Terms and conditions

These Terms and Conditions are governed by Italian laws (excluding the United Nations Convention on Contracts for the International Sale of Goods – CISG). The competent court for any disputes arising from or relating to these Terms and Conditions is the court of Perugia, where the company's administrative and operational offices are located (Italy).

WHISTLEBLOWING INFORMATION

Introduction

STERNE INTERNATIONAL SPA, in relation to the data processed for the purpose of receiving, analyzing, investigating, and managing reports and any consequent actions, provides this information regarding the protection of personal data.

Data Controller

The Data Controller is STERNE INTERNATIONAL SPA, P.I. 01913370548, in the person of its legal representative pro tempore, with registered office in Milan, via Morimondo 22 – 20143 (MI), contactable at the email address niaz@lorenaantoniazzi.it;

Types of personal data processed

The personal data subject to processing fall into the following categories:

• Mandatory: name, surname, relationship with THE Data Controller;
• Optional: classification, role, qualification, telephone contact, email or certified email address.

• reports can also be submitted by using a dedicated telephone line or direct meeting with the external Manager. In this case, the personal data processed will be those voluntarily communicated by the reporting person.

• the data that the reporting person intended to provide to represent the facts described in the report. It should be noted that in this case, Ferrovie dello STERNE INTERNATIONAL SPA is not able to determine in advance the data subject to the report, which may therefore also include special data (e.g., criminal convictions, offenses, etc.).

The aforementioned data will be processed using IT and paper supports that guarantee their security and confidentiality. Paper documentation is limited to the bare minimum and stored and kept in cabinets and rooms equipped with security locks and perimeter and volumetric alarms. The documentation held by the Data Processor, as the external Manager of the reports, is also duly kept in premises protected by armored doors and equipped with a perimeter alarm.

The transmission of data provided by the reporting person through access to the platform is managed with the HTTPS protocol. Encryption techniques are also applied and all data is fully encrypted, thus guaranteeing the confidentiality of the transmitted information.

Purpose of processing and legal basis

The processing is aimed at receiving, analyzing, investigating, and managing reports and any consequent actions, and in particular at ascertaining the reported facts and adopting any measures. Pursuant to Article 6, paragraph 1 letter f) of European Regulation No. 679/2016 (hereinafter also "Regulation"), all personal data collected within the scope of this processing are strictly functional and necessary for the pursuit of the provisions of Legislative Decree no. 24/2023, as well as for any internal control needs, monitoring of corporate risks, defense of a right in court or for other legitimate interests of the Data Controller. Any contact details provided by the reporting person will be used in case a direct contact with them is necessary and for updates regarding the status of the report.

Data recipients and Data Processors

For the pursuit of the aforementioned purposes, the personal data provided are made accessible only to those who are competent to receive or act on the analysis, investigation, and management of reports and any consequent actions. These individuals are appropriately instructed in order to prevent the loss, unauthorized access to data, or unauthorized processing of the data itself and, more generally, in relation to personal data protection obligations. Data may also be processed by external Consultants and Third Parties with technical functions (e.g., the external report manager and the IT platform provider), who act as Data Processors/Sub-Processors and have signed a specific contract that precisely governs the processing entrusted to them and the obligations regarding data protection and processing security in accordance with Article 28, paragraph 3 of the Regulation. The identity of the reporting person and any other information from which, directly or indirectly, such identity can be inferred, may only be revealed to persons other than those competent to receive or act on reports with the express consent of the reporting person in accordance with the provisions of Legislative Decree no. 24/2023.

Interested parties are informed that, in this specific case, the Data Processors are the company MY GO SRL of the Zucchetti Group, as the provider of the My Whistleblowing platform, and Studio Bizzarri STP SaS of Luca Bizzarri and C., as the external manager of reports and registered with the Order of Chartered Accountants and Accounting Experts of Perugia. The Processors process personal data on behalf of the Data Controller according to the latter's instructions, in conformity with the purposes pursued by the legislation referred to in Legislative Decree no. 24/2023, in compliance with the internal Regulation and this information notice. However, the updated list of recipients of the data can be requested from Sterne International at the following email address niaz@lorenaantoniazzi.it.

Finally, personal data may also be transmitted to other independent data controllers, based on legal or regulatory provisions (e.g., Public Authorities, Judicial Authority, etc.).

Data Dissemination

The personal data subject to processing will never be published, displayed, or made available/consulted by indeterminate subjects.

Data Retention

Reports and related documentation are retained for the time necessary for the processing of the report and, in any case, for no longer than five years from the date of communication of the final outcome of the reporting procedure, in compliance with confidentiality obligations. In the event that prohibited reports are received (e.g., disputes, claims, or requests related to a personal interest of the reporting person, communications, or complaints relating to commercial activities or public services), these are retained for a period not exceeding 8 months from their archiving.

Rights of Data Subjects

EU Regulation 2016/679 (Articles 15 to 22) grants data subjects the exercise of specific rights. In particular, in relation to the processing of their personal data subject to this information notice, the data subject has the right to ask STERNE INTERNATIONAL SPA:

• access: the data subject can ask for confirmation as to whether or not data concerning them is being processed, as well as further clarification about the information contained in this information notice;
• rectification: the data subject can ask to rectify or integrate the data they have provided, if inaccurate or incomplete;
• erasure: the data subject can ask for their data to be erased, if no longer necessary for the aforementioned purposes, in case of withdrawal of consent or their opposition to processing, in case of unlawful processing, or if there is a legal obligation to erase;
• restriction: the data subject can ask for their data to be processed only for storage purposes, excluding other processing, for the period necessary for the rectification of their data, in case of unlawful processing for which they object to erasure, if they need to exercise their rights in court and the stored data may be useful and, finally, in case of opposition to processing and a verification is underway on the prevalence of STERNE INTERNATIONAL SPA's legitimate reasons over theirs;
• objection: the data subject can object at any time to the processing of their data, unless there are legitimate reasons for processing that override theirs, for example for exercise or defense in court;
• portability: the data subject can ask to receive their data, or to have them transmitted to another controller indicated by them, in a structured, commonly used and machine-readable format.

Furthermore, the data subject has the right to lodge a complaint, if they believe their rights have been violated, with the Supervisory Authority, which in Italy is the Garante per la Protezione dei Dati Personali. Pursuant to Article 2-undecies of Legislative Decree no. 196/2003 and subsequent amendments (hereinafter "New Privacy Code") and in implementation of Article 23 of the Regulation, it is informed that the aforementioned rights cannot be exercised by persons involved in the report, if the exercise of such rights could result in actual and concrete prejudice to the confidentiality of the identity of the reporting person. In particular, the exercise of such rights:

• will be carried out in accordance with the provisions of law or regulation governing the sector (Legislative Decree 24/2023);
• may be delayed, limited, or excluded with a reasoned communication made without delay to the data subject, unless the communication may compromise the purpose of the limitation, for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the identity of the reporting person;
• in such cases, the data subject's rights may also be exercised through the Garante per la Protezione dei Dati Personali in the manner set out in Article 160 of the New Privacy Code, in which case the Garante informs the data subject that it has carried out all necessary checks or carried out a review, as well as of the data subject's right to lodge a judicial appeal.

At any time, the data subject may request to exercise their rights by contacting the Data Controller directly at the email address niaz@lorenaantoniazzi.it.