We are a global operator of essential infrastructure
Data Protection Compliance System
Redeia has a Data Protection Compliance System, included as part of its Global Compliance System, that responds to the requirements of the European Data Protection Regulation (GDPR) and the Spanish Organic Law on the Protection of Personal Data and Guarantee of Digital Rights, at a technical, legal and organizational level.
The objective of this System is to promote and maintain a responsible and proactive attitude in the protection of personal data to ensure the good governance of personal data and preserve the trust of our stakeholders.
Basic Principles of the Data Protection Compliance System
The company establishes the following basic principles regarding the protection of personal data, which align with the ethical principles and behavioural guidelines outlined in Redeia's Code of Ethics and Conduct, as well as the principles stated in its Compliance Policy.
Personal data should be processed in compliance with applicable laws, avoiding fraudulent, unfair, or unlawful personal data collection methods. Additionally, all interested parties should be provided with the information required according to said laws, including the identity of the data controller, the purpose of data processing, the legal basis for the processing, the recipients of the data, and the rights of all interested parties in relation to the processing, among other information.
Personal data collected and subjected to processing activities by Redeia should only be used for specific, explicit, and legitimate purposes, and should not be used for unauthorised purposes or purposes other than those for which they were originally collected.
All personal data processed should be adequate, appropriate, relevant, and limited to the purposes for which they were collected. Processing methods should prioritise the least harmful means to the rights of data owners, and only the data required for specific activities, projects, or initiatives should be collected.
To maintain accurate and up-to-date records of personal data processing activities in an effective and continuous manner, and to ensure that said records are regularly updated. Irrelevant personal data that no longer serves the purposes for which it was originally collected should be deleted.
To establish systems and timeframes that govern the storage, blocking, and, if applicable, deletion of personal data once its retention no longer serves a legitimate purpose. Data should only be retained for the duration necessary to fulfil the purposes of the processing.
To ensure the integrity, availability, and confidentiality of personal data by implementing any necessary security measures that are proportional to the processing and the sensitivity of the personal data involved.
To guarantee the implementation of appropriate technical, legal, and organizational measures to ensure and demonstrate that the processing of personal data aligns with the current legislation in this area
Data Protection Governance Model
Redeia’s data protection governance model responds to the organizational requirements established by the data protection regulations, assigning and defining the duties and responsibilities of the business units and members of the organization in terms of data protection.
For its definition and implementation, the following aspects, among others, have been taken into account:
- The appointment of a Data Protection Officer (DPO) who is responsible for safeguarding and ensuring compliance with current data protection regulations and for carrying out the duties and functions assigned to the role of interlocutor with the supervisory and control authority in this field.
- The creation of a Data Protection Advisory Body, which provides support for the proper functioning of the data protection compliance system and proposes improvements to the same in the legal, technical and organizational fields.
In addition to the DPO, the following areas are part of and are represented on this advisory body: Compliance, Legal Services, Corporate Security, Information Technology and People and Culture.
- The creation of an internal network of personal data protection interlocutors within each of Redeia’s business management areas in Spain, as key players for the deployment of a data protection culture throughout the Company, connecting the management of the business areas with compliance of the regulatory requirements in this field.
Fostering a privacy culture
Raising awareness and providing training in this field are key factors for promoting and fostering a culture of privacy within the organization.
At Redeia we promote, through the Company’s annual activity plan linked to the data protection compliance system, proper training and awareness-raising actions among its employees regarding the relevance of the data protection compliance system within the culture of integrity of the Organization.
For us it is essential to have a corporate compliance culture so that all the members of Redeia value the need to respect the right to privacy of the company’s stakeholders and members.
Proactivity in the protection of personal data
Redeia has a conscious, diligent and proactive attitude towards the personal data processing that it carries out.
The Company also has in place, in line with the elements already mentioned above, the following:
- A privacy policy that sets out and defines aspects such as the way personal data is handled and processed and how the rights of the owners of personal data is guaranteed, as well as how this data is safeguarded. This privacy policy is applicable to all data processing operations carried out by the Company, including those conducted by suppliers acting as data processing agents.
- A specific risk analysis methodology regarding personal data processing activities in order to assess these risks and establish security measures and controls that guarantee the rights and freedoms of citizens.
- A methodology to identify, assess, classify/determine relevance and respond to security incidents related to compliance with privacy regulations.
- A protocol for managing and dealing with the ARCOPL rights of citizens regarding their right to access, rectification, erasure (right to oblivion), opposition, limitation of processing and portability of data of a personal nature.
- A protocol for hiring personal data processors.
- An internal standard that regulates privacy principles by design and by default and that incorporates into projects, activities and initiatives an approach oriented to the principles of risk management and proactive responsibility that protects personal data owner rights.
- An internal protocol that outlines the criteria for the retention of personal data and the corresponding timeframes for blocking and/or deletion when there is no longer a legitimate purpose for its retention, to ensure compliance with the principle of limiting the retention period, blocking, and deletion established in the current legislation.
- A protocol to govern the usage of geolocation devices in the workplace.
- A monitoring plan for the control framework of the technical, legal, and organisational measures of the Data Protection Compliance System that is completed in a three-year cycle.
- Biennial audits to review Redeia's level of adequacy in terms of data protection and compliance with the applicable legislation, carried out in collaboration with external auditing firms specialised in this field.
- A disciplinary system applicable according to the provisions set forth in labour legislation, in the collective agreement and the internal rules of the organisation.