ARITHMOS Privacy Statement
Information and Privacy Policy
Information pursuant to Art. 13 EU Reg. April 27, 2016 No. 679
Pursuant to Article 13 of the European Regulation, on the protection of individuals with regard to the processing of personal data, we inform you that the personal data of the candidate for the establishment of an employee relationship are processed in accordance with the following principles and rules.
General principles of processing
Processing will be carried out by means of collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction and will be carried out by the owner, managers and persons authorized for processing.
Personal data are: processed in a lawful, correct and transparent manner; collected for specified, explicit and legitimate purposes and thereafter will be processed in a manner not incompatible with those purposes; adequate, relevant, limited to what is necessary in relation to the purposes for which they are processed; accurate and up-to-date, committing the co-owner to take the necessary measures to delete or rectify the data in relation to the purposes for which they are processed; kept in a form that allows the identification of the interested party for the time strictly necessary to achieve the purposes for which they are processed; processed with the utmost confidentiality, both with computer and paper tools, in compliance with the principles dictated by the European Regulation on the protection of personal data, the prescriptions issued by the Control Authority and in any case in such a way as to ensure adequate security, including protection, with appropriate technical and organizational measures, from unauthorized or unlawful processing or from loss, even accidental.
(a) Identity and contact details of the co-owner of data processing
The co-owners of the data processing, in co-ownership, are Arithmos S.r.l., with registered office in Italy, Via Germania 2, 37136 Verona VAT N. IT03568990232, and Arithmostech Ltd., with its place of business at Booths Hall, Suite M3, Chelford Road, Knutsford, WA16 8GS, United Kingdom. The Co-Ownership Agreement is available here.
For the purposes of exercising the rights provided by the Regulations and for any request relating to personal data, the data subject may contact the co-owners of the data processing by sending a communication to the email address privacy@arithmostech.com.
(b) Purpose and legal basis of data processing
Personal data are processed by the co-owners for the following purposes:
1. Handling of requests from users via special form;
2. Marketing activities, including but not limited to direct sales, sending of
advertising material, market research, commercial communication;
For the same purposes, data of individuals who are employees and/or self-employed workers of current or potential client companies of the co-owners are processed.
The processing of personal data for the purpose indicated in point 1 is lawful pursuant to Article 6, letter b) of European Regulation 679/2016 (“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”).
The processing of personal data for the purpose indicated in point 2 is lawful if and insofar as the data subject has given consent to the processing of his or her personal data, pursuant to Article 6, letter a) of European Regulation 679/2016 (“the data subject has given consent to the processing of his or her personal data for one or more specific purposes”).
The data subject is also made aware that the personal data that the co-owners will come into possession of upon the conclusion of the contract with the customer, and in particular the e-mail address, may be used in the future for promotional activities relating to services similar to those covered by the contract. The data subject may always object to the processing, with a simple request to be sent to the Data Controller at the indicated email address. The processing in question is lawful insofar as it is necessary for the pursuit of the legitimate interest of the Data Controller Art. 6 (f) of European Regulation 679/2016).
(c) Possible recipients or categories of recipients of personal data
The personal data that the co-owners of the data processing will come into possession of are not subject to dissemination.
The data may be known by the persons in charge and those responsible for processing. In particular, the data may be known by other employees and/or collaborators, internal and external, of the co-owners.
(d) Data transfer to third countries
ArithmosTech Ltd. is a company with registered office and business place in United Kingdom, a country that offers – according to European Commission – an adequate protection in the data processing.
By conferring data, Data Subject acknowledges that the Data will be processed outside the European Union.
(e) Period of storage of personal data
The data shall be kept for a period not exceeding that necessary to pursue the purposes explained above and in any case for a period not exceeding two (2) years. In any case, until the data subject may to the co-owners his or her wish to delete his or her personal data from the archives and/or not to receive promotional communications.
(f) Right to withdraw consent
The data subject always has the right to revoke consent to the processing of personal data for the purpose indicated in point 2 of the paragraph “Purposes and legal basis of processing”; in any case, revocation of consent to processing does not affect the lawfulness of processing based on the consent given before revocation.
(g) Right to lodge a complaint
The data subject has the right to propose a complaint to the Supervisory Authority of the country where the co-owners of the data processing have their registered office.
(h) Mandatory or optional nature of providing data
The provision of personal data is not required by law or contract, but refusal to provide them may result in the objective impossibility for the co-owners to pursue the purposes indicated in point 1.
The provision of personal data for promotional purposes and for profiling is optional.
(i) Possible recipients or categories of recipients of personal data
The Data Subject has the right to obtain access to personal data from the co-owner of the data processing.
In particular, the Data Subject has the right to obtain from the co-owner of the data processing confirmation as to whether or not personal data concerning him or her is being processed and, if so, access to the personal data and the following information:
- the origin of the personal data, if the data are not collected from the data subject;
- the purposes and methods of processing;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients in third countries or
international organizations; - the expected period of retention of personal data, or, if this is not possible, the criteria adopted to determine this period;
- the existence of the data subject’s right to request from the controller the rectification or erasure of personal data or the restriction of the processing of
data concerning him or her or to object to their processing; - the right to lodge a complaint with a supervisory authority;
- the existence of an automated decision-making process, including profiling, and, at least in such cases, meaningful information about the logic used, as
well as the importance and the expected consequences of such processing
for the data subject; - where the data are transferred to a third country or international organization, the adequate safeguards under Article 46 of Regulation
679/2016 of such transfer.
