Who is the Data Controller?
The data controller of the personal data included in any information communicated through BME’s Information System is Bolsas y Mercados Españoles, Sociedad Holding de Mercados y Sistemas Financieros, S.A.U. ("BME Holding"), with tax identification code A-83246314 and registered office at Plaza de la Lealtad 1, 28014 Madrid.
What is the purpose and legal basis for processing of personal data?
Personal data will be processed by BME for the following purposes:
- Analyze and manage the complaint internally.
- Maintain contact with the reporting person, denounced/concerned party or third party relevant to the procedure.
- Conduct, if appropriate, the corresponding investigation into the complaint filed.
- Eventual referral to the competent authorities.
The processing of personal data by BME may be carried out:
- In cases of internal communication, based on a legal obligation as provided in art. 6.1.c) of the General Data Protection Regulation (hereinafter, "GDPR") when it is mandatory to have an internal reporting system as established by Spanish Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and anti-corruption.
- In the case of a public disclosure, on the performance of a task carried out in the public interest as indicated in art. 6.1.e) of the GDPR.
- In the case of the processing of special categories of personal data for reasons of substantial public interest, it may be carried out in accordance with the provisions of Article 9.2.g) of the GDPR.
What personal data is collected and processed?
The following personal data may be processed:
- From the reporting person (if the report is not anonymous): full name, e-mail, address, cell phone number or any other data included in the description of the communication.
- From the concerned/accused person: the data indicated by the complainant in the description of the communication and those that may be ascertained during the investigation.
- From the witness or other third parties: data ascertained from third parties indicated in the communication by the reporting person or relevant to the investigation being carried out which may provide significant information.
Who has access to personal data?
Access to the personal data contained in BME's Information System shall be limited exclusively to the Responsible for BME's Information System and the persons who perform internal control and compliance functions in the Compliance Department and, when necessary, to the Criminal Prevention Committee. Exceptionally, such access may be granted to:
- The Head of Human Resources when it is appropriate to take disciplinary measures against an employee.
- The Head of Legal Counsel when: (1) it is necessary to take legal measures; or (2) the communication refers to the Responsible for BME's Information System or any member(s) of the Compliance Department and they have to recuse themselves.
- The Data Processors to be appointed.
- BME's Audit and Risk Committee when necessary.
- The Data Protection Delegate.
Likewise, the processing of personal data by other persons shall be lawful when necessary for the adoption of corrective measures in BME or the processing of disciplinary or criminal proceedings, if any.
BME relies on the services of EQS Group AG, which provides the Integrity Line platform and offers guarantees regarding independence, confidentiality, data protection and secrecy of communications. In general, only third parties who provide adequate guarantees may have access to the management of the information received through BME's Information System.
The identity of the reporting person, if identified, may only be communicated to the Judicial Authority, the Public Prosecutor's Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation. The person to whom the facts reported in the information communicated refer shall in no case be informed of the identity of the reporting person.
What technical and organizational measures are used?
BME will ensure that all necessary technical and organizational measures are taken to preserve the identity and guarantee the maximum confidentiality of the data corresponding to the persons concerned and any third parties mentioned in the information provided.
Persons who, in the performance of their duties, become aware of information submitted through any of the channels, shall be bound to maintain professional secrecy, especially with regard to the identity of the reporting persons.
Both EQS Group AG and the software developed for EQS Integrity Line are certified according to the ISO 27001 information security standard. The platform ensures full compliance with the GDPR and guarantees the anonymity of the reporting person so that his or her identity cannot be traced by technical means.
What is the personal data retention period?
The personal data of the reporting person, persons concerned and third parties mentioned in the communication will be stored only for the time necessary to decide whether to initiate an investigation of the denounced or reported facts. If it is evidenced that the information provided or part of it is not true, the data must be deleted immediately. If the lack of truthfulness could constitute a criminal offense, the information will be kept for the necessary time during the legal proceedings.
After three months have elapsed from the receipt of the communication without any investigation actions having been initiated, the data shall be deleted, unless their retention serves to provide evidence of the operation of BME's Internal Information System. Communications that have not been acted upon may only be recorded in anonymized form, without the obligation to block being applicable.
How can I exercise my rights?
The reporting persons, concerned or accused persons, witnesses and other third parties whose personal data are processed will be referred to as "Data Subjects" for the purpose of exercising their rights.
The Data Subjects may exercise their rights of access, rectification, deletion, portability and limitation of processing, as well as contact the Data Protection Officer through the following address:
Data Subjects may also file a complaint with the Spanish Data Protection Agency (www.aepd.es).
Notwithstanding the foregoing, the characteristics of the investigation process may modify the scope of the exercise of any of these rights:
- None of the Data Subjects whose personal data are processed during this investigation may exercise the right of cancellation.
- The right of access to the information included in BME’s Information System will be limited to information related to the personal data of the Data Subject requesting it (third party data cannot be accessed).
- None of the Data Subjects to whom the facts related in the communication refer may object to being investigated. In the event that any Data Subject to whom the facts reported in the communication refer exercises the right to object, it will be presumed that, unless there is evidence to the contrary, there are legitimate reasons for processing his or her personal data.