Whistleblower Channel Privacy Policy
Data Controller
Responsible Party:SMILEAT, S.L. (hereinafterSMILEAT).
Mailing Address: Calle Gran Vía, 62, 5th Floor, Apartment D – 28013 Madrid
Email: info@smileat.com
Purposes of the Processing
SMILEAT tprocesses the data for the purpose of providing data subjects with an internal information system and to monitor, investigate, and resolve, where appropriate, any information regarding actions or omissions reported by them through the channels established for this purpose by SMILEAT.
As part of their duties and responsibilities, the individuals designated for this purpose by SMILEAT in accordance with applicable regulations may contact the data subjects to the extent that they provide their information for this purpose and in order to investigate and/or address the information and/or the details provided in each case.
Legal Basis for the Processing of Your Data
The legal basis for the processing of your data is compliance with a legal obligation applicable to SMILEAT as the data controller, in accordance with the provisions of Law 2/2023 of February 20, which regulates the protection of individuals who report regulatory violations and combats corruption.
Furthermore, the processing resulting from such public disclosures will be justified as necessary for the performance of a task carried out in the public interest.
SMILEAT, in order to achieve the purposes described above, will act with full guarantees of confidentiality, integrity, and legality. Likewise, SMILEAT will take the necessary measures to protect the identity and ensure the confidentiality of the data pertaining to the individuals affected by the information provided, particularly that of the person filing the complaint, if they have been identified.
Recipients
No disclosure of data to third parties is anticipated, except for disclosures required by law to those public agencies and/or entities that must necessarily receive such data in order for SMILEAT cancomply with the applicable legal obligations and requirements in each case and manage the information and/or complaint submitted through the internal reporting system made available by this entity.
Such disclosures will, in all cases, be made in compliance with all legally established safeguards. To that end, access to the data will be limited exclusively to those who perform internal control and compliance functions, or to any data processors that may be designated for that purpose.
However, access to your data by other individuals, or even its disclosure to third parties, will be permitted when necessary for the implementation of corrective measures or for the processing of any applicable procedures. In the event that the transfer of your data is contemplated under other circumstances, SMILEAT will request your explicit consent or another legal basis.
Data Processed
Data processed by SMILEAT will be the data provided by the reporting individual (employee, former employee, customer, contractor, supplier, or others), unless they choose to do so anonymously: personal data relating to the reporter, the person against whom the complaint is filed, and third parties connected to the information provided. Data provided during the course of the investigation by the accused in their own defense, witnesses, publicly available sources, etc. The categories of personal data processed by SMILEAT are as follows: (i) Basic information: First name, last name (ii) Contact information: Phone number and email address (iii) Information provided by the complainant and other data that may be necessary depending on the type of complaint, which will be classified into categories based on the investigation.
Data Accuracy.
You warrant that the information provided is true, accurate, complete, and up-to-date, and you are liable for any direct or indirect damages or losses that may arise as a result of a breach of this obligation.
International Data Transfer
SMILEAT informs you that no international transfers of your data are planned.
If international data transfers are necessary, they will be subject to the safeguards provided for in Article 46 of the GDPR, and you may exercise any rights and take any legal actions you deem appropriate to exercise your rights. Such safeguards will be provided by any of the mechanisms set forth in the aforementioned article; therefore, no express authorization from the supervisory authority is required.
Exercising Rights
SMILEAT informs you of your right to access, rectify, erase, and object to the processing of your personal data, as well as your right to restrict processing, data portability, and the right not to be subject to automated individual decision-making.
- Access: allows the data subject to obtain information about whether SMILEAT processes personal data concerning them or not, and, if so, the right to obtain information about their personal data that is being processed.
- Correction: allows you to correct errors and modify data that turns out to be inaccurate or incomplete.
- Erasure: Allows data to be deleted and no longer processed by SMILEAT unless there is a legal obligation to retain it and/or other legitimate grounds for its processing by SMILEAT in accordance with current regulations.
- Restriction: Under the conditions established by law, this allows data processing to be suspended, thereby preventing SMILEAT from processing it in the future, retaining it solely for the purpose of asserting or defending legal claims.
- Objection: Allows the data subject, under certain circumstances and for reasons related to their specific situation, to object to the processing of their data. SMILEAT willwill cease processing the data, except for legal reasons or to exercise or defend against potential claims.
- Portability: This right allows the data subject to receive their personal data and transmit it directly to another data controller in a structured, commonly used, and machine-readable format. To exercise this right, the data subject must provide a valid email address.
You may exercise your rights by any means that allows for proof of the sending and receipt of your request. The request must be addressed to SMILEAT using the contact information provided in the “Data Controller” section, with the subject line “Data Protection.” The request must include: first name, last name, a detailed description of your request, and your mailing address for notification purposes. In the event that
If there are doubts about a person's identity, any procedure that verifies the person's identity should be used, but without requiring a copy of their ID card.
If you are not satisfied with the response from SMILEAT in response to your exercise of your rights, you have the right to file a complaint with the supervisory authority, the Spanish Data Protection Agency, to seek protection of those rights
Notwithstanding the foregoing, any person has the right to obtain confirmation as to whether SMILEAT is processing personal data concerning them.
Conservation
The data will be retained by SMILEAT for as long as necessary in accordance with the purpose and legal basis of the processing for which it was collected. To that end, data on employees, whistleblowers, and third parties will be retained for the time necessary to decide whether to initiate an investigation through the whistleblowing channel, and in any case no longer than three months from the date the data was entered; after that period, the data will be deleted. However, even after that time has elapsed, the data may continue to be processed for the investigation of the reported facts; and only if that investigation results in the adoption of specific measures against the accused would it be possible to retain the data for a longer period in accordance with statutory limitation periods; otherwise, the data must be deleted.
If data is processed for the purpose of documenting a complaint in the internal reporting system, it may only be recorded in the system in an anonymized form.
In accordance with industry standards, SMILEAT informs you that it maintains technical and organizational measures to protect against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and other unlawful acts or practices. In this regard, SMILEAT will take appropriate security measures to prevent the alteration, loss, unauthorized processing, or unauthorized access to data. Furthermore, it will inform anyone with access to your data of their obligations regarding security and confidentiality, as well as their duty of confidentiality.