Your identity is protected
The report is not linked to your account. Reports are sent anonymously. Your identity will be accessible only to the whistleblowing manager if necessary.

Create an account

Registration Guide
1
User Data
2
Information and Terms
3
Privacy Policy
  • The password should consist of a minimum of 8 character types.
  • The password must have at least one numerical character.
  • Password must contain at least one uppercase letter.
  • Password must contain at least one lowercase letter.
  • The password must have at least 1 of these special characters: -_.*!$@
  • The password can not contain the following characters ' '.
Aware of liability in case of false statements, production or use of false documents, pursuant to and by effect of art. 76 of the D.P.R. 445 of 28 December 2000, I declare the truthfulness and accuracy of the data entered and transmitted through the present software.
Privacy Policy*

Privacy policy pursuant to Arts. 13 and 14 of EU Regulation no. 679/2016 (GDPR)

 

DATA CONTROLLER AND CONTACTS

The Data Controller is Azienda Trasporti Milanesi S.p.A. (ATM), with registered office in Foro Buonaparte 61, 20121, Milan (Italy). The Data Protection Officer, whom you can contact to exercise your rights under art. 13 and/or for any clarifications regarding personal data protection, can be contacted at the following email address: rpd@atm.it.

PURPOSE OF THE PROCESSING AND LEGAL BASIS

The purpose of the processing is the management of whistleblowing reports, according to the obligations established by current legislation on the protection of personal data. The legal basis is a legal obligation (Italian Legislative Decree no. 24 of 30 March 2023, Law on Whistleblowing no. 179 of 30 November 2017) to which it is subject the Data Controller pursuant to art. 6, paragraph 1, letter c, of EU Regulation no. 679/2016.

CATEGORIES OF DATA PROCESSED AND RECIPIENTS

Data processed are solely registration data and those disclosed contained in the reports. Among the data provided voluntarily, the following may be acquired: name, surname, email address, identification document, other data contained in the reports. Personal data relating to the profile cannot be directly viewed in the report. The data may be communicated to public authorities (e.g. at the request of the judicial authority).

METHODS OF PROCESSING AND POSSIBLE TRANSFER OF DATA

The data are processed only for the purposes mentioned above and according to the principles of lawfulness, correctness, transparency, accuracy, integrity and confidentiality, established by the regulations in force. The personal data management takes place through automated and computerized processes. The granting of the registration data (name, surname, email address and identification document) is mandatory and the non-disclosure of the data makes it impossible to create a whistleblower (reporting entity). The personal data processed are separated from any reports and the association between the whistleblower’s identity and the report  can be carried out by “Responsible” person in charge for reports management (‘Anti-corruption Representative of ATM Group or ‘AR’, SB, etc.); the law, in fact provides that the whistleblower becomes recognizable in order to be able to use the protection granted to it. The personal data collected will not be transferred outside the European Economic Area.

DATA RETENTION PERIOD

The data will be kept for 5 years starting from the date of communication of the final outcome of the reporting procedure or longer period for the protection of the company position.

DATA SUBJECT RIGHTS

All the rights of the data subject are guaranteed in accordance with the provisions of articles 15, 16, 17, 18, 20, 21, 22 and 77 of the GDPR:

  • right of access to your personal data and all information on the processing carried out;
  • right to rectification of inaccurate personal data and integration of incomplete data;
  • right to erasure (‘right to be forgotten’);
  • right to limit the processing of your personal data;
  • right to data portability;
  • right to object to the processing of your personal data;
  • right not to be subject to a decision based solely on automated processing;
  • right to lodge a complaint with the Italian Data Protection Authority in case a violation is thought to have been carried out.

Data subject rights cannot be exercised within the limits of the provisions of article 2-undecies of Legislative Decree no. 101 of 10 August 2018, if they could result in an effective and concrete prejudice to the confidentiality of the identity of the employee who reports the offense of which he has become aware by reason of his office. The exercise of the same rights may be delayed, limited or excluded with reasoned communication made without delay to the data subject, unless the communication could compromise the purpose of the limitation, for the time and within the limits in which this constitutes a necessary and proportionate, considered the subjects rights. In such cases, data subject rights can also be exercised through the Italian Data Protection Authority in the manner prescribed by the article 160 of Legislative Decree no. 101 of 10 August 2018.