PRIVACY POLICY OF THE CIDOB ETHICS CHANNEL

The Privacy Policy of the Ethics Channel of the Centre d’Informació i Documentació Internacionals a Barcelona (hereinafter, the Channel and CIDOB, respectively) regulates the processing of personal data for the management and processing of complaints, guaranteeing the confidentiality and protection of whistleblowers.

CIDOB complies with current data protection regulations, basing the processing on compliance with a legal obligation and a mission of public interest, as provided for in Article 6.1. c) and e) of the GDPR, respectively.

Identifying data, information regarding the reported violation, and any other data voluntarily provided are collected. It is advisable to avoid including unnecessary information.

Personal data may be communicated to competent authorities and providers responsible for maintaining the Channel. Personal data are retained only for the period strictly necessary for the investigation and for compliance with legal obligations.

CIDOB prohibits retaliation against whistleblowers acting in good faith and guarantees security measures to protect the information.

Data subject may exercise their rights of access, rectification, to erasure, restriction or limitation of processing and opposition by contacting CIDOB or, in case of a violation of their rights, by filing a complaint before the Spanish Data Protection Agency (AEPD). This policy may be updated in accordance with regulatory changes or improvements to the Channel.

 

1. INTRODUCTION

The purpose of this Privacy Policy for CIDOB’s Ethics Channel is to inform about the processing of personal data that will, where applicable, may be carried out for the management and processing of complaints submitted through this channel.

For the proper configuration and design of the Channel, CIDOB fully complies with applicable data protection regulations; in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 about the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the Spanish Organic Law on the Protection of Personal Data.

 

2. DATA CONTROLLER

  • Entity: Centre d'Informació i Documentació Internacionals a Barcelona - CIDOB

  • Address: C/ Elisabets 12, 08001 - Barcelona

  • VAT ID: G08824187

  • Contact email: cidob@cidob.org

  • Data Protection Officer (DPO): dpd@cidob.org 

 

3. PURPOSE OF PROCESSING

The personal data collected through this Channel will be processed for the following purposes:

  • To manage and process received complaints.

  • To investigate reported incidents and take appropriate measures.

  • To guarantee the protection of whistleblowers against retaliation.

  • To comply with legal obligations regarding compliance and the fight against corruption.

 

4. LEGAL BASIS FOR PROCESSING

The legal basis legitimising the processing of personal data is compliance with a legal obligation arising from Law 2/2023 of 20 February, governing the protection of persons who report regulatory infringements and the fight against corruption. Additionally, personal data may be processed based on public interest when the Data Controller shares the results of investigations with the competent authorities.

 

5. CATEGORIES OF PERSONAL DATA PROCESSED

Within the framework of complaint management, CIDOB may process the following categories of personal data:

  • Identifying data (name, surname, national identity document number, email address, telephone number, if the complainant chooses to identify themselves).

  • Professional data (professional profile)

  • Data related to the reported infringement.

  • Any other information voluntarily provided by the complainant.

CIDOB recommends refraining from providing unnecessary personal data in the report in order to safeguard the whistleblower’s privacy.

 

6. DATA RECIPIENTS

The data may be communicated to:

  • Public administrations, authorities, and public organizations, including courts and tribunals, when required by applicable regulations.

  • Third-party service providers responsible for maintaining the Channel, who will act as data processors.

 

7. INTERNATIONAL DATA TRANSFERS

We will not transfer your personal data to third parties outside the European Union. In the event of any international data transfers, we will adopt appropriate technical and organizational measures to guarantee the security of your data.

 

8. AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING

Automated individual decision-making, including profiling, is not foreseen.

 

9. DATA RETENTION PERIOD

Personal data collected through the Ethics Channel will be retained for a specific period depending on its purpose.

Data will be retained for a maximum of three months, unless the investigation requires the opening of a formal case file, in which case the data will be stored until the file is closed.

If, during the analysis of the complaint, it is determined that the information provided is false, it will be deleted immediately, except in cases where such information could constitute a crime, in which case it will be retained until the resolution of the legal proceedings.

 

10. CONFIDENTIALITY AND PROTECTION OF WHISTLEBLOWERS

CIDOB guarantees the absolute confidentiality of the whistleblower's identity and the information provided, unless disclosure is required by law. Furthermore:

  • Retaliation against those who file reports in good faith is prohibited.

  • Technical and organizational measures are adopted to protect the Channel's information.

 

11. PRINCIPLE OF PROPORTIONALITY AND DATA MINIMIZATION

Personal data collected within the framework of the Channel:

  • Will be limited to what is strictly and objectively necessary to process reports and, if applicable, verify the veracity of the reported facts;

  • Will be always processed in accordance with applicable data protection regulations, for legitimate and specific purposes related to any investigation that may arise as a result of the report;

  • Will not be used for incompatible purposes;

  • Will be adequate and not excessive in relation to the mentioned purposes.

 

12. EXERCISE OF RIGHTS

Data subjects may exercise their rights of access, rectification, erasure, opposition, restriction of processing, and data portability at any time and free of charge by sending a written request to:

  • Postal address: C/ Elisabets 12, 08001 – Barcelona

  • Email: dpd@cidob.org 

If you believe your rights have been violated, you may file a complaint with the Catalan Data Protection Authority (www.apdcat.cat).

 

13. CHANGES TO THE PRIVACY POLICY

CIDOB reserves the right to update this Privacy Policy in accordance with regulatory changes or improvements to the Channel. The current version will always be available on the CIDOB website.