Cookie Policy
Information on the use of cookies Regulation (EU) No. 2016/679 (“GDPR”)
Arithmos S.r.l. protects the confidentiality of personal data and provides them with the necessary protection from any event that may put them at risk of being breached. As required by the European Union Regulation No. 2016/679 (“GDPR”) and the current legislation on the processing of personal data we provide the user (“Data Subject”) with information about the so-called “cookies”.
(a) Data Controller
The data controller is Arithmos S.r.l. with registered office in Via Germania n. 2, 37136 – Verona, with VAT no. and C.F. 03568990232.
In order to exercise the rights listed in this statement, the interested party may contact the Controller at the following addresses: Via Germania n. 2, 37136 – Verona; e-mail address: info@pmholding.it; Tel. +39 045 585492.
(b) What are cookies
Cookies are small text strings that sites visited by the user send to his terminal (usually to the browser), where they are stored, to be then retransmitted to the same sites on the next visit of the same user.
In the course of browsing a site, the user may also receive on his terminal equipment cookies that are sent by different sites or web servers (so-called “third parties”), on which some elements (such as, for example, images, maps, sounds, specific links to pages of other domains) present on the site he is visiting may reside.
(c) Technical, analytical and profiling cookies
Technical cookies allow the transmission of a communication over an electronic communication network or to provide a service requested by the user. For example, technical cookies are those that automatically recognize the language the user uses, those that facilitate online shopping, those that make home banking procedures less complex and more secure, etc.
Technical cookies are distinguished into session cookies, which are automatically deleted when the browser is closed, and persistent cookies, which remain stored in the user’s terminal until the set expiration date.
Analytical cookies are used by website operators to collect information in an aggregate manner of a statistical nature (e.g. to know the number of visitors to the site).
Profiling cookies control the user’s navigation, tracking it in order to monitor and profile the user (by tastes, habits, consumption choices, to send personalized advertising).
(d) Data processed
Cookies may collect information and personal data such as IP address, nationality, city, date/time, device, browser, operating system, screen resolution, navigation origin, pages visited and number of pages, duration of visit, number of visits made.
The use of third-party cookies is governed by the rules prepared by the third parties themselves; therefore, the Data Subject is invited to read the privacy policies published on the third parties’ web pages.
(e) Installed cookies, purpose, deactivation, and management of cookies
The site only installs technical cookies. It does not install analytical cookies or profiling cookies.
Arithmos S.r.l. uses ReCaptcha on its sites and services to check whether data entry (e.g. in a contact or registration form) is done by a person or by an automated program in order to prevent misuse of the services provided. The use of ReCaptcha is subject to Google’s Privacy Policy (https://policies.google.com/privacy?hl=it) and Terms of Service (https://policies.google.com/terms?hl=it).
The use of third party cookies is governed by the rules prepared by the third parties and therefore the Data Subject is invited to read the information on the processing of personal data and the directions to manage or disable cookies published on the relevant web pages.
The User may at any time manage, i.e. request the general deactivation or deletion of cookies, by changing the settings of his/her internet browser. Such deactivation, however, may slow down or prevent access to certain parts of the site or make navigation less functional. The settings for managing or disabling cookies may vary depending on the internet browser you use. Therefore, for more information on how to do so, we suggest that Users consult their device’s manual or the “Help” or “Help” function of their internet browser.
Below are links indicating how to manage or disable cookies for the most popular internet browsers:
Internet Explorer: http://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies
Google Chrome: https://support.google.com/chrome/answer/95647
Mozilla Firefox: http://support.mozilla.org/it/kb/Gestione%20dei%20cookie
(f) Disclosure to third parties and categories of recipients
Personal data collected by the Owner through the use of cookies will not be disclosed to third parties.
(g) Transfer of data outside the EU
The site installs third-party cookies that are based outside the European Union: Google Re-captcha. Users are encouraged to review the disclosures issued by the third parties.
(h) Duration of data retention
The data retention duration is related to the persistence of the cookies.
Please refer to the table in the section “Installed cookies, purposes, deactivation and management of cookies”.
(i) Data Subject’s rights
The Data Subject has the right to obtain access to personal data from the data controller.
In particular, the Data Subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and, if so, access to the personal data and the following information:
(a) the origin of the personal data, if the data are not collected from the data subject;
(b) the purposes and methods of processing;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients in third countries or international organizations;
(d) the expected period of retention of personal data, or, if this is not possible, the criteria adopted to determine this period;
(e) the existence of the data subject’s right to request from the controller the rectification or erasure of personal data or the restriction of the processing of data concerning him or her or to object to their processing
(f) the right to lodge a complaint with a supervisory authority;
(g) the existence of an automated decision-making process, including profiling, and, at least in such cases, meaningful information about the logic used, as well as the importance and the expected consequences of such processing for the data subject;
(h) where the data are transferred to a third country or international organization, the adequate safeguards under Article 46 of Regulation 679/2016 of such transfer.
