Haleon Whistleblowing privacy notice

Italy

 

Last Update: October 14, 2024

We know that privacy is important to you. We are committed to handling your personal information with care and fairness.

In accordance with applicable personal information protection laws, we inform you that your personal data (hereinafter also referred to as 'data') is collected and processed to fulfill the obligations to which the company is subject in terms of Whistleblowing. The data is processed with and without the aid of electronic tools, based on logic and procedures consistent with the purposes indicated below and in compliance with Regulation (EU) 2016/679 ('GDPR'), including confidentiality and security profiles.

Haleon values your privacy. We refer to it when we say 'Haleon', 'we', or 'our'.

Personal information means any information or parts of information that can directly (e.g., your name) or indirectly (e.g., a unique identification number) identify you within the scope of managing a Whistleblowing report.

If anything in this Privacy Notice conflicts with local law in your country, local law prevails.

What personal information do we collect about you?

Haleon will process the following personal data and information provided when making a non-anonymous report:

• your name and contact details (unless the report is made anonymously);
• the name and personal data of other people possibly provided in the report (e.g., description of roles and contact information);
• the description of the alleged violation, as well as a description of the circumstances of the case. Note that depending on the laws in force in the country where the reporter resides, the report may not be allowed anonymously; however, personal data will be treated confidentially and disclosed only according to the rules indicated below.

Only where relevant to the reported issue and only to the extent permitted by applicable law and/or the need to establish, exercise, or defend a legal claim, data belonging to special categories (e.g., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as processing genetic data, biometric data intended to uniquely identify a natural person, data concerning health or a person's sex life or sexual orientation) or those relating to convictions or offenses may be processed. If such data is not relevant to the report or is extraneous, it will be promptly deleted and not further processed.

The provision of personal data is voluntary. However, the reporter is encouraged to disclose their identity for the following reasons:

• it is more difficult to follow up on a report if further information cannot be obtained from the source of the report; and
• the company can follow up on the report and conduct a more complete and thorough investigation.

If the personal data of the persons subject to the report or involved in it is not provided, it may be impossible to conduct an investigation.

For what purposes do we collect your personal information?

Haleon collects the personal data you provide when making detailed reports of ⁽ⁱ⁾ unlawful conduct or violations of Haleon's organizational and management models that have come to light within the employment relationship in accordance with the law (law November 30, 2017, no. 179); ⁽ⁱⁱ⁾ behaviors contrary to the correct and complete application of company policies and to carry out subsequent and consequent activities to these checks, as well as to comply with specific obligations provided by law, regulations, and applicable legislation with reference to specific internal control needs of Haleon and monitoring of business risks, specifically dictated by law; ⁽ⁱⁱⁱ⁾ conduct determined within the Code of Conduct ('Policy'/'Code of Ethics') available here Haleon CoC v1.0 in ITALIANO (1).pdf and through the channels mentioned in the same Policy.

The purposes of processing personal data are the management of reports, based on the obligation to comply with legal provisions related to the implementation of a whistleblowing system under Italian whistleblowing law.

On what basis do we use your personal information?

We may collect and process your personal information when one of the following conditions occurs:

• Compliance with legal obligations (art. 6, paragraph 1, letter c of the GDPR): to comply with relevant laws and regulatory requirements and to respond to legitimate requests, judicial orders, and legal proceedings.
• Legitimate interests (art. 6, paragraph 1, letter f, of the GDPR): to pursue a legitimate interest based on an assessment of Haleon's interests, the data subject's interests, and other fundamental interests.
• Consent (art. 6, paragraph 1, letter b, of the GDPR): the identity of the reporting person and any other information from which such identity can be inferred, directly or indirectly, cannot be disclosed without the express consent of the same reporting person, to persons other than those competent to receive or follow up on the reports, expressly authorized to process such personal data. Express consent is also required during the use of the voice messaging channel and to record in-person meetings.
• Vital interests (art. 6, paragraph 1, letter d, of the GDPR): where they are the subject of a report.

How long do we keep your personal information?

We will retain your personal data for the time strictly necessary to pursue the purposes for which your personal data is collected and to fulfill applicable legal obligations and no longer than 5 years from the date of communication of the outcome of the reporting procedure.

Furthermore, the data will be deleted or permanently anonymized upon achieving the above purposes, except where Haleon is required to retain the data for an additional period to comply with legal obligations.

How are your personal information processed and with whom do we share it?

