Send a report with the utmost confidentiality.

SECURITY AND DATA PROTECTION

Protection of the whistleblower provided by the law

Act XXV of 2023 on complaints, disclosures in the public interest and related rules on reporting abuses (commonly known as the Whistleblower Protection Act) lays down the rules of whistleblower protection.

No retaliation, discrimination or unfair treatment of any kind may be imposed on a whistleblower who has acted in good faith. Nor may a whistleblower be subjected to any disadvantage if a report made in good faith is found to be unsubstantiated during the investigation.

In the case of lawfully filed reports, whistleblowers are entitled to protection under the law if they have been subjected to an adverse measure and the reported conduct breaches certain EU laws or the national statutory instruments ensuring their harmonised implementation. Such statutory instruments include the Union acts listed in Annex 1 and Annex 2 to Act XXV of 2023 on Complaints, Disclosures in the Public Interest and Rules Associated with the Reporting of Abuse, and the statutory provisions that ensure their implementation.

The personal data of a whistleblower who has disclosed their identity, and the personal data of a person subject to the report, as held in the internal whistleblowing system, may not be disclosed to anyone other than duly authorised persons. Pending the conclusion of the investigation or the initiation of formal prosecution as a result of the investigation, the persons investigating a report may, in addition to informing the person concerned by the report, share information about the content of the report and the person concerned with other departments or staff of the employer to the extent strictly necessary for conducting the investigation.

Where it becomes apparent that a whistleblower has disclosed untruthful data or information in bad faith, and this gives rise to circumstances suggesting that a crime or a breach of rules has been committed, or there are reasonable grounds to believe that they have caused unlawful damage or other legal harm to another person, their personal data will be transferred at the request of the agency or person authorised to institute and conduct the proceedings.

Data processed within the internal whistleblowing system may be transferred to a third country or an international organisation only if the recipient has given a legal commitment to comply with the rules on whistleblower reporting laid down in Act XXV of 2023, and with due regard to the requirements applicable to the protection of personal data.

Infrastructure and security

In line with the law, the whistleblowing software guarantees the highest levels of security both for the whistleblower and for the infrastructure.

Security of the whistleblower and the reports

  • Asymmetric encryption of textual contents and attachments: encryption requires no specific action from the users. The cryptographic system ensures that messages and attachments can be read only by the sender and by the recipient, through the combination of a public and a private cryptographic key.
  • Login with smart card.
  • Access regulated in accordance with privacy legislation: reports can be accessed only by entering credentials (registered users) or the codes associated with the report (unregistered users).

Application security

The application guarantees the secrecy of the whistleblower's identity by separating the registration process from the process of entering a report, so that the two sets of data are kept apart: the report itself does not show the whistleblower's name. The person responsible for the investigation can activate the procedure by which the system links the whistleblower's identity to the report, when this is considered necessary and in the cases provided for by law; the investigator must enter a motivation for the request to reveal the whistleblower's identity. The application automatically notifies the whistleblower of this action and records it in the system logs. If the report was made anonymously, the link cannot be established.

  • DigitalPA dedicated servers: maximum levels of data protection and security, guaranteed both by DigitalPA and by the server farm infrastructure, both certified under ISO 27001/2014.
  • Integrated hardware and software firewalls: every platform has an integrated firewall with strict rules that limit access and actions exclusively to the tasks the user must perform with the software; the integration of the different firewalls further enhances security.
  • SSL certificate: the whistleblowing software is accessible exclusively over HTTPS (Secure Sockets Layer).
  • Dedicated IP and SSL certificate for each client.
  • User input validation: the platform validates all user input against extremely strict rules, both on the client and on the server.
  • CSRF prevention: all requests handled by the platform are protected by a CSRF token.