Ethics Line Channel’s Privacy Policy

“Basic data protection information”

Data Controller: NORTIA SERVICIOS CORPORATIVOS, S.L. (hereinafter, “Nortia Group”) (Spanish national tax id. no. N.I.F. B-58.654.039).

Purpose: (i) to manage the initial registration of your complaint and the corresponding communication process; (ii) to provide you with an acknowledgement of receipt of your complaint within the legally established deadline; (iii) to request additional information from you, if necessary, and to guarantee the confidentiality of such information at all times.

Legitimate basis: (i) legal obligation provided for in Law 2/2023 pursuant to Article 6.1.c) of the GDPR; (ii) in case of public disclosure, on the legal basis of Article 6.1.e) of the GDPR; and (iii) pursuant to Article 9.2 of the GDPR with regard to the processing of special categories of personal data.

Recipients: Other Nortia Group companies, for the adoption of corrective measures in the company or the processing of any internal administrative disciplinary or criminal proceedings that may be appropriate. In order to fulfil the aforementioned purposes, the Nortia Group hires third parties (suppliers) who may have access to and/or process the personal data in their capacity as data processors. In any case, your personal data shall not be transferred to countries located outside the European Union for which there are no adequate safeguards.

Rights: access, rectification, deletion and opposition, as well as other rights, as explained in the additional information.

Additional information: you can consult further detailed information on data protection in our Privacy Policy.

“Additional data protection information”

 

1. Data Controller

Identity: NORTIA SERVICIOS CORPORATIVOS, S.L.
Address: Camí de Ca n’Ametller, 16, edificio 1, 5ª plta., 08185, Sant Cugat del Vallès, Barcelona (Spain).
Spanish corporate tax id. no. CIF: B58654039
Email: protecciondatos@nortia.com

 

2. Purposes of Data Processing

Why do we process your personal data?

If you choose to identify yourself by means of your personal data, we shall process such data in order to handle your complaint submitted through the Ethics Line Channel regarding actions or omissions that may constitute breaches of European Union law, or may constitute a serious or extremely serious criminal or administrative offence, in accordance with the applicable legislation. Specifically, we shall process your data in order to:

  1. Manage the initial registration of your complaint and the corresponding communication process;
  2. Provide you with acknowledgement of receipt of your complaint within the legally established deadline;
  3. Request additional information from you, if necessary, and guarantee the confidentiality of this information at all times.

 

3. Legitimate Basis

What is the legitimate basis for processing your personal data? 

Your personal data shall be processed for the aforementioned purposes and based on the following legitimacy:

  • Legal obligation: The processing of your personal data for the aforementioned purposes, both in the case of internal and external channels, shall be carried out on the legal basis of Article 6.1.c) GDPR, considering that NORTIA is a subject bound by Law 2/2023.
  • Public interest: The processing of your personal data arising from a public disclosure shall be carried out on the legal basis of Article 6.1.e) of the GDPR. If special category data are to be processed, this shall be done pursuant to the provisions of Article 9.2.g) of the GDPR.

 

4. Conservation

How long shall we store your data for?

As a general rule, the data processed may be kept in the information system only for the time necessary to decide whether or not to open an investigation into the facts reported. Under no circumstances shall personal data be processed if they are not necessary for the knowledge and investigation of the actions or omissions established in the applicable legislation, proceeding, where appropriate, to their immediate deletion, including the personal data of any third parties.

On the other hand, any data you provide us with which (i) is included in the special data categories; (ii) is not essential for the intended purpose; or, if applicable, (iii) is manifestly false, shall be deleted immediately, unless, in the latter case, the lack of truthfulness may constitute a criminal offence.

In any case, if 3 months have elapsed since the receipt of the communication without any investigation having been initiated, the data must be deleted, unless the purpose of the storage is to leave evidence of the operation of the system. In the latter case, the data shall be kept for the maintenance and updating of the Register of information, including the cases received, both those that have led to an investigation and those that have been archived, and shall be stored for a period of 10 years.

 

5. Recipients of the personal data

Shall we share your data with other companies?

