Below is the basic information about how we process your personal data.
Basic information on privacy and data protection | |
Data Controller | Osborne Clarke España, S.L.P. with registered office at Avenida Diagonal, nº 477, planta 20, Barcelona, 8036 and with NIF B65697609. |
Purpose of the processing |
Analyse, process and investigate the facts reported by the informant or third parties. |
Basis of lawfulness of processing | The basis of lawfulness of the processing that Osborne Clarke Spain, S.L.P. carries out with the personal data communicated is compliant with the obligations (art. 6.1.c GDPR) set out in Law 2/2023, of 20 February, regulating the protection of persons who report regulatory and anti-corruption infringements (hereinafter, the " Law 2/2023 "). |
Recipients of the data | Providers of the services necessary for the operation of the Ethics Channel; other members of Osborne Clarke Verein (as that term is defined herein ); competent authorities involved as a result of the events reported. |
Rights of Data Subjects | Access, rectification, deletion, limitation, portability, opposition and to file claims with the AEPD. Please note that the rights of access and opposition may be limited in accordance with the provisions of Law 2/2023. |
Data Protection Officer | |
Additional information | Further information can be found below on the processing of personal data we carry out on personal data communicated through the Ethics Channel:
|
Data Controller
The person responsible for the processing of personal data of the data provided by the informant through the Ethics Channel or by third parties in the course of the investigations motivated by the information communicated is Osborne Clarke España, S.L.P. (hereinafter, the " Data Controller ") with registered office at Avenida Diagonal, nº 477, planta 20, Barcelona, 8036 and with NIF B65697609.
Purpose of the processing
The Data Controller will process the personal data provided for the purpose of analysing, processing and investigating any information that:
· may constitute an infringement of European Union law, with the particularities defined in Article 2.1.a) of Law 2/2023, of 20 February, regulating the protection of persons who report regulatory and anti-corruption infringements (hereinafter, "Law 2 /2023 ");
· may constitute a serious or very serious criminal or administrative offence, including any serious or very serious criminal or administrative offence that involves economic loss for the Public Treasury and/or Social Security.
Basis of legitimacy
The basis for the lawfulness of the processing carried out by the Data Controller with the personal data communicated is compliant with the obligations (art. 6.1.c GDPR) set out in Law 2/2023.
When the information provided by the reporting party or by third parties contains personal data of special categories whose processing is necessary for the fulfilment of the purposes of the processing – described above – such processing will be carried out on the basis of lawfulness of necessity for reasons of essential public interest (art. 9.2.g GDPR).
Data subject to processing and origin
The Data Controller, in order to fulfil the purposes of the processing, may process the following categories of data:
• Your contact details, if provided (first and last name, e-mail, telephone number).
• Name and title of the persons reported in the complaint.
• Any other personal data contained in the information on the facts reported, as well as in the rest of the documentation generated in the course of the investigation by the Data Controller.
Please note that we will only process personal data that is necessary for the knowledge and investigation of the reported facts and that we will immediately delete any other data. In addition, the Data Controller shall delete any information whose lack of veracity is proven at any stage of the investigation, unless such lack of veracity may constitute a criminal offence. In the latter case, the Data Controller will keep the information for as long as necessary to support the corresponding legal proceedings.
Duration of retention of personal data
The personal data communicated through the Ethics Channel and those processed in the course of the investigations carried out by the Data Controller will only be kept for the period that is necessary and proportionate for the purposes of complying with Law 2/2023, in particular:
· The personal data that is subject to processing will be kept by the Data Controller only for the time necessary to decide on the appropriateness of initiating an investigation into the facts reported.
· In any case, if three months have elapsed since the receipt of the informant's communication without any investigation actions having been initiated, the Data Controller will delete the personal data communicated, unless the purpose of the storage is to provide evidence of the operation of the Ethics Channel.
Communications that have not been followed up by the Data Controller will be anonymised, so that any personal data communicated will no longer identify the informant or the person whom such data would identify or make identifiable.
