Internal Information Channel Privacy Policy

Ministry of Economy, Trade and Business

Data Controller

Inspection of Services, Undersecretary, Ministry of Economy, Trade and Business

Address: Paseo de la Castellana 1623, 28071 Madrid

Contact email: sgis@economia.gob.es

Data Protection Officer email: dpd@economia.gob.es

Spanish Data Protection Agency

The controller guarantees that personal data will be processed in accordance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD) and Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.

Purpose of Processing

Personal data will be processed for the following purposes:

  • To manage communications, complaints or information submitted through the channel.
  • To carry out the necessary investigations to clarify the reported facts.
  • To adopt corrective or disciplinary measures where appropriate.
  • To comply with legal obligations relating to internal information systems.
  • To ensure the traceability and secure recording of the report.

The data will not be used for purposes incompatible with the above.

Legitimacy

The processing is based on:

Processing necessary for compliance with a legal obligation arising from the establishment of an internal information system and the performance of the functions assigned to its controller [Art. 6.1(c) GDPR, Art. 13.2 and Art. 5 Law 2/2023], therefore:

  • Compliance with a legal obligation under Law 2/2023.
  • Public interest in the prevention and detection of regulatory infringements, corruption and irregular conduct.
  • Where applicable, consent of the whistleblower, only when the report is submitted voluntarily without legal obligation.

Types of Data Processed

Depending on the report submitted, the following may be collected:

  • Identifying data (name, surname, ID number, position).
  • Contact details (email, telephone number).
  • Content of the report or communication.
  • Information about third parties involved or witnesses.
  • Sensitive data, only when essential for the investigation (e.g., disciplinary data or infringements).

The whistleblower may submit the report anonymously if they so wish.

Recipients of the Data

The data will only be accessible by:

  • Authorised personnel of the Internal Information System of the Ministry of Economy, Trade and Business
  • Internal investigation teams, when necessary.
  • External legal advisers, when essential.
  • Competent authorities (judicial, police or administrative) when there is a legal obligation or a substantiated request.

No international transfers will be made unless legally required.

Confidentiality and Security Measures

Ministry of Economy, Trade and Business guarantees:

  • Absolute confidentiality of the identity of the whistleblower.
  • Independent and secure processing of the system.
  • Restricted access only to authorised personnel.
  • Secure custody and archiving protocols.
  • Confidentiality agreements.

Retention Periods

The data will be retained:

For the time strictly necessary to fulfil the purpose for which it was collected, as well as the time necessary to decide whether to initiate an investigation into the reported facts. If it is proven to be untrue, it will be immediately deleted unless such lack of truthfulness may constitute a criminal offence, in which case the information will be kept for the time necessary for the legal proceedings to be processed. In any case, if three months have elapsed since receipt of the report without any investigation having been initiated, the information will be deleted, unless the purpose of its retention is to leave evidence of the functioning of the system (Art. 29 and Art. 32.3 and 4 of Law 2/2023).

Therefore:

  • For the time necessary to investigate and resolve the complaint.
  • Maximum 3 months in the internal system from receipt, unless its retention is necessary for evidence or subsequent proceedings.
  • Subsequently, it may be stored in a restricted environment for the legally applicable period.

Rights of Data Subjects

You may exercise the following rights:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Objection (where applicable)

As the system must guarantee the integrity of the investigation, some rights may be temporarily restricted.

You may exercise your rights by writing to: sgis@economia.gob.es or also to the Spanish Data Protection Agency

Obligation to Provide Data

The whistleblower may choose whether to provide identifying information or to submit the report anonymously.

The information included in the communication must be truthful and provided in good faith.

Automated Decisions

No automated decisions or profiling will be carried out based on the data provided.

Policy Updates

Ministry of Economy, Trade and Business may update this information when necessary to adapt it to regulatory changes or improvements to the internal information system.

Security Measures

The security measures included in the high-level National Security Scheme will be applied.