Data Protection Officer (DPO)
The Company makes use of a data protection officer (also known as a “Data Protection Officer” or “DPO”). The DPO can be contacted through the following channel: dpo@astm.it.
Information Notice for Analysts, Investors and Rating Agencies
1. Processing of personal data
Pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of personal data (“GDPR”), ASTM S.p.A. (the “Company” or the “Data Controller”), as data controller, processes your personal data, following your expressed interest in receiving information relating to the Company and/or the Group to which it belongs, in order to respond to your requests and manage its relations with you as an analyst, investor or representative of a rating agency.
2. Purpose of this information notice
This notice allows you to understand the nature of your personal data that are being processed, the purposes, legal basis and methods of processing, any possible recipients of the data, and your rights. The Company may supplement and/or update this notice, in whole or in part, as published on the Company’s website (www.astm.it).
3. Purpose of data use and legal basis
The Data Controller processes your personal data in order to acquire, evaluate, manage and, in general: to respond to your requests for information about the Company; and to manage corporate events and/or meetings, send relevant communications, including press releases and documentation relating to the Group’s financial results, and send company presentations. The legal bases for the above processing are: (i) the performance of pre-contractual/contractual activities requested by the data subject (Article 6(1)(b) of the GDPR) and (ii) the legitimate interest of the Data Controller in ensuring proper communication and effective management of events (Article 6(1)(f)).
4. Nature of data provision
The provision of your personal data is therefore necessary to follow up on your requests and to manage your relationship with the Company. Failure to provide your personal data, or providing partial or inaccurate data, may make it impossible for the Company to carry out the above activities.
5. Personal data being processed
The personal data being processed are common data such as personal details, identification data and contact information.
6. Data processing methods
The processing is carried out manually and/or by IT and telematic tools with logic related to the above indicated purposes and, in any case, in such a way as to guarantee security and confidentiality.
7. Data Circulation
7.1 The data are used by the Data Controller’s staff who have been assigned a specific role and given appropriate operating instructions. Your personal data will only be made accessible to those within the company organisation who need them for their job or hierarchical position.
7.2 Your personal data may also be processed by third parties to whom the Company entrusts activities and services (or part thereof) for the pursuit of the purposes indicated in this notice, or third parties to whom the Company is required to communicate your data in compliance with applicable legislation. Depending on the case, such parties will operate as data processors or independent data controllers. The list of persons appointed as data processors pursuant to Article 28 of the GDPR is available from the Data Controller, who can be contacted by sending an email to privacy@astm.it.
8. Data retention
The Company retains your data for the entire duration of your relationship with the Company for the purposes indicated above and, in any case, for a period not exceeding 6 months from the termination of the relationship. The Company may also retain them subsequently, where required by law or where necessary for the resolution of disputes or to respond to requests made by the judicial authorities or supervisory authorities.
9. Data controller
The data controller is ASTM S.p.A., with registered office in Turin, Corso Regina Margherita, 165, Turin Companies Register number, tax code and VAT number 00488270018.
10. Data Protection Officer
The Company makes use of a data protection officer (also known as a “Data Protection Officer” or “DPO”). The DPO can be contacted through the following channel: dpo@astm.it.
11. Exercising your rights
Where the conditions and limits set out in the applicable legislation are met, you may exercise the following rights in relation to the processing of your personal data: (i) right of access to personal data and information on its processing; (ii) right of rectification if personal data is inaccurate or incomplete; (iii) right to obtain the erasure of personal data; (iv) right to object to the processing of personal data; (v) right to restriction of processing of personal data: (vi) right to obtain the transfer of personal data to other companies or organisations and/or to receive personal data in a structured, commonly used and machine-readable format. The above-mentioned rights may be exercised by contacting privacy@astm.it. We also remind you that you have the right to lodge a complaint with the Data Protection Authority if you believe that your rights have not been respected or that you have not received a response in accordance with the law.
Turin, 30 July 2025
Information Notice for Candidates
1. Processing of personal data
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 on the protection of personal data (“GDPR”), we inform you that ASTM S.p.A. (the “Company” or the “Data Controller”), as data controller, processes your personal data, provided by you and also acquired from third-party sources, during selection procedures initiated by the Company.
