This notice is intended for individuals who submit reports, for natural persons who assist the whistleblower in the reporting process (so-called facilitators), and finally for natural persons to whom the informational content of the report may refer, as parties involved in various ways in the reported events. Reports and related personal data are managed by the Whistleblower Committee, composed of the Legal function of Maschio Gaspardo. Reports concerning violations of the Organizational Model pursuant to Legislative Decree 231/2001 and the Code of Ethics will also be communicated to the Supervisory Body. For this purpose, the Data Controller informs, pursuant to Articles 13 and 14 of the EU General Data Protection Regulation 2016/679 (hereinafter also “GDPR”), that the personal data acquired within the reporting management procedure will be processed according to the following methods and purposes.
| Data Controller and Data Protection Officer (DPO) |
| The Data Controller is Maschio Gaspardo S.p.A., with registered office at Via Marcello no. 73, 35011 Campodarsego (PD), Tax Code and VAT no. 03272800289. The Data Protection Officer can be contacted at the e-mail address privacy@maschiogaspardo.com |
| Types of personal data processed |
| The following types of personal data may be processed: |
| Data sources |
| The personal data subject to processing are those provided by the whistleblower and any data that may be independently collected during the investigation activities, necessary to ascertain the circumstances reported. The provision of data is necessary and functional for managing the reports received in the forms and methods described in the procedure 'Whistleblowing Policy – Rev02_2025 – Maschio Gaspardo'. |
| Purposes of processing |
| Personal data will be collected and processed for purposes related to the management of reports concerning: (i) national and European legislation relevant to sectors and interests of the Union; (ii) violations under Legislative Decree 231/2001 or breaches of organizational models; (iii) other civil, administrative, and accounting offenses provided for by national law; using the methods and tools described in the procedure. |
| Legal Basis |
| The legal basis is compliance with a legal obligation to which the Data Controller is subject (Art. 6 – para. 1, letter c) pursuant to Legislative Decree 24/2023 as well as Legislative Decree 231/2001 (organizational and management model and code of ethics). |
| Data Retention |
| Reports and related documentation are retained for the time necessary to process the report and, in any case, no longer than five years from the date of communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations of the whistleblower. Personal data that are clearly not useful for assessing the report will be deleted immediately. |
| Third parties and data transfers |
| Personal data will be processed by the Whistleblower Committee (composed of the Legal function of Maschio Gaspardo), which, in accordance with applicable legislation and the reporting management procedure adopted by the Company, is required to ensure the confidentiality of the whistleblower’s identity and the information they have become aware of. The identity of the whistleblower or any other information that could directly or indirectly reveal such identity may only be disclosed with the express consent of the whistleblower. Where necessary for purposes related to investigative activities, certain information connected to the report may be processed by: |
| The IT platform for managing reports is operated by Net Patrol S.r.l., with registered office at Via Napo Torriani no. 31, 20124 Milan, designated as Data Processor. The platform’s encryption system does not allow the processor to access the whistleblower’s identity or the content of the reports. Finally, certain data may be transmitted, where required, to the Judicial Authority and/or competent Authorities. |
| Data Subject Rights |
| With regard to these data, Data Subjects may exercise, in the cases provided for, the rights set out in Chapter III of Regulation (EU) 2016/679 (GDPR). The whistleblower, pursuant to Article 77 of the GDPR, also has the right to lodge a complaint with the Data Protection Authority if they believe that the processing violates the aforementioned Regulation. Please note that the exercise of these rights by other data subjects, such as the reported person or other individuals involved, may be delayed, restricted, or excluded if such exercise could cause an actual and concrete prejudice to the confidentiality of the whistleblower’s identity, as provided for by Article 2-undecies, letter f) of the Privacy Code (implementing Article 23 of the GDPR). In such cases, these rights may be exercised through the Data Protection Authority, in accordance with Article 160 of the Privacy Code. |