Data Controller
The Data Controller is Medspa s.r.l., represented by its legal representative pro tempore, with registered office at Corso Sempione n. 17, Milan. Email: privacy@medspa.it, certified email (PEC): medspa.srl@pec.it
Contact details of the Data Protection Officer (DPO)
The DPO can be contacted by sending an email to dpo@medspa.it
Type of data processed
The reporting process is designed to protect the anonymity of the whistleblower.
It is possible, by following the instructions provided on the dedicated page, to hide your IP address.
The operator in charge of managing and forwarding reports is not authorised to disclose any personal data unless such information is voluntarily provided by the whistleblower to facilitate investigative and judicial activities.
Purpose of data processing
Personal data is collected and processed for purposes strictly connected to the management of reports concerning unlawful conduct, activities and/or behaviours that do not comply with the procedures implemented by the company.
This includes violations of professional conduct standards and/or ethical principles required by applicable regulations, as well as unlawful or fraudulent behaviour attributable to employees, corporate officers or third parties (clients, suppliers, consultants, collaborators).
Legal basis
The legal bases for the processing of personal data for the purposes indicated above are:
- the need to comply with legal obligations to which the Data Controller is subject (see in particular Art. 6, para. 2-bis et seq. of Legislative Decree 231 of 8 June 2001);
- the need to ascertain, exercise or defend a right in judicial proceedings.
Data retention period
Data is stored only for the time strictly necessary to achieve the purposes for which it is processed or for the periods provided for by national and EU laws, rules and regulations applicable to the organisation.
In particular, the Data Controller has defined the following retention periods:
- reports considered irrelevant and archived according to the company procedure adopted by the Controller will be deleted 60 days after completion of the verification of the facts reported;
- all other reports received through the authorised reporting channels, including any documents attached to the report or received during the investigation phase, are retained for 5 years from receipt; where judicial proceedings are initiated, the applicable limitation period applies instead, running from the date of closure of the report.
After these retention periods, reports may be stored only in anonymised form for statistical purposes.
Confidentiality and protection of the whistleblower
The Data Controller protects the confidentiality of the whistleblower’s identity during all activities relating to the management of the report and prohibits retaliatory or discriminatory acts, whether direct or indirect, against the whistleblower for reasons connected directly or indirectly to the report.
Therefore, except in cases where liability for slander or defamation may arise pursuant to the Criminal Code or Art. 2043 of the Civil Code, and in cases where confidentiality cannot be invoked by law (e.g. criminal, tax or administrative investigations, inspections by supervisory authorities), the identity of the whistleblower will be protected from the moment the report is received and throughout all subsequent phases, in accordance with Privacy regulations.
The identity of the whistleblower may be disclosed only when:
- a) the disciplinary charge is based, wholly or partly, on the report and knowledge of the whistleblower’s identity is absolutely essential for the defence of the reported person;
- b) mandatory legal provisions require Medspa s.r.l. to disclose the whistleblower’s identity.
All individuals who receive and/or are involved in managing reports are required to protect the confidentiality of this information.
Violation of the confidentiality obligation constitutes grounds for disciplinary liability, without prejudice to any additional forms of liability provided for by law.
Transfer of data outside the EU
No transfers of data outside the EU are envisaged.
Rights of the data subject (Arts. 15–22 of EU Regulation 679/16)
The data subject has the right to access personal data; to request rectification or erasure; to request restriction of processing; to object to processing; to data portability; and to withdraw consent without affecting the lawfulness of processing based on consent before its withdrawal. Where the data subject considers that these rights have been infringed, a complaint may be lodged with the Data Controller, the Data Protection Authority or the competent Judicial Authority. The rights may be exercised at the company’s registered office using the contact details provided under “Data Controller” or by contacting the DPO using the contact details provided above.
Limitations to the rights of the reported person and other concerned individuals
The following information is provided for transparency towards the reported person and any other individuals potentially mentioned in a report, to inform them about limitations to exercising certain GDPR rights:
Right to information – the right to be informed about the processing of one’s personal data under Articles 12 and 14 GDPR is limited due to secrecy and confidentiality obligations imposed by Legislative Decree 231/2001, as amended by Law 179/2017, and due to the risk of making it impossible or seriously impairing the purposes of whistleblowing (see Art. 14(5), letters b) and d) GDPR).
Other data subject rights – the rights under Articles 15–22 GDPR cannot be exercised (via request to the Controller or complaint under Art. 77 GDPR) where doing so would result in actual and concrete harm to the confidentiality of the whistleblower’s identity (see Art. 2-undecies of the Privacy Code and Art. 23 GDPR) and/or compromise the objectives of compliance with whistleblowing regulations.
In particular, the reported person is informed that the exercise of such rights:
• will be allowed in accordance with applicable legal or regulatory provisions;
• may be delayed, restricted or excluded with a justified communication provided without undue delay to the data subject, unless such communication may compromise the purpose of the restriction, for the time and to the extent necessary to safeguard the confidentiality of the whistleblower’s identity;
• may, in such cases, be exercised through the Data Protection Authority (“Garante”), which will inform the data subject of having conducted all necessary checks or reviews, and of the right to judicial remedy.
The exercise of rights by the reported person (including the right of access) will therefore be possible only within the limits permitted by applicable law; requests will be assessed by the competent bodies in order to balance the protection of individuals’ rights with the need to prevent and counter violations of corporate governance rules and applicable regulations.
Copy and paste the following link into your browser to submit a report: medspa.smartleaks.cloud