INTEGRITY HELPLINE

STELLANTIS PRIVACY NOTICE - INTEGRITY HELPLINE

1. GENERAL

The Integrity Helpline allows employees and others to securely and confidentially report concerns and provides the framework for receiving, processing and managing such reports regarding violations or alleged violations of the compliance rules of Stellantis.

Subject to the applicable law on the protection of the personal data of those utilizing the Integrity Helpline, personal data such as names, addresses, functions, etc. are also subject to protection. Other special categories of personal data that could include, but not be limited to, race, sex, national origin, religion, and political beliefs or opinions, etc. (hereinafter referred to as “Data”) are collected depending on the nature of your request. The Data will be treated confidentially and respectfully.

Be aware that the use of the system is optional and there will be no consequences for employees who do not use the system.

Moreover, good faith use of the system, even if the facts are later proven inaccurate or are not acted upon, will not expose the reporter to any disciplinary sanctions.

The Data will be processed by the respective Stellantis Group Companies involved in the report (“Stellantis Companies”). Accordingly, it may be necessary to share reports with additional employees within Stellantis, in the event that the reports refer to incidents related to subsidiaries or affiliates.

Stellantis Companies act as independent controllers and you can receive the list of the respective companies by sending an email to the below mentioned contact.

Incoming reports are received by a small selection of expressly authorized and specially trained employees of the Compliance Organization/Committee of Stellantis Group and are handled confidentially. Access to disclosed data is restricted to these persons.

The Ethics and Compliance Committee shall resolve salient cases involving ethical dilemmas, interpreting the Code and other Company policies as appropriate.

This system may not be used to knowingly transmit false or defamatory statements or information. Reports made in bad faith that, among other things, denounce other persons or defame them can give rise to consequences under civil or criminal law and can result in disciplinary actions up to and including termination, depending on the gravity of the offense.

2. PURPOSE AND PROCEDURE FOR THE PROCESSING OF PERSONAL DATA

The processing of the Data by this system will be carried out for reporting on topics that are especially focused on reports of corruption and white-collar crimes as well as for the purpose of the opening, processing, investigation and closing of the case that has been opened about alleged situations, events, or actions in areas such as financial, accounting, banking and anti-bribery (and in any case according to the local laws) that could negatively impact the reputation of the Stellantis Companies in the eyes of its shareholders or could be detrimental to the morale, productivity, or personal safety of its employees.

The processing of the Data by this system will be carried out also for Conflict of Interests disclosures (potential or existing), submitted by employees or third parties as well as gifts and invitations that cannot be rejected for obvious cultural reasons and recorded in the Integrity Helpline system.

3. INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA

Use of the Integrity Helpline is voluntary. If you submit a report via the system, the respective controller processes your personal data as follows:

Data (mandatory data is marked with *):

  • Name (if you reveal your identity)
  • Whether you are employed at Stellantis*
  • Whether you have already informed someone about the incident
  • Whether the incident involves a potential loss or disclosure of personal data
  • You report information including personal/special categories of data of persons that you name
  • For the secure connection between reporting person and the system, the IP address is not captured

Purpose(s): Submitting, processing and managing reports

4. MODALITY OF THE DATA PROCESSING AND LEGAL BASES

The Data will be exclusively processed in accordance with the terms described in this Privacy notice and in compliance with the privacy, fairness, necessity, relevance, lawfulness and transparency principles as provided by the Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) and by any other applicable laws and regulations.

The Data could be processed in hardcopy, automated or electronic format and, in particular, via post or electronic mail and telephone, telefax and any other electronic channel. Appropriate security measures are adopted in order to prevent any loss, or any unlawful or unfair use or unauthorized access to the Data.

If the activities are performed under the GDPR requirements, the data processing is based on at least one of the following legal bases foreseen by the GDPR:

  • Art. 6 (1) a) GDPR (consent) when reporting and disclosing of Data is voluntary
  • Art. 6 (1) b) GDPR when necessary for the performance of a contract (depending on local law and whistleblowing topic and/or contractual obligations)
  • Art. 6 (1) c) GDPR, local legal provisions, e.g. on a works agreement or specific local law (e.g. French law “Transparency, the Fight Against Corruption and Modernization of the Economy”, known as Sapin II)
  • Art. 6 (1) f) GDPR (depending on local law and whistleblowing topic and/or contractual obligations)

5. RECIPIENTS

Within the framework of processing a report or within a special investigation, it may be necessary to share reports with additional employees within Stellantis, e.g. if the reports refer to incidents in one of the Stellantis Companies. The latter may be based in countries outside the European Union or the European Economic Area (EEA) with different regulations about the protection of personal data and potentially without an adequate level of data protection. Where data transfers outside the EEA are necessary, they will take place if either adequacy decisions of the European Commission or derogations according to Art. 49 (1) a) or b) GDPR apply. A transfer of personal data to third countries will in particular take place if it is necessary for the establishment, exercise or defense of legal claims, if it is required for the performance of a contract or if the data subject has consented to the proposed transfer.

