Privacy Notice

Privacy Notice pursuant to Article 13 of
Regulation (EU) 2016/679 of the European Parliament and of the Council 


Please note that should you report any alleged unlawful and/or irregular conduct which has come to your attention, any personal data that you provide may be processed through our Supervisory Body in compliance with the regulation stated herein and the confidentiality requirements provided for by said regulation.

About us

This notice is made available – pursuant to Article 13 of Regulation (EU) 2016/679 concerning the protection of personal data (“Regulation” or “GDPR”), Legislative Decree No. 196 of 30/06/2003 (“Privacy Code”), as amended and supplemented by Legislative Decree No. 101/2018, and subsequent amendments and addenda – by COMEC ITALIA SRL (VAT No. 02143650121), in the person of Manuele Baggini, with registered offices at 149 Piazzale del Lavoro, Cavaria Con Premezzo (VA), as the Controller of personal data processing. 


Categories of processed data 

  • Your personal information where appropriate, such as name, surname, gender, date and place of birth, nationality, tax code, postal and/or email addresses, and landline or mobile phone number;
  • Your current employment position (job title, position and name of the company where you are working);
  • Any other information included in your report.


Legal basis and purpose for which we process your data 

The company will process your data only if there are legal provisions or grounds for the specific purposes stated above.

The legal basis for processing is provided the requirements under Legislative Decree 231/2001, Legislative Decree 24/2023 and applicable regulations and legislation. 

Therefore, we will process your personal data only if:

  • processing is necessary for performing checks and investigations with regard to a report, the disclosure of alleged unlawful and/or irregular conduct, and for taking the necessary measures;
  • processing is necessary for compliance with the legal obligations or requirements of our supervisory authorities and for compliance under Legislative Decree 231/2001 and Legislative Decree 24/2023;
  • processing is necessary to protect your interests and fundamental rights or those of other people;
  • processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.


Sharing and transfer of personal data

The data collected by the Controller are shared only for the purposes stated above; we do not share or transfer your personal data to any third parties other than those stated in this Privacy Notice.

During our operations and solely for the same purposes as listed in this Privacy Notice, your personal data may be transferred to the following categories of recipients:

  • members of the Supervisory Body that are delegated to manage reports;
  • company employees charged with the preliminary investigation;
  • companies, bodies, groups and individuals that provide us with processing services or that perform activities that are linked with, instrumental to, or support the scope of the Privacy Notice;
  • individuals whose right to access your personal data is recognised by legal provisions or by Community legislation.


The updated list of data processors is available from the Controller’s registered offices and shall be provided upon written request.

This Privacy Notice is applicable should data be transferred to third countries in which the level of data protection differs from that of the European Union: each transfer of personal data to third parties shall be conducted only once you have been notified and, where necessary, after receiving your consent. Each transfer of personal data to countries other than those for which the European Commission has made an adequacy decision occurs based on agreements that use standard contractual clauses which are adopted by the European Commission or other appropriate safeguards in compliance with applicable laws. 

Personal data protection 

The Controller has implemented technical and organisational measures that are appropriate for providing an adequate level of data protection and confidentiality for personal data. 

These measures take into account:

  • the state of the art of technology; 
  • the costs of implementation; 
  • the nature of the personal data; and 
  • the risks inherent in processing. 

The aim is to protect personal data from accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access, and from other forms of unlawful processing. 

Furthermore, when handling your personal data, the Controller:

  • collects and processes personal data that are adequate, relevant and not excessive as is required to satisfy the abovementioned purposes: to this end, any data that clearly have no relevance to the management of a specific report are not collected. If accidently collected, this is guaranteed to be reported immediately;
  • ensures that such personal data are updated and accurate.

Data storage period

Without prejudice to your right to object to the processing of personal data and/or to request the erasure of personal data, the Controller shall store your personal data only for the period strictly necessary for the purpose for which they were collected or to meet legal or regulatory obligations.

The storage period is the amount of time for which data are actually used, plus the period of the time that may be required by any applicable data storage rules and/or regulations.

Once this period has ended, your personal data will be removed from the systems.

Your legal rights 

These are the rights associated with personal data processed by the Controller:

  • The right to rectification. You can obtain the rectification of personal data relating to you or that you have provided us. The Controller shall make reasonable efforts to ensure that the personal data in its possession are accurate, complete, updated and relevant based on the most recent information available;
  • The right to restriction. You can obtain a restriction of the processing of your personal data if:
    • you contest the accuracy of your personal data during the period in which the Controller must verify its accuracy;
    • the processing is unlawful and you request the restriction of processing or the erasure of your personal data;
    • the Controller no longer needs to keep your personal data, but they are required by you for the establishment, exercise or defence of legal claims. 


  • you object to processing while the Controller verifies whether the legitimate grounds of the company override those of you, the data subject. 
  • The right to access. You can ask for information about stored personal data relating to you, including information about which categories of personal data are held or controlled by the Controller, for which purpose they are used, where have they been collected (if not directly from you) and to whom they may have been disclosed;
  • The right to data portability. Should you so request, the Controller shall transmit your personal data to another controller, if technically possible, providing that the processing is based on your consent or is necessary for the performance of a contract;
  • The right to ERASURE. You can obtain the erasure of your personal data if:

    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • you have the right to object to further processing of your personal data and exercise this right to object;
    • the personal data has been unlawfully processed;


unless the processing is necessary because of legal obligations, under law, or for the establishment, exercise or defence of legal claims.

  • The RIGHT TO OBJECT. You can object to the processing of your personal data at any time, providing that the processing is not based on your consent but on the legitimate interests of the Controller or a third party. In such instances, your personal data shall no longer be processed unless it is possible to demonstrate compelling legitimate grounds, an overriding interest in the processing, or for the establishment, exercise or defence of legal claims. Should you object to the processing, please kindly specify if you wish to erase your personal data or restrict their processing; 
  • The right to lodge a complaint. In the event of an alleged breach of the data protection legislation, you can lodge a complaint with the competent authorities in your country or in the place where the alleged breach occurred.

Changes to this Privacy Notice

Any future changes or additions to personal data processing as described in this Privacy Notice will be made known in advance via an individual notification through the usual communication channels used by the Controller (for example, by email or on its website).

Processing Controller and Data Protection Officer

If you wish to exercise your rights pursuant to Article 15 of the GDPR, you can contact the Controller COMEC ITALIA SRL (VAT No. 02143650121), with registered offices at 149 Piazzale del Lavoro, Cavaria Con Premezzo (VA), at this email address:


Processing Controller
Comec Italia spa