(l) Right to lodge a Complaint
The interested party has the right to propose a complaint to the Control Authority, represented in Italy by the Guarantor for the Protection of Personal Data. The complaint may be submitted by the interested party in the manner deemed most appropriate: by hand, by registered letter with return receipt, by fax or by e-mail. For information, the interested party is invited to consult the Guarantor’s website at www.garanteprivacy.it.
Careers
Information pursuant to Art. 13 EU Reg. April 27, 2016 No. 679
Pursuant to Article 13 of the European Regulation, on the protection of individuals with regard to the processing of personal data, we inform you that the personal data of the candidate for the establishment of an employee relationship are processed in accordance with the following principles and rules.
General principles of processing
Processing will be carried out by means of collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction and will be carried out by the owner, managers and persons authorized for processing.
Personal data are: processed in a lawful, correct and transparent manner; collected for specified, explicit and legitimate purposes and thereafter will be processed in a manner not incompatible with those purposes; adequate, relevant, limited to what is necessary in relation to the purposes for which they are processed; accurate and up-to-date, committing the co-owner to take the necessary measures to delete or rectify the data in relation to the purposes for which they are processed; kept in a form that allows the identification of the interested party for the time strictly necessary to achieve the purposes for which they are processed; processed with the utmost confidentiality, both with computer and paper tools, in compliance with the principles dictated by the European Regulation on the protection of personal data, the prescriptions issued by the Control Authority and in any case in such a way as to ensure adequate security, including protection, with appropriate technical and organizational measures, from unauthorized or unlawful processing or from loss, even accidental.
(a) Identity and contact details of the co-owner of data processing
The co-owners of the data processing, in co-ownership, are Arithmos S.r.l., with registered office in Italy, Via Germania 2, 37136 Verona VAT N. IT03568990232, and Arithmostech Ltd., with its place of business at Booths Hall, Suite M3, Chelford Road, Knutsford, WA16 8GS, United Kingdom. The Joint Controlling Agreement is available here.
For the purposes of exercising the rights provided by the Regulations and for any request relating to personal data, the data subject may contact the co-owners of the data processing by sending a communication to the email address privacy@arithmostech.com.
(b) Purpose and legal basis of data processing
The personal data provided by the candidate will be processed by Arithmos S.r.l. exclusively for personnel search and selection activities and in particular:
(a) to carry out the necessary assessments regarding the possible establishment of an employment or collaboration relationship with our company;
b) in case of positive evaluation, prepare the necessary documentation for the establishment of the employment or collaboration relationship.
The data processing is lawful in accordance with Art. 6, letter b) of the European Regulation 679/2016 insofar as it is aimed at implementing pre-contractual measures at the request of the data subject.
Where the processing concerns particular categories of data (for example, in the event that the CV refers to the candidate’s membership in protected categories), the processing of the data provided for the purposes of personnel search and selection has a legal basis in the consent of the data subject pursuant to Art. 9 lett. a) of European Regulation 679/2016.
(c) Possible recipients or categories of recipients of personal data
The personal data that the co-owners of the data processing will come into possession of are not subject to dissemination.
The data may be known by the persons in charge and those responsible for processing. In particular, the data may be known by other employees and/or collaborators, internal and external, of the undersigned Facility (e.g., employees working within the Personnel Department; external company that has access to the data controller’s computer system).
(d) Data transfer to third countries
ArithmosTech is a company with registered office and business place in United Kingdom, a country that offers – according to European Commission – an adequate protection in the data processing.
The transfer will be performed in compliance with the conditions of lawfulness set forth in Articles 44 et seq. of European Regulation 679/2016.
(e) Period of storage of personal data
The data shall be kept for a period not exceeding that necessary to pursue the purposes explained above and in any case for a period not exceeding two (2) years.
(f) Right to withdraw consent
The processing of the applicant’s personal data for the establishment of the employment relationship does not have a legal basis in the consent of the person concerned. Therefore, a candidate who has disclosed his or her personal data does not have the right to revoke consent to the processing of personal data; in any case, revocation of consent to the processing does not affect the lawfulness of the processing based on the consent given before revocation.
(g) Right to lodge a complaint
The data subject has the right to propose a complaint to the Supervisory Authority of the country where the co-owners of the data processing have their registered office.
(h) Mandatory or optional nature of providing data
The provision of personal data is not mandatory, but optional.
However, the provision of the data is strictly necessary for the pursuit of the purposes of personnel search and selection, and any refusal on the part of the candidate may result in the impossibility of carrying out the job proposal or offer.
(i) Data subject’s rights
The Data Subject has the right to obtain access to personal data from the co-owner of the data processing.
