Dear Data Subject, “Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter “GDPR”) envisages the protection of individuals and other parties with respect to the processing of personal data. We therefore wish to inform you, pursuant to Article 13 GDPR, that the Data Controller will process the personal data that you provided in line with the procedures outlined below.
DATA CONTROLLER
The "Data Controller" in relation to the personal data is Juventus FC S.p.A. with registered office at Via Druento 175, 10151 Turin. The Data Controller can be contacted at the email address: privacy@juventus.com
DATA PROTECTION OFFICER (DPO)
The Data Protection Officer (hereinafter "DPO") appointed by the Data Controller can be contacted by emailing privacy@juventus.com.
LEGAL BASIS FOR THE PROCESSING
The processing of personal data is necessary to fulfil a legal obligation of the Data Controller. Personal data are processed, with specific reference to the task of ascertaining any violations that harm the public interest or the integrity of Juventus, pursuant to current regulations on whistleblowing (Italian Legislative Decree 24/2023) by those who have relations with Juventus if they become aware of a situation subject to reporting.
TYPES OF DATA PROCESSED, PURPOSE AND NATURE OF THE PROCESSING
The data provided for reporting and the data provided by the whistleblower in order to communicate alleged violations of which he/she has become aware during relations with Juventus, committed by parties who interact with the company for various reasons, as well as the data strictly necessary to verify the validity of the report and allow for its management.
The data are processed for the purpose of carrying out the necessary preliminary investigations to verify the validity of the event(s) reported and the subsequent adoption of measures.
Providing the data is necessary in order to manage the report.
METHOD OF DATA PROCESSING
The data provided at the time of registration and the data contained in the reports will be processed in accordance with the principles of fairness, lawfulness, transparency and the protection of confidentiality and rights, yours and those of all interested parties, in compliance with the confidentiality obligations imposed by privacy regulations and the law on whistleblowing.
The processing will make use of IT and electronic tools designed for the organisation and processing of data strictly related to the purposes referred to above, and in any event in such a way as to ensure the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures envisaged in the applicable provisions.
RECIPIENTS OF THE DATA
The personal data collected are processed by members of the Juventus organisation, appointed to perform specific control functions, or in any event responsible for the receipt, preliminary assessment and investigation of reports received, as outlined in the report management procedure, which are authorised to process such data, and act on the basis of specific instructions provided regarding the processing purposes and methods pursuant to Article 29 GDPR.
The identity of the whistleblower and any other information from which the identity of the whistleblower and of other parties may be inferred, directly or indirectly, who, even thought they did not made the report directly, are in any case deemed to deserve protection, are strictly confidential and shall not be communicated without their express consent to persons other than those responsible for receipt and follow up on the report, expressly authorised and instructed to process such data pursuant to Article 29 GDPR. Except in cases resulting in liability for slander or libel pursuant to the Italian Criminal Code or Article 2043 of the Italian Civil Code and cases in which confidentiality is not enforceable by law (e.g. criminal, administrative or tax investigations, audits of supervisory bodies), the identity of the whistleblower may be disclosed to the disciplinary authority and to the reported person only in cases where:
- the whistleblower gives his/her express consent;
- all or part of the challenge of the disciplinary charge is based on the report and knowing the whistleblower's identity is indispensable for the defence of the reported person, provided that this circumstance is inferred and proven at the hearing or through the filing of defence briefs.
In compliance with confidentiality obligations imposed by privacy regulations and the law on whistleblowing, personal data may also be processed by third parties included in the following categories: a) Consultants (Law Firms, etc.), b) Development and/or management companies of information systems dedicated to receiving reports and storing data; c) Public Institutions and/or Authorities, Judicial Authorities, Police Authorities, and Investigative Agencies. In any event, the personal data will not be disclosed.
The data will be stored on servers located in Italy and under no circumstances will they be transferred to non-EU countries.
DATA RETENTION PERIOD
The personal data relating to the reports are stored and kept for as long as necessary to fulfil the report management procedure and are stored for no more than 5 years from the date of the communication of the final outcome of the reporting procedure.
If unlawful conduct should emerge from the investigation, any personal data referenced will be processed until the settlement of any disputes initiated as a result of the report.
RIGHTS OF DATA SUBJECTS and COMPLAINTS TO THE DATA PROTECTION AUTHORITY
In the situations envisaged, data subjects shall be entitled to access their personal data through the Data Controller and request that said data be rectified or erased, that limitations be imposed on the processing or object to processing of the data (GDPR Article 15 et seq.). You may exercise all the rights listed above by emailing the Data Controller at privacy@juventus.com, or by sending a recorded delivery letter to the address of the Data Controller.
Data subjects who believe that their personal data are processed in violation of GDPR provisions shall be entitled to lodge a complaint with the Data Protection Authority, as envisaged in Article 77 GDPR, in accordance with the procedure found on the website of the Data Protection Authority (www.garanteprivacy.it), to lodge a complaint about a violation of the regulations on personal data protection and request an investigation by the Authority, or to take legal action before the appropriate judicial authorities (Article 79 GDPR).