In general, NORTIA shall not communicate your personal data to third parties, except in the following cases:

  1. The competent administrative authority in the framework of a criminal, disciplinary or sanctioning investigation and competent bodies, courts, public prosecutors, tribunals, independent whistleblower protection authority or any other third parties legitimised under the applicable regulations;
  2. If necessary for the investigation of the facts reported in the cases of internal communication, based on compliance with a legal obligation, we may communicate your data to other companies in the NORTIA group, in order to take corrective measures in the entity or to process disciplinary or criminal proceedings, where appropriate.

However, NORTIA has contracted the provision of certain services (e.g. virtual infrastructure services, cloud computing, legal consultancy in the processing of the complaint, etc.) to providers, which may have access to and/or process personal data in their capacity as data processors. Some of these providers may process and store personal information on servers located outside your country of residence, details of which can be obtained by emailing protecciondatos@nortia.com.

Therefore, depending on each individual case, transfers of data to other countries may take place. In such a case, your personal data may be transferred internationally to third parties located outside the European Economic Area (hereinafter “EEA”), provided that NORTIA has the authority to do so and subject to compliance with the appropriate safeguards set out in Articles 44 to 50 of the GDPR. Such third parties shall only access the data to carry out their services on behalf of and in the name of NORTIA, under the obligation of confidentiality and always following their instructions and without at any time using such data for their own purposes and/or unauthorised purposes.

In any case, appropriate safeguards include, inter alia:

  • Adequacy decision: a declaration by the European Commission that a non-EU state offers an adequate level of data protection equivalent to that provided by European data protection law, thus enabling the international transfer of data to a third party established in a state outside the EU;
  • Binding Corporate Rules: they apply to groups of companies or associations of companies engaged in a joint economic activity, which enable the flow of personal data based on a self-regulation accepted and assumed by each of the signatory entities;
  • Standard Corporate Rules: this is a mechanism signed between the exporter of the Personal Data from any of the EEA countries and a third country. It is a contractual agreement whose model has been approved and published by the European Commission and aligned with the precepts of the GDPR.
  • Code of conduct or a certification mechanism, including binding and enforceable commitments made by the recipient regarding the implementation of appropriate safeguards to protect the data transferred.

In the absence of the foregoing, your personal data may exceptionally be transferred to a third country or international organisation, applying the mechanisms that may be recognised in this respect by data protection legislation.

 

6. Your rights

What rights do you have regarding the processing of your data?

You have the right to obtain information about how NORTIA processes your personal data. Furthermore:

  1. You have the right to access your personal data to determine what data we are processing, as well as to rectify any incorrect data or, where applicable, request the deletion of your data when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
  2. In some cases, you may request the limitation of processing of your data, in which case we shall only store them for the exercise or defence of claims.
  3. In certain circumstances and for reasons relating to your particular situation, you may object to the processing of your data. In this case, NORTIA shall cease to process your personal data, except for compelling legitimate reasons, or for the exercise or defence of possible claims.

    Notwithstanding the foregoing, if the person to whom the facts related in the communication refer, or to whom the public disclosure refers, exercises the right to object, it shall be presumed that, in the absence of proof to the contrary, there are compelling legitimate grounds that legitimise the processing of their personal data.

  4. You have the right to portability, i.e. to have your personal data transferred directly to another controller in a structured, commonly used and machine-readable format, where technically possible.
  5. Finally, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you.

You may exercise your rights by sending an email to the following email address: protecciondatos@nortia.com.

We shall respond to your requests as soon as possible and, in any case, within one (1) month of receiving your request. Depending on the complexity and the number of applications NORTIA is dealing with, the deadline may be extended by two months. In such a case, we shall inform you in a timely manner within one (1) month of receipt of your request. If this is not the case, please excuse us and contact us again so that we can assist you and correct any technical errors that may have prevented us from responding to you in a timely manner.

Do you have the right to lodge a complaint?

If you believe that the processing of your personal data infringes data protection regulations, or if you believe that we have not complied with the exercise of your rights, you may lodge a complaint with the Spanish Data Protection Agency.

In any case, before initiating any complaint, please contact us by email at protecciondatos@nortia.com, in order to try to resolve any disagreement amicably.