In particular, the Data Subject has the right to obtain from the co-owner of the data processing confirmation as to whether or not personal data concerning him or her is being processed and, if so, access to the personal data and the following information:
(a) the origin of the personal data, if the data are not collected from the data subject;
(b) the purposes and methods of processing;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients in third countries or international organizations;
(d) the expected period of retention of personal data, or, if this is not possible, the criteria adopted to determine this period;
(e) the existence of the data subject’s right to request from the controller the rectification or erasure of personal data or the restriction of the processing of data concerning him or her or to object to their processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) the existence of an automated decision-making process, including profiling, and, at least in such cases, meaningful information about the logic used, as well as the importance and the expected consequences of such processing for the data subject;
(h) where the data are transferred to a third country or international organization, the adequate safeguards under Article 46 of Regulation 679/2016 of such transfer.
Client and Supplier
Information Notice pursuant to art. 13 Regulation (EU) 2016/679 on 27th April 2016
Information on the processing of data belonging to employees of client and supplier companies
According to the European Regulation nr. 2016/679 (“GDPR”) any person who carries out personal data processing is required to inform the data subject (i.e. the person whom data belong to) on some elements qualifying data processing, which must be carried out with fairness, lawfulness and transparency, protecting the confidentiality and rights of the data subject.
General Principles of Data Processing
Data processing will be performed through collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction and will be carried out by the data controller, data processor and persons authorized to process data.
Personal Data will be processed lawfully, fairly and in a transparent manner; will be collected for specified, explicit and legitimate purposes and processed in a manner that is not incompatible with such purposes; they will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, accurate and up-to-date; they will be processed with the utmost confidentiality, mainly with electronic and automated means, and stored both electronically and on paper, and on any other type of suitable means, in accordance with the principles of the General Data Protection Regulation, the requirements given by the supervisory authority and, in any case, in such a way as to ensure adequate level of security, including protection, with adequate technical and organizational measures, from non-authorized or unlawful processing, or even accidental loss. Data will be stored in a manner that permits the identification of the data subjects for the extent strictly necessary to the achievement of the purposes for which they were processed.
ARITHMOS S.r.l. (Arithmos S.r.l.) undertakes the responsibility to observe specific security measures in order to prevent data loss, illegitimate or unfair use and unauthorized access, in full compliance with statutory and regulatory provisions.
The personal data voluntarily provided by yourself (both by email and other means of communication, or by spontaneous sending of your curriculum vitae through the website at the time of your application), will be stored in Arithmos’s database exclusively for the purposes specified above and for the time required by the relevant legislation.
Identity and Contact Details of the Data Controller
Data Controller is ARITHMOS S.r.l., a sole shareholder company, with registered office in Verona, Via Germania n. 2, VAT Number 03568990232.
For the purposes of exercising the rights provided for in the GDPR, and for any request relating to your personal data, you may contact the Data Controller by sending a communication to the following e-mail address: privacy@arithmostech.com
Contact Details of the Data Protection Officer
Arithmos S.r.l. has appointed as Data Protection Officer (DPO), Avv. Simone Baggio, whose email address is dpo@pmholding.it.
Purposes and Legal Basis of Data Processing
The processing of the personal data of client or supplier and employees of the client or supplier companies is aimed at carrying out contractual negotiations and executing the contract concluded with the holder of the employment relationship or at performing checks, controls and audits before or after the execution of the contract itself.
The processing of personal data of client or supplier is necessary for the performance of the contract to which the Data subject is party.
The processing of personal data belonging to employees of third-party companies is required for pursuing the legitimate scope of the undersigned company, and precisely it is necessary in order to execute the contract between Arithmos S.r.l. and the organization to which the employee belongs, or in the context of contractual negotiations, or again during checks, controls and audits.
Categories of personal data being processed
Data which are subject to processing are common data (which relate to client or supplier personal and fiscal data and the employment relationship, job tasks, personal and fiscal data, contractual data, etc.). No data relating to health condition and biometric or judicial data will be processed.
Possible Recipients or Categories of Recipients of Personal Data
Personal data acquired by the undersigned company are not subject to dissemination.
Personal data may be known by employees, autonomous collaborators, subsidiaries, sister companies and controlling companies, to the extent that such knowledge is necessary for the achievement of the purposes indicated.
These data may be communicated within the company and be known by the persons tasked with data processing and appointed as data processors by Arithmos S.r.l. The list of Data processor can be asked by email to the address privacy@arithmostech.com
Transfer of Personal Data to Third Countries
For the purposes specified, Arithmos S.r.l. uses the platform Zoho CRM, which is managed by the company ZOHO CORPORATION B. V, with registered office at Beneluxlaan 4B, 3527 HT Utrecht, the Netherlands, including ZOHO CORPORATION PVT. LTD., incorporated and registered in India, whose registered office is at Estancia IT Park, Plot No. 140 & 151, GST Road, Vallancherry Village, Chengalpattu Taluk, Kanchipuram District 603 202, INDIA. Arithmos S.r.l. transfers the personal data adopting data protection clauses set forth by the European Commission.
Arithmos S.r.l. could transfer your personal data for the purposes specified to other organization in Third Countries by adopting data protection clauses set forth by the European Commission.
