PERSONAL DATA PROCESSING PRIVACY POLICY
pursuant to Article 13 of Regulation EU 2016/679
Whistleblowing (Article 54 bis of Legislative Decree 165/2001)
Introduction
European Regulation EU 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (hereinafter “GDPR”), provides for the protection of persons with regard to the processing of personal data.
MUSE – Museo delle Scienze (“MUSE Science Museum”, “MUSE”), as the “Data Controller”, wishes to explain the purposes and methods with which your personal data are collected and processed. More specifically, the following information is provided.
IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER
The data controller is MUSE Science Museum, with headquarters at Corso del Lavoro e della Scienza no. 3, 38122 Trento (TN), Italy. You can contact the data controller using the following contact details:
telephone +39 0461.270311
- E-mail: amministrazione@muse.it
- Certified e-mail (locally known as PEC): museodellescienze@pec.it
IDENTITY AND CONTACT DETAILS OF THE DATA PROTECTION OFFICER
The Data Protection Officer for MUSE Science Museum is QSA S.r.l. – ENGINEERING CONSULTING TRAINING, having its registered office in via alla Marcialonga, 3 – 38030 Ziano di Fiemme (Trento, Italy). Below are the contact details where the Data Protection Officer may be reached:
- E-mail: privacy@qsa.it
- Certified e-mail (locally known as PEC): privacy.qsasrl@pec.it
LEGAL BASIS FOR PROCESSING
Personal data are processed by the Head of Corruption Prevention and Transparency (RPCT) in the discharge of his or her duties in the public interest or in any case connected to the exercise of his or her public powers, with special reference to the task of establishing any offences reported in the interest of the integrity of the Organisation, as under Article 54-bis of Legislative Decree 165/2001, by persons who, by virtue of their employment relationship with the Organisation, become aware of unlawful conduct, including in particular:
(a) Employees of other organisations placed at the disposal of/seconded to MUSE;
(b) Self-employed workers, including those referred to in Chapter I of Law No. 81 of 22 May 2017, as well as workers hired under a collaboration agreement as referred to in Article 409 of the Code of Civil Procedure and Article 2 of Legislative Decree No. 81 of 2015, who carry out their work activity at MUSE;
(c) Employees or collaborators who work for organisations that provide goods or services or perform work for MUSE;
(d) Freelancers and consultants working at MUSE;
(e) Volunteers or trainees (paid or unpaid) working at MUSE;
(f) Persons carrying out administration, management, control, supervision or representation functions, whether such functions are carried out on a purely de facto basis, at MUSE (e.g. members of bodies performing Independent Evaluation Organisation functions);
Reports may be submitted concerning:
(a) Employees of other organisations placed at the disposal of/seconded to MUSE;
(b) Self-employed workers, including those referred to in Chapter I of Law No. 81 of 22 May 2017, as well as workers hired under a collaboration agreement as referred to in Article 409 of the Code of Civil Procedure and Article 2 of Legislative Decree No. 81 of 2015, who carry out their work activity at MUSE;
(c) Employees or collaborators who work for organisations that provide goods or services or perform work for MUSE;
(d) Freelancers and consultants working at MUSE;
(e) Volunteers or trainees (paid or unpaid) working at MUSE;
(f) Persons carrying out administration, management, control, supervision or representation functions, whether such functions are carried out on a purely de facto basis, at MUSE (e.g. members of Board of Directors and bodies performing Independent Evaluation Organisation functions);
In the event that an employee is transferred or seconded to another organisation, the employee may also report facts that have occurred in an organisation other than the one where he/she is employed at the time of the report. In this case, the report must be submitted to the organisation to which the facts refer or to the ANAC (National Anti-Corruption Authority).
