In relation to the data processed for the purposes of receiving, analysing, investigating and managing reports and any consequent actions, Rete Ferroviaria Italiana S.p.A. invites you to carefully read the personal data protection policy.

This section provides our contact details

• The Data Controller is RFI S.p.A., represented by the pro tempore Chief Executive Officer who can be contacted at the e-mail address titolaretrattamento@rfi.it, with registered office at Piazza della Croce Rossa, 1 - 00161 Roma .
• The Data Protection Officer may be contacted at the e-mail address protezionedati@rfi.it.

This section outlines the types of data we process

The personal data subject to processing are included in the following categories:

• Personal data of the whistleblower in case of reports made non-anonymously through the dedicated platform:
  Common:
  - Mandatory: name, surname, relationship with the FS Group.
  - Optional: position, job title/relationship, telephone contact, e-mail address.
• Personal data of the whistleblower in case of reports made non-anonymously through other channels:
  - reports may also be sent through alternative channels, such as ordinary mail and e-mail, as well as verbally, through a statement made at a specific hearing, to the Ethics and Reporting Committee/the Supervisory Body of RFI S.p.A. In this case, the personal data processed is that which is voluntarily disclosed by the whistleblower.
• Personal data relating to the individual(s) involved in the report:
  - the data that the whistleblower intends to provide in relation to the facts described in the report. It should be noted that, in this case, RFI S.p.A. is unable to determine in advance the data covered by the report, which may also include particular data (for example, data relating to criminal sentences, offences, etc.).

The data referred to above will be processed by IT systems and on paper in a way that guarantees their safety and confidentiality. Paper documents are kept to a minimum and filed and stored in cabinets and rooms with security locks.

The data provided by the whistleblower by accessing the platform are transmitted using the HTTPS protocol. Encryption techniques based on the AES algorithm are also applied and all data is fully encrypted, thus guaranteeing the confidentiality of the information transmitted.

Cookies are not used to transmit personal information, and persistent cookies to track users are not used. Only technical cookies are used to the extent strictly necessary for the correct and efficient use of the platform. Session cookies (which are not permanently stored on the user's computer and disappear when the browser is closed) are strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server), which are necessary for the safe and efficient browsing of the platform. 

This section outlines the processing purposes and the legal basis underlying the same

The purpose of processing is to receive, analyse, investigate and manage reports and any consequent actions, and in particular to ascertain the facts reported and to take any necessary measures. Pursuant to Article 6, paragraph 1, letter f) of the European Regulation No. 679/2016 (hereinafter also referred to as the "Regulation"), all personal data collected within the scope of this processing are strictly functional and necessary for the pursuit of the provisions of Legislative Decree 24/2023, as well as for any possible internal auditing purposes, the monitoring of business risks, the defence of a right in court or for further legitimate interests of the Data Controller.

If reports pertaining to another FS Group company are received by RFI S.p.A., they will be forwarded to the relevant company, which shall act as independent data controller.

Any contact information provided by the whistleblower will be used if direct contact with the whistleblower is necessary and for updates regarding the report. 

This section outlines who will process the data and to whom they will be communicated 

To pursue the above-mentioned purposes, the personal data provided is made accessible only to individuals within the Company who are authorised to receive or follow up on the analysis, investigation and management of reports and any consequent actions. These persons are duly instructed to avoid loss, access to data by unauthorised persons or unauthorised processing of data and, more generally, in relation to personal data protection obligations. The data may also be processed by external Consultants and Third Parties with technical functions (e.g. the IT platform provider), who act as Data Processors/Sub-Processors and have signed a specific contract that punctually regulates the processing entrusted to them and the obligations regarding data protection and security of processing pursuant to Article 28, paragraph 3 of the Regulation.

Finally, your personal data may also be transmitted to other independent data controllers, in accordance with the law or regulations (e.g. Public Authorities, Judicial Authorities, etc.).

The identity of the whistleblower and any other information from which such identity may be inferred, directly or indirectly, may only be disclosed to people other than those competent to receive or investigate reports with the express consent of the whistleblower in accordance with the provisions of Legislative Decree 24/2023.

The updated list of recipients of the data can be obtained from the Ethics Committee/Supervisory Body by making a request to the e-mail addresses: org.vig@rfi.it e comitatoeticorfi@rfi.it.

This section assures you that your data will not be disclosed 

The personal data processed will never be published, displayed or made available/consulted by unspecified persons.

This section indicates the amount of time your data is retained

Reports and related documentation are kept for the time necessary to process the report and in any case no longer than five years from the date of the notification of the final outcome of the reporting procedure, subject to confidentiality obligations. If reports are received outside the scope of the reporting procedure (e.g. disputes, claims or requests related to a personal interest of the whistleblower, communications or complaints relating to business activities or services to the public), they are retained for a period not exceeding 8 months from the archiving of the report.

This section provides details on your guaranteed rights

In accordance with the provisions of articles 15 to 22 of Regulation (EU) 2016/679 the Data Subjects are entitled to exercise specific rights. Specifically, in relation to the processing of their personal data covered by this policy, the data subject has the right to request the following from Ferrovie dello Stato Italiane S.p.A:

• access: the data subject may request confirmation as to whether or not his or her data is being processed, along with further clarification of the information referred to in this policy;
• rectification: the data subject may ask that the data that he or she has provided be rectified or integrated if the data is inaccurate or incomplete;
• erasure: the data subject may ask that his or her data be deleted if it is no longer necessary for the purposes mentioned above, if consent is withdrawn or if the processing is opposed, in the event of unlawful processing, or if there is a legal obligation to delete the data;
• restriction of processing: the data subject may request that his or her data only be processed for the purposes of retention, with the exclusion of other processing operations, for the period necessary to rectify his or her data, in the event of unlawful processing for which he or she objects to the erasure, whereby he or she must exercise his or her rights in court, and the data stored may be of use to him or her and, finally, if he or she objects to processing and a check is being carried out as to whether the legitimate reasons of [La Società] prevail over his or hers;
• objection: the data subject may object at any time to the processing of his or her data, unless there are legitimate grounds for processing which override his or her own, for example for the exercise or defence of legal claims;
• portability - the data subject may request to receive his or her data or to sent to another data controller indicated by him or her in a structured, commonly used and machine-readable format.

Moreover, should the data subject consider that his or her rights have been violated, the data subject has the right to lodge a complaint with the Supervisory Authority, which in Italy is the Garante per la Protezione dei dati personali (Article 77 of EU Regulation 2016/679).

Pursuant to Article 2-undecies of Legislative Decree 196/2003 as amended and supplemented (hereinafter the "New Privacy Code") and in implementation of Article 23 of the Regulation, we inform you that the above-mentioned rights may not be exercised by the persons involved in the reporting, if the exercise of these rights may result in actual and concrete detriment to the confidentiality of the whistleblower's identity.

In particular, the exercise of these rights:

• will be carried out in accordance with the legal or regulatory provisions governing the sector (Legislative Decree 24/2023);
• may be delayed, restricted or excluded by reasoned notice given without delay to the data subject, unless such notice would undermine the purpose of the limitation, for such time and to the extent that this constitutes a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the whistleblower's identity;
• in such cases, the data subject's rights may also be exercised through the Garante per la Protezione dei dati personali in accordance with Article 160 of the New Privacy Code, in which case the Authority will inform the data subject that it has carried out all the necessary checks or has conducted a review, and that the data subject has the right to lodge a legal complaint.

The Data Subject may ask RFI S.p.A. to exercise his or her rights at any time by contacting the Data Protection Officer, at the e-mail address protezionedati@rfi.it.