Period of storage of Personal Data
Personal data will be stored by the undersigned company for the entire duration of the contract with the organization holding the employment contract and for ten years after the termination of the contract itself, and/or in any case in compliance with the requirements of the current civil, fiscal and administrative legislation on data storage. A longer period of storage of personal data may be due to requests made by the Public Administration or by another judicial, governmental or regulatory body, or caused by the participation of the undersigned company in judicial procedures involving the processing of personal data.
Rights granted to the Data Subject
Data Subjects are entitled to obtain access to personal data from the Data Controller, for free and without any limitation to third parties’ rights and freedoms. Particularly, they have the right to receive confirmation of whether or not their own personal data are being processed, and to receive the following information: a) the origin of the personal data, in case they were not collected from the data subject; b) the categories of personal data; c) the purpose and modality of treatment; d) the existence of an automated process, profiling included, and in that case the logic applied, the importance and any expected consequence of such processing for the data subject; e) updating or rectification; f) the deletion or limitation of the processing of their data (anonymization, blocking of unlawful data processing, including those whose storage is not required in relation to the purposes for which they were collected or then processed); g) the recipients or the categories of recipients to whom personal data have been or will be communicated, especially if they belong to international organizations or third countries (in the latter case, the data subject has the right to be informed of the existence of adequate guarantees pursuant to article 46 relating to data transfer); h) when possible, the expected period of storage of personal data or, in case it is not possible, the criteria used in order to determine such period.
Data Subjects have the right to withdraw their consent to data processing and to oppose data processing. Anyhow, the withdrawal of consent to data processing shall not affect the lawfulness of data processing based on the consent given before its withdrawal.
Data subjects also have the right to data portability.
Right to lodge a complaint
Data subjects have the right to lodge a complaint to the Supervisory Authority, which is represented in Italy by the Data Protection Authority, with its headquarters in Rome, Piazza Venezia, 11.
Mandatory or optional nature of data communication
The communication of your personal data is optional. The refusal to communicate them will prevent the company from pursuing the purposes specified in this information notice.
Existence of an automated decision-making process
The undersigned company does not use any automated decision-making process.
General Whistleblowing Disclosure
Reporting corporate wrongdoing
1. Foreword
This information notice is addressed to all persons who deal with Arithmos Srl and who are entitled to report possible corporate offences in which they were directly involved or of which they became aware.
The purpose of this information notice is to inform the reporting parties about the reporting channel made available for so-called whistleblowing, its operating mechanism, the procedure and deadlines for feedback, and the Company’s compliance with the relevant legal provisions.
The information is published on the Company’s website and is made available to interested parties upon request.
2. Entitled parties
Individuals who report a violation they learnt of in the course of their work are entitled to report corporate offences. Return in that category: workers employees and autonomous, free professionals and consultants, workers and collaborators provide goods goods services Company, volunteers, volunteers, the members, people with function direction administration and control, people the relationship of work with the Company Company is terminated and candidates in view of an assumption.
3. Content of the Report
Each Report must contain, if applicable to the specific case, the following elements: (i) identification data of the Whistleblower, (ii) description of the event (type of conduct, date and place of occurrence, parties involved); (iii) indication confirming whether the fact has occurred, is occurring or is likely to occur; (ivi) indication of the manner in which the Whistleblower has become aware of the fact; (v) existence of witnesses and, if any, their names; (vi) whether the Whistleblower has already reported the matter and, if so, to which function or manager; (vii) the specific function or management within which the suspicious conduct occurred; (viii) further information deemed relevant by the Whistleblower.
The subject of the report may be any conduct or facts that, in the reporting party’s opinion, constitute or are potentially capable of constituting offences of a civil, criminal, administrative or accounting nature and are detrimental to a public or private interest.
In particular, the object of reporting may be Breaches of Model 231, i.e. unlawful conduct relevant under Legislative Decree 231/2001 and conduct contrary to the principles and rules contained in the Code of Ethics and/or the Model; Breaches of European Union law. Precisely, these are offences committed in violation of the European Union legislation indicated in Annex 1 of the Whistleblowing Decree (in particular, these are offences relating to the following sectors public contracts; financial services, products and markets; prevention of money laundering and financing of terrorism; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; privacy and protection of personal data, security of networks and information systems); acts or omissions that harm the financial interests of the European Union (art. 325 TFEU), as identified in EU regulations, directives, decisions, recommendations and opinions; acts or omissions affecting the internal market that jeopardise the free movement of goods, persons, services and capital (Art. 26(2) TFEU). This includes violations of competition, state aid and corporate tax rules; acts or conduct that frustrate the object or purpose of European Union provisions in the areas mentioned in the previous points.
4. Internal reporting channel
In compliance with legal obligations, Arithmos Srl has adopted an internal reporting channel pursuant to Article 4, Legislative Decree 24/2024. In line with the provisions of the ANAC Guidelines, according to which ‘in the private sector, the choice of the entity to be entrusted with the role of reporting manager is left to the organisational autonomy of each entity, in consideration of the requirements related to the size, the nature of the activity performed and the concrete organisational reality. and […] This role, purely by way of example, can be entrusted, among others […] to the Supervisory Board provided for by the regulations of Legislative Decree no. 231/2001’, Arithmos Srl has identified its own Supervisory Board, in the person of its single-member member, as the Manager of internal reports.
