Personal Data Protection Policy
BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (“BBVA”), with Tax Identification Number (CIF) A-48265169 and registered office at Plaza de San Nicolás, 4, Bilbao (48005), is the entity responsible for the BBVA Group Whistleblowing Channel platform.
Through this medium, the BBVA Group entities listed in this link (https://docs.google.com/document/d/1FXdIcSzmz-biIOM7-mWivy5lhenG0XJwybnBA9XVsac/edit) make their internal information system (hereinafter, individually the “Internal Information System”) available to you to report behaviors or conduct that are not in accordance with the principles included in the BBVA Group Code of Conduct or internal regulations, or that are contrary to applicable legislation (together “Regulatory Violation”).
In accordance with the above, BBVA Group allows the communication to be submitted in the Internal Information System of the company with which you maintain your employment and/or contractual relationship, with which your employer company maintains the contractual relationship, or to which you decide to direct your communication because it is where the Regulatory Violation occurred (hereinafter, the “Internal Information System Company”).
Notwithstanding the above, you may also direct the communication to the Global Compliance unit with headquarters in Spain, even if the events have occurred in another entity of the BBVA Group, in which case BBVA is the Internal Information System Company.
Who is responsible for the processing of your personal data?
The legal entity responsible for processing your data is the legal entity of the Internal Information System to which you submit your communication, which will act under the supervision of its administrative body. The contact information as well as the company name, address and email of the Internal Information System entity can be found here (https://docs.google.com/document/d/1FXdIcSzmz-biIOM7-mWivy5lhenG0XJwybnBA9XVsac/edit).
Who is the Data Protection Officer of the Internal Information System entity and how can you contact him?
The Data Protection Officer is the person in charge of protecting the fundamental right to the protection of personal data and is responsible for compliance with data protection regulations. You can contact the Data Protection Officer through the addresses indicated for each Company in the Internal Information System (see https://docs.google.com/document/d/1FXdIcSzmz-biIOM7-mWivy5lhenG0XJwybnBA9XVsac/edit).
For what purpose and why does the Internal Information System entity need to process your personal data?
The entity Internal Information System will process the personal data provided that are strictly necessary for the safe and confidential management and processing of communications related to infringements of European Union Law and/or actions or omissions that may constitute serious or very serious criminal or administrative infraction, in the sense established in Law 2/2023 on the Protection of whistleblowers*, as well as possible breaches of BBVA's Internal Regulations.
*) Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption.
The entity Internal Information System will not process your personal data if you make an anonymous communication.
The legal basis that allows us to process your personal data will be:
- In the event that the report refers to the commission of criminal offenses or serious or very serious administrative infractions or infractions for which there is a specific obligation to create an Internal Information System, as well as violations of the law of the European Union, the legal basis will be compliance with a legal obligation.
- In the event that the report refers to any other violations of the legal system, the legal basis will be the fulfillment of a mission of public interest.
- In other cases, the legal basis of the processing will be the legitimate interest of the entity Internal Information System in guaranteeing compliance with the BBVA Group Code of Conduct.
The processing of special categories of personal data for reasons of essential public interest may be carried out in accordance with the provisions of article 9.2.g) of the GDPR.
Personal data that is not evidently relevant to the processing of a specific communication will not be processed or, if collected by accident, will be deleted without undue delay.
How long will your personal data be kept?
We will keep your personal data for the time necessary to decide whether to initiate an investigation into the reported facts.
If it is determined that it is not appropriate to initiate an investigation (“non-relevant communication”), the personal data included in the Internal Information System will be immediately anonymized. Communications that have not been processed will be recorded in anonymized form, without the blocking obligation provided for in article 32 of Organic Law 3/2018, of December 5, being applicable.
In the event that it is proven that the information provided or part of it is not truthful, it will be anonymized in the Internal Information System from the moment there is evidence of said circumstance, unless said lack of truthfulness may constitute a criminal offense, in which case the information will be kept for the necessary time during which the judicial procedure is processed.
If the reported facts have given rise to investigative actions (“relevant communication”) the information received and the personal data contained therein will be kept as long as they are necessary for the internal verification actions as well as for the following two years after the investigation actions are completed, in compliance with the whistleblower protection requirements of Law 2/2023.
After two (2) years from the conclusion of the investigation, personal data relating to the information will be blocked and kept during the legally applicable statute of limitations depending on the nature of the facts communicated for the purpose of possible claims or legal actions.
In any case, once ten (10) years have elapsed since receipt of the communication, it will be eliminated (destroyed).
Who will we communicate your data to?
Your data may be communicated by the Internal Information System Company to BBVA and/or to the companies of the BBVA Group when necessary to:
- Carry out adequate coordination and better performance of the functions of the different Heads of the Internal Information System of the BBVA Group companies or in terms of compliance thereof;
- Carry out the investigation or adopt disciplinary or corrective measures, including in this case when you have directed the communication to the Global Compliance unit with headquarters in Spain, even if the events have occurred in another entity of the BBVA Group;
In addition to the above assumptions, your data may be communicated to comply with legally enforceable obligations, including those files and/or procedures before public institutions, supervisory bodies, courts, tribunals, the Public Prosecutor's Office and/or the European Public Prosecutor's Office.
In the event that, within the framework of a communication of data described above, an international transfer of data occurs to an entity that is located in a country that does not have an adequacy decision approved by the Commission, the appropriate guarantees provided for in the law will be adopted so that the flow of information is adequate to the applicable regulatory requirements. For more information, you can contact BBVA's Data Protection Officer in accordance with the procedure described in the section “Who is the Data Protection Officer of the Internal Information System entity and how can you contact him?”
In any case, if you are a whistleblower or carry out a public disclosure, your identity will in all cases be reserved, and it will not be communicated to the people affected by the events or to third parties, except to the judicial authority, the Public Prosecutor's Office or to the competent administrative authority.
What are your rights in relation to the processing of personal data?
You may exercise your rights of access, rectification, deletion, opposition, limitation of processing and portability, by writing to the address provided by the entity Internal Information System (see https://docs.google.com/document/d/1FXdIcSzmz-biIOM7-mWivy5lhenG0XJwybnBA9XVsac/edit).
Without prejudice to the above, keep in mind that the exercise of the rights of access and opposition by an investigated person could be limited in accordance with the provisions of Law 2/2023, of February 20. In particular, the exercise of a right of opposition would not be applicable with respect to those purposes covered by legal obligation and the right of access would not include the data related to the whistleblower as they are protected by the aforementioned regulations.
If you consider that we have not processed your personal data in accordance with the regulations, you can contact the Data Protection Delegate of the Company of the Internal Information System at the address provided by the same (see https://docs.google.com/document/d/1FXdIcSzmz-biIOM7-mWivy5lhenG0XJwybnBA9XVsac/edit).
You can file a claim with the Spanish Data Protection Agency (www.aepd.es).