Continental Hotel Terme

Lawyer Francesco Cecchinato – Whistleblowing Reporting Manager.

Tel. 049.4907098

Availability Monday through Friday from 10 a.m. to 1 p.m. and 3 p.m. to 6 p.m.

Outside the above hours and in case of absence, the answering service is active

WHISTLEBLOWING POLICY

DISCLOSURE – SYSTEM FOR REPORTING ALLEGED WRONGDOING

“WHISTLEBLOWING”

Pursuant to Legislative Decree No. 196 of June 30, 2003 and EU Reg. 2016/679

In relation to personal data of which TERME CONTINENTAL S.P.A. (P.IVA 00674680285), with headquarters in Via Neroniana, 8, Montegrotto (35036 -PD), will come into possession in the performance of the contractual relationship and the legitimate and proper use of which the said company is responsible, we inform you of the following:

1. PURPOSE OF DATA PROCESSING

Personal Data are processed exclusively for the purposes of investigation and ascertainment of the facts that are the subject of the Report and the adoption of any consequent measures, in accordance with the provisions of Legislative Decree. 24/2023. In particular, the Personal Data collected are personal data, personal identification numbers, any contact data and, in any case, all and only the personal data necessary and relevant for the achievement of the above-mentioned purposes, based on the “principle of minimization.” It is possible that judicial data or data referring to offenses and/or crimes may also be processed. With respect to these data, their provision is voluntary and the Interested Party is requested to provide only the data necessary to describe the facts that are the subject of the Report without communicating redundant and additional personal data to those necessary with respect to the purposes indicated above. In case they are provided, the Data Controller will refrain from using such Data and delete them. Personal Data are processed on the legal basis of the legal obligation, ex art. 6, co.1 lett. b) (Legislative Decree 24/2023 – Legislative Decree 231/01), and of the legitimate interest of the Data Controller, ex art. 6, co.1, lett. f) of the GDPR (provided that the interests or fundamental rights and freedoms of the Data Subject do not prevail), to handle Reports of wrongdoing, of which the Reporting Party has become aware for work reasons, within the scope of its work context or for other reasons, as well as to protect internal and external Data Subjects involved in the “Whistleblowing” process.

2. MODE AND LEGAL BASIS OF PROCESSING

Processing may be carried out with or without the aid of electronic or otherwise automated tools. The processing is carried out by the specifically appointed individual data processors under the supervision and according to the instructions of the Data Controller and/or the various specifically appointed data processors. The legal basis for the processing can be found in the legal obligations set out in the above-mentioned regulations and related or connected provisions and in the legitimate interests of the Data Controller, also with reference to the defense of the Data Controller or third parties in judicial or equivalent proceedings. Further legal basis is the consent of the interested party; specifically, in the case of reporting by means of a recorded telephone line, the user will be notified in advance about the registration through a brief information note issued by recorded voice. If he/she does not intend to terminate the phone call, the principle of “continuation of the phone call/consent” to the recording will be understood to be manifested.

Data are collected through the following means:

• in written form: the Report may be sent by registered letter to the following postal address: Francesco Cecchinato, c/o ADM Associati, 82 San Crispino Street, 35129 Padua (PD) . The Reporting Officer must place the Report in two sealed envelopes, including, in the first, his or her identifying information (the non-anonymous reporting procedure is in fact preferable, due to the greater ease of ascertaining the Violation) and in the second, the subject of the Report; both envelopes must then be placed in a third envelope that bears, on the outside, the words “confidential to the Reporting Officer.”
• orally: the Report may be communicated through recorded telephone line (only in case of voicemail message due to absence of the Report Manager) and, at the request of the Reporting Officer, through a face-to-face meeting with the Report Manager.

Data collected by means of the electronic/telematic tools will not be subject to fully automated processing as specified in Art. 22 GDPR. Specific security measures are observed to prevent data loss, unlawful or incorrect use and unauthorized access. In addition, specific technical-organizational measures are taken in accordance with Article 32 GDPR to ensure the protection of the identity of the Data Subjects, as well as their possible anonymity.

3. PROVISION OF DATA

The provision of common personal data (master data) is optional but necessary in order to achieve the purposes mentioned in point 1.

4. REFUSAL TO PROVIDE DATA

Any refusal on the part of the person concerned to provide personal data as stipulated in point 3, or the incorrect communication of such data, will result in the impossibility of carrying out the activities referred to in point 1, at least in adequate terms and within the required timeframe.

5. COMMUNICATION AND DISSEMINATION OF DATA

Within the specific limits provided by Legislative Decree 24/2023 as amended and by the provisions connected or related to it (in particular with reference to the confidentiality of the reporter), personal data may be disclosed for the purposes referred to in point 1 to consultants and freelancers, also in associated form and specifically appointed, public/private entities for which communication is mandatory or necessary in fulfillment of legal obligations (such as Institutions and/or Public Authorities, Judicial Authorities, Police Bodies). Personal data are not subject to dissemination.

6. STORAGE OF PERSONAL DATA

Personal data according to the terms provided for in Article 14 of Legislative Decree No. 24/2023, that is, for the time necessary for the processing of the report and in any case for no longer than 5 years from the date of communication of the final outcome of the report.

Personal data that are manifestly not useful for processing a specific report are not collected or, if accidentally collected, are promptly deleted by the Report Manager.

7. RIGHTS OF THE DATA SUBJECT

Reg. EU 2016/679 gives the data subject specific rights, including the right to access their personal data and to have them made available in an intelligible form; the data subject also has the right to obtain the updating, rectification (if erroneous), integration (if incomplete) or deletion of data (in case of unlawful processing), data portability (the right to receive or have data transmitted to another data controller in a structured, commonly used and machine-readable format) revocation of consent (if legal basis for processing) transformation into anonymous form or blocking/limitation of data processed in violation of the law; the data subject has the right to object, for legitimate reasons, to the processing of data. With reference to the processing of the data provided, in the event that the Data Subject identifies violations of privacy regulations, he/she will have the right to file a complaint with the Privacy Guarantor. The Interested Party may exercise his or her rights by making a request to the Data Controller or Data Protection Officer (also by requesting the latter to receive appropriate forms and, if necessary, the complete list of appointed data processors).

8. DATA CONTROLLER AND R.P.D.

The data controller is TERME CONTINENTAL S.P.A. (P.IVA 00674680285 – PEC [email protected] – e-mail [email protected]), located in Via Neroniana, 8, Montegrotto (35036 -PD). Data Protection Officer is Avv. Francesco Cecchinato (PEC [email protected] – e-mail [email protected]).