The Data Controller is M.M. S.r.l. a socio unico, with its registered office at 33100 Udine (UD), via Zanussi No. 300/302 (Tax Code and VAT No. 02984500302).

• Identifying and contact information of the whistleblower;
• Identifying information of individuals involved in the report;
• Information and data regarding reported violations, including any personal data related to special categories or criminal convictions and offenses;
• Any other information regarding the whistleblower, the individuals involved in the report, or third parties that the whistleblower decides to share to better describe the suspected violation;
• Identifying, contact, and account access information for individuals responsible for managing the reports through the IT platform.

The personal data subject to processing are those provided by the whistleblower and any data collected independently during investigative activities necessary to ascertain the circumstances of the report.
The provision of data is necessary and functional for managing the received reports in the forms and methods described in the "Whistleblowing Procedure" (hereinafter referred to as the "Procedure"), contained in the Organization, Management, and Control Model pursuant to Legislative Decree 231/2001 adopted by the Company..

The personal data will be collected and processed for purposes related to managing reports of violations concerning: i) national and European legislation related to sectors and interests relevant to the Union; ii) violations relevant under Legislative Decree 231/2001 or violations of organizational models; iii) further civil, administrative, and accounting offenses covered by national legislation; with the methods and tools described in the Procedure.

The legal basis is the fulfillment of a legal obligation to which the controller is subject (Art. 6(1)(c) of the GDPR), in application of Legislative Decree 24/2023 and Legislative Decree 231/2001 (organization, management, and control model).

Reports and related documentation will be retained for the time necessary to process the report, and in any case, no longer than five years from the date of the final outcome of the whistleblowing procedure, in compliance with the confidentiality obligations of the whistleblower. 
Personal data that are clearly irrelevant to the assessment of the report will be immediately deleted.

The personal data will be processed by the  Supervisory Body of M.M. S.r.l. a socio unico, which, in compliance with current legislation and the adopted Whistleblowing Procedure, is required to ensure the confidentiality of the whistleblower's identity and the information they have accessed.
The identity of the whistleblower or any other information that could directly or indirectly reveal this identity may only be disclosed with the explicit consent of the whistleblower. Where necessary for investigative purposes, some information related to the report may be processed by:

• Other company departments, which have received specific instructions;
• Consulting or auditing firms, or entities providing services instrumental to the above purposes, limited to the information necessary for the functions assigned to them.

Finally, some data may be transmitted to the Judicial Authorities and/or competent authorities in the cases provided for by law.

Concerning the data, the data subjects may exercise the rights provided for under Chapter III of Regulation EU 2016/679 (GDPR). In particular, the whistleblower may exercise the right to access, rectify, erase, and restrict processing in the same manner in which they submitted the report.
The whistleblower also has the right to lodge a complaint with one of the competent data protection authorities if they believe that the processing of their personal data has been carried out unlawfully (Article 77 of the GDPR). In Italy, the complaint can be submitted to the Data Protection Authority.
It should be noted that the exercise of the aforementioned rights by other data subjects, such as the reported individual or other involved persons, may be delayed, limited, or excluded if such exercise could cause an actual and concrete prejudice to the confidentiality of the whistleblower's identity, as provided for by Article 2-undecies(f) of the Privacy Code (implementing Article 23 of the GDPR). In such cases, these rights may be exercised through the Data Protection Authority in accordance with Article 160 of the Privacy Code.