Institutional portal - Municipality of Milan

Information pursuant to articles. 13 and 14 of EU Regulation no. 2016/679

Pursuant to the articles. 13 and 14 of EU Regulation no. 2016/679 (General Regulation on the Protection of Personal Data), the following information is provided.

Data controller
The Data Controller is the Municipality of Milan with headquarters in Piazza della Scala, 2 – 20121 Milan.

Responsible for the protection of personal data

The Data Protection Officer - “DPO”) of the Municipality of Milan can be reached at the following e-mail address: dpo@Comune.Milano.it

Purpose and legal basis 
Management of the reception, processing and analysis - with the aid of a specific IT platform - of reports of crimes or irregularities by employees of the Municipality of Milan, workers and collaborators of companies supplying goods or services and carrying out works in favor of the Municipality of Milan (so-called whistleblowing), as well as, in particular, self-employed workers, freelancers and consultants who provide their activity for the benefit of the Municipality of Milan, volunteers, paid and unpaid interns who equally provide their activity for the benefit of the Municipality of Milan pursuant to art. 3, paragraph 3, of Legislative Decree no. 24 of 10 March 2023 concerning: "Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, concerning the protection of persons who report violations of Union law and containing provisions concerning the protection of people who report violations of national regulatory provisions".  

The processing, pursuant to EU Regulation 2016/679, is aimed at fulfilling a legal obligation to which the owner is subject (art. 6 – par. 1 letter c) and at the execution of a task of public interest (art. 6 paragraph 1 letter e) in application of Legislative Decree no. 24/2023.

Types of data processed 
The procedure is related to reports of crimes or irregularities of which they have become aware in the public working context, pursuant to Legislative Decree no. 24/2023, employees of the Municipality of Milan, workers and collaborators of companies supplying goods or services and carrying out works in favor of the Municipality of Milan (so-called whistleblowing), as well as, in particular, self-employed workers, freelancers and consultants who provide their work for the benefit of the Municipality of Milan, volunteers, paid and unpaid interns who also provide their work for the benefit of the Municipality of Milan. This procedure involves the collection of personal data (such as: name, surname, tax code, email address) entered in the specific IT platform dedicated to receiving reports, as well as personal data present in the report, including the documentation attached to it. As part of the reports, data relating to the reported subject or other subjects involved in the report are also processed and may concern common as well as particular data relating to crimes and irregularities.

Mode of treatment 
The processing takes place in computerized mode through the dedicated platform in compliance with fundamental rights and freedoms and is based on the principles of correctness, lawfulness, transparency and protection of confidentiality.

Nature of treatment
The provision of personal data is necessary and failure to provide them precludes the possibility of implementing the effective recognition of the protections provided for by the relevant legislation and in particular by Legislative Decree no. 24/23.
Indeed, among the purposes of the relevant legislation is that of offering protection and ensuring the confidentiality of the identity of the person making the report and of the other subjects referred to in the art. 3, paragraph 5 of the same Legislative Decree, which highlights illicit conduct and facts.
This protection therefore operates only towards individuals who are identifiable, recognizable and attributable to the category indicated by Legislative Decree no. 24/23. 

Categories of data recipients
The processing is carried out by authorized persons committed to confidentiality and responsible for the related activities in relation to the purposes pursued. 

The recipients of the data collected following the reports are, where appropriate, the judicial authorities, the Court of Auditors and the ANAC.

The data is not subject to dissemination.

Data retention
The data will be kept for the achievement of the purposes for which they were collected and for the period necessary to complete the related administrative procedure and in any case they will be held for 5 years, starting from the date of communication of the final outcome of the reporting procedure .

Data transfer to third countries 
The data processed for the aforementioned purposes are not transferred to third countries outside the European Union or the European Economic Area (EEA) or to international organisations. 

Rights of interested parties 
Interested parties can exercise the rights provided for by the art. 15 and following of EU Regulation 2016/679 and in particular the right to access one's personal data, to request rectification or limitation, updating if incomplete or incorrect and cancellation if the conditions exist as well as to oppose the processing by contacting the request to:

  - Municipality of Milan as Owner, Piazza della Scala n. 2, - 20100 Milan to the following e-mail address: segretere.whistleblowing@comune.milano.it.

Right of complaint
Finally, we inform you that interested parties, if they believe that the processing of personal data relating to them occurs in violation of the provisions of EU Regulation 2016/679 (art. 77) have the right to lodge a complaint with the Guarantor, (garanteprivacy.it) or to take action in the appropriate judicial offices (art. 79 of the Regulation).

Pursuant to art. 2-undecies in the legislative decree of 30 June 2003, n. 196, the reported subject alleged perpetrator of the offence, with reference to his/her personal data processed by the Administration, cannot however exercise the rights provided for by articles 15 to 22 of Regulation (EU) no. 2016/679 (1). The possibility remains for the reported subject, presumed perpetrator of the offence, to exercise his rights in the manner provided for by the art. 160 Legislative Decree no. 196/2003 (2).

1) This specifically concerns the right of access to personal data (art. 15 GDPR), the right to rectify them (art. 16 GDPR), the right to obtain their cancellation or so-called right to be forgotten (art. 17 GDPR), of the right to limit processing when the hypotheses specified by the art. 18 GDPR, the right to portability of personal data (art. 20 GDPR) and the right to object to processing (arts. 21 and 22 GDPR).

2) This concerns the possibility for the interested party to request checks from the Guarantor on the compliance of the processing of their data. The Guarantor provides feedback regarding the relevant outcome. It is also expected that the data controller informs the interested party of this option.