Privacy policy

1. Data Controller and Data Protection Officer (DPO) Contact Information.

In accordance with Spanish data protection regulations (GDPR and LOPDGDD), J. García Carrión, S.A., with Tax ID A08267403 and registered address at Carretera de Murcia S/N, 30520 Jumilla (Murcia) (hereinafter, “J. García Carrión”), is considered the Data Controller of the Internal Information Channel (hereinafter, “IIC”).

Data subjects may contact the Data Protection Officer (DPO) of J. García Carrión by email at dpo@jgc.es 

2. Purposes and Lawfulness of the Processing

The personal data accessed in the course of the functions and procedures regulated by this Policy shall be governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the “General Data Protection Regulation” or “GDPR”), as well as Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, the “LOPDGDD”).

Personal data will be processed by J. García Carrión, as the Data Controller, for the purpose of managing, investigating, and resolving communications concerning the alleged commission of actions within the organization that may be contrary to the Data Controller’s Code of Ethics or to the law, submitted through the Internal Information Channel (IIC).

In this regard, the processing of personal data through the IIC shall be considered lawful based on compliance with a legal obligation applicable to the Data Controller (in accordance with Article 6.1.c) of the GDPR), as well as the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (in accordance with Article 6.1.e) of the GDPR).

Furthermore, the processing of special categories of personal data (such as biometric data, racial or ethnic origin, sexual orientation, etc.) that may arise as a result of the submitted complaint may be carried out on the grounds of substantial public interest, in accordance with Article 9.2.g) of the GDPR.

However, if during the investigation personal data — including special categories of data — are obtained and such data are not necessary for the purpose of understanding and investigating the facts, they shall be immediately deleted from the IIC and shall not be recorded, stored, or otherwise processed.
For this purpose, and to comply with this objective with full guarantees, we collect the following data

• Identifying data:  Name, surname, and email address (only if you choose to identify yourself).
  
  
• Relationship or connection between the complainant and J. García Carrión.
  
  
• Description of the facts constituting a breach of the Code of Ethics / ethical principles and values, laws, procedures and/or standards of the Data Controller, including all relevant data and details.
  
  
• Information on the identity of the individuals involved in the reported incident.

3. Disclosure of Your Personal Data.

The processing of personal data by entities other than J. García Carrión, including disclosure to third parties, shall be lawful insofar as it is necessary to adopt corrective measures within J. García Carrión or to initiate the corresponding disciplinary or criminal proceedings.

In this regard, data may be disclosed to the Law Enforcement Authorities, Public Administrations with jurisdiction over the reported actions, Courts of Justice, and other judicial bodies, in the cases provided for by law and for the purposes established therein.

Additionally, a data processing agreement, pursuant to Article 28 of the GDPR, will be entered into with the specialized company that provides the platform used as the Internal Information Channel (IIC). This third-party service provider shall guarantee the highest standards of data protection.

4. Duration of Data Processing

Your personal data will be retained for the time strictly necessary to investigate the reported facts, taking into account the following:

• Archived reports without further action: If the report does not meet formal requirements, refers to a doubt, inquiry, or complaint that does not constitute a violation, is clearly irrelevant, or shows no indication of an infringement, all data will be deleted from the system within three months of its entry into the Internal Information Channel (IIC).
  
  
• Reports admitted for investigation: In accordance with Article 24 of the LOPDGDD, the data shall be retained for a period not exceeding three months after the conclusion of the investigation procedure. Once this period has elapsed, the information will be archived. This does not apply in cases where disciplinary and/or legal proceedings have been initiated against the person concerned, the reporting individual, or a third party. In such cases, the data may be retained for the period required by applicable legislation and until any potential liabilities resulting from the report have expired.

5. Rights

The data protection rights that data subjects may exercise, where applicable, are:

Right	Description
Right of Access	To consult which personal data is being processed by the Data Controller. More information here.
Right to Rectification	To modify your personal data when it is inaccurate, incorrect, or incomplete. More information here.
Right to Object	To request that the Data Controller does not process your personal data for specific purposes. More information here
Right to Erasure (Right to be Forgotten)	To request that the Data Controller deletes your personal data. More information here
Right to Restriction of Processing	To request that the Data Controller limits the processing of your personal data. More information here.
Right to Data Portability	When processing is carried out by automated means, to receive your personal data in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another data controller. More information here.
Right not to be Subject to Automated Individual Decision-Making	This right seeks to ensure that you are not subject to a decision based solely on the automated processing of your data, including profiling, which produces legal effects concerning you or significantly affects you in a similar manner. More information here.
Right to Lodge a Complaint with the Competent Authority	To file a complaint against the Data Controller before the Spanish Data Protection Agency (AEPD) if the data subject considers that their personal data has been processed in breach of applicable regulations.

 

The holders of the personal data obtained may exercise their personal data protection rights by sending a written communication to the registered office of J. García Carrión, located at Carretera de Murcia S/N, 30520 Jumilla (Murcia), or via the following email address enabled for this purpose: dpo@jgc.es

You may use the following templates to exercise your data protection rights:

• Access to the template for exercising the right of access.
  
• Access to the template for exercising the right to rectification
  
  
• Access to the template for exercising the right to erasure.
  
  
• Access to the template for exercising the right to object.
  
  
• Access to the template for exercising the right to restriction of processing.
  
  
• Access to the template for exercising the right to data portability.
  
  
• Access to the template for exercising the right not to be subject to automated individual decision-making.

For more information on the exercise of data protection rights, please visit the official website of the Spanish Data Protection Agency (hereinafter, “AEPD”) at the following link.

6. Security Measures.

In order to safeguard the security of your personal data, the Data Controller undertakes to maintain the confidentiality and security of the data provided, particularly the data of users who submit a communication through the Internal Information Channel (IIC), ensuring that such data is not accessible to the individuals whose alleged actions within the organization may be contrary to the law or to the entity’s Code of Ethics.

To this end, the Data Controller has adopted the legally required levels of personal data protection security and has implemented the technical means at its disposal to prevent the loss, misuse, alteration, unauthorized access, and theft of such data. However, it should be noted that absolute security does not exist.

Likewise, the Data Controller informs you that all staff members, regardless of the phase of processing in which they are involved, have committed to treating your data with the utmost diligence and confidentiality.

7. Updates to the Privacy Policy.

The Data Controller may update its Privacy Policy in accordance with the applicable legislation in force at any given time. For this reason, we recommend reviewing it each time you access the website or engage in any procedure with our organization.