Recipients of the data
The Data Controller may not communicate the identity of the reporting person to any third party, except to the judicial authority, the Public Prosecutor's Office or the competent administrative authority in the context of a criminal, disciplinary or punitive investigation. In such a case, the informant shall be notified, provided that such communication does not jeopardise the investigation or judicial proceedings.
Notwithstanding the above, in order to allow the operation of the Ethics Channel, the personal data communicated by the informant must be communicated to the person in charge of the Ethics Channel, the entity Digital Products Development S.L. This entity has the appropriate technical and organisational measures in place to ensure the protection of the personal data communicated. These measures extend to the agreements entered into with its sub-processors, who provide you with storage, emailing, password storage, and firewall backup services. Below we detail the most relevant information regarding the identity and type of service offered by the sub-processors of Digital Products Development S.L. to allow the operation of the Ethics Channel:
Use | Service | Supplier |
Hosting |
Interxion HeadQuarters B.V.Scorpius 30,2132 LR Hoofddorp,The Netherlands P.O. Box 75812
The data from the Ethics Channel is stored in a data centre in Frankfurt. https://www.interxion.com/locations/europe/frankfurt | DIGITAL OCEAN, 101 Avenue of the Americas, 10th Floor, New York, NY 10013 VAT ID: EU528002224 |
Sending Emails | Sending warning and alert emails to the users of the platform.
It does not process information contained in the information provided by the informant, it only manages email addresses.
Digital Products Development S.L. has signed a DPA with standard clauses: https://postmarkapp.com/dpa | POSTMARK: ActiveCampaign, LLC, 1 North Dearborn St, 5th Floor, Chicago, IL 60602
|
Key Storage & Backups | Encryption keys are stored in Amazon's KMS system. | AMAZON KMS, AMAZON WEB SERVICES EMEA SARL, SUCURSAL EN ESPAÑA, CALLE RAMIREZ DE PRADO, 5, 28045 MADRID, SPAIN• CIF ES W0185696B
|
Web Application Firewall | Firewall that protects the platform from potential third-party attacks. The provider does not store any personal information on its systems. | Cloudflare, Inc. 101 Townsend St, San Francisco, CA 94107 USA
|
In addition to the person in charge of the Ethics Channel and its sub-processors, the personal data contained in the Ethics Channel may only be accessed, to the extent of their competences and functions, by:
1. The Ethics Channel Manager or the Compliance Manager Back Up in case of conflict with the former.
2. In the event of disciplinary action being taken against an employee. the duly designated competent body.
3. In the event that legal measures are to be adopted in relation to the facts reported in the communication, the head of the Office designated for the relevant legal area with respect to the facts reported.
4. The Firm's Data Protection Officer.
In addition, during the course of an investigation it may be necessary for us to share the facts you report – including necessary personal data – with another member of Osborne Clarke Verein (more information here ) or other third parties, where this is necessary to take corrective action on the part of the Controller.
Rights of Data Subjects
The informant or any natural person whose personal data is provided (hereinafter, the " Data Subject ") may exercise their rights of access, rectification, deletion, limitation, portability, opposition. You can consult the following link where the AEPD offers detailed information on each right and the conditions for exercising it: https://www.aepd.es/derechos-y-deberes/conoce-tus-derechos .
To exercise their rights, the Data Subjects may contact the address [email protected]
In any case, Data Subjects should be aware that the right to object may be limited within the framework of Law 2/2023. In this regard, article 31.4 of said Law establishes that, once the right to object has been exercised, the Data Controller may continue the processing of the data based on the existence of compelling legitimate reasons, unless proven otherwise. In addition, the right of access may also be limited, including in those cases where the interested party requests to know the transfers that the Data Controller has made to public authorities.
The Data Subject has the right to submit the claims he/she deems pertinent to the AEPD, for which the following addresses are provided:
· https://sedeagpd.gob.es/sede-electronica-web/vistas/infoSede/tramitesCiudadano.jsf
· https://www.aepd.es/la-agencia/donde-encontrarnos
DPO
You can contact the data protection officer by email: [email protected]