Data Protection Compliance System
The Group has a Data Protection Compliance System, included as part of its Global Compliance System, that responds to the requirements of the European Data Protection Regulation (GDPR) and the Spanish Organic Law on the Protection of Personal Data (LOPD), at a technical, legal and organizational level.
The objective of this System is to promote and maintain a responsible and proactive attitude in the protection of personal data to ensure the good governance of personal data and preserve the trust of our stakeholders.
Data protection governance model
The data protection governance model of the Group responds to the organizational requirements established by the data protection regulations, assigning and defining the duties and responsibilities of the business units and members of the organization in terms of data protection.
For its definition and implementation, the following aspects, among others, have been taken into account:
- The appointment of a Data Protection Officer (DPO), who is responsible for safeguarding and ensuring compliance with current data protection regulations and for carrying out the duties and functions of the role, including acting as the point of contact with the supervisory and control authority in this field (the Spanish Data Protection Authority).
- The creation of a Data Protection Advisory Body, which provides support for the proper functioning of the data protection compliance system and proposes improvements to the same in the legal, technical and organizational fields.
- In addition to the DPO, the following areas are part of and are represented on this advisory body: Compliance, Legal Services, Corporate Security, Information Technology and Human Resources.
- The creation of an internal network of personal data protection interlocutors within each of the business management areas of the Group in Spain, as key players for the deployment of a data protection culture throughout the Company, connecting the management of the business areas with compliance of the regulatory requirements in this field.
Fostering a privacy culture
Raising awareness and providing training in this field are key factors for promoting and fostering a culture of privacy within the organization.
Through the Company’s annual activity plan linked to the data protection compliance system, we promote appropriate training and awareness-raising actions among employees regarding the relevance of the data protection compliance system within the Organization’s culture of integrity.
For us it is essential to have a corporate compliance culture so that everyone in the organization understands and values the need to respect the right to privacy of its stakeholders and its members.
Proactivity in the protection of personal data
The Company has a conscious, diligent and proactive attitude towards the personal data processing that it carries out.
The Company also has in place, in line with the elements already mentioned above, the following:
- A specific risk analysis methodology regarding personal data processing in order to assess these risks and establish security measures and controls that guarantee the rights and freedoms of citizens.
- A methodology to identify, assess, classify/determine relevance and respond to security incidents related to compliance with data protection regulations.
- A protocol for managing and responding to the ARCOPL rights of citizens, namely the rights of access, rectification, erasure (right to be forgotten), objection, restriction of processing and portability of personal data.
- A protocol for hiring personal data processors.
- An internal standard that regulates privacy principles by design and by default and that incorporates into projects, activities and initiatives an approach oriented to the principles of risk management and proactive responsibility that protects personal data owner rights.
- A monitoring plan for the control framework of the organizational and legal measures of the data protection compliance system, which is completed over a three-year cycle.
- Biennial internal audits to review the degree of adequacy of the Group in terms of data protection and compliance with the relevant regulations.