Agriplast’s Compliance with Whistleblowing Regulations
All personal data processing resulting from the reporting of misconduct is subject to mandatory data protection regulations, without any exceptions. The confidentiality of reports is ensured through the use of dedicated software and platforms already available on the IT services market, given that whistleblowing obligations have been in place for the public sector since 2001.
Agriplast has adopted the WhistleblowingSoftware platform, which guarantees the confidentiality of reports and the secure storage of all text or multimedia documents transmitted by the whistleblower to the Supervisory Body (Organismo di Vigilanza – OdV), who is the sole administrator of the software platform.
The platform also enables and records encrypted chat communications between the OdV and the whistleblower.
The Data Controller for Agriplast S.p.A. is Mr. Salvatore Cascone, in his capacity as the company’s legal representative. The Data Protection Officer (DPO) is Dr. Giuseppe Ridolfo, as formally appointed by resolution of the Board of Directors.
The data processor for whistleblowing activities, pursuant to Article 28 of the GDPR and as explicitly stated in paragraph 6 of Article 13 of the Decree, is the provider of WhistleblowingSoftware—the platform used by the company to allow for both written and oral reports.
The data processor is also Prof. Antonio Barone, in his role as the platform’s administrator and data manager for whistleblowing reports, limited to areas under his direct responsibility.
The processed data includes digital files in multimedia and text formats, and the nature of this data is considered sensitive.
In light of the above, and in compliance with the principle of accountability set out by the GDPR, the company has implemented internal measures and adopted the necessary security protocols to:
Furthermore, in compliance with paragraph 6 of the applicable Decree, Agriplast has carried out a Data Protection Impact Assessment (DPIA) using dedicated European software, to assess the impact of whistleblowing activities on personal data protection, as required by Article 35 of the GDPR. The assessment was conducted by the Data Protection Officer (DPO) using a dedicated notebook assigned exclusively to the DPO.
The software platform selected by Agriplast complies with Article 14 of the Decree, which governs the retention of whistleblowing reports, including the personal data they contain. The retention period is limited to the time strictly necessary to process the report and, in any case, must not exceed five years from the date the outcome of the report is communicated. This timeline is consistent with the principles of privacy by default and data minimization, which do not allow for indefinite data storage.
The Data Controller has also configured the chosen platform to manage reports in accordance with internal policies on deletion of processed personal data, including those stored, managed, recorded, and retained in digital format.
The identity of the whistleblower may be known by the Supervisory Body (Organismo di Vigilanza – OdV), and the platform selected by Agriplast allows for anonymous reporting. Personal data will not be disclosed externally and may only be shared with third parties in the cases expressly provided for by Article 12 of the Decree.
The whistleblower may exercise their rights, including the right of access to personal data, by contacting the Data Controller – Agriplast S.p.A., President and CEO, via F. Bonetta 35 – 97019 Vittoria (RG), Italy, or via email at amministrazione@agriplast.com.
The whistleblower will be informed and asked to provide explicit consent for the processing of personal data during the reporting procedure, via the dedicated section of the whistleblowing platform.
