Privacy Policy
Whistleblowing
We would like to inform you that your personal data will be processed in compliance with the legislation on the protection of personal data (Regulation (EU) 2016/679, "GDPR"), and Legislative Decree 196/2003 and ss.mm.ii. ("Privacy Code").
-
Data controller
The Data Controller is Università Commerciale "Luigi Bocconi", with registered office in Via Sarfatti n. 25, 20100 Milano (MI).
-
Data Protection Officer
The University has designated a Data Protection Officer (“DPO”) who can be contacted at dpo@unibocconi.it.
-
Processing of personal data
-
How data are processed
The University has equipped itself with a reporting channel that, through the use of an IT platform - implemented with all appropriate security measures, including cryptographic ones - guarantees the confidentiality of the identity of the reporter, of the person possibly involved and of the person reported, as well as of the content of the report and of the relevant documentation, as analytically documented in the impact assessment, pursuant to Article 35 of the GDPR.
-
Disclosure of personal data
For the pursuit of the above-mentioned purposes, the personal data collected may be communicated to:
a. authorized personnel, pursuant to Article 29 of the GDPR and Article 2-quaterdecies of the Privacy Code.
The management of the reporting channel is entrusted to a collegial body (hereinafter referred to as the “Pool”) of staff trained in the investigation and handling of reports. The Pool is composed of three Staff members designated by the Managing Director from the Institutional Affairs and Compliance Governance Department, the Legal Affairs Department and the People and Culture Department, and one Faculty member designated by the Rector from among the members of the Rector's Committee as full members and two Staff members designated by the Managing Director as alternate members.
In the event that investigative needs require that other persons within the University should be made aware of the content of the report or of the documents annexed thereto, the identity of the person making the report shall not be disclosed, nor shall elements be revealed which might, even indirectly, allow the identification of the person making the report, unless the person making the report authorizes the disclosure of his/her identity or unless anonymity cannot be enforced for reasons of judicial investigation and/or disciplinary proceedings;
b. third companies appointed as Data Processors, pursuant to Article 28 of the GDPR. In detail:
-
Aruba s.p.a. (Sub-processor), via San Clemente, 53 - 24036 Ponte San Pietro (BG).
-
DigitalPA s.r.l., with registered office in Via Tommaso D'Aquino 18/A, 09134 Cagliari.
c. The data may also be communicated to subjects, bodies, organizations or authorities to whom it is compulsory to communicate your personal data by virtue of legal provisions or orders by the authorities.
Your personal data will in no way be the subject of communication and dissemination outside the above-mentioned cases, nor of transfer to a third country outside Europe, nor of automated decision-making processes including profiling.
-
Transfer of data outside of the EU
Personal data will be processed in Italy on servers located there. Your personal data are therefore not transferred outside the European Union.
In the event that it becomes necessary to transfer personal data outside the European Union or to international organizations, the Data Controller nevertheless informs you that the processing will take place according to one of the methods permitted by current law, in compliance with the provisions of Articles 44-49 of the GDPR.
In any event, you can always obtain further details from the Controller by requesting evidence of the specific guarantees adopted from the contacts listed above.
-
Data subject rights
You have the right to access your data at any time, pursuant to Articles 15-22 of the Regulation. In particular, as a data subject you have the right to:
-
obtain confirmation of the existence or otherwise of the data provided;
-
request, in the forms provided for by law, the rectification of inaccurate personal data and the integration of incomplete data;
-
exercise any other rights under Articles 18 to 22 of the GDPR, where applicable.
It should be noted that the right of access, as set out in Article 15 of the GDPR, does not apply with regard to the identity of the whistleblower; the identity of the whistleblower may only be disclosed with express consent or if knowledge is indispensable for the whistleblower's defense or anonymity cannot be opposed for reasons of judicial investigation and/or disciplinary proceedings.
Similarly, revocation of consent does not apply when the reporting person has given it for the purpose of revealing his identity, even to persons other than those competent to receive or follow up the report.
Requests must be addressed in writing to the Controller or the DPO at the above-mentioned addresses.
If you consider that the processing of your personal data violates the applicable data protection regulations, you also have the right to lodge a complaint (Art. 77 GDPR) with the Garante Privacy (www.garanteprivacy.it).
Last updated: 11 July 2023