According to Spanish Law 2/2023, February 20th, regulating the protection of persons who report infringements and the fight against corruption, all companies with over 50 employees are obliged to have an internal helpline for reporting what may be serious criminal or administrative offences or infringements of European Union (EU) law.
It is also obligatory under these regulations to inform interested parties how to use internal information channels and the essential principles of the procedure.
To ensure compliance with the above, the following are available:
Internal Information System (IIS) Policy
Internal Information Channel Instruction Manual
CAPTRAIN INFORMATION
ETHICS HELPLINE
The ethics helpline ensures compliance with articles 7 and 9 of the aforementioned law.
ANONYMOUS COMMUNICATIONS AND PERSONAL DATA
Communications may be anonymous – the informant is not obliged to identify themselves – and will be answered through the same channel through which they were received. The code assigned on receipt of the complaint should be saved.
The informant’s identity will only be revealed with their express consent, or when there is a necessary and proportionate obligation under EU or national law in the context of an investigation carried out by national authorities or as part of judicial proceedings, in particular to safeguard the rights of the person concerned.
Compliance with current data protection legislation (DPL and GDPR) will be guaranteed throughout the procedure.
HOW TO USE THE ETHICS HELPLINE
To guarantee total objectivity and transparency, complaints will be directed to and managed by an online application external to the CAPTRAIN domain.
The external provider will follow CAPTRAIN’s instructions in accordance with current legislation on data protection, ensuring compliance with Article 28 of the GDPR.
The application may be used by any CAPTRAIN employee or any other third party who may have knowledge of unethical, fraudulent or illegal conduct committed within the organisation.
The ethics helpline is not the appropriate channel for issues relating to employment terms and conditions or disciplinary matters; in these cases, the organisation’s relevant policies should be followed.
LINK TO THE ETHICS HELPLINE FORM
Main compliance policies
PL0170 Política anticorrupción y prevención del soborno
PS0147 Código Ético de CAPTRAIN España
PS0149 Procedimiento de prevención y respuesta ante delitos
Ethics helpline data privacy policy
In compliance with European Parliament and European Council Article 13 Regulation (EU) 2016/679, dated April 27th 2016, on the protection of persons with regard to the processing of personal data and on the free movement of such data; Article 11 of Spanish Law 3/2018, dated December 5th, on the Protection of Personal Data and the guaranteeing of digital rights; and Article 31 of Spanish Law 2/2023, dated February 20th, regulating the protection of persons who report infringements and the fight against corruption, information on personal data protection with regard to the processing of personal data in the Internal Information System is described below:
1. DATA CONTROLLER
The data controller is CAPTRAIN ESPAÑA S.A.U.
Address: C/ Viriato 47 9º, 08014, Barcelona, Spain
Telephone: (+34) 93 366 21 41
Tax number: A60462926
Your personal data will be treated with the strictest confidentiality and only by authorised personnel.
2. WHERE YOUR DATA CAME FROM
If you chose to identify yourself, your personal data came from the form you filled in on CAPTRAIN ESPAÑA’s Compliance Channel.
3. USE OF YOUR PERSONAL DATA
The personal data you provided in the form and the data in the documentation you submit in support of your communication will be processed for the sole purpose of managing the complaints received through the channel, for proceeding with the investigation into the reported allegations and, where appropriate, for responding to the query raised. They may also be used, where appropriate, for implementing protective measures and/or measures to prevent retaliation. All uses of personal data will comply with the provisions of the Internal Information System Policy and the Compliance Channel Management Protocol.
4. LEGAL BASIS
The legal basis for processing your personal data under the management of the Internal Information System will be that established in Article 6.1.c of the EU General Data Protection Regulation (GDPR), insofar as processing your personal data is necessary for the data controller to comply with Spanish Law 2/2023, dated February 20th, regulating the protection of persons who report infringements and the fight against corruption.
5. RETENTION OF YOUR PERSONAL DATA
Processed data may be kept in the information system only for as long as is necessary to decide whether an enquiry should be opened into the allegations.
If it is established that the information provided, or any part of it, is not truthful, it must be immediately deleted as soon as this comes to light, unless this lack of truthfulness constitutes a criminal offence, in which case the information will be kept for as long as necessary during legal proceedings.
If three months have passed since the receipt of the communication and no investigation has been started, it shall be deleted, unless the purpose of keeping it is to have evidence of the system operating. Communications that have not been processed may only be recorded in anonymised form, unless Article 32 of Spanish Law 3/2018, dated December 5th, is applied.
Under no circumstances will personal data be processed if not necessary for denouncing and investigating the actions or omissions to which Law 2/2023, dated February 20th, regulating the protection of persons who report infringements and the fight against corruption applies. If this is the case, it shall be deleted immediately. Likewise, any personal data that refer to conduct that is not included in the scope of the aforementioned law shall be deleted.
If the information received contains personal data included in the special categories of data, it shall be deleted immediately, without being registered and processed.
The personal data relating to the information received and to the internal investigations contained in the register shall only be kept for a period that is necessary and proportionate to comply with the aforementioned law. In no case may the data be kept for a period of more than ten years.
6. SHARING YOUR PERSONAL DATA
In the event that your identity is provided or identifiable, it will in any case be held back, and will not be communicated to the persons to whom the allegations refer or to third parties not involved in the management and processing of the communication, except when it is necessary for corrective measures to be taken or where sanctions or criminal proceedings may be applicable, in which case this must be communicated to the competent authorities.
The personal data processed in the Internal Information System may be communicated to judicial authorities, the public prosecutor’s office, the state security forces and competent administrative authorities, in the context of investigations they are carrying out or within the framework of judicial proceedings. It may also be communicated to the competent state or regional whistleblower protection authorities.
If the management of the Internal Information System is outsourced, the information provided through the online channel may be processed by the external third party, as a data processor, in accordance with the provisions of Article 6 of Law 2/2023, dated February 20th, regulating the protection of persons who report infringements and the fight against corruption.
There are no plans to transfer data internationally for processing.
7. YOUR RIGHTS
Informants have the right to access their personal data, to correct inaccurate or incomplete personal data, to request the deletion of their personal data and to limit processing of their personal data, by sending a letter to the postal address indicated above or to the e-mail address lopd@captrain.es, at any time and free of charge. In addition, you have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if you consider that a breach of data protection legislation has been committed with regard to the processing of your personal data.