1.    Introduction

Pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 on the “protection of natural persons with regard to the processing of personal data” (hereinafter also “GDPR”), and D.Lgs. 196/2003 and subsequent amendments, information is provided on the processing and use of the personal data of whistleblowers, of the person under investigation and of any other third parties (hereinafter referred to as ‘Data Subject’) involved in connection with the handling of reports governed by the whistleblowing procedure of  Università Cattolica del Sacro Cuore (hereinafter also “University”).

2.    Identity and contact details of the Data Controller

The Data Controller is Università Cattolica del Sacro Cuore (hereinafter also “Controller”), with registered office in Largo Agostino Gemelli 1, 20123 Milan, telephone (+39) 027234.1.

3.    Categories of personal data

"Personal data", as specified in Article 4 of the GDPR, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Subsequent to a non-anonymous report, the University, through its staff appointed for this purpose, may become aware of the following personal data (referring to the whistleblower or, possibly, to the reported person) - hereinafter “Data”:

• name and surname of the whistleblower together with other information that he/she freely releases such as telephone number, email address, postal address etc.;
• information on the reported person which may be entered in the appropriate channels activated by the University to enable the management of the report;
• data belonging to special categories (e.g. data relating to health status or trade union membership);
• judicial data.

Notwithstanding, the University will process these Data exclusively for purposes strictly connected with and instrumental to verifying the authenticity of reports or in order to fulfil specific legal obligations related to the purposes of the report.

4.    Purposes of  processing and legal basis

Data collected will be processed for the following purposes:

1. To carry out the obligations related to Italian Legislative Decree 231/2001 and Italian Legislative Decree 24/2023relating to reports of unlawful conduct that is relevant and based on precise and consistent factual elements, or violations of the Code of Ethics and the Organisation, Management and Control Model, as well as violations of national or European Union regulatory provisions that affect the public interest or the integrity of the University.
2. To manage the reports received, to ascertain the facts contained therein and to take the appropriate measures.
3. To enforce and/or defend the rights of the University in civil, criminal and/or administrative litigation cases.
4. To fulfil the purposes of security and protection of University assets.

The legal basis of the processing is constituted:

1. For purposes under a), by compliance with legal obligations;
2. For purposes under b), c) and d) by the legitimate interest pursued by the Controller.

5.    Processing methods

Data are processed manually, digitally and electronically applying logics strictly related to the purposes and, in any case, guaranteeing the security and confidentiality of the Data in compliance with the regulations in force.

6.    Data retention period

The University will process the Data for the time strictly needed to achieve the abovementioned purposes. Your Data shall be deleted or stored in a form that does not enable your identification, for 5 years after the conclusion of the procedure carried out by the Supervisory Body following the report, without prejudice to any retention periods provided for by law or regulations. Where necessary, the Data may be retained for further processing in the event that judicial and/or disciplinary action is taken against the reported person or against the whistleblower who has made false or defamatory statements or who has acted in bad faith; in such cases the Data may be retained until the final conclusion of the judicial and/or disciplinary proceedings.

7.    Subject to whom the Data may be disclosed

Except for the fulfilment of legal obligations, the Data you provide will not be communicated or disseminated in any way.

The recipient of the Data is the Supervisory Body of Università Cattolica del Sacro Cuore which, in compliance with the relevant legislation in force and with the whistleblowing procedure, is required to ensure the confidentiality of the identity of the whistleblower. The Data may be disclosed to the head of the institutional body in charge of disciplinary proceedings and/or to the person accused only in cases where there is the express consent of the whistleblower or where the  disciplinary charge is based solely on the report and, therefore, the knowledge of the whistleblower’s identity is absolutely essential for the accused’s defence.

Where applicable, the Data may also be disclosed to third parties included in the following categories: a) Consultants (Law Firms etc.), b) Companies in charge of the administration and management of personnel, of the retention of employees’ personal data, of the development and/or operation of information systems for the aforementioned purposes, c) Institutions and/or Public Authorities, Judicial Authorities, Police Bodies.

The subjects belonging to the categories to which the Data may be disclosed shall process such Data and use them, as the case may be, in their role as Data Processors expressly appointed by the Controller in compliance with the law, or rather as autonomous Data Controllers. The list of appointed Data Processors is constantly updated and available at the University's offices.

8.    Transfer of personal data to countries outside the EU

Without prejudice to specific requirements to be agreed upon in each case, the Data will not be transferred to non-EU countries.

9.    Data Protection Officer, D.P.O.

The University has appointed a Data Protection Officer, D.P.O., (Data Protection Officer, D.P.O.), who can be contacted at dpo@unicatt.it

10. Rights of the Data subject

The Data Subject has the right to know which data concerning him/her (as the whistleblower, the person under investigation, the witness etc.) are held by the University for the whistleblowing reporting process, as well as the methods of their use and to obtain, when the conditions are met, their cancellation, as well as their updating, rectification or, if relevant, integration.

The rights of the Data Subject (specifically, the reported person) may be limited pursuant to and for the purposes of art. 2-undecies, first paragraph lett. f) of Legislative Decree 196 / 2003 and subsequent amendments and in accordance with art. 23 of EU Regulation 2016/679, if the exercise of the aforementioned rights may result in a concrete and effective prejudice to the confidentiality of the identity of the whistleblower.

The assessment as to whether the Data Subject’s rights should be restricted is entrusted to the Controller who shall avail itself of the relevant competent functions. In such case, the Controller shall provide the Data Subject with reasoned notice, without delay, of  the rejection/delay/limitation/exclusion of the request to exercise the aformentioned rights, without prejudice to the provisions of art. 2-undecies paragraph 3 of Legislative Decree 196/2003 and subsequent amendments.

In the event that a Data Subject’s request for access to personal informationis granted, any personal information referring to third parties, such as the whistleblower, reported person or witnesses, will be removed from the documents, unless justified by exceptional circumstances.

To exercise the rights described in this paragraph, you can contact the Supervisory Body at odv@unicatt.it

Updated on: 11 October 2024