Autostrade per l'Italia

Informativa Privacy Whistleblowing

Media / Ad Moving / Informativa Privacy Whistleblowing

Informativa Privacy Whistleblowing


Information pursuant to Articles 13 and 14 of European Regulation 2016/679 on the Processing of Personal Data within the framework of the Whistleblowing System

Autostrade per l'Italia SpA has introduced the "Whistleblowing" tool as a system for reporting alleged offences, within the framework of the employment relationship, by its own employees, employees of the Companies in the "ASPI Group" and third parties (collaborators/suppliers), in compliance with the relevant legislation in force (italian law 231/2001, as amended by Law 179/2017).

Autostrade per l'Italia S.p.A. manages whistleblowing reports on behalf of Ad Moving S.p.A. (hereinafter Ad Moving).

Autostrade per l'Italia S.p.A. has adopted the "Procedure for the management of Whistleblowing Reports" also implemented by Ad Moving which allows, as part of the performance of the process of receiving and managing Whistleblowing Reports, to apply measures to protect all persons involved in compliance with paragraphs 2-bis, 2-ter and 2-quater of art. 6 of italian law 231/2001, as introduced by the aforementioned Law 179/2017 ("Provisions for the protection of people reporting offences or irregularities of which they have become aware in the context of a public or private employment relationship") and the legislation on the protection of personal data [European Regulation 2016/679 ("GDPR") and italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 ("Privacy Code")] .

Pursuant to Articles 13 and 14 of European Regulation 2016/679 (hereinafter "GDPR"), Ad Moving provides below the information on the processing of personal data of the persons involved in the process of receiving and managing the Whistleblowing Reports (hereinafter also "Whistleblowing").


Ad Moving with head office in Via Bergamini, 50 - 00159 Rome, Tax Code no. and VAT no. 08228281005.

The Data Protection Officer (DPO) can be contacted at


In the context of the "Whistleblowing" procedure, the personal data processed are the data of the "Whistleblower", of the "Reported Person" and of the persons involved and/or connected to the facts that are the subject of the Whistleblowing (hereinafter referred as "Data Subjects").

The personal data collected and processed include "common" personal data of the Data Subjects (personal details, functions, contact details such as: e-mail address, postal address, telephone number) and, in some cases, where necessary, also data belonging to special categories pursuant to art. 9 of the GDPR.

Data may be collected either directly from the Data Subject or through other parties involved in the Whistleblowing, by means of the platform and/or the communication channels indicated in point 4 below.

The data are provided voluntarily by the Data Subject/Whistleblower, unless they choose the anonymous form, and data which data that is not strictly necessary for the purposes set out in point 3 below will not be processed.


Personal data are processed, within the framework of the "Whistleblowing" procedure, exclusively for the purposes of investigating and ascertaining the facts that are the subject of the Whistleblowing and of taking any consequent measures.

In particular, the personal data collected are those necessary and relevant to achieve the above- mentioned purposes, based on the "principle of minimisation".

With respect to these data, their provision is voluntary and the Data Subject is requested to provide only the data necessary to describe the facts that are the subject of the Whistleblowing without communicating redundant personal data in addition to those necessary for the purposes indicated above. In case they are provided, such data will not be used.

Personal data are processed on the legal basis of the legitimate interest of the Data Controller, pursuant to art. 6(1)(f) of the GDPR, to handle Whistleblowing of wrongdoing, of which the Whistleblower has become aware for work reasons and/or within the scope of the employment relationship, as well as to protect the internal and external Data Subjects involved in the "Whistleblowing" procedure.

Personal data pursuant to art. 9 of the GDPR, may be processed, where necessary, on the legal basis of the legitimate interest of the Data Controller, pursuant to art. 6(1)(f) of the GDPR, to establish, exercise or defend a right in court, as well as on the legal basis pursuant to art. 6(1)(b) of the GDPR ("performance of contract") for certain aspects of the employment relationship.


Personal data will be processed, in compliance with the regulations in force, through manual, IT and telematic tools and by implementing procedures strictly related to the aforementioned purposes, so as to ensure the confidentiality and security of the data.

In particular, they are collected via the following electronic/telematic tools:

  • the "Whistleblowing" online platform made available on the website of the parent company Autostrade per l’Italia S.p.A.,

  • e-mail address:

as well as through manual ordinary mail tools, at the address: Ethic Officer - Team Segnalazioni di Gruppo ASPI, via Bergamini, 50 Roma.

Data collected by means of electronic and telematic tools will not be subject to fully automated processing as specified in art. 22 of the GDPR.

Specific security measures are used to prevent loss of data, unlawful or incorrect use and unauthorised access.

Moreover, pursuant to art. 32 of the GDPR, specific technical and organisational measures are taken to ensure the protection of the identity of the Data Subjects as well as the anonymity of the Whistleblower and complete anonymity in accessing the platform (no log).


Personal data will be kept only for the time necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to art. 5(1)(c) of the GDPR and for the purposes

of managing the preliminary investigation, concluding the activity of defining the Whistleblowing and adopting the relevant measures, in the event of an assessment.


To carry out the activities relating to the "Whistleblowing" procedure, and again for the purposes referred to in point 3, the parent company Autostrade per l'Italia S.p.A. shall manage Whistleblowing reports on behalf of Ad Moving.

Within Autostrade per l'Italia S.p.A., only the persons tasked with the processing by the Data Controller and authorised to perform the processing operations within the scope of the aforementioned activities may acquire the personal data provided.

The data may be disclosed to third parties (subsidiaries or third-party companies, such as suppliers of IT services) who enable the operation and maintenance of the IT tools on which the Whistleblowing can be entered, and who are required to process the data for the same purposes as those set out in point 3 above, and who are, for this purpose, appointed as "Data Processors", pursuant to art. 28 of the GDPR.

The full list of persons appointed as Data Processors is available from the DPO. Under no circumstances will personal data be disseminated.


Articles 15-22 GDPR allow Data Subjects the possibility to exercise specific rights, such as, for in- stance, the right of access, corrtion, cancellation, restriction of processing.

The aforementioned rights may be exercised by making a request addressed without formalities to the Data Protection Officer (DPO) at the following PEC address:

The Data Subject may lodge a complaint pursuant to art. 57(f) of the GDPR with the Data Protection Authority.

If the exercise of the above rights by the Reported person may entail an actual and concrete prejudice to the protection and confidentiality of the Whistleblower’s personal data, the Data Controller may limit, delay or exclude such exercise, pursuant to art. 2-undecies(1)(f) of the Privacy Code, and not grant the request.

In such cases, the rights of the Data Subject, pursuant to art. 2-undecies(3) of the Italian Privacy Code, may be exercised through the Data Protection Authority in the manner set out in art. 160 of the Italian Privacy Code.


Data are managed and stored on servers of third-party companies appointed as Data Processors and located in Italy; the Data Controller may use servers of third companies located within the European Union, as indicated in point 6.

The Data Controller does not intend to transfer Personal Data outside the European Union.

Should it become necessary, the Data Controller can move the location of the archives and servers to Italy and/or the European Union and/or countries outside the EU. In the latter case, it is assured, as of now, that the transfer of data outside the EU will take place in compliance with the applicable provisions of law, stipulating, where necessary, agreements that guarantee an adequate level of protection and/or adopting the Standard Contractual Clauses envisaged by the European Commission.

Version 2.1 of 09.02.2022

Download the policy