In relation to the data processed for the purposes of receiving, analysing, investigating and managing reports and any consequent actions, Rete Ferroviaria Italiana S.p.A. invites to carefully read the personal data protection policy. Depending on the reporting channel chosen, specific consents may be required for certain purposes, as regulated by Legislative Decree 24/2023 and better specified below. 

This section provides our contact details

• The Data Controller is Rete Ferroviaria Italiana S.p.A., represented by the pro tempore Chief Executive Officer who can be contacted at the e-mail address titolaretrattamento@rfi.it, with registered office at Piazza della Croce Rossa, 1 - 00161 Roma .
• he Data Protection Officer/Data Protection Referent may be contacted at the e-mail address protezionedati@rfi.it.

This section outlines the types of data we process

The personal data subject to processing are included in the following categories:

Personal data of the reporting person in case of reports made non-anonymously through the dedicated platform and/or through the dedicated telephone line with automatic voice response system integrated with the same platform (subject to obtaining the express consent of the reporting person to record the call):

• Common:
  - Required: name, surname, company and employee id number (only if internal of the FS Group).
  - Optional: position, job title/relationship, personal telephone contact, personal e-mail address.

Personal data of any facilitator in case of reports made non-anonymously through the dedicated platform and/or through the dedicated telephone line with automatic voice response system integrated with the same platform (subject to obtaining the express consent of the reporting person to record the call):

• Common:
  - Required: name, surname, FS Group company and employee id number (only if internal of the FS Group).
  - Optional: job title/relationship, personal telephone contact, personal e-mail address.

Personal data of the reporting person in case of reports made non-anonymously through other channels:

• reports may also be sent through alternative channels, such as ordinary mail and verbally, through a statement made at a specific hearing, to the Ethics Committee/the Supervisory Board of Rete Ferroviaria Italiana S.p.A.. In these cases, the personal data processed is that which is voluntarily disclosed by the reporting person. 

Personal data relating to the individual(s) involved in the report:

• the data that the reporting person intends to provide in relation to the facts described in the report. It should be noted that, in this case, Rete Ferroviaria Italiana S.p.A. is unable to determine in advance the data covered by the report, which may also include particular data (for example, data relating to criminal sentences, offences, etc.).

To ensure that no retaliatory measures are taken against the reporting and/or facilitator (if any) employee, Rete Ferroviaria Italiana S.p.A. will also process data relating to the management of its employees’ employment relationships, in accordance with article 17 of Legislative Decree 24/2023.

The data referred to above will be processed by IT systems and on paper in a way that guarantees their safety and confidentiality. The use of paper documents is kept to a minimum and stored with adequate security measures.

The transmission and storage of data provided by the reporting person are protected with advanced encryption, cutting-edge security technologies and rigorous security measures, guaranteeing maximum confidentiality and protection at every stage of processing. Reports acquired through the dedicated telephone line with automatic voice response system are entered into the platform after applying a masking algorithm which makes the voice of the reporting person unrecognizable.

Cookies are not used to transmit personal information, and persistent cookies to track users are not used. Only technical cookies are used to the extent strictly necessary for the correct and efficient use of the platform. Session cookies (which are not permanently stored on the user's computer and disappear when the browser is closed) are strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server), which are necessary for the safe and efficient browsing of the platform. 

This section outlines the processing purposes and the legal basis underlying the same

The purpose of processing is to receive, analyse, investigate and manage reports and any consequent actions, and in particular to ascertain the facts reported and to take any necessary measures. Pursuant to Article 6, paragraph 1, letter c) and f) of the European Regulation No. 679/2016 (hereinafter also referred to as the "Regulation"), all personal data collected within the scope of this processing are strictly functional and necessary for the pursuit of the provisions of Legislative Decree 24/2023, as well as for any possible internal auditing purposes, the monitoring of business risks, the defence of a right in court or for further legitimate interests of the Data Controller. Furthermore, where the reporting person and/or facilitator (if any) is an employee of Rete Ferroviaria Italiana S.p.A. and declares his or her identity, in order to ensure that no retaliation is committed against the reporting and/or facilitator (if any), even long after the report is submitted, Rete Ferroviaria Italiana S.p.A. will initiate a two-year observation period after the date of the report regarding the employee’s employment situation.

Depending on the reporting channel chosen, specific consents pursuant to Article 6, paragraph 1, letter a) may be required for certain purposes, as regulated by Legislative Decree 24/2023 and better specified in this personal data protection policy.

Any contact information provided by the reporting person will be used if direct contact with the reporting person is necessary and for updates regarding the report.

 

If reports pertaining to another FS Group company are received by Rete Ferroviaria Italiana S.p.A., they will be forwarded to the relevant company, which shall act as independent Data Controller. 

This section outlines who will process the data and to whom they will be communicated 

To pursue the above-mentioned purposes, the personal data are processed only by individuals within the Company who are authorised to receive or follow up on the analysis, investigation and management of reports and any consequent actions. These persons are instructed to avoid loss, access to data by unauthorised persons or unauthorised processing of data and, more generally, in relation to personal data protection obligations. The data may also be processed by external Consultants and Third Parties with technical functions (e.g. the IT platform provider), who act as Data Processors/Sub-Processors and have signed a specific contract that punctually regulates the processing entrusted to them and the obligations regarding data protection and security of processing pursuant to Article 28, paragraph 3 of the Regulation.

Finally, your personal data may also be transmitted to other independent Data Controllers, in accordance with the law or regulations (e.g. Public Authorities, Judicial Authorities, etc.).

The updated list of these subjects can be requested from the Ethics Committee/Supervisory Board at the following e-mail addresses: comitatoeticorfi@rfi.it and org.vig@rfi.it.

The identity of the reporting person and any other information from which such identity may be inferred, directly or indirectly, may be accessible to other parties only with the express consent of the reporting person in accordance with the provisions of Legislative Decree 24/2023. This consent will be requested from the reporting person when drafting the report through the dedicated platform and/or the dedicated telephone line. For reports made through the additional channels referred to in paragraph II, the aforementioned consent, if not provided with the report itself, may be requested from the reporting person at a later stage.

This section assures you that your data will not be disclosed 

The personal data processed will never be published, displayed or made available/consulted by unspecified persons.

This section indicates the amount of time your data is retained

Reports and related documentation are kept for the time necessary to process the report and in any case no longer than 5 years from the date of the notification of the final outcome of the reporting procedure, subject to confidentiality obligations. If reports are received outside the scope of the reporting procedure (e.g. complaints, disputes, claims or requests related to a personal interest of the reporting person, communications or complaints relating to business activities or services to the public), they are retained for a period not exceeding 8 months from the date of their classification and subsequent closure.

This section provides details on your guaranteed rights

In accordance with articles 15 et seq. of Regulation the data subject may exercise the rights of access, rectification, erasure, restriction, portability and objection to data processing. However, these rights may be subject to specific limitations established by law, in particular to safeguard the interests referred to in Articles 23 of the Regulation and 2-undicies of Legislative Decree 196/2003 as amended and supplemented (Privacy Code).

The data subject may request to exercise his or her rights at any time from Rete Ferroviaria Italiana S.p.A. at the following e-mail addresses: titolaretrattamento@rfi.it e protezionedati@rfi.it.

Moreover, should the data subject consider that his or her rights have been violated, the data subject has the right to lodge a complaint with the Supervisory Authority, which in Italy is the Garante per la Protezione dei dati personali.