Privacy Policy

This document sets out the methods and purposes of the processing of personal data implemented by Whistleblowing Solutions Impresa Sociale S.r.l. (WBS), as data controller (hereinafter, also the “Data Controller” or the “Supplier”), as well as any further information required by law, including information on the rights of the interested party and their relative exercise.

Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “Regulation”) establishes rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free circulation of such data and protects the fundamental rights and freedoms of natural persons, with particular reference to the right to the protection of personal data.

The art. 4, no. 1 of the Regulation provides that “Personal Data” means any information relating to an identified or identifiable natural person (hereinafter, “Data Subject”).

By “Treatment” we mean any operation or set of operations, carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction (art. 4, n. 2 of the Regulation).

Pursuant to articles 12 and following. of the Regulation, it is also envisaged that the interested party must be made aware of the appropriate information relating to the processing activities that are carried out by the data controller and to the rights of the interested parties.


The Data Controller is Whistleblowing Solutions Impresa Sociale S.r.l. (WBS) based in Milan in Viale Abruzzi 13/A.


The owner has appointed the Personal Data Protection Officer who can be contacted by writing an email to


The treatment aims to:

  1. manage, conclude and implement the agreed contractual relationship, as well as any accessory devices required, including any fulfillment relating to tax and accounting obligations;
  2. fulfill legal obligations.


In compliance with the provisions of art. 5 of the Regulation, the Personal Data being processed are:

  1. processed in a lawful, correct and transparent manner in relation to the interested party;
  2. collected and recorded for specific, explicit and legitimate purposes, and subsequently processed in terms compatible with these purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, if necessary, updated;
  5. processed in such a way as to ensure adequate security;
  6. kept in a form that allows the identification of the interested party for a period of time not exceeding the achievement of the purposes for which they are processed.

Personal Data will be processed by the Data Controller with automated and non-automated tools; the storage in electronic form of Personal Data takes place in secure servers located in areas with controlled access and with restricted access.

Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.


Personal Data is kept for the time strictly necessary to achieve the purposes for which it was collected and processed. As a general principle, therefore, Personal Data will be kept for the entire period of validity of the relationship with the Supplier.

However, it is understood that, once the contractual relationship with the Supplier has ceased and, with it, the related purposes of the Processing, the Data Controller will in any case be obliged and/or entitled to further store the Personal Data, in whole or in part, for certain purposes, as expressly required by specific legal provisions (referring, for example, to the obligation to keep accounting records for a period of 10 years, envisaged by article 2220 of the Civil Code) or to assert or defend a right in legal venue (for example, in the event of possible disputes with respect to the activities carried out by the Supplier).


The Personal Data will be accessible to the Data Controller, to the persons in charge of the Processing and to the external collaborators in relation to the sole needs of executing the contract and with precise appointments pursuant to art. 28 of EU Regulation 2016/679.

Specifically, the following are appointed as Sub-Processors:

  • Transparency International Italia as project partner;
  • Seeweb S.r.l. as an infrastructure provider.


Personal data are not subject to disclosure.


Personal Data is mainly processed in Italy and exclusively in the countries of the European Union.

There is no transfer of Personal Data abroad to non-EU countries.


Whistleblowing Solutions Social Enterprise S.r.l. (WBS) is actively engaged in the protection of its customers and users and in raising awareness of IT security and privacy issues.

As such, WBS on its sites uses only technical cookies necessary to provide its services and in particular only cookies necessary for user authentication and the security of its sites and waives the use of any profiling, marketing and third-party cookies.


At any time, the interested party may access the Personal Data in order to correct them, eliminate them and, in general, exercise all the rights that are expressly recognized to him pursuant to the applicable legislation on the protection of Personal Data, and in detail: the right to obtain confirmation of the existence or otherwise of Personal Data and their communication in an intelligible form, to know their origin, purposes and methods of Treatment; the right to obtain the indication of the identification details of the Data Controller, of the data processors and of the subjects or categories of subjects to whom the Personal Data may be communicated; the right to verify the accuracy of Personal Data or request its integration or updating or rectification; the right to request cancellation, transformation into anonymous form or blocking of Personal Data processed in violation of the law, as well as their limitation in accordance with the law and to oppose in any case, in whole or in part, for legitimate reasons to their Treatment; the right to the portability of one’s Personal Data, as well as the right to lodge a complaint, a report or an appeal to the Guarantor for the protection of personal data, where the conditions are met. Furthermore, the applicable legislation recognizes the right to withdraw one’s consent to the Processing of Personal Data at any time, without prejudice, however, to the lawfulness of the Processing carried out by the Data Controller on the basis of the consent given before the revocation.


To exercise their rights, the interested party can contact the Data Controller at any time by writing an email to