Information about personal data processing
Additional information on the processing of your personal data in the Ethics Channel of the Sacyr Group:
Responsible for the data processing: The personal data that you provide us will be processed by the Board of Directors of Sacyr S.A., as responsible for the processing of the Internal Information System, with address at Calle Condesa del Venadito, 7, 28027, Madrid. You can contact our Data Protection Officer by writing an email to dpo@sacyr.com.
Purpose of the processing: We will process your data to manage notifications about the reported facts, to carry out the investigation of said facts or to adopt the pertinent corrective measures and inform you, once the investigation is complete, about the result of the procedure. You should know, in relation to the possibility of filing anonymous complaints in this Ethics Channel, that the company will duly investigate them, provided they contain enough information to do so and respecting in any case the terms established in this regard in Law 2/2023, of 20 February, regulating the protection of persons who report breaches of Union Law.
Lawfulness of processing: The processing of data of complaints is necessary for compliance with a legal obligation in accordance with article 6.1.c of the GDPR by virtue of Law 2/2023, of February 20, regulating the protection of persons who report breaches of Union Law.
In the event of public disclosure, the processing is based on the performance of a task carried out in the public interest in accordance with article 6.1.e of the GDPR.
The information received that contains data considered to be a special category will be deleted immediately without being registered and processed, provided that these data are not necessary to carry out the investigation and unless the processing is carried out for reasons of essential public interest, by virtue of article 9.2.g) of the GDPR.
In specific cases in which the complaints deal with matters related to the prevention of money laundering or harassment, the basis of legitimacy will be the legal obligation, in the case of money laundering, since some companies of the Sacyr Group are in the scope of this regulation. In the case of those complaints that deal with matters related to harassing behaviors, personal data will be processed based on the legal authorization granted by Organic Law 10/2022, of September 6, on the comprehensive guarantee of sexual freedom.
Data retention period: Personal data related to the information received and internal investigations carried out for this purpose will only be kept for the period that is necessary in order to comply with Law 2/2023 previously referenced. In particular, the provisions of sections 3 and 4 of article 32 of this Law will be considered. In no case may the data be kept for a period of more than ten years in the corresponding record book.
However, as an extraordinary circumstance, the company reserves the possibility, in order to exercise its rights of defense with all the guarantees, of duly keeping the complaint files for a maximum period equivalent to the limitation period that applies in each case to the criminal offense or administrative infraction communicated.
The extraordinary exceptions that the SACYR Group has considered to extend the period of retention of personal data and information related to the files generated in the Internal Information System, especially the personal information related to the informants, will be duly documented in procedures or other similar documents for internal use that the Regulatory Compliance Unit prepares and maintains in order to establish the management guidelines for communications received through the Ethics Channel.
In cases involving conflicts of interest notified through this Channel, the files will be kept for a period of 3 years from the end of the investigation, a period during which the data may be useful to fulfil the purpose described in the SACYR Conflicts of Interest Protocol.
Data recipients: Personal data will be processed confidentially unless the complaints are made anonymously, in which case there will be no processing of personal data.
Access to the data will be limited exclusively to the Regulatory Compliance Unit, to those who carry out internal control functions or to those people who in each case carry out a specific corporate function that has been designated for this purpose. Access to the personal data contained in the files that are managed through the Ethics Channel is also lawful, when it is necessary for the adoption of disciplinary measures or for the processing of legal proceedings that, if applicable, proceed.
However, if the identity of the complainant is not disclosed in the terms described in Law 2/2023, it is possible that to investigate and clarify the reported facts, their data may be communicated to:
• Authorities and/or public administrations that may participate in the investigation or possible legal proceedings.
• Third parties that SACYR can rely on to manage this Channel: among others, data hosting platforms, providers to which the investigation can be delegated, lawyers or other types of external advisers or consultants.
In the event of international transfers outside the European Economic Area to Sacyr's subsidiaries for the purpose of managing the complaints that concern them, Sacyr guarantees that your personal data collected for the aforementioned purposes will not be transferred outside the European Union in the absence of standard contractual clauses in accordance with article 46 of the GDPR, or that the transfer will be carried out when necessary for reasons of public interest in accordance with the exceptions of article 49 of the GDPR.
Exercise of rights: We inform you that, when appropriate, you may exercise your rights of access, rectification, deletion, opposition, limitation of the purpose and portability with respect to the personal data that you have provided, through the email protecciondedatos@sacyr.com
If there are reasonable doubts when it comes to identifying the interested party, additional information may be requested.
If you consider your privacy rights violated, you may contact the SACYR Data Protection Officer (dpo@sacyr.com) or, if the latter does not meet your request, you may file a claim with the Spanish Data Protection Agency (www.aepd.es).
Additional information: If you need to check additional information on any specific aspect of the processing of your data within the framework of the Internal Information System and/or the SACYR Ethics Channel, you can contact dpo@sacyr.com at any time.