INFORMATION TO THE WHISTLEBLOWER
Who is responsible for the processing of data?
In accordance with the provisions of Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption, as well as the provisions of Regulation (EU) 2016/679, General Data Protection and the Organic Law on Data Protection, 3/2018 of 5 December 2018, FADE (hereinafter "FADE"), is the entity responsible for the processing.
What categories of data are processed and what is the purpose of processing it?
All personal data will be obtained from the information you provide, which may include identification data, contact data, data relating to the reported event, etc., data strictly necessary for the investigation, which may also include the processing of specially protected data to follow up the investigation. If the information received contains specially protected personal data, it will be immediately deleted, without the registration and processing of such data.
The data will be processed for the purpose of managing the report or inquiry received, for the sole purpose of processing the same and investigate the facts reported or response to the query raised.
Personal data that is not necessary for the knowledge and investigation of the actions or omissions reported or the response to the relevant query, will not, under any circumstances, be processed, and it will be immediately deleted. Likewise, any personal data that may have been communicated and that refers to a conduct that is not included in the scope of application of the law 2/2023 will be deleted.
In case you choose to identify yourself as a complainant, FADE guarantees your confidentiality, so that the processing of the report will be carried out preserving your identity.
What is the basis for the legitimacy of the processing?
The processing of your data has its basis of legitimacy in compliance with a legal obligation on the part of FADE, in accordance with the provisions of Article 30.2 of Law 2/2023 of 20 February, regulating the protection of persons who report regulatory violations and the fight against corruption.
Who can access the data?
Access to the data provided will be limited exclusively to those who, whether or not they are part of FADE, perform the following functions:
a) The person responsible for the system and whoever manages it directly.
b) The person responsible for human resources or the duly designated competent body, only when disciplinary measures may be taken.
c) The person responsible for the legal services of the entity or organization, if legal measures may be taken in relation to the facts described in the communication.
d) The persons in charge of processing that may be appointed.
e) The data protection officer, if one has been appointed in the organization.
Additionally, personal data may be shared with other entities of the Group FADE, in order to coordinate, manage and, if necessary, execute the actions and/or measures required for the management and processing of the report and, in some cases, the opened investigation. These organizations will be the following: FADE This communication of data is covered by the legitimate interest of FADE , which is to provide the correct processing of the reports, in accordance with Recital 48 of the GDPR. Only in the event that an offence is detected, your data may be communicated to third parties (Courts and Tribunals, Security Forces and Corps or Public Administration), in order to comply with the corresponding legal obligations.
Are there any international data transfers or automated decisions?
However, in the event that a supplier may be located in countries outside the European Economic Area (EEA) or, being located in the EEA, share information with other entities located outside the EEA, it is guaranteed that the transfers are made to countries for which the European Commission has declared that they provide a level of protection comparable to the European level. In the absence of such declaration of adequacy, adequate guarantees will be adopted through the Standard Contractual Clauses approved by the Commission.
How long is personal data kept?
The data being processed may be kept in the system for the time necessary in order to decide whether to initiate an investigation into the facts reported. In any case, if in three months after receiving the the communication there has not been any investigation initiated, the data will be deleted.
As an exception, the data may remain in the channel as long as the purpose is to leave evidence of the functioning of FADE's Commission of crimes's prevention model, and this data will be kept anonymized. Thus, once the aforementioned period has elapsed, the data may continue to be processed by the body responsible for the investigation of the reported facts.
What are your data protection rights and how can you exercise them?
You may exercise your rights of access, rectification, deletion, limitation of processing, opposition and/or portability of your data by writing to us. In the event that you exercise your right of opposition, it will be presumed that, unless proven otherwise, there are compelling legitimate reasons that legitimize the processing of your personal data by us.
You may also contact the Spanish Data Protection Agency (www.aepd.es), if you consider that your rights have been violated.
If the request is made by a third party, the representation granted for this purpose must be duly accredited. When FADE has reasonable doubts as to the identity of the natural person submitting the request, it may request that additional information be provided to confirm his or her identity.