TYPES OF DATA PROCESSED AND PURPOSES OF PROCESSING
The data provided by the whistleblower in order to report any alleged unlawful conduct (i) committed by individuals interacting with the Organisation in any capacity, and (ii) of which such person has become aware as a result of his/her working relationship with the Organisation shall be processed for the purpose of carrying out the necessary investigations to establish whether such concern is well-founded and take the ensuing actions set out in Article 8 of the Organisational Deed. The management and the preliminary verification of the merits of the circumstances set out in the report shall be entrusted to the Head of Corruption Prevention and Transparency (RPCT), who shall do so in compliance with the principles of impartiality and confidentiality, discharging such activity as may be deemed appropriate, including the personal hearing of the whistleblower and of any other persons who may be able to give an account of the facts reported. If, upon completion of the verification process, the reported fact is not found to be manifestly groundless, then the RPTC shall submit the findings of such verification process for further investigation or for the adoption of the relevant measures to the:
(a) Head of the General Affairs and Accounting Service as well as to the Head of the organisational unit to which the offender belongs, so that disciplinary action may be taken, if appropriate;
(b) Relevant bodies and functions of the Organisation so that they may adopt any further measures and/or actions deemed necessary, including for the protection of the Organisation itself;
(c) Law enforcement authorities, the National Audit Office and the National Anti-Corruption Authority, where appropriate. In all such cases: (a) in criminal proceedings, the identity of the whistleblower shall be covered by secrecy in the manner and within the limits laid down by Article 329 of the Italian Code of Criminal Procedure; (b) in proceedings before the National Audit Office, the identity of the whistleblower shall not be disclosed until the preliminary investigation phase has been completed; (c) in disciplinary proceedings, the identity of the whistleblower may not be disclosed if the disciplinary action taken against the perpetrator is based on investigations that are different and additional to those referred to in the report, whether or not ensuing therefrom. If the charge is based, in whole or in part, on the report and knowledge of the identity of the whistleblower is essential for the defendant’s defence, then the report may be used for the purposes of disciplinary proceedings only if the whistleblower consents to the disclosure of his/her identity.
If the RPCT needs to rely on the Organisation’s staff to discharge whistleblowing-related formalities, such staff shall, in respect of this activity, be specifically authorised to process the personal data (pursuant to Article 4, paragraph 10, 29, 32, paragraph 4 of the Regulation and Article 2-quadeterdecies of the Privacy Code) and, consequently, the aforementioned staff shall be required to comply with the instructions given, as well as with more specific
instructions related to the particular processing operations, that may be provided from time to time by the RPCT. The foregoing shall, in any case, be without prejudice to the fulfilment – by the RPCT and/or the individuals who for official purposes need know the identity of the whistleblower – of the legal obligations in respect of which the right to anonymity of the whistleblower cannot be opposed. The RPCT shall, in a manner that ensures the confidentiality of the whistleblower’s identity, provide evidence of the number of concerns received and their progress in the annual report referred to in Article 1(14) of Legislative Decree 190/2012. The data collected shall be kept in a form that enables the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which they are processed.
RECIPIENTS OF PERSONAL DATA
Recipients of the data collected as a result of the concerns raised shall, where appropriate, include the employer, the law enforcement authorities and the National Audit Office.
The personal data collected shall also be processed by the Organisation’s staff, who shall act on the basis of specific instructions given regarding the purposes and methods of processing.
Whistleblowing Solutions Impresa Sociale S.r.l., in its capacity as service provider for the delivery and operational management of the digital whistleblowing technology platform as Data Processor pursuant to Article 28 of Regulation EU 2016/679.
RIGHTS OF DATA SUBJECTS
Data subjects shall, where appropriate, have the right to obtain from the Organisation access to their personal data and the rectification or deletion thereof or the restriction of processing concerning them or to object to processing (Article 15 et seq. of the Regulation). A specific application may be submitted to the Head of Corruption Prevention and Transparency by contacting him/her at the Muse-Museum – Data Protection Officer, Corso del Lavoro e della Scienza, 3 – 38122 Trento. E-mail: responsabileanticorruzione@muse.it).
RIGHT OF COMPLAINT
Data subjects who consider that the processing of personal data relating to them carried out through this website is in breach of the provisions of Regulation EU 2016/679 shall have the right to lodge a complaint, as set forth in Article 77 of the aforesaid Regulation, or to take legal action (Article 79 of the Regulation). Further information on personal data protection rights can be found on the website of the Data Protection Authority at www.garanteprivacy.it.