PRIVACY POLICY PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679 FOR THE PROTECTION OF PERSONAL DATA (GDPR)

Terninox S.p.A. (hereinafter “Data Controller” or “Company”) informs you that, pursuant to Article 13 of EU Regulation 2016/679 (hereinafter “GDPR”), the personal data provided will be processed in the forms and within the limits set by the GDPR on the protection of natural persons regarding the processing of personal data and the free movement of such data. The processing of personal data shall be governed by the principles of fairness, lawfulness, transparency, purpose and storage limitation, data minimization and accuracy, integrity, confidentiality, and accountability pursuant to Article 5 of the GDPR.

In particular, this privacy policy is provided with regard to the processing of personal data inherent, related and/or instrumental to the reports provided by the reporting person (hereinafter “Whistleblower”) in accordance with Legislative Decree 24/2023, which provides new rules on whistleblowing, i.e., the reporting of offences that an employee, collaborator, professional, volunteer, shareholder, or director has become aware of by reason of the employment relationship, including reports about alleged violations of national or EU regulatory provisions that harm the public interest or the integrity of the Public Administration or private entity, including administrative, accounting, civil, or criminal offences, as well as those related to alleged illegal conduct relevant under the Legislative Decree 231/2001. In this regard, please refer to the guideline LGG 009 – Management of internal reports (“Whistleblowing”).

The identity of the Whistleblower cannot be disclosed, without their express consent, to subjects other than those competent to receive or follow up reports, expressly authorized to process personal data, except in the case of judicial and/or disciplinary proceedings subsequent to the report. In particular, in the event of the establishment of criminal proceedings, the confidentiality of the Whistleblower is protected within the limits provided by Article 329 of the (It.) Code of Criminal Procedure, i.e., for as long as the suspect does not have the right to have knowledge of it, and in any case not beyond the closure of that phase.

Please also note that:

A) The Data Controller is Terninox S.p.A. (DATA CONTROLLER).

B) The Data Controller processes common personal data (e.g.: name, surname, age and/or title, contact data), as well as special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, sex life or sexual orientation of the data subject, as well as judicial data, as long as they are strictly relevant and necessary for the management of the reports, in accordance with the principles of proportionality and necessity (DATA SUBJECT TO PROCESSING).

C) Personal data collected by the Data Controller will be processed for the following purposes:

a) management of reports of unlawful conduct, regarding activities and/or behaviours that deviate from the procedures implemented by the Data Controller, i.e., the violation of rules of professional conduct and/or principles of ethics referred to by the regulations in force – internal and external – and/or unlawful or fraudulent behaviours referable to employees, members of corporate bodies or third parties (customers, suppliers, consultants, collaborators) (PURPOSE OF THE PROCESSING).

D) The processing of data is lawfully carried out as it is necessary for the fulfilment of legal obligations imposed on the Data Controller, with regard to Italian and European Union legislation on whistleblowing and Legislative Decree 231/2001 and, residually, on the basis of the legitimate interest of the Data Controller to protect its business, reputation, as well as its employees and/or collaborators, as well as on the basis of the consent of the data subject (LEGAL BASIS OF THE PROCESSING).

E) Personal data are processed within the European Union. The processing of personal data includes collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use and communication; at the request of the data subject, the processing may also include erasure and destruction. Personal data are processed mainly in automated and digital form, but also in paper form, with logic strictly related to the aforementioned purposes. The Data Controller shall adopt the appropriate security measures aimed at preventing loss of data, unlawful or incorrect use and unauthorized access. The Data Controller, pursuant to Legislative Decree 24/2023, endorses the requirement relating to the protection of the confidentiality of the Whistleblower and the related prohibition of retaliation and/or discriminatory acts against the Whistleblower, subject to the exceptions provided by law (METHODS OF PROCESSING).

F) Personal data may be disclosed to the following parties exclusively for the purposes described and in compliance with the rules set forth in the GDPR: i) individuals specifically designated by the Data Controller; ii) competent authorities (e.g. judicial and/or police authorities) who make a formal request and/or for whom disclosure is mandatory by law; iii) external data processors duly appointed by the Data Controller pursuant to Article 28 of the GDPR. The Data Controller may process personal data independently or jointly with other companies of the Arvedi Group to which it belongs, with which a co-ownership agreement and/or other agreement regulating the management of personal data has been signed (DATA RECIPIENTS).

G) Personal data are processed for the time strictly necessary for the fulfilment of the purpose, equal to the minimum necessary, as indicated in Recital 39 of the GDPR, that is until the termination of the contractual relationship between the data subject and the Data Controller, and in any case no longer than 5 years, without prejudice to a further period of conservation that may be imposed by law, as provided for by Legislative Decree 24/2023 (DATA STORAGE).

H) The data subject has the right: to request from the Data Controller access to and rectification or erasure of personal data; to limit the processing of data to the purposes strictly necessary; to object to the processing; to obtain the direct transmission of personal data from one controller to another, where technically feasible; to withdraw consent to the processing at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal and, in any case, in the cases where consent was the legal basis for the processing; to lodge a complaint with a supervisory authority. These rights may be exercised by registered letter with return receipt to the following address: Acciai Speciali Terni S.p.A., c.a. del Responsabile p.t. delle Risorse Umane, viale Benedetto Brin n. 218, 05100 Terni or by writing an e-mail to: [email protected]. The right to be informed about the processing of one’s personal data in accordance with Articles 12 and 14 of the GDPR is limited by the obligations of secrecy and confidentiality imposed by the applicable legislation, as well as the risk of rendering impossible or seriously prejudicing the achievement of the purposes of the processing related to the reports under the whistleblowing system (RIGHTS OF THE DATA SUBJECT).

The Data Controller