1. ADDITIONAL INFORMATION
1.1. Scope of this privacy policy
This document governs the privacy policy of IVIRMA’s Internal Information Channel (hereafter referred to as the “Channel” or “Internal Information Channel”).
The Internal Information Channel is the platform established by IVIRMA for you to report:
- (i) any behavior by any employee or professional providing services to IVIRMA that may imply irregularities or actions contrary to the Law.
- (ii) the commission, by a third party or interested party (suppliers, collaborators, etc.), of any act contrary to the law or to the provisions of the Code of Ethics and internal rules of IVIRMA.
Therefore, this privacy policy reflects the information regarding the processing related to the different categories of interested parties mentioned.
1.2. Guarantee of Confidentiality and Responsible Use of the Internal Information Channel
IVIRMA ensures the absolute confidentiality of both the information provided and your personal data submitted through the aforementioned Channel.
It is advisable to use the Internal Information Channel responsibly, avoiding baseless or bad-faith communications, as such actions may result in legal or disciplinary consequences, if applicable. In addition, in any account you give concerning another person, you must be respectful and maintain decorum and good manners. IVIRMA will not be held responsible for any derogatory comments you may make against any third party.
Likewise, you must ensure that the personal data provided is true, accurate, complete and up to date.
1.3. Data Controllers
EQUIPO IVI, S.L.U. (or IVIRMA) is supported by third parties specialized in the management and maintenance of the Internal Information Channel, who take part in the investigations carried out. The technology partner for the management of the Channel is the company Klab Corporate Project Management, S.L., which supplies the “icloudCompliance” solution and with whom the corresponding service, confidentiality and data processing agreements have been signed in accordance with the applicable regulations, as they have with the other third-party experts with whom IVIRMA collaborates.
1.4. Purposes
The main purpose of the processing is as follows: the data provided by the informant through the Internal Information Channel will be used to manage the receipt and handling of the communication submitted, in relation to malpractice or regulatory compliance, including:
- (i) Investigating and clarifying the reported facts.
- (ii) Determining responsibilities.
- (iii) Implementing corrective actions.
- (iv) Bringing legal and disciplinary actions before the responsible bodies in each case.
- (v) Informing you about the outcome of the procedure, if necessary.
1.5. Legitimacy for Data Processing and Affected Groups
- (A) Legal basis legitimizing the processing of your data:
- GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest.
- GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.
- GDPR: 6.1.f) Processing necessary for the fulfilment of legitimate interests pursued by the controller.
- GDPR: 6.1.a) Consent of the data subject to process the data of informants.
- (B) Affected groups:
The groups entitled to submit communications through IVIRMA’s Internal Information Channel are as follows:
- Employees
- Contacts
- Suppliers
- Other possible related interested parties
- (C) Type of information which may be processed in the context of investigations:
- Data of an identifying nature: Personal data relating to address, image, voice, telephone, name and surname.
- Academic and professional data: Personal data relating to education, qualifications, student record, professional experience, membership of professional bodies or associations.
- Employment details: Personal data relating to profession, job title, non-financial data from the employee’s salary or employment history.
- Economic, financial and insurance data: Personal data relating to income, earnings, investments, assets, credit, loans, guarantees, bank details, pension plans, retirement, payroll financial data, tax deductions, insurance, mortgages, subsidies, benefits, credit or credit/debit card history.
- Data relating to transactions in goods and services: Personal data relating to goods and services provided by the data subject, goods and services received by the data subject, financial transactions, compensation or indemnities.
- Sensitive data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed solely for the purpose of identifying a human being, data concerning health, data concerning a person’s sex life or sexual orientation.
1.6. Retention of the data
In accordance with applicable data protection legislation, the data of the person making the report shall be stored in IVIRMA’s Internal Information Channel system only for the time necessary to decide whether an investigation into the reported incidents should be initiated.
However, if, as a result of the company’s investigation into the reported facts, there is a need to take the appropriate legal actions and/or initiate legal proceedings, the data may be retained for an extended period until a final judicial decision is reached, in compliance with the current legislation.
1.7. Addressees
In accordance with the applicable data protection regulations, access to the data is limited exclusively to individuals responsible for internal control and compliance.
Nonetheless, access by other individuals, or even its communication to third parties, will be considered lawful when necessary for the internal investigation, implementation of disciplinary measures or for the processing of legal proceedings, if any:
- (i) The data provided will be disclosed to the Judicial Authority, Judges, Prosecutors, State Security Forces and Corps or administrative authority to whom the result of the investigation is transferred when so required by them or when the reported facts constitute a criminal offense.
- (ii) The data provided will be processed and, if necessary, transferred to relevant third parties, including Collaborating Entities and expert advisors participating in the investigation, such as lawyers, forensic experts and other experts, who will be subject to confidentiality obligations.
- (iii) Only when disciplinary measures are being considered against an employee, access to the data will be granted to personnel with human resources management and control functions.
1.8. Rights of the interested parties
- (A) You have the right to access your personal data (the right of access is limited to personal data only, with no access granted – under any circumstances – to the informant’s identification data). You also have the right to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
- (B) In certain circumstances, you may request the limitation of data processing, in which case we will only keep the data for the exercise or defense of claims.
- (C) Under specific circumstances and for reasons related to your particular situation, you may object to the processing of your data. IVIRMA will cease processing the data, except for compelling legitimate reasons, or the exercise or defense of potential claims.
- (D) You also have the right to file a complaint with the supervisory authority if you consider that the processing does not comply with the applicable data protection regulations. You also have the right to the portability of your personal data.
- (E) The right to file a complaint with the relevant supervisory authority.
- (F) If the complaint is related to IVIRMA, the request can be sent by email to the address dpo@ivirma.com, identifying yourself as a user of IVIRMA’s Internal Information Channel form.
However, insofar as a real and concrete prejudice to the confidentiality of the informant may result, the rights recognised in articles 15 to 22 of the GDPR shall be limited or denied if necessary.
Finally, if you would like more information about your data protection rights or if you need to make a complaint, you may contact the relevant supervisory authority.
1.9. Security
To safeguard the security of your personal data, we inform you that we have implemented all the necessary technical and organizational measures. These measures are in place to protect your personal data from alteration, loss, improper use, disclosure, and unauthorized processing or access, as required by personal data protection regulations.
In this sense, IVIRMA guarantees the custody of the data being processed, for which it shall undertake the relevant measures for such purposes, always in line with the current state of technology.
Our security measures are continuously updated in accordance with the technological development and obligations imposed by data protection regulations.
While it is impossible to provide an absolute guarantee against intrusion when transmitting information over the Internet, we, along with our subcontractors and business partners, diligently work to maintain physical, electronic and procedural safeguards to ensure that your data is protected in accordance with the applicable legal requirements.
The measures we use include the following:
- (i) Allowing access only to the authorized control body for the management tasks that are required to achieve the described objectives.
- (ii) Perimeter protection systems for IT infrastructures (“firewalls”) to prevent unauthorized access.
- (iii) Regular monitoring of access to identify and stop any unauthorized or improper attempts to access personal data.