The informant/whistleblower/reporting person figure plays a key role in exposing and preventing breaches and protecting the welfare of society. However, potential reporting persons tend to be discouraged from reporting their concerns or suspicions for fear of retaliation.
This entity is deeply committed to the importance of this figure and the need to protect those who “are closest to the source of information” regarding possible abusive practices and are therefore able to prevent them.
Below, you can find information regarding how we protect your personal data in the Ethics Channel Internal Information System (the Channel):
- Who is responsible for processing your personal data in the Channel.
- Purpose for which your personal data is processed.
- Type of personal data processed in the Channel.
- Storage periods of your personal data.
- Legal basis for processing your personal data.
- Recipients of your personal data. Who we share your data with in a secure manner.
- Personal data protection both for the whistleblower/reporting person, third parties affected by the information and the person against whom a report is made.
- Recognised rights regarding data protection in the Channel, how they can be exercised and restriction of right of access for the person against whom a report is made.
- Principle of data minimisation.
WHO IS RESPONSIBLE FOR PROCESSING YOUR DATA?
Channel Manager: Idoia Azaldegui
Company name: Basque Center For Macromolecular Design and Engineering - Polymat Fundazioa
Registered Office: Avenida de Tolosa, 72 - 20018. Donostia-San Sebastián
Telephone: 943 50 60 61
Data Protection Officer: Basque Center For Macromolecular Design and Engineering - Polymat Fundazioa
FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?
We inform you that the personal data you provide and that which is generated during the handling and management of the information is processed for the following purposes:
- To ensure that the information communicated in the Channel can be processed effectively and confidentially.
- To adequately protect the persons who use this Channel to report any breaches set out in our Rules of Use and any other irregular, unlawful or criminal conduct committed within this entity.
- To implement the necessary security measures in order to comply with Spanish Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (LOPDGDD), General Data Protection Regulation of the European Union 2016/679 (GDPR), Law 2/2023, of 20 February, governing the protection of persons who report breaches of the law and on combatting corruption (Whistleblower Act), EU Directive 2019/1937 regarding protection of persons who report breaches of Union Law (Whistleblowing Directive) and Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and execution of criminal sanctions.
- To send the acknowledgement of receipt of your communication and any other confidential information related to the handling of the reporting procedure and investigation to the address or secure receipt point that you have provided us with.
- To request further information from the reporting person in order to investigate the reported facts, if it is deemed necessary.
- To keep a register of the information received and internal investigations that may arise. This register shall not be public and its content may only be fully or partially accessed at a reasoned request from the competent judicial Authority, by court order and within the framework of judicial proceedings and under the Authority’s supervision.
- To publicise the existence of the Channel among the personnel of this entity, and the fact that it has been designed in a secure manner that safeguards the confidentiality of the information, the identity of the reporting person, of any third party mentioned in the communication and the identity of the person against whom a report has been made.
- To strengthen a culture of compliance, the organisation’s integrity infrastructures and to foment a culture of communication as a mechanism to prevent and detect threats to the public interest in general and to this entity in particular.
WHAT TYPE OF DATA IS PROCESSED IN THIS CHANNEL?
Unless you request anonymisation, the data you provide us with can be:
- Name and surnames
- Email address
- Postal address
- National ID number
- Location data
- Job or professional information
- Internet Protocol (IP) address
- Telephone number
The Channel shall preserve the identity and shall ensure the confidentiality of the personal data of the reporting person, of the person affected by the report/information and of any third party that is mentioned in the information provided; especially, the identity of the reporting person in the event of having identified themselves.
Information obtained through this Channel shall not be used for purposes other than that intended for the functioning and effectiveness of the system itself and to comply with the Whistleblower Act.
WHERE DOES YOUR DATA COME FROM?
Personal data processed by the Channel are provided by the reporting person, or obtained from publicly accessible sources.
WHICH PERSONAL DATA IS NOT PROCESSED IN THIS CHANNEL?
We inform you that under no circumstances shall personal data be processed if it is not necessary for understanding and investigating the actions or omissions reported, and that any such data shall be deleted immediately.
All personal data that may have been communicated and that refers to conduct that is not included within the scope of the Whistleblower Act (suggestions, mere comments or complaints regarding the functioning of the entity’s services or products, or interpersonal conflicts of interest, for example), that is, facts or actions that do not have a direct implication in the relationship with the entity and the reporting person, shall be deleted.
Should the information received contain personal data falling within the special categories of data, this will be deleted immediately, without being registered or processed. Particularly sensitive data that shall not be processed refers to data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data used to uniquely identify a person, data related to health or related to a person’s sex life or sexual orientation.
HOW LONG WILL WE STORE YOUR DATA?
Your personal data shall be kept in the Channel only for the time needed to determine whether to open an investigation.
If the information provided in the Channel is proven not to be true, it shall be deleted as soon as this is confirmed, unless the lack of truthfulness constitutes a criminal offence. In this case, the information shall be kept for the time that is strictly necessary to process the legal procedure.
In any event, after 3 months from receipt of the information without having initiated investigation proceedings, we shall delete it, unless the purpose of storage is to prove the functioning of the system.
Communications that are not processed further shall only be recorded in anonymised format, without applying the obligation for blocking and storage set out in article 32 of the LOPDGDD.
In addition, the Channel holds a register of the information received and the internal investigations that have been carried out, ensuring the confidentiality of its content in any event. Personal data stored in the register shall only be stored for the time that is strictly necessary and proportional and under no circumstances shall the data be stored for a period exceeding 10 years.
