Data Protection Policy
CIRSA wishes to provide its employees, external workers, business partners, suppliers, customers and, in general, any other type of user who might use this channel (hereinafter, "Data Subjects") with this additional information on data protection (hereinafter, "Data Protection Policy"); in this, we set out in a transparent manner, using plain language, all legally required information in relation to processing for management of the internal reporting information system, the purposes for which we process their data and the rights which they may exercise. This Data Protection Policy will always be available on the website www.cirsa.com.
1. WHO ARE THE DATA CONTROLLERS AND HOW CAN YOU CONTACT US?
The management of the internal reporting information system necessarily implies the processing of personal data by the following companies (hereinafter, “CIRSA”):
- Worldwide and in particular for Spain, CIRSA ENTERPRISES, S.L. (hereinafter, "CIRSA"), incorporated under Spanish law, whose Tax ID is B-87.959.649, whose registered office is at Calle Fermina Sevillano, number 5-7, 28022 Madrid (Madrid) and who is registered with the Mercantile Register of Madrid under Volume 36.763, Folio 13, Page M-658.665.
- Internationally, the parent company in each country, as applicable, based on the source of the Alert issued, whenever it proves necessary for a more in-depth investigation of the facts alerted, to take disciplinary measures and/or to conduct the legal proceedings that might, where applicable, be appropriate. You can find out more about the CIRSA Group's international presence at https://www.cirsa.com/cirsa/presencia-internacional/.
The aforementioned companies act as joint controllers for the processing of your personal data, since they jointly decide on and undertake the processing of personal information for the purposes of managing the internal reporting information system.
If you have any queries regarding the manner in which we process your personal data, you may contact our Data Protection Officer by email at: protecciondedatos@cirsa.com.
2. WHAT IS PERSONAL DATA AND PROCESSING?
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person will be considered to be any person who can be identified, directly or indirectly, in particular by reference to an identifier such as for example a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The processing of personal data is any operation or set of operations which we perform on your personal data, such as for example the collection, recording, storage, use and communication of your data.
3. WHAT PERSONAL DATA DO WE COLLECT AND HOW DO WE COLLECT IT?
We may only collect personal data about you and identify you where you disclose your identity to us. In these cases, CIRSA may collect the following information through the internal reporting information system:
- First name and surname
- Email address
- Telephone number
- National ID, Foreign Residents ID or passport number
- Content of the report made
- All the information you can provide when completing the form in the reporting channel.
Whenever Data Subjects make the reports anonymously, CIRSA will not be able to identify them and will not therefore process any of the Data Subjects’ personal data.
4. WHAT RIGHTS CAN YOU EXERCISE?
A) Right of access
You have the right to know whether CIRSA is processing your personal data and, where this is the case, to know which data it concerns.
B) Right to rectification
You have the right to change any data which is inaccurate or incomplete. For this, you should indicate which data you wish to change and provide sufficient evidence of this.
C) Right to object
Under the circumstances provided for by law, you may at any time object, on grounds relating to your particular situation, to our processing your data. Remember that your objection to the processing of your data will make it impossible for CIRSA to deal with such requests.
D) Right to erasure
You have the right to cancel your personal data. This means that your data, rather than being fully removed, will be stored as blocked data in such a way as to prevent it from being processed, notwithstanding the fact that it may be made available to public administrations, courts and tribunals to deal with any liabilities that may have arisen as a consequence of the processing during the limitation period for such liabilities.
E) Right to data portability
You have the right to receive and/or to transfer to a data controller other than CIRSA the personal data concerning you which you have provided us with.
F) Right to restriction of processing
You have the right to ask us to suspend the processing of your data whenever (i) you have contested the accuracy of your data, pending CIRSA’s verification of said accuracy; or (ii) you have exercised your right to object to the processing of your data, pending verification of whether CIRSA's legitimate grounds override yours in your capacity as the Data Subject. This right also allows you to ask CIRSA to store your personal data whenever (i) the data processing is unlawful and you in your capacity as the Data Subject object to the erasure of your data, requesting instead a restriction on the use of such data; or (ii) CIRSA no longer needs your personal data for the purposes of the processing, but needs the data for the establishment, exercise, or defence of claims.
You can exercise your rights by sending your request via your user profile created in the specific internal reporting information mailbox. We would likewise inform you that, should you feel that CIRSA has not properly met your requirements in terms of exercising your rights, you may file a complaint with the Spanish Data Protection Agency (AEPD) by visiting its website at http://www.aepd.es.
5. HOW DO WE PROCESS YOUR DATA?
To provide you with detailed, transparent information about the purposes for which we process your data, we have separated the information relating to each processing operation out into separate tables. This means that you can find in the corresponding table all the specific information on the processing of your data as performed by us, tailored to each case. The descriptive table contains the following information:
For what purposes do we process your data?
In this column we explain for what purposes we process your personal data.
What is the legal basis for us to process your data?
