PROCESSING OF PERSONAL DATA and INFORMATION (Articles 13 and 14 GDPR)

Brembo N.V., with legal seat in Amsterdam, the Netherlands, and with business and corporate address in Bergamo, via Stezzano 87 – 24126, Italy and the other Brembo Group companies, as indicated below (hereinafter, individually "Company", jointly "Group" or "Joint-Controllers"), have implemented a system of prevention and repression of illegal conduct within the Group, including a system aimed at receiving and managing reports of such conduct, both through web platform and through Apps called "Legality Whistleblowing" and regulated by the corporate procedure on whistleblowing (hereinafter, "Whistleblowing Platform").

The system is shared among the companies that, as data Joint controllers pursuant to Art. 26 of the General Data Protection Regulation of the European Union – Regulation (EU) 2016/679 (hereinafter, "GDPR"), have signed a joint controller agreement whose extract is available to data subjects upon request to the addresses indicated at the bottom of this notice.

In the context of managing the aforementioned reports, the Joint-Controllers will process your personal data, provided and/or in any case received in the context of the Whistleblowing Platform in accordance with the provisions of the applicable personal data protection legislation and this notice.

Type of personal data

The personal data acquired through the report are:

• Identification data of the whistleblower, where relevant for the management of the procedure and allowed by current legislation, and within the limits indicated below, including name and surname, registration credentials to the reporting system implemented by the Joint Controllers and managed through the Whistleblowing Platform, offered by an external supplier, which operates as the Joint Controllers’ data processor and bound to confidentiality, in ways totally separated from the Group systems. The identification data and the registration email (which cannot be a Brembo company e-mail to protect the confidentiality of the whistleblower) are provided by the whistleblower when registering on the platform and reporting, or can be acquired, where necessary, during the investigative activities and consequent assessments;
• Identification data of the person concerned by the report, provided by the whistleblower and/or further acquired during the investigative activities and consequent assessments;
• Information relating to the reported events, depending on the contents of the report, including any reference to data relating to third parties who should be involved in the events subject to reporting and reported by the whistleblower or acquired during subsequent investigations.

For the purposes of managing the report, personal data may be supplemented on the basis of publicly available information and/or collected through third parties, depending on the specific circumstances of the report and always according to the principle of minimisation, and/or collected from the data subject and/or already be available to the Joint Controller of the process affected by the report.

It is understood that, on the basis of the facts reported, data belonging to special categories referred to in art. 9 (1) GDPR (and more specifically, in these contexts, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data relating to the health or sexual life or sexual orientation of the person), and/or data relating to criminal convictions and offences or related security measures pursuant to art. 10 GDPR may be reported or subsequently acquired in the context of the derived investigations.

The Joint Controllers do not collect personal data that are manifestly not useful for the processing of a specific report or, if accidentally collected (when reporting or subsequent investigation), immediately delete them. The reports, therefore, must not contain irrelevant facts.

Purpose and legal basis of processing

The data provided will be processed for the purpose of carrying out the necessary investigations, on the basis of the applicable legislation, aimed at verifying the validity of the fact subject to reporting and the adoption of the consequent administrative, judicial, and/or disciplinary measures and procedures.

The legal basis is therefore the compliance  with a legal obligation (Art. 6 (1) lett. c) and, in the case of special categories of data, Art. 9 (2) lett. g) GDPR, as established by the national provisions implementing EU Directive 2019/1937) concerning the protection of persons who report breaches of Union law and applicable national regulatory provisions[1] (hereinafter "Whistleblowing Regulation").

Nature of provision and processing methods

The provision of data such as e-mail and password by the whistleblower is necessary to register and access the confidential area of the report on the platform managed by a third party provider, and therefore be able to guarantee the confidentiality of the identity of the whistleblower, the person concerned and the person mentioned in the report, as well as the content of the report and the related documentation; therefore, failure to provide them will not allow the controller to accept the report.