5. Reporting procedures
In the event of Violations of the 231 Model, the Whistleblower must exclusively use the Internal Reporting Channel and follow the procedure established by Arithmos S.r.l..
In the case of EU Violations, the Whistleblower is encouraged to report them promptly, using – in the order of priority specified below – one of the following reporting channels: Internal Channel, preferably; External Channel; Public Disclosure, residually.
In detail, Whistleblowers should preferably use the Internal Channel and only in a subordinate and residual way the External and Public Disclosure channels.
The Whistleblower may in fact resort to the external channel only if: (i) the activation of the internal channel is not envisaged as mandatory in his work context, or, if it is envisaged, it has not been activated, or, if it has been activated, it does not comply with the requirements of the Whistleblowing Decree, in that it is unsuitable for guaranteeing the confidentiality of the Whistleblower and of the Report (ii) the Report has not been followed up, as the person entrusted with the management of the channel has not undertaken any activity in relation to the Report within the timeframe set out in the Whistleblowing Decree; (iii) has reasonable grounds to believe that, if he/she were to make the Report internally, it would not be followed up or would face retaliation; (iv) has reasonable grounds to believe that the Breach may constitute an imminent or obvious danger to the public interest.
Ultimately, the Whistleblower may have recourse to the public disclosure procedure if (i) the internal or external channel has been used beforehand, but has not been followed up; (ii) he/she has reasonable grounds to believe that the Breach may constitute an imminent or obvious danger to the public interest; (iii) the internal or external channels have not been used due to risk of retaliation or ineffectiveness of those systems.
5.1. Reporting procedure via Internal Channel
Offences may be reported in written or oral form.
The Report may be sent by registered letter to the following address: Avv. Simone Baggio, Largo Parolini n. 85, 36061 Bassano del Grappa (VI), c/o Studio Plura. The Reporting Party shall put the Report in two sealed envelopes, including, in the first one, its identification data (the non-anonymous reporting procedure is in fact preferable, with a view to facilitating the assessment of the Breach) and, in the second one, the subject of the Report; both envelopes shall then be put in a third envelope bearing, on the outside, the wording “confidential to the Reporting Manager“.
The Report may also be communicated through the following unregistered telephone line 0424/524397 and, at the request of the Reporting Party, through a direct meeting with the Reporting Manager.
The Report will be promptly handled by an appropriately trained staff member to ensure that the case is handled in accordance with the relevant regulations.
5.2. Reporting procedure via External Channel
The Whistleblower may report in written form through the IT platform set up by ANAC (https://whistleblowing.anticorruzione.it/#/), which has been outlined as the priority reporting channel, as it is best suited to guarantee the confidentiality of the Whistleblower and the Report;
The Whistleblower may also report orally, through a telephone service with operators or through direct meetings with ANAC officials.
5.3. Public disclosure
The Report may be made through means of dissemination capable of reaching a large number of people, such as the press and social networks (YouTube, Facebook, Twitter, etc.).
6. Procedural procedure
In case of use of the written communication channel (i.e., by registered letter A/ R), the Reporting Manager will file the Report received in a special place protected by adequate physical security measures, informing the Reporting Subject within 7 days of receipt of the Report, unless it is impossible to interact with the latter (as is the case, for example, with Anonymous Reports).
If the communication channel is used in oral form (i.e., unrecorded telephone line or face-to-face meeting), the Manager will draw up, respectively, a detailed record of the telephone massage received, or a minute of the meeting held, which should be countersigned by the Reporting Party in both cases.
Once the Manager receives the Report in the manner described above, he will first check that it is relevant and substantiated.
In particular, the Manager will check that the Reporting Party is one of the persons entitled to make the Report and that the subject of the Report concerns a relevant breach. If the Report is assessed as not inherent (e.g., personal grievances, labour disputes, interpersonal conflicts between colleagues, etc.), it may be handled in accordance with any procedures previously adopted by the Company for such violations, notifying the Reporting person thereof. The Manager shall also check that the Report contains at least (i) the identification data of the Reporting Party (name, surname, place and date of birth), as well as an address to which subsequent updates can be sent; (ii) the circumstances of time and place in which the event that is the subject of the Report occurred (description of the facts that are the subject of the Report, the circumstantial news; the manner in which the facts that are the subject of the Report came to the knowledge of the Manager).
Once the phase relating to the preliminary examination of the Report and its admissibility and admissibility to proceed has been completed, the Manager shall carry out all the investigations, analyses and assessments necessary to verify the validity or otherwise of the facts reported, directly acquiring the necessary information through the analysis of the documentation and/or information received, involving other corporate functions or external specialists (to whom the duties of confidentiality and privacy provided for by the Whistleblowing Decree must be extended), or conducting hearings of persons internal/external to the corporate apparatus.
At the end of this assessment phase and within 3 months from the date of receipt of the Report, the Manager shall communicate to the Whistleblower, alternatively: the fact that the Report has been dismissed, stating the reasons in support thereof; the ascertainment of the merits of the Report and its transmission to the competent bodies; the activity carried out so far and/or the activity it intends to carry out, reserving the right to inform it about the subsequent final outcome of the investigation of the Report.
