provided by the applicable regulations regarding whistleblowing. If special categories of data are provided within a report, the Controller will process them based on the following exceptions provided for in Article 9 of the GDPR: (i) the necessity of fulfilling obligations and exercising specific rights of the Data Controller or the data subject in the field of employment law, social security, and social protection (Article 9(2)(b) of the GDPR); and (ii) the necessity of establishing, exercising, or defending legal claims or whenever the judiciary exercises its judicial functions (Article 9(2)(f) of the GDPR) concerning the processing of personal data necessary for litigation or pre-litigation purposes to assert or defend a right, including the rights of the Controller or a third party, in judicial, administrative, or arbitration and conciliation proceedings.
Categories of personal data and sources of data: based on the Controller's experience, the following personal data of the data subjects may be processed:
- identifying data;
- contact information;
- data relating to alleged reported conduct attributed to the reported party in which the data subject may be involved or of which they may be aware;
- images and other documentation attached to the reports;
- special categories of personal data, if contained in the reports;
- content of communications exchanged between the reporter and the parties handling the reports.
Personal data of individuals other than the reporter are usually provided by the reporter through the report or by other individuals involved (if they are interviewed during the investigation or examination of the reports).
Communication and dissemination of data: only authorized individuals of the Company, who may be involved in the analysis, investigation, or processing of the report, will have access to the data. However, the identity of the reporter and any other information from which their identity can be inferred may be disclosed to individuals other than the Company's employees or authorized external parties responsible for handling the report or conducting the investigation, only with the reporter's authorization or when required or legitimate under applicable regulations. In exceptional cases, if disclosing the identity is necessary for the defense of the reported party (in the context of disciplinary proceedings) or the involved individual (in internal procedures), the reporter will be informed in writing by the Company regarding the reasons for such communication. The confidentiality of information is also guaranteed to other parties involved, until the conclusion of proceedings initiated as a result of the report, and in compliance with the same guarantees provided to the reporter. However, if the reports are reported to the competent authorities, the obligation to keep the identity of the individuals involved or mentioned in the report confidential may be waived according to the methods and conditions provided by applicable regulations.
Furthermore, the data may be shared with the following external parties, depending on the case, acting either as independent data controllers or data processors:
- lawyers and consultants providing advisory or investigative services;
- judicial, supervisory, regulatory, or police authorities, in cases provided by law.
To the extent strictly necessary and subject to appropriate safeguards, the data may also be processed by companies providing information systems to the Controller and/or companies involved in their maintenance and security.
Personal data will not be disclosed, transferred outside the European Economic Area, or subject to fully automated decision-making processes.
Data retention: in accordance with the principles of proportionality and necessity, personal data will be kept in a form that allows the identification of the data subjects for the time necessary to process the report, but no longer than five years from the date of communication of the final outcome of the reporting procedure to the reporter. Specific legal obligations or the subsequent need for the Controller to act or defend itself in legal proceedings may require the processing and retention of data for additional periods.
Mandatory provision of data: it is possible to submit a report anonymously or non-anonymously. In the case of an anonymous report, the Controller may not be able to effectively investigate the report and adequately protect the confidentiality of the identity. Therefore, if applicable, we invite you to report any violation by providing all the requested information (including your identity), allowing the Controller to request further information. In any case, the Controller will ensure that all personal data processed in the context of the report remains strictly confidential.
Data subject rights: You have the right to obtain confirmation of the existence or non-existence of your data at any time and to know their content and origin, verify their accuracy, or request their integration, updating, or rectification (Articles 15 and 16 of the GDPR). Furthermore, you have the right to request erasure, restriction of processing, and data portability, to withdraw consent, to lodge a complaint with the supervisory authority, and to object to their processing in any case, for legitimate reasons (Articles 17 et seq. of the GDPR).
These rights can be exercised by written communication to be sent to: privacy@mbfacta.it.
The Controller, also through the designated structures, will take charge of your request and provide you with information concerning the actions taken regarding your request, without undue delay. However, please note that the exercise of your rights may be limited or excluded, as provided by Privacy Regulations, if the exercise of such rights could result in an actual and concrete prejudice to the confidentiality of the reporter's identity.
Data Controller and Data Protection Officer: the data controller is MBFACTA S.p.A. with its registered office in Milan, Via Siusi 7.
MBFACTA has appointed a Data Protection Officer. The Data Protection Officer can be contacted at the following addresses: dpo.mediobanca@mediobanca.com; dpomediobanca@pec.mediobanca.com.
Last update March 2024