2. Purpose of this information notice
This information notice allows you to understand the nature of the personal data concerning you and subject to processing, the purposes and methods of processing, any recipients of the data and your rights. Also, in view of future changes that may be made to the applicable legislation on personal data, the Company may supplement and/or update, in whole or in part, this information notice on the Company’s website (www.astm.it).
3. Purposes of data use
Your personal data is used for selection procedures, in particular to verify the requirements for recruitment and/or to start a collaboration and to follow up on the candidate’s request.
4. Nature of data provision
Providing data is optional and is left to the candidate’s will who, without any solicitation from the Data Controller, submits its curriculum vitae. Regarding any data subsequently and possibly requested by the Data Controller, failure to provide such data will result in the impossibility of verifying the requirements for the selection procedures, recruitment and/or the start of collaboration and, therefore, to establish a relationship with the Data Controller.
5. Noconsent required
Consent to processing is not required as the processing concerns data contained in curricula spontaneously submitted by the data subjects for the possible establishment of employment/collaboration relationship.
6. Personal data being processed
In particular, the personal data in question concerns: name, address or other personal identification details, work-related data, social security data, educational and professional background, as well as data relating to your economic- financial situation.
On an occasional and exceptional basis, such as in the event that, due to the establishment of an employment relationship, it becomes known that the data subject belongs to a protected category, other personal data that may reveal the state of health may be acquired.
7. Data processing methods
Personal data may be processed, in addition to electronic means, also by non-automated tools, and processing is carried out solely using operations, logic and forms of data organization that are strictly necessary in relation to the obligations, tasks or purposes mentioned above.
8. Data circulation
8.1 The data are used by the Data Controller’s staff, who have been assigned a specific role and who have been given adequate operating instructions. Your personal data will only be made accessible to those within the company organization who need them for their job or hierarchical position.
8.2 Your personal data may also be processed by third parties to whom the Company entrusts activities and services (or part thereof) for the pursuit of the purposes indicated in this notice. Depending on the case, such parties will operate as data processors or independent data controllers and fall into the following categories:
a) companies belonging to the same group as the Company;
b) entities that provide information system management and maintenance services;
c) entities that provide personnel recruitment and selection services;
d) entities that provide administrative services for the issuance of consular visas.
8.3 The above-mentioned third parties may also be located abroad, in EU or non-EU countries. In the latter case, the data transfers are carried out on the basis of an adequacy decision by the European Commission concerning the non-EU country’s level of data protection, or based on the appropriate safeguards provided under Articles 46 or 47 of the GDPR (e.g. signing of the ‘standard clauses’ for data protection adopted by the European Commission) or the additional conditions for the legitimacy of the transfer provided for in Article 49 of the GDPR. For further information on the possible transfer of your personal data outside the European Union, you can write to privacy@astm.it .
9. Data retention
The data will be retained for the time necessary to fulfil the requirements for the selection of the candidate and in any case for no longer than five years from their collection, unless an employment and/or collaboration relationship is established.
10. Data controller
The data controller is ASTM S.p.A., with registered office in Turin, Corso Regina Margherita, 165, Turin Companies Register number, tax code and VAT number 00488270018 .
11. Data Protection Officer
The Company makes uses of a Data Protection Officer (also known as a “Data Protection Officer” or “DPO”). The DPO can be contacted through the following channel: dpo@astm.it .
12. Exercising your rights
Where the conditions and limits set out in the applicable legislation are met, you may exercise the following rights in relation to the processing of your personal data: (i) right of access to personal data and information on its processing; (ii) right of rectification if personal data is inaccurate or incomplete; (iii) right to obtain the erasure of personal data; (iv) right to object to the processing of personal data; (v) right to restriction of processing of personal data: (vi) right to obtain the transfer of personal data to other companies or organizations and/or to receive personal data in a structured, commonly used and machine-readable format. The above rights may be exercised by contacting privacy@astm.it .