7. Protection of the reporter
The protections provided for in favour of the Whistleblower are as follows: prohibition of retaliatory acts against him/her; obligation of confidentiality of his/her identity and of the information transmitted; limitation of his/her liability for disclosure of certain types of protected information.
The same protections are also provided for: (i) the natural persons assisting the Whistleblower in the reporting process and working in the same work context (so-called facilitators); (ii) other persons connected to the Whistleblower who might suffer retaliation in the work context, such as colleagues who have a habitual or recurrent relationship with the person; (iii) persons in the same work context who are connected to the Whistleblower by a stable emotional or family relationship up to the 4th degree.
7.1. Prohibition of retaliatory acts
The Company takes all necessary precautions in order to guarantee Whistleblowers against any and all forms of retaliation, discrimination and/or penalisation, direct or indirect, for reasons connected with the Report made. Examples of direct or indirect retaliation are (a) dismissal, suspension or equivalent measures; (b) downgrading or non-promotion; (c) change of duties, change of workplace, reduction of salary, change of working hours; (d) suspension of training or any restriction on access to it; (e) negative merit notes or negative references; (f) the adoption of disciplinary measures or any other sanction, including a fine; (g) coercion, intimidation, harassment or ostracism; (h) discrimination or otherwise unfavourable treatment; (i) failure to convert a fixed-term employment contract into an open-ended employment contract; (l) non-renewal or early termination of a fixed-term employment contract; (m) damage, including to a person’s reputation, particularly on social media or economic or financial prejudice, including loss of economic opportunities and loss of income; (n) inclusion on improper lists on the basis of a formal or informal sectoral or industry agreement, which may result in the person being unable to find employment in the sector or industry in the future; (o) premature termination or cancellation of a contract for the supply of goods or services; (p) cancellation of a licence or permit; (q) requesting psychiatric or medical examinations. Retaliatory acts committed in breach of this prohibition are null and void. Anyone who, in his capacity as a Whistleblower, believes he has suffered retaliatory or discriminatory acts for reasons directly or indirectly linked to the Whistleblowing, shall report the abuse to the SB and to the ANAC.
The Whistleblower loses protection: (i) if it is established, even by a judgment of first instance, that he/she is criminally liable for offences of defamation or slander, or if such offences are committed by reporting to the judicial or accounting authorities; (ii) in the event of civil liability for the same offence due to wilful misconduct or gross negligence. In both cases, a disciplinary sanction shall be imposed on the Whistleblower.
7.2. Confidentiality
Arithmos ensures the absolute confidentiality and anonymity – if any – of the identity of the Reporting Party (which may not be disclosed without its express consent, except to the competent figures authorised by law), as well as of the content of the Report and of the relevant documentation.
The Manager shall process each Report in compliance with the Privacy Law and, in particular, in accordance with the following principles: (i) transparency: the possible data subjects shall be provided ex ante with appropriate information on the processing of their personal data; (ii) purpose limitation: the Reports may not be used beyond what is necessary to adequately follow up on them; (iii) data minimisation: data that are clearly not useful for processing a specific Alert will be promptly deleted; (iv) limitation of storage: the Alerts and the relevant documentation will be kept for the time necessary to process them and, in any case, no longer than 5 years from the communication of the final outcome of the procedure.
7.3. Limitations of liability
The whistleblower shall not be held liable for the following offences: disclosure and use of official secrets (Article 326 of the criminal code) disclosure of professional secrecy (Art. 622 of the Criminal Code); disclosure of scientific and industrial secrets (Art. 623 of the Criminal Code); breach of the duty of loyalty and faithfulness (Art. 2105 of the Civil Code); breach of the provisions on the protection of copyright; breach of the provisions on the protection of personal data; disclosure of information on violations that offend the reputation of the person involved.
This protection regime applies provided that (i) at the time of disclosure or dissemination there are reasonable grounds for believing that the information is necessary to disclose the Breach being reported; (ii) the Breach reported falls within those listed in the relevant definition; (iii) the Reporting Party, at the time of reporting, had “reasonable grounds” for believing the information to be true; (iv) the Reporting is carried out in accordance with the procedures set out in the communication channels.
The Company shall sanction any conduct contrary to the rules of conduct set out in this Section: the relevant disciplinary measures shall be proportionate to the extent and gravity of the conduct ascertained and may go as far as termination of employment.
8. Retention of documents relating to reports
Pursuant to Article 14 of Legislative Decree 24/2023, reports and the related documentation shall be retained for as long as necessary for the processing of the report and, in any case, no longer than five years from the date of the communication of the9final outcome of the reporting procedure in compliance with the confidentiality obligations set out in Article 12 of Legislative Decree 24/2023 and the principle set out in Article 5(1)(e) of Regulation (EU) 2016/679 and Article 3(1)(e) of Legislative Decree No. 51 of 2018.
WHISTLEBLOWING – Information on the protection of personal data pursuant to Articles 13 and 14 GDPR 679/2016
General processing principles
The processing shall be carried out by means of collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction and shall be carried out by the data controller, data processors and persons authorised to process the data.