LEGITIMATION TO PROCESS YOUR PERSONAL DATA
We are legitimated to process your personal data in order to comply with the legal obligations imposed by the Whistleblower Act and the Whistleblowing Directive (article 6.1.c of the GDPR and article 8 of the LOPDGDD) which oblige us to implement an Ethics Channel.
If the whistleblower/reporting person chooses to report through the external channels of the Independent Authority for Whistleblower Protection (A.A.I), or the corresponding regional authority, processing of their personal data shall be legitimated by the need to comply with the obligations set out in the Whistleblower Act and the Whistleblowing Directive (article 6.1.e of the GDPR and article 11 of the LOPDGDD).
If the whistleblower/reporting person chooses public disclosure, processing of their personal data shall be legitimated by the need to comply with a mission carried out in the public interest or in the exercise of public authority conferred on the data controller (article 6.1.e of the GDPR and article 11 of the LOPDGDD).
WHO SHALL HAVE ACCESS TO YOUR PERSONAL DATA?
The identity of the reporting person shall be confidential in any event and shall not be communicated under any circumstances to the person/s referred to in the reported facts nor to third parties.
Access to the information in the Channel:
Access to personal data held in the Channel shall be exclusively restricted to:
a) The Channel Manager and the person who manages it directly.
b) The head of Human Resources or the duly designated competent body, only if it is necessary to take disciplinary action against a worker. In the case of public employees, the competent body for the processing of the same.
c) The head of the entity’s Legal Department, if it is necessary to take legal action in relation to the facts reported in the communication.
d) Those who may eventually be appointed to be in charge of data processing. For example, the legal consultants for the Channel or the IT service provider who receives the reports/communications. In any event, they shall sign the corresponding “Commissioned Data Processing agreement” in order to guarantee confidentiality and proper use of the information to which they have access and to ensure that they have the technical and organisational measures in place for data processing.
e) The Data Protection Officer, if one has been appointed.
Communication to third parties
Communication of personal data to third parties shall be lawful when it is necessary for the adoption of corrective measures in the entity or the processing of sanctioning or criminal procedures, which may be applicable, such as competent Public Administrations, Judges and Tribunals, Public Prosecutor’s Office, Public Treasury and Social Security.
The identity of the reporting person shall be communicated to the judicial Authority, the Public Prosecutor’s Office or the competent administrative Authority within the framework of a criminal, disciplinary or sanctioning investigation.
Should it be necessary to disclose the identity of the reporting person to the competent Authority, the reporting person shall be notified of this fact prior to this disclosure, unless said information should compromise the investigation or judicial procedure. In this case, the competent Authority shall explain the reasons for the disclosure of the confidential data in question to the reporting person in writing.
With regard to the information stored in the Channel’s register, this shall not be public and its content may only be fully or partially accessed at a reasoned request from the competent judicial Authority, by court order and within the framework of a judicial proceeding and under the Authority’s supervision.
WHAT ARE YOUR RIGHTS?
Interested parties may exercise their rights of access, rectification, deletion, restriction of processing, data portability, objection to processing and not to be subject to automated individual decision-making as recognised in articles 15 to 22 of the GDPR in the terms and with the necessary restrictions to ensure confidentiality and the effectiveness of the Channel required by the Whistleblower Act.
Right of access and rectification
The reporting person has the right to access his/her personal data and to obtain a copy of the personal data subject to processing, to update it and also to request rectification of inaccurate data or, where appropriate, request its deletion when the data is no longer necessary for the purposes for which it was collected, amongst other reasons.
The right of the person against whom a report has been made to access his/her personal data and to obtain information on its processing in this Channel shall be restricted in order to ensure confidentiality and security of the information and to protect the reporting person/whistleblower. The identity of the informer/reporting person shall never be communicated.
However, this individual is granted the right of access, with restrictions, the right to keep his/her identity confidential and protect it from third parties and the presumption of innocence.
Right of deletion
The interested party has the right to have his/her personal data that has been processed in the Channel deleted, due to the disappearance of the purpose for which it was processed or collected, or for any other motive contained in article 17 of the GDPR.
Deletion shall be carried out by proceeding to a high-level erasure of data held on automated media and the physical destruction of non-automated media.
Principle of minimisation of data
All personal data that refers to conduct that is not included in the scope of application of the Whistleblower Act and facts or actions that do not have a direct implication in the professional relationship with the entity and with the person against whom a report has been made shall be deleted.
Restriction of processing
Also, in certain circumstances provided for in article 18 of the GDPR, interested parties may request the restriction of the processing of their data.
Right to object to processing
Should the person to whom the facts reported refer exercise the right to object, it shall be assumed that there exist compelling legitimate grounds that legitimise the processing of personal data, unless there is evidence to the contrary, and the objection shall be denied.
HOW CAN YOU EXERCISE YOUR RIGHTS?
By writing to the addresses mentioned above with a copy of your National Identity Document (DNI) or other document that proves the identity of the interested party or that enables us to identify the report if this were made anonymously.
WHAT COMPLAINT PROCEDURES ARE THERE?
If you consider that your rights have not been properly addressed, you may make a complaint to the Spanish Data Protection Agency (Agencia Española de Protección de Datos), whose contact details are: Telephones: 900 293 183 / 900 293 621. Website: https://sedeagpd.gob.es/sede-electronica-web/vistas/infoSede/inicioCiudadano.jsf Postal address: C/ Jorge Juan, 6, 28001, Madrid.