Whistleblower Privacy Policy
Data protection policy
We take data protection and confidentiality very seriously. We comply with the provisions of the EU General Data Protection Regulation (GDPR) and the current national data protection regulations. Please read this data protection notice carefully before submitting a report.
Purpose of the whistleblowing system and legal basis
The whistleblowing system (BKMS® System) serves to securely and confidentially receive, process and manage reports about violations of the law or Empark Group’s internal regulations. The processing of personal data within the scope of the whistleblowing system (BKMS® System) is based on the legitimate interest of our company in discovering and preventing misconduct in order to avoid damage to the Empark Group, its employees and its clients. The legal basis of this processing of personal data is Article 6(1)(f) of the GDPR (General Data Protection Regulation) of the European Union.
Data controller
The data controller of the personal data you provide in the whistleblowing system is Empark Aparcamientos y Servicios, S.A. (“Empark”) with VAT ID A78320736. The data controller’s contact details are:
Address: C/ Avenida del General Perón nº36, 1ª Planta, 28020.
The whistleblowing system is administered by a specialised company, EQS Group GmbH, Bayreuther Str. 35, 10789, Berlin, Germany, on behalf of Empark.
Personal data and information entered in the whistleblowing system are stored in a database operated by EQS Group in a highly secure data centre. Only Empark can see the data. EQS Group and other third parties do not have access to the data. This is guaranteed in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with various levels of password protection so that access is restricted to a very small group of expressly authorised persons.
Empark, a company that is part of the Empark Group, has appointed a data protection officer. You may send your questions about data protection and privacy to dpo@empark.com.
Type of personal data collected
Use of the whistleblowing system is voluntary. If you send a report through the whistleblowing system, we will collect the following personal data:
- your name, if you choose to disclose your identity
- whether you are an Empark Group employee
- the names and other personal data of the people you mention in your report, if applicable.
Confidential handling of reports
Reports are received by a small group of employees of Empark’s compliance department who have been expressly authorised and have received specific training. The reports are always handled confidentially. The employees of Empark’s compliance department assess the case and carry out the necessary investigations on a case-by-case basis.
When processing a report or conducting a special investigation, it may be necessary to share reports with other Empark employees, or with employees of other Empark Group companies, if the reports refer to incidents occurring in companies that are part of the Empark Group. In all cases, these companies are located in the European Economic Area.
Access to data by other persons, or even communication to third parties, is also permissible where it is deemed appropriate in the following cases:
- The data provided will be communicated to judicial bodies, judges, public prosecutors, state security forces and bodies or administrative authorities to whom the results of the investigation are provided, when so required by them or when the incidents reported constitute an illegal act.
- The data provided will be processed and, if necessary, passed on to interested third parties, such as collaborating entities or expert advisors involved in the investigation (for example lawyers, forensic experts and other experts), who will be subject to the same obligation of confidentiality.
- Companies that have a contractual or corporate relationship with the reporting and accused person(s), if this is necessary to carry out the internal investigation and to take disciplinary or other appropriate measures, depending on the nature of the relationship with the person concerned.
In any case, everyone who receives access to the data is obliged to keep the information received confidential.
Informing the accused
We are obliged by law to inform the people accused that we have received a report about them, unless this threatens further investigations into the report. In doing so, your identity as a whistleblower will not be revealed unless we are legally obliged to do so.
Rights of the data subject
In accordance with European data protection legislation, you and the persons named in the report may exercise your right of access (the right of access is limited to the personal data itself, with the accused person not having access – under any circumstances – to the whistleblower’s identification data), and your rights of rectification, erasure, restriction of processing and portability of the data in the cases and with the scope established by the regulations applicable at any given time.
In order to exercise these rights, you may contact Empark, identifying yourself as a user of Empark Group’s whistleblowing system, through any of the following channels:
- By post, enclosing a photocopy of your ID card, passport or any other identification document and the request in which the proposal is made to Empark Aparcamientos y Servicios, S.A., Avenida del General Perón, 36, planta 1ª Departamento de Atención al Cliente RGPD.
- By email to dpo@empark.com with the following information: name and surname of the data subject, photocopy of ID card, passport or any other identification document and the request in which the proposal is made.
Please also be informed of your right to submit a claim to the Agencia Española de Protección de Datos [Spanish Data Protection Agency] or the Control Authority of the country concerned.
Personal data retention period
Personal data will be stored for the amount of time required to clarify the situation and make a conclusive assessment of the report, or as long as it is required by law or there is a legitimate interest on the part of the company. Once the processing of the report has been completed, the data will be deleted in accordance with legal requirements.
In accordance with the provisions of the applicable data protection legislation, the data of the whistleblower shall be kept in the whistleblowing system only for as long as it is necessary to decide on the appropriateness of initiating an investigation into the incidents reported. This period may not exceed three months, unless the purpose of the retention is to provide evidence of the functioning of the model for the prevention of the commission of crimes by the legal person.
However, in the event that, as a result of the investigation process initiated by the company in connection with the reported incidents, the need to take appropriate legal action and/or the need to initiate legal proceedings should arise, the data may be retained by the relevant body.
Use of the whistleblowing system
Communication between your computer and the whistleblowing system takes place through an encrypted connection (SSL). Your IP address is not stored during your use of the whistleblowing system. To maintain the connection between your computer and BKMS® System, a cookie is stored on your computer that only contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session, and will expire when you close your browser.
In the whistleblowing system, you have the option of setting up a secured postbox using a user name/pseudonym and a password chosen freely by you. This allows you to submit reports to the person responsible at Empark, either using your name or anonymously and securely. This system only stores data within the whistleblowing system, which makes it especially secure. It is not a regular email communication system.
Note on sending attachments
When sending a report or additional information, you can send attachments to the responsible Empark employee at the same time. If you wish to send an anonymous report, please note the following security advice: attachments may contain hidden personal data that could jeopardise your anonymity. Remove all such information before sending a file. If you cannot delete these data or you are not sure how to do it, copy the text from the attachment into the report text or send the printed document anonymously to the address indicated in the footer, citing the reference number received at the end of the reporting process.