PRIVACY POLICY - WHISTLEBLOWING CHANNEL | Grupo Antolin

PRIVACY POLICY - WHISTLEBLOWING CHANNEL

1.    DATA CONTROLLER:

GRUPO ANTOLÍN IRAUSA, S.A., domiciled in Burgos, at Carretera Madrid-Irún, Km. 244,8 (SPAIN), registered at Burgos Commercial Registry in volume 182, book 102 of Companies Section 3, sheet 133, page 1960, with employer identification number A09092305 (“Antolín” or the “Company”) is the controller of the personal data that are processed through the Antolín transparency and whistle-blowing channel. This clause provides information on the use that the Company will make of your personal data and your rights under the General Data Protection Regulation (“GDPR”). Should you have any questions regarding the processing of your data, please contact the Company at the following addresses: by mail, at Grupo Antolín Irausa, S.A. (Ctra. Madrid-Irún Km. 244,8 09007 Burgos) or via the Company’s website, at: http://www.grupoantolin.com/en/contact-us?contact=privacy

2.    PURPOSES OF THE PROCESSING, LEGAL GROUNDS AND DATA DISCLOSURES:

In the following table you can consult the purposes of the processing of your data, the legal grounds that entitle the Company to process your data for those purposes, the possible disclosure of your data to third parties and the existence of potential international data transfers. You will receive information on the storage periods of your data on the Company’s systems, notwithstanding the obligations to block data set forth in applicable legislation. You may request a list of recipients of your data by writing to http://www.grupoantolin.com/en/contact-us?contact=privacy, indicating the specific recipients in relation to which you require information.

Purpose of the processing Legal basis Recipients International transfers Storage period

Processing of personal data necessary to manage reports that any person related in any way to Antolín may file in order to notify Antolín of the breach of any regulations at Antolín, as well as to manage reports or communications sent by any person related to Antolín using this Channel.

Legitimate interest of Antolín: Need to ensure compliance with any legislation that may be applicable at Antolín, and to ensure respect for the dignity of all persons related in any way to the Antolín Group

Data may be disclosed, on the legal basis of Antolín’s right to due process, to courts or tribunals.

The categories of service providers of Antolín that may have access to your data as data processors, given the services they provide to the Group, are:

•    •    Technology services and systems maintenance companies of Antolín.

 

Your data may be transferred to technology services and systems maintenance companies of Antolín located outside the European Union (“EU”). If you would like to know where these companies are located, please write to the following address http://www.grupoantolin.com/en/contact-us?contact=privacy and you will be provided with an updated list.  

These transfers would be carried out on the basis of the signature by these companies located outside the EU of standard data protection clauses adopted by the European Commission for international transfers, pursuant to article 46.2 GDPR. Should you require a copy of these contractual clauses please write to Antolín at: http://www.grupoantolin.com/en/contact-us?contact=privacy.

 

Data contained in reports sent via the Transparency Channel shall be kept in the system for the time necessary to ascertain whether it is necessary to open an investigation into the case reported, and such time period may not exceed three months following the filing of the report. If it is decided not to open an investigation, the data shall be deleted from the whistle-blowing system.

If it is decided that an investigation should be opened, the data will be migrated to the system and area of Antolín tasked with carrying out such investigations, and the data may be kept on such systems for the time strictly necessary for the successful conclusion of the investigation.

 

Necessary, up-to-date information

Completion of all the fields marked with an asterisk (*) in the forms you may be given is compulsory. Failure to complete any of these fields could lead to your being denied access to the functionalities of this tool.

In order to ensure that the information provided is constantly up to date and does not contain errors, you should notify Antolín as soon as possible of any amendments or changes to your personal data. By clicking on the “Send” button (or similar) on such forms, you state that the information and data provided are accurate and true.

3.    ASPECTS TO BE TAKEN INTO ACCOUNT WITH RESPECT TO THE WHISTLE-BLOWING CHANNEL:

Antolín makes this whistle-blowing channel available to all persons related in any way to the Group. Through the channel, any person may inform Antolín of the commission of any type of inappropriate act or conduct that could be contrary to the general or industry legislation applicable to the Group carried out by any person or group of people related to the Group in any way (employees, clients, suppliers, visitors, etc.). The whistleblower may identify themselves with their personal data on filing the report, or may do so anonymously. Only our Compliance department will have access to this channel and only where disciplinary action may be taken against any Antolín employee will access be permitted to the HR personnel tasked with such cases. The Group maintains the strictest confidentiality of all personal data and information provided through the whistle-blowing channel, and has implemented the technical and organizational security measures necessary to protect this information. The data included in whistle-blowing reports shall be kept only for the time strictly necessary to decide whether it is appropriate to open an investigation and shall be erased from the whistle-blowing channel in all cases three months after the data is entered (being migrated to another system if an investigation is to be opened). 

 

4.    DATA SUBJECTS’ RIGHTS:

You may exercise the following rights:
(i)    right of access to your personal data to know which data are being processed and the processing operations that are being performed with that data; 
(ii)    right to rectification of any inaccurate data; 
(iii)    right to erasure of the personal data, where possible; 
(iv)    right to request the restriction of the processing of your personal data where the accuracy, legality or need to process the data is doubtful and in the other cases envisaged in the GDPR;
(v)    right to object, at any time, for reasons related to your specific situation. The Company shall stop processing your data unless it has a compelling legitimate interest for the processing, or for the establishment, exercise or defense of legal claims.

 

In order to exercise these rights, you should send a written request by letter to Grupo Antolín Irausa, S.A. (Ctra. Madrid-Irún Km. 244,8 09007 Burgos) or via the Company’s website: http://www.grupoantolin.com/en/contact-us?contact=privacy. You must sign the request, include your full name and address, and indicate which rights you wish to exercise.

You may also lodge a complaint with the AEPD if you consider that data protection legislation has been breached in the processing of your personal data.

5.    CONFIDENTIALITY AND SECURITY

The Company shall make all reasonable efforts to maintain the confidentiality of the personal information in question through this tool. Antolín has implemented and maintains strict levels of security in order to protect the personal data it processes from accidental loss and unauthorized access, processing or disclosure, having regard to the state of the art, the nature of the stored data and the risks to which they are exposed. This notwithstanding, the transmission of information via the Internet is not totally secure; accordingly, and despite the fact that the Company shall make its best efforts to protect your personal data, it cannot guarantee the security of such data during transit to the tool or systems of Antolín. All information provided by you shall be sent at your own risk. Once your personal data have been received, the Company shall use rigorous security functions and procedures to prevent any unauthorized access.