- Privacy Notice: this document.
- BM Madrid: Baker McKenzie Madrid, S.L.P.
- Local Channel: channel made available by BM Madrid to Reporters so that they can report locally on Wrongdoings.
- Personal Data: any information related to the Data Subject.
- DPO: Data Protection Officer.
- Firm: Baker McKenzie International B.V.
- Reports: communications on Wrongdoings submitted by the Reporters.
- Reporters: employees and third parties who submit a Report through the Local Channel.
- Wrongdoing: (i) act or omission that may constitute an infringement of European Union Law and involves BM Madrid; (ii) act or omission that involves BM Madrid and may constitute a criminal offence and (iii) act or omission that involves BM Madrid and may constitute a serious or very serious administrative infringement.
- Data Subject: any identified or identifiable natural person. In this regard, an identifiable natural person is one "whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of that person's physical, physiological, genetic, psychological, economic, cultural or social identity".
- Act: Spanish Act 2/2023, of February 20, on the protection of persons who report legal breaches and fight against corruption.
- Log- Book: record of all the Reports received through the Local Channel and of the internal investigations to which they give rise.
- Policy: Policy and Procedure of the Local Reporting System approved by BM Madrid in accordance with the provisions of Articles 5 and 9 of the Law.
- Local System Manager: BM Madrid manager responsible for the management and investigation of the Reports submitted through the Local Channel. The Local System Manager is the BM Madrid Compliance Officer.
- Substitute Local System Manager: BM Madrid manager who will replace the Local System Manager in the management and investigation of the Reports submitted through the Local Channel, in case of need.
- Local Reporting System: set of measures adopted and resources allocated by BM Madrid to promote the collaboration of its employees and third parties in preventing or detecting any Wrongdoing within the organization.
The Personal Data of the Informants, of the persons referred to in the Report or of other persons acting as Data Subjects may be processed within the processes and operations of the Local Reporting System. In such case, the Personal Data in question shall be processed in accordance with the applicable data protection regulations, the Law, and this Privacy Notice.
3. Data Controller
BM Madrid (Baker McKenzie Madrid, S.L.P.) stablished in Calle de José Ortega y Gasset 29, Madrid, Spain will process the Personal Data as data controller, as it will determine the purposes and means of the processing.
Any query related to the processing of Personal Data within the scope of the Local Reporting System may be sent to the DPO of BM Madrid, who can be contacted at the following e-mail address: email@example.com.
4. Purpose of the Processing
Madrid and, in particular, the Local System Manager, the Substitute Local System Manager, and the persons belonging to the investigation team, will process Personal Data for the following purposes:
- Evaluate the Reports received through the Local Channel for employees, partners, and interns.
- Evaluate the Reports received through the Local Channel for third parties.
- Evaluate the Reports received in face-to-face meetings held with the Local System Manager or the Substitute Local System Manager.
- Conduct an investigation of the reported facts.
- Apply appropriate disciplinary measures.
- Record the operation and effectiveness of the Local Reporting System, its processes, and the Policy.
5. Legal Bases for Processing
Madrid is obliged by the Spanish Act 2/2023 to implement an internal reporting channel. Consequently, the legal basis for the processing of Personal Data for the purpose of operating the Local Reporting System and processing the Personal Data provided by the Reporters is the fulfillment of the legal obligation to which BM Madrid is subject.
6. Categories of Personal Data
The following categories of Personal Data may be processed by BM Madrid within the scope of the Local Reporting System:
- Identity, role, functions and contact details of Reporters, persons referred to in the Reports and other persons affected, such as those interviewed as part of an investigation.
- Personal Data related to the reported facts.
- Evidence containing Personal Data related to the reported Wrongdoings.
- Investigation Reports containing Personal Data.
- Personal Data obtained during any investigation, such as those obtained during interviews.
As a general rule, special categories of Personal Data provided for in Article 9 of the GDPR (e.g., data revealing ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic, biometric, health or sexual orientation data) will not be processed. However, in exceptional cases and when indispensable for the proper evaluation and investigation of a Report, these categories of Personal Data may be processed on the basis of a substantial public interest, in conjunction with the legal basis consisting of compliance with the legal obligations previously indicated applicable to BM Madrid.
The Personal Data processed by BM Madrid may be collected or obtained from the Report or the sources of investigation. In this regard, Personal Data may be collected in particular from:
- Wrongdoings reported through the Local Channel from employees, partners, and trainees;
- Wrongdoings reported through the Local Channel by third parties;
- Wrongdoings reported in face-to-face meetings with the Local System Manager or the Substitute Local System Manager;
- Testimony or evidence provided by others involved in an investigation.