In compliance with GDPR, the personal data concerning you acquired from time to time may be used to update and correct the information previously collected.

Personal data is accessible to duly authorized personnel based on necessity criteria and is communicated to third parties in the following cases by the Judicial Authority or any other Authority entitled to do so.

Your data may also be communicated to third-party suppliers who support us in providing the necessary services for managing reports, duly appointed as data processors in accordance with GDPR provisions.

Any reports and the personal data included therein may be reported, orally or in writing, even during a physical meeting (to be requested at the time of report submission). Verbal communications, including those made through face-to-face meetings, must be documented in one of the following ways: (a) through a recording of the conversation; or (b) through a complete and accurate transcription of the conversation (it is possible to verify, rectify, and accept the transcription of the conversation by signing it).

In which cases do we transfer your personal information outside your country of origin?

For the management of the Whistleblowing report, we may need to transfer and use your personal information outside the country where we collect it. When we transfer your personal information outside your country, we take appropriate measures to protect it, such as data transfer agreements incorporating standard data protection clauses. The privacy laws in the countries to which we transfer your information may not be the same as the laws in your country. Law enforcement, regulatory agencies, security authorities, or courts in the countries to which we transfer your personal information may have the right to see your personal information.

The European Commission recognizes that some countries outside the EEA have equivalent standards for data protection. The full list of these countries is available here.

If we transfer your personal information to a country not on this list, we do so based on the standard contractual clauses adopted by the European Commission. These allow us to make international transfers of personal information within companies that are part of our Group and to comply with European Union data protection laws and the General Data Protection Regulation (GDPR). For further information regarding the countries outside the European Economic Area to which your personal data is transferred, you can write to: privacy@haleon.com

How do we protect your personal information?

We want to ensure that your personal information is not shared or used by those who are not authorized to see it. We use a range of security measures and technologies to protect your personal information.

We carefully select the service providers we work with and ensure that they have security measures and technologies to protect your personal information.

What are your rights regarding your personal information?

You have rights that we must make you aware of. You can contact Haleon at the contact details below to get the updated list of our external Data Processors, the entities to whom the data is communicated, and to exercise at any time the rights provided by Articles 15 and following of the GDPR, e.g., to obtain confirmation of the existence or not of your data, verify its content, origin, accuracy, request its integration, updating, rectification, deletion, anonymization, request data portability, limitation of processing, opposition to processing for legitimate reasons.

The exercise of your rights as mentioned above may, in any case, be delayed, limited, or excluded with a reasoned communication from Haleon (unless the communication could compromise the purpose of the limitation), for the time and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard Haleon's interests related to confidentiality pursuant to the law of November 30, 2017, no. 179. In such cases, your rights may also be exercised through the Data Protection Authority in the manner provided for in Article 141 of Legislative Decree 196/2003. The address to exercise your rights is: privacy@haleon.com

At any time, you can file a complaint with the competent Authority (the Data Protection Authority) as provided for under Article 77 GDPR. The rights available to you depend on the reason we process your personal information and the local law of your country. Therefore, you may have the right to:

To know how to contact us to exercise any of the rights mentioned above, you can consult the 'Contact Information and Privacy Contacts' section.

To protect you and the privacy of others, we may need to verify your identity before completing your request.

If you object to our use of your personal information or withdraw the consent initially given to us to use your personal information (in countries where Haleon processes your personal information based on your consent), we will respect your choice in line with applicable law. However, by objecting or withdrawing your consent, we may not be able to complete the necessary activities to achieve the processing purposes described in the 'How we use your personal information' section.

How do we update this Privacy Notice?

We will update this Privacy Notice periodically. Any changes become effective when we post the updated Privacy Notice on the Haleon website. This Privacy Notice was updated on the date indicated in the 'Last Updated' field shown at the top of this document. If the changes are significant, we will provide you with a more explicit notice of the changes made.

Who is the Data Controller of your personal information?

Haleon UK Services Limited, located at The Heights Building 5, First Floor, The Heights Weybridge Surrey, KT13 0NY, United Kingdom, and Haleon Italy S.r.l. Unipersonale, located at Via Monte Rosa 91, 20149 Milan, are the Co-Data Controllers of your personal information, together Haleon.

Contact Information and Privacy Contacts

If you want to exercise your rights, have questions about this Privacy Notice, need more information, or wish to report an issue, you can contact privacy@haleon.com.

If you want to know who your privacy contact is in your country, write to: Privacy@haleon.com.