Personal data shall be: processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes and subsequently processed in a way that is not incompatible with those purposes; adequate, pertinent, limited to what is necessary in relation to the purposes for which they are processed; accurate and up-to-date, with the Controller undertaking to take the necessary measures to delete or rectify the data in relation to the purposes for which they are processed; kept in a form that permits identification of the data subject for the time strictly necessary to achieve the purposes for which they have been processed; processed with the utmost confidentiality, both by computer and on paper, in compliance with the principles dictated by the European Data Protection Regulation, with the prescriptions issued by the Supervisory Authority and in any case in such a way as to guarantee adequate security, including protection, with appropriate technical and organisational measures, from unauthorised or unlawful processing or from loss, even accidental.
Identity and contact details of the data controller
The data controller is Arithmos Srl, with registered office in Verona in via Roveggia n. 122, VAT number 03568990232.
For the purposes of exercising the rights provided for by the Regulation and for any request relating to personal data, the interested party may contact the Data Controller by sending a communication to the email address privacy@arithmostech.com
DPO
Arithmos Srl has appointed a Data Protection Officer (DPO), who can be reached at the email address dpo@arithmostech.com
Purpose and legal basis of processing
Personal data will be processed for the purpose of carrying out the necessary investigative activities aimed at verifying the validity of the fact being reported and the adoption of any measures that may be necessary.
Pursuant to Art. 6, para. 1, letter b), the processing is lawful insofar as it is necessary for the fulfilment of a legal obligation pursuant to Art. 6 , letter c, EU Reg. 27.4.2016, no. 670 (L. no. 179/2017, Legislative Decree no. 24/2023 on “Implementation of EU Directive 2019/1937”).
Recipients or category of data recipients
For the pursuit of the aforementioned purposes, the personal data provided may be made accessible only to those who, within the Company, need it for the role/task carried out in relation to the process of receiving, analyzing, investigating and managing reports. and any consequent actions.
These subjects are appropriately trained in order to avoid loss, access to data by unauthorized parties or unauthorized processing of the data themselves and, more generally, in relation to obligations regarding the protection of personal data.
The data may also be processed by external consultants and third parties with technical functions, who act as data processors/sub-processors and have signed a specific contract which promptly regulates the processing entrusted to them and the protection obligations. of data and security of processing pursuant to art. 28, paragraph 3 of the Regulation.
Finally, personal data may also be transmitted to other independent data controllers, based on laws or regulations (e.g. Public Authorities, Judicial Authorities, Court of Auditors and ANAC).
Data transfer to a third country
Your personal data will not be transferred outside the EU.
Personal data retention period
Your data are stored for a period of time not exceeding that necessary to pursue the purposes for which they were collected, in compliance with the provisions of legal obligations or in any case to allow the Company to protect its own rights and interests or that of third parties (e.g. defense in court).
The data is automatically deleted 5 years after the report is closed.
Right to withdraw consent
The processing of data provided by the Reporter is necessary for the fulfillment of a legal obligation and has no legal basis in the consent of the interested party. The Reporter therefore has no right to withdraw consent to the processing of personal data; in any case, the revocation of consent to processing would not affect the lawfulness of the processing based on the consent given before the revocation.
Right to lodge a complaint
The interested party has the right to lodge a complaint with the Supervisory Authority, represented in Italy by the Guarantor for the Protection of Personal Data. The complaint may be presented by the interested party in the manner deemed most appropriate: by hand, by registered letter with return receipt, by fax or by email. For information, the interested party is invited to consult the Guarantor’s website at www.garanteprivacy.it.
Mandatory or optional nature of providing data
The provision of data is optional; it is understood that any refusal to respond at the time of collection of the information, or any refusal to process the data may make it objectively impossible to take the report into consideration.
Rights recognized to the interested party
The interested party has the right to obtain access to personal data from the data controller.
In particular, the interested party has the right to obtain from the owner confirmation as to whether or not data concerning him or her are being processed and, in this case, access to the personal data and the following information:
a) the origin of the personal data, if the data are not collected from the interested party;
b) the purposes and methods of processing;
c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients are from third countries or international organisations;
d) the expected retention period of personal data, or, if this is not possible, the criteria adopted to determine this period;
e) the existence of the right of the interested party to ask the owner to rectify or delete personal data or to limit the processing of data concerning him or to oppose their processing;
f) the right to lodge a complaint with a supervisory authority;
g) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party;
h) if the data are transferred to a third country or to an international organisation, the adequate guarantees pursuant to art. 46 of Regulation 679/2016 of this transfer.
Data Controller
Arithmos S.r.l.
Location
Arithmos Research – Verona, VR ITALY
Info
The data controller is Arithmos S.r.l. with registered office in Via Germania n. 2, 37136 – Verona, with VAT no. and C.F. 03568990232.
In order to exercise the rights listed in this statement, the interested party may contact the Controller at the following addresses: Via Germania n. 2, 37136 – Verona; e-mail address: info@pmholding.it; Tel. +39 045 585492.