7. Data recipients
Personal Data will be processed directly by BM Madrid by the Local System Manager, the Substitute Local System Manager and the persons belonging to the investigation teams.
However, BM Madrid may need to share Personal Data with the following "Data Recipients":
- The competent public authorities and judicial bodies. This may be the case when the result of any investigation must be shared with such Data Recipients in the framework of a criminal or administrative procedure, or when such Data Recipients require information related to BM Madrid's compliance with its legal obligations. In the latter case, Personal Data will only be disclosed in exceptional cases where it is strictly necessary and proportionate, and, to the extent permitted by applicable law, Personal Data related to Reporters will not be disclosed.
- The data processors that process Personal Data on behalf of BM Madrid, such as suppliers or forensic experts involved in any investigation, and any others who are necessary for the operation of the Local Reporting System and the possible investigation of the reported facts. In this regard, the Local System Manager may need the support of other persons or teams of the Firm (for example, persons belonging to the Office of the General Counsel) to complete the investigation who may also act as processors.
Sharing Personal Data with any of the aforementioned Data Recipients may involve the transfer of such Personal Data to countries other than Spain. The applicable regulations in some of the receiving countries may not offer the same level of protection for Personal Data as those applicable in Spain. However, the Firm has taken appropriate measures to ensure that Personal Data are protected in the same way as under the laws of Spain, including the requirements applicable to cross-border transfers. In particular, the Firm may enter into transfer agreements based on the standard contractual clauses approved by the European Commission, and base international data transfers on the adequacy decisions of the European Commission. For any further information in this respect, please contact BM Madrid's DPO at the following e-mail address: firstname.lastname@example.org.
8. Data retention
The Personal Data processed by BM Madrid within the scope of the Local Reporting System will be kept by BM Madrid in the Local Reporting System for the time strictly necessary to decide whether to open an investigation on the reported facts.
Notwithstanding the above, the following information will be deleted immediately:
- Information whose untruth is proven, unless such untruth may constitute a criminal offense, in which case it will be kept for the time necessary for the duration of the relevant legal proceedings.
- Information containing special categories of Personal Data provided for in Article 9 of the GDPR. The deletion of this information may not take place if the processing of the Personal Data concerned is indispensable for the correct assessment and investigation of the reported facts.
- Information that is not strictly necessary for the knowledge and investigation of the acts or omissions constituting the reported facts.
In any case, Personal Data will be deleted three (3) months after receipt of the Report if no investigation has been initiated, unless the purpose of retaining the Personal Data is to provide evidence of the functioning of the Local Reporting System.
Reports that are not followed up will be retained anonymous form (i.e., it will not be possible to identify any of the individuals who are part or the information constituting the reported facts).
Upon completion of an investigation, Personal Data will be retained in BM Madrid's internal information and investigation Log-Book for the period of time necessary and appropriate to comply with applicable laws, up to a maximum of ten (10) years, unless exceptionally necessary to preserve BM Madrid's right of defence.
9. Data Protection Rights
Data Subjects may exercise their data protection rights of access, rectification, erasure, restriction of processing, data portability, objection and not to be subject to decisions based solely on automated processing, including profiling. For example, Data Subjects can:
- Find out whether BM Madrid is processing your Personal Data, and if so, which categories of Personal Data and the source of collection of such Personal Data.
- Request that a copy of your Personal Data be provided.
- Request that your Personal Data be corrected when it is inaccurate or incomplete.
- Request the total or partial deletion of your Personal Data.
- Request that the processing of your Personal Data be restricted.
- Request that your Personal Data not be processed based on the legitimate interests of BM Madrid.
However, the exercise of data protection rights shall not apply in the following cases:
- In relation to a Report related to the prevention of money laundering and the financing of terrorism, in which case the provisions of Article 32 of Law 10/2010, of April 28, 2010, on the Prevention of Money Laundering and the Financing of Terrorism shall apply.
- When the individual to whom the reported facts relate exercises his or her right to object, in which case it should be presumed that there are compelling legitimate reasons that justify the processing of his or her Personal Data, unless proven otherwise.
- When the person to whom the reported facts relate exercises his or her right of access to learn the identity of the Reporter.
Data subjects may exercise their data protection rights by sending an e-mail to the following address: email@example.com.
Finally, data subjects may file a complaint with the Spanish Data Protection Agency (SDPA).