1. Introduction

Pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 on the “protection of natural persons with regard to the processing of personal data” (hereinafter also “GDPR”), and of Legislative Decree 196/2003 as amended, we will provide you with the requested information on the processing and use of the personal data of whistleblowers, of the person under investigation and any other third parties (hereinafter referred to as ‘interested’) involved in the processing of the reports governed by the whistleblowing procedure of the Università Cattolica del Sacro Cuore.

2. Identity and contact details for the Data controller

The Controller of the processing of your Data is Università Cattolica del Sacro Cuore, with registered office in Largo Agostino Gemelli 1, 20123 Milan, telephone (+39) 027234.1.

3. Categories of personal data

"Personal data", as specified in Article 4 of the GDPR, means ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

Subsequent to a non-anonymous report from its staff, the University may become aware of the following personal data (referring to the whistleblower or, possibly, to the reported person):

  • name and surname of the whistleblower together with other information that he/she freely releases such as telephone number, email address, postal address etc.;
  • information on the reported person that can be uploaded to the appropriate digital channel set up by the University to enable forwarding of the report.

Notwithstanding, the University will process this data exclusively for purposes strictly connected with, and instrumental to, verifying the authenticity of reports of irregularities or in order to fulfil specific legal obligations related to the purposes of the report.

4. Purposes of the processing and legal basis

Data collected will be processed for the following purposes:

  1. To carry out the obligations related to Legislative Decree 231/2001 and Law no. 179 dated 30 November 2017, relating to the reporting of unlawful conduct that is pertinent to, and based on, precise and consistent factual elements or violations of the organisation, management and control model.
  2. To process the reports received, to ascertain the facts contained therein and to take the appropriate measures.
  3. To claim and/or defend the rights of the University in civil, criminal and/or administrative litigation cases.
  4. For security and property protection purposes.

The legal basis of processing is constituted:

  1. For purposes under 1), by compliance with legal obligations;
  2. For purposes under 2), 3) and 4), by the legitimate interest pursued by the Controller.

The whistleblower is required to provide the data; any refusal will make it impossible to implement the complaint procedure.

5. Processing methods

Personal Data are processed manually, digitally and electronically, applying logic strictly connected to the purposes and, in any case, in such a way as to guarantee the security and confidentiality of the Data pursuant to the laws in force.

6. Data storage period

The University will process the Data for the time strictly needed to achieve the above-mentioned purposes, without prejudice to any storage terms established by law or regulations. Your data will be deleted or stored in a form that does not enable your identification, for 5 years from the conclusion of the procedure carried out by the Supervisory Body following the report, without prejudice to any possible withholding terms provided for by law or by regulations. Where necessary, the Data may be further withheld for additional processing that is deemed indispensable in the event that a judicial and/or disciplinary action is initiated against the reported person or against the whistleblower who has made false or defamatory statements or who has acted in bad faith; in these cases the data may be kept until the final conclusion of the judicial and/or disciplinary procedure.

7. Subject categories that the Data can be communicated to

Excluding the fulfilment of obligations deriving from the law, the personal data you provide will have no scope for communication and dissemination.
The recipient of the personal data is Università Cattolica del Sacro Cuore Supervisory Body which, in accordance with the provisions of current legislation and the whistleblowing procedure, is required to ensure the confidentiality of the identity of the reporting party. Personal data may be disclosed to the head of the corporate body in charge of disciplinary proceedings and/or to the accused only in cases where there is the express consent of the whistleblower or where the dispute of the disciplinary charge is based solely on the reporting and, therefore, the knowledge of the identity of the whistleblower is absolutely essential for the accused’s defence.
When enough facts or circumstances exist to meet the legal requirements, the personal Data may also be disclosed to third parties, included in the following categories: a) Consultants (Law Firms etc.), b) Companies in charge of the administration and management of personnel, the retention of personal data of employees, the development and/or operation of the information systems dedicated to the aforementioned, c) Institutions and/or Public Authorities, Judicial Authorities, Police Bodies and Investigative Agencies.

8. Transfer of personal data to non-EU countries

Without prejudice to specific requirements that will be agreed upon from time to time, Data cannot be transferred to non-EU countries.

9. Data Protection Officer, D.P.O.

The University has appointed a Data Protection Officer (D.P.O.), who can be contacted on

10. Rights of the Data subject

The Data Subject has the right to know what data concerning him/her (as the whistleblower, the person under investigation, the witness etc.) is held by the University for the whistleblowing reporting process, as well as the methods of their use and, when the conditions are met, he/she can attain cancellation, updating, rectification or, if of interest, data integration. The rights of the Data Subject (specifically, whistleblower) may be limited pursuant to, and for, the purposes of art. 2-undecies, first paragraph lett. f) of Legislative Decree 196/2003 and subsequent amendments and in accordance with art. 23 of EU Regulation 2016/679, if the scope of the aforementioned rights results in tangible and actual prejudice to the confidentiality of the identity of the whistleblower.
The assessment of the need to limit the rights of the Data subject is the duty of the Data Controller who is responsible for the competent functions on the matter. In this case, the Data Controller must rapidly communicate justification to the interested party regarding the rejection/delay/limitation/exclusion of the request to exercise the above rights, without prejudice to the provisions of art. 2-undecies paragraph 3 of Legislative Decree 196/2003 and subsequent amendments.
In the event that access to the personal information of the Data subject is granted, the personal information of third parties, such as the whistleblower, reported person or witnesses, will be removed from the documents, except in exceptional circumstances.
To exercise the rights described above, you can contact the Supervisory Body at

Updated on: 27 November 2020