If you believe any irregularities in the processing of your personal data, you may lodge a complaint with the Data Protection Authority, using the methods indicated on the Authority’s website (www.garanteprivacy.it).
Turin, 1 June 2018
Information Notice for Suppliers' Employees and Collaborators
1. Processing of personal data
1.1 ASTM S.p.A., in order to benefit from goods and services, makes use of consultants, professionals and suppliers (collectively, the “Suppliers“) . During the evaluation and selection phase of its Suppliers and in the execution and management of the related supply relationships, the Company processes the personal data of these Suppliers, as well as their employees and collaborators (hereinafter collectively referred to as the “Data Subjects“).
1.2 ASTM S.p.A. qualifies as a “data controller” within the meaning of Regulation (EU) 2016/679 on the protection of personal data (“GDPR”), namely the entity that decides for what purposes and by what means personal data must be processed (hereinafter the ” Data Controller“).
1.3 The Data Controller is obliged to inform the Data Subjects in advance about the nature of the personal data being processed, the purposes and methods of processing, any possible recipients of the data and their rights. With reference to the Supplier’s employees and collaborators, this information notice is provided through the Supplier itself, which must therefore ensure that it is correctly received by the Data Subjects.
2. Purposes of data use and legal bases
2.1 The Data Controller processes the personal data of Data Subjects in order to:
a) evaluate the possible establishment of a contractual relationship with the Supplier (reputational assessments and preliminary checks, requests for information, requests for offers, initiation and management of tender procedures, negotiations);
b) in the event of the establishment of a contractual relationship (contract, framework agreement, orders, etc.), to use the goods or services supplied and, in general, to execute and manage the supply relationship;
c) carry out the administrative, accounting, tax and civil law obligations required by applicable legislation in relation to the supply relationship;
d) manage any possible disputes relating to the supply relationship;
as well as for purposes strictly related to the above.
The Data Controller processes the personal data of the Data Subjects for the management of the contractual relationship with the Company itself, as well as for the fulfilment of legal obligations, pursuant to Article 6, paragraph 1, letters b), c) and f) of the GDPR.
3. Nature of data provision
The provision of the personal data by Data Subjects is therefore necessary and/or mandatory in order to establish, execute and manage the supply relationship, as well as to fulfil the related regulatory obligations. Failure to provide, partial or inaccurate communication of the personal data of Data Subjects may result in the Data Controller being unable to carry out the aforementioned activities.
4. Personal data being processed
The personal data subject to processing include:
(i) common data such as identification data, contact details and bank details relating to employees and/or collaborators of the Supplier and/or natural persons who hold positions and roles within the Supplier’s organisation;
(ii) judicial data pursuant to Art. 10 of the GDPR provided by Suppliers, at the time of establishing the contractual relationship, and/or qualification, by means of self-declaration forms certifying the absence of convictions and/or pending charges for offences under Legislative Decree 231/01 and a declaration of the absence of suspension or disqualification measures relating to Article 14 of Legislative Decree 81/2008.
5. Data processing methods
Personal data are processed both by electronic means and by and non-automated tools.
6. Data circulation
6.1 The personal data of the Data Subjects are used by the Data Controller’s staff who have been assigned a specific role and given appropriate operating instructions. In particular, the data will only be made accessible to those within the company organisation who need them for their job or hierarchical position.
6.2 Personal data may also be processed by third parties to whom the Data Controller entrusts activities and services on behalf of the Data Controller, or by public or supervisory bodies to whom the Data Controller transmits the data in compliance with regulatory obligations. Depending on the case, such recipients will operate as data processors or independent data controllers and are included in the following categories:
a) companies belonging to the same group as the Data Controller;
b) entities that provide information system management and maintenance services for IT system;
c) entities that provide legal, administrative, accounting, tax and financial advice and assistance;
d) public bodies and authorities;
e) banks, credit institutions, factoring companies and credit collection companies;
f) statutory auditors.
