1. Data controller

Star Technology S.r.l. (hereinafter also "Star Technology"), in the person of its legal representative and in its capacity as Data Controller, informs you that EU Regulation no. 2016/679 (the GDPR) and Legislative Decree no. 196/2003, as amended, govern the protection of personal data. Star Technology bases its processing of data on the principles of correctness, lawfulness, transparency and necessity, as required by the aforementioned legislation. To this end, pursuant to Articles 13-14 of the GDPR, we provide you with the following information.


2. Type of data processed

The receipt and management of reports gives rise to the processing of so-called "common" personal data (name, surname, job role, any other information related to the illicit conduct, founded or presumed). Depending on the content of the reports and of the acts and documents attached to them, it may also give rise to the processing of so-called "special" data (data relating to health conditions, sexual orientation or trade union membership, referred to in Art. 9 GDPR) and of personal data relating to criminal convictions and offenses (referred to in Art. 10 GDPR).


3. Purpose and Legal Basis for Processing

Personal data are collected and processed for purposes strictly related to the management of reports of unlawful conduct in violation of national/European regulations and, if adopted, of the Company's Code of Ethics and the Organization, Management and Control Model.

Taking into account the reference legislation (EU Directive No. 1937/2019 and Legislative Decree No. 24/2023), the legal basis for such processing is therefore:

  • For the processing of common data, Art. 6.1(c) of the GDPR ("fulfillment of a legal obligation to which the data controller is subject").
  • For the processing of special and judicial data, Art. 9.2(g) of the GDPR.


4. Methods of processing

The Data Controller undertakes to process, in a lawful, correct and transparent manner, only the data necessary to achieve the purposes indispensable for the performance of the activities covered by the report.
The processing is carried out by the Data Controller also with the help of electronic means, including automated tools, and of tools suitable for receiving reports in oral form. These are equipped with appropriate organizational, technical and physical security measures (encryption of files) to protect the information from alteration, destruction, loss, theft or improper or illegitimate use.

Reports and documentation related to their handling will be retained for five years from the date of notification of the final outcome of the reporting process.

The identity of the reporting person, and any other information from which that identity may be inferred directly or indirectly, will be processed exclusively by persons authorized to process the data in accordance with Article 29 GDPR and will not be disclosed to other persons without the specific consent of the reporting person, as prescribed by Article 12 no. 2 of the Decree. Consent is optional and is given when reporting through the platform.


5. Communication and transfer of data

Your data will not be disseminated, but will be processed by the following entities, listed by way of example and not exhaustively:

  • Public authorities in fulfillment of specific legal obligations, and judicial authorities acting as autonomous data controllers;
  • External parties or external companies entrusted with the management services of reports, and IT service providers, who act as Data Processors pursuant to Art. 28 GDPR, subject to confidentiality constraints and only for purposes functional to the task assigned to them;
  • Legal advisors possibly involved in the investigation phase;
  • Functions possibly involved in the inquiry and investigation phase, specifically authorized for this purpose and bound to confidentiality.

The list of External Data Processors is available at the Company's registered office.


6. Rights of the data subject

Pursuant to Articles 15 to 22 of the GDPR, and within the limits of Article 2-undecies of the Privacy Code, the data subject may exercise the following rights:
a) access to personal data;
b) rectification of the data in case of inaccuracy;
c) erasure of the data;
d) restriction of processing;
e) data portability, i.e. to receive the personal data provided in a structured, commonly used and machine-readable format and to have them transferred to another Data Controller without hindrance;
f) objection to the processing, where the conditions are met.

In addition, the data subject may lodge a complaint with the Personal Data Protection Authority, based in Piazza Venezia 11, 00187 Rome. For further clarification about this policy or any privacy issues, or if you wish to exercise your rights, you may contact:

