DATA PROTECTION

In accordance with the applicable regulations in force on the protection of personal data (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the General Data Protection Regulation or GDPR), the current regulations on whistleblowing channels and whistleblower protection (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, Directive (EU) 2019/1937), national legislation on both matters and the doctrine developed by the competent supervisory authorities in this regard, we inform you that the personal data that may be collected in the context of this Internal Reporting System will be processed in accordance with the following considerations:

Joint Data Controllers

The personal data of the whistleblower (in the event that he/she reveals his/her identity), of the respondent, of any other subjects mentioned in the communication or of the persons interviewed in the framework of the possible subsequent investigation, will be processed by AZ Capital, S.A. (hereinafter, the «Company») with registered office at Calle Fortuny, 6, 28010, Madrid, Spain, acting as joint data controllers.

Purposes of processing and legal bases

Personal data will be processed exclusively for compliance with the legal obligations required by the applicable legislation on the Internal Information System and whistleblower protection and in particular to (i) assess the communications or information received through the Internal Information System, (ii) carry out the necessary internal investigations, (iii) implement the corrective measures that are appropriate in each case and (iv) record the operation and effectiveness of the Information System and the Company’s Compliance Program.

Thus, the legal basis for the processing of data received as a result of a communication or in the framework of a subsequent internal investigation is Article 6.1.c) of the GDPR, i.e. the processing is necessary for compliance with the legal requirements related to the Internal Reporting System, in accordance with the applicable legislation on the whistleblowing channel and whistleblower protection referred to above.

In addition, in the event that an interested party requests to make their communication verbally (by means of a personal interview, voice messaging system or, where appropriate, telephone line), the processing of personal data will also be based on their consent for the transcription of the conversation, which may in any case be checked, rectified and accepted by means of the signature of the interested party, or for recording it, as long as mechanisms are used for this purpose that have the appropriate guarantees and security measures.

Data processed

The following is an illustrative, non-exhaustive list of the personal data that may be processed to carry out the purposes described above:

  1. Identity, role, functions and contact details of whistleblowers, reported persons, other affected persons and persons interviewed.
  2. Facts reported and personal data related to them.
  3. Any evidence related to the reported facts.
  4. Research reports.
  5. Data obtained during the interviews.

The data will be obtained through the communication itself or within the framework of any subsequent investigation.

As a general rule, no specially protected personal data will be processed according to the criteria established by the applicable data protection regulations (e.g. data on health, sexual orientation, religious beliefs, ideology, etc.). However, exceptionally and when it is essential for the correct assessment and investigation of a communication, this type of personal data may be processed on the basis of an essential public interest in accordance with Article 9.2 g) GDPR.

Categories of Recipients

Personal data may be communicated or allowed access to the following categories of recipients:

  1. The System Manager and, where appropriate, the Substitute for the System Manager.
  2. The members of the Supervisory and Control Body, when they participate in internal investigations in accordance with the provisions of the Company’s internal regulations.
  3. The Investigating Committee, in cases of prevention of workplace harassment, in accordance with the Company’s internal regulations in this area.
  4. The Company’s internal staff, always in accordance with the restrictions provided for in the applicable national legislation.
  5. The competent public authorities (i) to whom, where appropriate, the outcome of any internal investigation is communicated (Investigating Judge, Public Prosecutor’s Office or relevant administrative authority) in the framework of a criminal, disciplinary or sanctioning investigation or (ii) that require information relating to compliance with the obligations provided for in the applicable national legislation transposing Directive (EU) 2019/1937, GDPR or other relevant regulations in the context of the Internal Information System. In the latter case, personal data will only be transferred in exceptional cases where it is strictly essential and in a proportionate manner, and personal data relating to the whistleblowers will never be transferred.
  6. Other third parties (such as, for example, Notaries), exclusively when necessary for the adoption of corrective measures in the entity or the processing of any sanctioning or criminal proceedings that may be appropriate.
  7. Data processors that may be designated by the Company who may be affected by a communication. A data processor is an independent entity that processes personal data on behalf of the controller or, where appropriate, joint controllers, exclusively following the controller's instructions and, as a general rule, for the purpose of providing a service. By way of illustration, but not limitation, these data processors will provide services related to: the technological infrastructure that supports the Internal Reporting System, external experts specialized in investigations and forensic services, storage service providers, as well as other external advisors that may be necessary for the successful completion of internal investigations. These entities are located in the European Economic Area, so there are no international data transfers.

In any case, the identity and personal data of the whistleblowers will be kept confidential and will not be communicated to the reported persons or to third parties or entities other than those indicated in this section.

Retention period

The personal data that are subject to processing will only be kept in the Internal Reporting System for the time necessary to decide on the appropriateness of initiating an investigation into the facts reported.

Any information that is proven to be untrue will be immediately deleted, unless such lack of veracity may constitute a criminal offence, in which case the information will be kept for the necessary time during which the judicial proceedings are being conducted.

If the information received contains personal data included within the special categories of data, it will generally be immediately deleted, without the registration and processing of the same, unless these personal data are essential for the correct assessment and investigation of the communication, on the basis of an essential public interest in accordance with Article 9.2 g) GDPR (for example, communications based on discrimination based on race or sexual orientation). For these purposes, «special categories of data» means those listed in Article 9.1 of the GDPR.

The subjects included in the personal scope of application of the Internal Reporting System will be informed of the processing of personal data that occurs within the framework of the Internal Reporting System. In addition, when personal data are obtained directly from the data subjects, they will be provided with the legally required information on the processing of these data, and they will be informed that their identity will be reserved in all cases.

If the information is provided verbally and the communication is to be recorded, the whistleblower will be warned of such recording and will be informed of the processing of their data in accordance with the provisions of data protection regulations.

The person to whom the facts relate shall in no case be informed of the identity of the whistleblower or of the person who has carried out the public disclosure, even if he or she exercises his or her right of access to his or her personal data.

In any case, if three months have elapsed since receipt of the communication without any investigation actions having been initiated, the personal data will be deleted unless the purpose of the storage is to leave evidence of the operation of the Internal Reporting System. Communications that have not been processed will only be recorded in an anonymised form, i.e. it will not be possible by any means to identify any of the natural persons who are part of the communication or file, and without the obligation to block provided for in the LOPDGDD being applicable in any case.

Once an investigation has been completed, the data will be kept in the Internal Information and Research Record Book for the period that is necessary and proportionate for the purposes of complying with applicable legislation, which may not exceed, as a general rule, 10 years.

Data protection rights

The affected or interested parties may exercise, in accordance with data protection legislation, their rights of access, rectification, deletion or opposition, and, if applicable, the limitation of the processing and portability of their data, when appropriate according to the applicable regulations, by sending an email to the address proteccion.datos@azcapital.com or by post to Calle Fortuny, 6, 28010, Madrid, Spain. In addition, they also have the possibility of filing a complaint with the relevant supervisory authority, such as the Spanish Data Protection Agency (www.aepd.es).

However, the exercise of such rights in Spain does not apply when it is raised in relation to a communication related to the prevention of money laundering and terrorist financing, in which case the provisions of Article 32 of Law 10/2010, of 28 April, will apply. In addition, in the event that the person to whom the facts reported in the communication refer exercises the right to object, it will be presumed that there are compelling legitimate reasons that legitimise the processing of their personal data, unless proven otherwise.

Copyright © 2022 AZ CAPITAL