6.3 The above-mentioned recipients may also be located abroad, in EU or non-EU countries. In the latter case, the data transfers are carried out on the basis of an adequacy decision by the European Commission concerning the non-EU country’s level of data protection, or based on the appropriate safeguards provided under Articles 46 or 47 of the GDPR (e.g. signing of the ‘standard clauses’ for data protection adopted by the European Commission) or the additional conditions for the legitimacy of the transfer provided for in Article 49 of the GDPR. For further rinformation on the possible transfer of personal data outside the European Union, please write to privacy@astm.it.
7. Data retention
Personal data will be retained for 10 years from the conclusion of the service/supply, except in the event of any disputes and without prejudice to the limitation periods and legal provisions for tax, accounting and civil law purposes.
If no contractual relationship is established with the Supplier, the data will be retained by the Company for a period not exceeding 5 years from the Supplier’s qualification.
8. Data controller
The data controller is ASTM S.p.A., with registered office in Turin, Corso Regina Margherita, 165, Turin Companies Register number, tax code and VAT number 00488270018 .
9. Data Protection Officer
The Company makes use of a data protection officer (also known as a “Data Protection Officer” or “DPO”). The DPO can be contacted through the following channel: dpo@astm.it .
10. Exercising rights
Where the conditions and limits set out in the applicable legislation are met, each Data Subject may exercise the following rights in relation to the processing of their personal data: (i) right of access to personal data and information on its processing; (ii) right of rectification if personal data is inaccurate or incomplete; (iii) the right to obtain the erasure of personal data; (iv) the right to object to the processing of personal data; (v) the right to restrict the processing of personal data: (vi) the right to obtain the transfer of personal data to other companies or organisations and/or to receive personal data in a structured, commonly used and machine-readable format. The above-mentioned rights may be exercised by contacting privacy@astm.it .
We also remind you that you have the right to lodge a complaint with the Data Protection Authority if you believe that your rights have not been respected or that you have not received a response in accordance with the law, using the methods indicated on the Authority’s website (www.garanteprivacy.it).
Tortona, 17 July 2025
Cookie Policy
Information for individuals who report offences (a.k.a. Whistleblowers)
INFORMATION FOR INDIVIDUALS WHO REPORT OFFENCES (a.k.a. WHISTLEBLOWERS)
IN ACCORDANCE WITH THE REGULATION ON THE PROTECTION OF PERSONAL DATA
1. Processing of Personal Data
Pursuant to articles 13 and 14 of Regulation (EU) 2016/679 regarding the protection of personal data (“GDPR”) and in the event of reports made non-anonymously, ASTM S.p.A. (the “Company” or the “Owner”), as data controller, processes the personal data of the individual reporting offences (“Whistleblower”) in order to manage reports relating to behaviour, acts or omissions which, pursuant to Legislative Decree 24/2023, have the potential to jeopardise the public interest or the integrity of the Company or in any case are in conflict with the company policies of the Data Controller (“Violations”).
2. Scope of this notice
This document allows the Whistleblower to know the nature of the personal data being processed, the purposes and methods of the processing, any recipients of the same, as well as the rights recognised in relation to the processing of personal data.
3. Purpose and legitimacy of the processing
If the report is made non-anonymously, the personal data of the Whistleblower, in compliance with regulatory obligations and, in particular, in compliance with Legislative Decree 24/2023, will be used for the following purposes:
a) for the receipt of notifications;
b) for internal investigation aimed at verifying the validity of the Report, including by contacting the Whistleblower in order to gather additional information;
c) if the report turns out to be founded, adoption of disciplinary sanctions or activation of the appropriate contractual remedies;
d) possible initiation of legal actions against the individuals involved;
e) where the reported conduct constitutes a crime, the reporting of the offences to the Judicial Authority;
f) for the carrying out of all the instrumental and ancillary activities, and in any case required for the pursuit of the aforementioned purposes.
4. Nature of the provision of personal data
The processing of personal data is instrumental to the purposes referred to in Paragraph 3 above.
The provision of data by the Whistleblower is mandatory in the event of a report made non-anonymously. Any refusal to provide data therefore makes it impossible to report non-anonymously.
