Information for whistleblower

in accordance with article 13 of EU Regulation 2016/679

Ca' Foscari University of Venice, as part of its institutional aims and in fulfilment of the obligations set forth in article 13 of EU Regulation 2016/679 ("Regulation"), gives you information regarding the processing of personal data collected by the University when you report an illicit conduct through the University whistleblowing procedure. Please be aware that you must have become aware of the illicit conduct that you are reporting as part of a working/contract relationship with the to be able to be protected by the safeguards provided by art. 54-bis D. lgs. n. 165/2001 and art. 3 of L. n. 179/2017.

1) Data Controller

The data controller is Ca' Foscari University of Venice, with headquarters in Dorsoduro n. 3246, 30123 Venice (VE), legally represented by the Rector.

2) Data Protection Officer

The University has appointed a "Data Protection Officer", who can be contacted by writing to the email address: or to the following address:  Ca' Foscari University, Venice, Data Protection Officer, Dorsoduro n. 3246, 30123 Venice (VE).

3) Personal data categories, purposes and legal basis of data processing

When you complete the reporting form on the University whistleblowing platform, the following personal data is collected: name, surname, fiscal code, contact details, professional role and data related to the alleged illegal conduct reported. 
The above-mentioned platform is an open source software powered by GlobaLeaks. Personal data is stored in the University servers and the platform has an encryption protocol that allows the segregation of the identity of those who fill the whistleblowing report and the content of the report itself. Only if strictly necessary for the evaluation of the report or if requested by the judicial authority, the Responsabile per la Prevenzione della Corruzione e della Trasparenza (RPCT) (the manager responsible for compliance with anti-bribery law and transparency), provided a motivation, may associate the identity of those who have made the report with the content of it. Therefore, your identity will not be revealed to anyone unless you are charged with slander or libel (in accordance with the criminal code or art. 2043 of the civil code), or in the cases in which the law does not allow you to remain anonymous (for example, in criminal, tax and administrative proceedings or during investigation carried out by public authorities). With the exception of the above-mentioned cases, your identity may be revealed to those who are involved in the proceedings only with your explicit consent. If your consent is not provided, those who are receiving your report or working on the procedure must protect your confidentiality in all cases.
Personal data will only be processed for the investigation of the whistleblowing report in accordance with art. 54-bis of D.Lgs. n. 165/2001. Therefore, the legal basis of this procesasing of personal data is represented by art. 6.1.c) of the Regulation (‘compliance with a legal obligation’). 
The processing of personal data is based on the principles of fairness, lawfulness and transparency and the protection of the privacy rights of the data subject, as well as the additional principles established by art. 5 of the Regulation.

4) Means of data processing

The processing of personal data will be carried out only by the RPCT, by their support staff and by other employees who are involved on the basis of the University Whistleblowing Regulation (in compliance with the provisions of Article 29 of the Regulation and art. 2-quaterdecies of the D. lgs. 196/2003). The processing of personal data will be carried out with the use of computerised procedures with encryption functionalities in order to protect your identity and the content of the whistleblowing report. The University has adopted appropriate technical and organisational measures to protect your personal data, identity and the content of the report from unauthorised or illegal access, destruction, loss of integrity and confidentiality, even if accidental in nature.

5) Data retention

Personal data will be retained for 5 years from the time of collection and, in any case, for the entire length of disciplinary, criminal, legal or administrative proceedings (if any). 

6) Recipients and categories of recipients of personal data

For the purposes set out above, in addition to specifically authorised employees and collaborators of the University, personal data may also be processed by those who execute outsourced activities on behalf of the data controller in their capacity as data processors (such as Google and Cineca). 
In the cases provided for by the law, personal data may also be shared with the Italian National Anti-corruption Authority and/or with the judicial authority. Moreover, the University may share personal data with the judicial authority to act for slander or defamation.

7) Collection of personal data

The provision of your personal data is voluntary. However, failure to provide it could prejudice the preliminary investigation of the report: anonymous reports will be taken into consideration only if they are adequately detailed, which means that they must show facts and situations connected to specific contexts.

8) Data subjects rights and how to exercise them

As a data subject, you have the right to obtain from the University, in the cases provided for by the Regulation, access to personal data, rectification, integration, erasure of your data, processing limitation or to object to the data processing itself (article 15 and following of the Regulation). The request can be submitted, without any formal procedures, by contacting the University’s “Responsabile della Prevenzione della Corruzione e della Trasparenza” (RPCT), who is the manager in charge of compliance with anti-bribery, corruption and transparency laws and regulations, at the contact details available at The request can also be sent to the following address: Ca' Foscari University of Venice - “Responsabile della Prevenzione della Corruzione e della Trasparenza” (RPCT), Dorsoduro 3246, 30123 Venice.Data subjects, who believe that the processing of their personal data is in violation of the provisions of the Regulation, have the right to file a complaint to the Data Protection Authority, as provided for by art. 77 of the Regulation itself, or to take appropriate legal action (Article 79 of the Regulation).

Last updated: 20/10/2022

Last update: 15/05/2024