Sending a report is completely optional. However, once the whistleblower decides to send a report, the provision of other data by the whistleblower, such as name and surname, is mandatory, since the possibility of anonymous reports is not foreseen. Failure to provide such data does not allow the whistleblowing process to continue.

Data will be processed with IT and electronic tools with organisational and processing logics strictly related to the purposes indicated above, as indicated in the relative corporate whistleblowing procedure, and in any case in order to guarantee data correctness, security, integrity and confidentiality in compliance with the organisational, physical and logical measures provided for by the provisions in force.

The information and documentation related to the report, as well as the information flows with the entities involved in the check, are managed and stored only within the platform, in order to guarantee the highest level of security and confidentiality and in compliance with the appljcable provisions.

It should be noted that in the event that the written form has been used to make the report, it is still possible, with the consent of the interested party, to proceed to its conservation through registration on a suitable device or with a detailed report or minutes.

In the case of reports made orally through the Whistleblowing Platform messaging channel, or directly to the Chief Internal Audit Officer, the report will be documented in writing, with the prior consent of the whistleblower, by registration on the Platform.

Data recipients and data transfer

The personal data collected are processed by the personnel authorised specifically for this processing, identified by the Brembo Group, as indicated in the relevant Whistleblowing procedure of the Joint Controllers, and specifically the persons responsible for reporting at the Brembo N.V. Global Central Function Internal Audit, who act on the basis of specific instructions provided regarding the purposes and methods of the processing itself.

Personal data are also accessible, for the sole purpose of managing the Whistleblowing Platform, to the company that provides the Whistleblowing Platform, and carries out outsourcing activities on behalf of the Joint Controllers, who has been appointed Data Processor (Digital PA S.r.l.).

In addition, in cases where it is necessary, for the purpose of ascertaining the substantiation of the fact subject to reporting, the related investigative activities and the adoption of the consequent measures, the personal data of the data subjects may be sent to the staff of the Joint Controller concerned by the report belonging to the departments in charge for the adoption of the measures to protect the Joint Controllers or for the initiation of any disciplinary measures, as well as to any legal consultants, to the judicial authority and to the pertinent authorities and other boards/bodies of public law competent in relation to the reported case.

It is understood that the identity of the whistleblower cannot be disclosed without his/her consent, which the relative Joint Controller will request in the cases specifically provided for by the Whistleblowing Regulations.

Personal Data will be processed within the European Union and stored on servers located within the European Union. 

Personal data retention

The data will be kept for the period necessary and proportionate to comply with the obligation imposed by the Whistleblowing Regulations. It is understood that in application of the principle of minimisation, personal data that are manifestly not useful for the processing of a specific report will not be collected and, in the event of accidental collection, must be immediately deleted by the Data Controller.

Reports and relative documentation are kept for the time required for processing of the report, and in any event for no more than five years after the date that the whistleblower is notified about the final outcome of the report.

Rights of the data subject

Data subjects can exercise the rights provided for in articles 15 to 21 of the GDPR (right of access, rectification, cancellation and limitation of processing, as well as opposition) by contacting, as a priority, Brembo N.V., which acts as contact point, or its Data Protection Officer (DPO) at the email address privacy@brembo.com, or by written communication to the address below. Brembo N.V. will handle the request and provide feedback in accordance with the law (pursuant to Art. 26 (3) GDPR, the data subject may in any case exercise his/her rights also with respect to the other Joint Controllers at the addresses shown in the table below), without prejudice to the limitations on the exercise of the rights provided for by the applicable national legislation, in the event that the exercise of these rights may result in an effective and concrete prejudice to the confidentiality of the identity of the person reporting the breach of which s/he has become aware by reason of his/her office.

The data subject can also lodge a complaint with the pertinent supervisory authority (for example the Garante per la protezione dei dati personali  in Italy).

Identity and contact details of the Joint controllers and Data Protection Officer

Data controllers of personal data are (depending on the company to which the report relates):