5. Legal basis for processing
The processing of personal data is carried out by the Company:
a) to fulfil the specific legal obligations established by Legislative Decree. 24/2023, pursuant to art. 6, 1 c) of the GDPR;
b) in relation to the Company’s legitimate interest in repressing any offences or irregularities that damage the integrity of the Company, pursuant to art. 6, 1 f) of the GDPR.
6. Personal data subject to processing
6.1 Categories of data subject to processing
In the event of a Report made non-anonymously, the Whistleblower’s personal data will be processed, including identification data (name, address or other personal identification elements) and contact data (e-mail address and telephone number).
No special categories of personal data will be processed, for example information on racial and/or ethnic origin, religious and/or ideological beliefs, trade union membership or sexual orientation.
6.2 Processing of data other than that included in the above categories
The Company may in any case request and process additional personal data to that which falls within the above categories, for the same purposes as stated in paragraph 3 above, if the provision of such additional data is:
a) imposed by laws, regulations or the decisions of authorities; and/or
b) necessary and instrumental for the management and execution of the investigation following the Report or for the exercise of the right of defence in court.
7. Data retention times
The data will be kept for a period not exceeding five years starting from the date of receipt of the Report or from the conclusion of any proceedings arising from the management of the Report.
Once these activities have been completed, personal data will be deleted or anonymised.
8. Data usage
8.1 The processing of the Whistleblower’s personal data is carried out with digital tools by internal or external individuals who have been specifically appointed for this and are bound by confidentiality.
8.2 Data is protected by security measures to prevent unauthorised access, loss or destruction, in line with applicable data protection legislation.
8.3 In particular, in the event of a Report made in written or oral form via the Digital Platform used by the Company, data relating to the IP address of the Whistleblower and its location are not processed.
8.4 The Digital Platform, managed by the supplier who acts as data controller, is equipped with adequate technical measures to guarantee data protection and confidentiality. The data provided will be stored in a database managed by the supplier of the Digital Platform, which is specially protected and equipped with adequate security safeguards. Data stored in this database is encrypted using the most advanced technology available.
8.5 The personal data present on the Digital Platform will be processed exclusively within countries belonging to the European Economic Area.
9. Data sharing
9.1 The personal data of the Whistleblower is made accessible only to those who, within the corporate organisation of the Company and who have been given adequate operating instructions, have a specific need for it due to their job or hierarchical position, as well as for the correct investigation and management of the Report.
9.2 In case of use of the Digital Platform, personal data will be processed, as Data Processing Manager pursuant to art. 28 of the GDPR, by the supplier of the same, EQS Group AG, with registered office in Munich (Germany), Karlstraße 47, on the basis of instructions given by the Data Controller.
9.3 Personal data may also be processed by public or supervisory individuals with whom the Company shares the data, in both cases for the sole purposes referred to in Paragraph 3 above.
For more information on the recipients and categories of recipients with whom personal data is shared, email privacy@astm.it.
10. Data controller
The data controller is ASTM, with registered office in Corso Regina Margherita 165, Torino, company registration number, tax code and VAT number 00488270018.
11. Data Protection Officer
The Company avails itself of a Data Protection Officer (also known as “DPO”). The DPO can be contacted via the following communication channel: dpo@astm.it.
12. Exercising your rights
Upon occurrence of the conditions and within the limits of the applicable legislation, including art. 2-undecies of Legislative Decree 196/2003, the Whistleblower may exercise the following rights in relation to the processing of their personal data: (i) right to access personal data and information on the processing of personal data; (ii) right to rectification of personal data, should it be inaccurate or incomplete; (iii) right to deletion of personal data; (iv) right to object to the processing of personal data; (v) right to limit the processing of personal data: (vi) the right to obtain the transfer of personal data to other companies or organisations and/or to receive personal data in a structured and commonly used electronic format. The aforementioned rights can be exercised by contacting privacy@astm.it.
Should the Whistleblower notice irregularities in the processing of their personal data, they may lodge a complaint with the Guarantor for the protection of personal data, following the procedure indicated on the Guarantor’s website (www.garanteprivacy.it).
ASTM S.p.A.
Torino, 07/14/2023