The Integrity Helpline system is operated on behalf of the respective controllers by the provider GCS Compliance Services Europe Unlimited Company trading as NAVEX, Vantage West – 4th floor, Great West Road, Brentford, TW8 9AG United Kingdom, who acts as the processor.

NAVEX is located in the United Kingdom, outside the European Economic Area, but there is an adequacy decision of the European Commission in place (Adequacy decision).

The data center is located in Germany and the telephone intake services are performed by the provider in Portugal (Teleperformance Portugal SA).

Moreover, the Data will be processed by the following Stellantis Companies, as allocated to the Audit and Compliance teams in charge of the internal investigations:

  • North America Audit: FCA US LLC 1000 Chrysler Drive Auburn Hills MI 48326 US
  • Enlarged Europe Audit: FCA Services s.c.p.a. No. 86 Via Plava, Torino 10135, Italy.
  • Enlarged Europe Audit: Stellantis Auto SAS 2, Boulevard de l'Europe 78300 Poissy, France
  • Enlarged Europe Audit: Opel Automobile GmbH, Bahnhofsplatz, 65423 Rüsselsheim, Germany
  • South America Audit: FCA Fiat Chrysler Participações Brasil Ltda. Av. Contorno, n° 3455, Galpão 42 - Parte, Bairro Paulo Camilo, Betim/MG, CEP 32.669-900
  • South America Audit: Peugeot Citroen do Brasil Automoveis Ltda. Avenida Renato Monteiro, s/n.º (parte), Polo Urbo Agro Industrial, no Município de Porto Real, Estado do Rio de Janeiro CEP: 27570-000, Brasil
  • China Audit: Stellantis Asia Pacific Investment Co., Ltd 8/F, A2 Building, 1528 Gumei Road, Xuhui District, Shanghai, China
  • India and Asia Pacific Audit: FCA Engineering India Pvt 6th Floor, South Block, Phase 2, M/s. IG3 Infra Ltd, SEZ, Pallavaram - Thoraipakkam 200 feet Road, Thoraipakkam, Chennai - 600097, Tamil Nadu, India
  • Middle East and Africa: Peugeot Citroën DS, Shore 21 Casanearshore, Casablanca, Maroc

The Data may be communicated to third parties in connection with the fulfilment of legal obligations, by order of public authorities or to exercise a legal right.

6. DURATION OF DATA PROCESSING

The Data shall be processed as long as is necessary to open, investigate and archive the alleged violation communicated via this system or as far as legal retention periods exist. The following principles apply to the deletion of data:

Status of the complaint and corresponding deletion period:

  • The complaint was closed due to inadequate predication: 15 days after the complaint has been closed.
  • The complaint was closed without confirmation of allegation; moreover, no further follow-up procedures: 5 years after the complaint has been closed.
  • The complaint was resolved; the allegation was confirmed, there may be subsequent proceedings (e.g. disciplinary proceedings, criminal proceedings, etc.): 5 years after proceedings have been closed.

7. CONSEQUENCES OF FAILURE TO PROVIDE DATA

Provision of the Data marked as obligatory is compulsory for the purpose mentioned under point 3 above. Therefore, any refusal to provide the Data marked as obligatory may, partially or totally, prevent Stellantis Companies from processing your request.

8. CONTROLLERS AND DATA PROTECTION OFFICER

The Data will be processed by the respective Stellantis Companies involved in the complaint. You can receive the list of the respective controllers by sending an email to the below mentioned contact.

You can contact the Data Protection Officer of the respective controller by the respective contact channel and you can contact the Stellantis Data Protection Officer at the following e-mail address: dataprotectionofficer@stellantis.com.

9. ANONYMITY

This system allows anonymous reporting. However, local law needs to be respected, which could restrict or exclude anonymous reporting.

10. GRANTED RIGHTS

The following rights, among others, shall be granted to you if applicable under applicable law:

  • right to access: you have the right to obtain information as to whether or not your Data are being processed and, where applicable, obtain access;
  • right to rectification or erasure: you have the right to obtain the rectification of inaccurate and/or incomplete Data, as well as the erasure of Data when the request is based on legitimate grounds;
  • right to restriction of processing: you have the right to request the suspension of the processing of Data when the request is based on legitimate grounds;
  • right to data portability: you have the right to obtain Data in a structured, commonly used and readable format, as well as the right to transmit Data to another controller;
  • right to object: you have the right to object to the processing of Data when the request is based on legitimate grounds.

Please note that your above-mentioned rights are restricted by law and may have to be fulfilled by the respective controller only under certain conditions.

To exercise your right to lodge a complaint please contact a competent supervisory authority.

If you want to exercise your above-mentioned rights you can write an e-mail to the following e-mail address:

If I am in the United States, Mexico or Canada, I have acknowledged my privacy related rights as described in the following respective privacy policies:

For the US:

FCA US Privacy Policy for Consumers

FCA US Employee Privacy Policy

FCA US Non-Employee Privacy Policy

Manage Your Privacy Choices

For Mexico

For Canada

By clicking "Continue",

I declare that I am acting in good faith and that I am referring to circumstances that are known to me or that I reasonably believe to be true.

   