This column explains the legal basis or grounds permitting us to process your personal data lawfully. Data protection regulations require us to process your data on a legal basis or on legal grounds providing for the lawfulness of such processing. Thus, to process your personal information, we may rely on different legal bases or grounds, depending on what kind of processing of your data that we undertake. The legal bases for the processing of your personal data may be:
- Legitimate interest
- The performance of the contract
- The performance of a task carried out in the public interest.
- CIRSA’s compliance with a legal obligation
- Vital interests
- Your consent
For how long do we store your data?
This column gives an indication of how long your data will be stored for. The storage period will in any event depend on the processing operation that is performed on your personal information. You should bear in mind that certain regulations may require us to store certain data on Data Subjects for a certain period of time.
Below is a more detailed description of how CIRSA processes your personal data:
Management of the internal reporting information system
For what purposes do we process your data?
- To correctly process communications, confirm their receipt and respond within the time limit provided for by law.
- To ensure adequate protection for Data Subjects who report acts or omissions contrary to the law or to the applicable collective bargaining agreement.
- To keep a register recording the information received in the reports and the internal investigations to which this has led, ensuring in any event that the requirements for confidentiality are met.
- To be aware of and investigate the commission, both within the corporation and in terms of the actions of third parties contracted by the corporation, of acts or conduct contrary to the law or to the applicable collective bargaining agreement.
- To forward the information to the Public Prosecutor's Office immediately whenever the facts might be indicative of a criminal offence. If the facts might concern the financial interests of the European Union, to refer the matter to the European Public Prosecutor's Office.
- To comply with the obligations that might be legally required of CIRSA.
Upon what legal basis do we process your data?
Compliance with a legal obligation applicable to the Data Controller. More specifically:
- Law 2/2023 of 20 February on the protection of persons who report regulatory infringements and on anti-corruption measures;
- Organic Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing; and
- Organic Law 3/2007 of 22 March for effective equality between women and men.
For how long do we retain your personal data?
- The Data Subject's personal data will be processed only for the period of time that is absolutely necessary to decide on the advisability of initiating an investigation into the facts reported. The exception is data which: i) it is not necessary to know about and investigate; ii) is not true; iii) refers to conduct not included within the scope of application of the Law; and/or iv) is included among special categories of data. Such data will be immediately deleted.
- As a general rule, this may not exceed three (3) months from receipt of the communication or, if no acknowledgement of receipt was sent, three (3) months from expiry of the seven (7) day period following the communication, except in cases of particular complexity requiring an extension of the time limit, in which case the period may be extended for a maximum of a further three (3) months. If the time limit has elapsed without any investigative measures having been initiated, unless the storage of the data serves to provide evidence of the functioning of the system, the data will be deleted. In this case, communications that have not been acted upon may only be recorded in anonymised form.
- Otherwise, they will be kept in the register for as long as is necessary and proportionate for the purposes of complying with the applicable regulations and, under no circumstances, for a period of more than ten (10) years.
6. TO WHOM DO WE DISCLOSE YOUR DATA?
CIRSA may disclose your data, subject to a legal requirement or legal basis providing for the lawfulness of the communication, to:
- The person responsible for the system and whomever directly manages the same.
- The human resources manager or duly designated competent body, only where it might be appropriate to take disciplinary measures.
- The person responsible for the legal services of the entity if it might be appropriate to take legal measures in relation to the facts recounted in the communication.
- The data protection officer.
- Legal advisors, experts, cybersecurity firms and/or other third parties required in order to conduct the investigations necessary to discern the facts reported by the Data Subjects.
- Public Prosecutor's Office
- European Public Prosecutor's Office
- Courts and Tribunals
- Government and Public Administration Agencies
- State Law Enforcement Agencies
7. WHO MAY ACCESS YOUR DATA?
CIRSA informs you that we work with third parties, more specifically, service providers required for the proper development of the internal reporting information system. These service providers may, in the course of their business, have access to your data. Rather than constituting a transfer of data, such access represents access in the capacity of a data processor, a role regulated by and provided for in the GDPR. In any event, CIRSA takes care of your data and has therefore checked that these providers offer an adequate level of security and ensure the protection of Data Subjects’ rights and freedoms.
8. IS YOUR DATA SECURE?
We shall adopt appropriate procedures to ensure the fair and transparent processing of your personal information. This will include the implementation of technical and organisational measures that take the potential risk into account and correct any identified inaccuracy in the personal data processed, in such a way that the risk of any error is minimised and your data is fairly and securely processed.
Likewise, we shall ensure that our service providers also have adequate security standards in place for the protection of the personal data to which they have or may have access, in compliance with the data protection legislation in force at any time.
9. CHANGES TO THIS DATA PROTECTION POLICY
This Data Protection Policy may change over time due to possible changes in the criteria followed by the competent data protection supervisory authority at any given time. CIRSA therefore reserves the right to change this Data Protection Policy to permit us to adapt it to said criteria and to jurisprudential or legislative changes.
Latest version: 13 June 2023.