Complaints channel
Use this link to access to the whistleblower channel: Complaints Channel
INDEX
- Purpose of the Privacy Policy
- Definitions
- Identity of the Data Controller
- Applicable laws and regulations
- Principles applicable to the processing of personal data
- Safety measures
- Processing purposes
- Legitimacy of the treatment
- Recipients of your data
- Data processing activities performed
- Personal data of minors
- Origin and types of processed data
- Rights of interested parties
- Acceptance
1.-POLICY PURPOSE
The purpose of this “Privacy and Data Protection Policy” is to disclose the conditions governing the collection and processing of your personal data by MEDIA INVESTMENT OPTIMIZATION, S.A, CIF A87668190, (hereinafter MIO Group) to ensure the fundamental rights, honor and freedoms, all in compliance with current regulations governing the Protection of Personal Data according to the European Union and the Spanish Member State.
In accordance with these regulations, we need to have your authorization and consent for the collection and processing of your personal data, so below, we indicate all the details of interest to you regarding how we perform these processes, for what purposes, which other entities may have access to your data and what your rights are.
For all of the above, once you have reviewed and read our Data Protection Policy, it is imperative that you accept it as proof of your agreement and consent.
DEFINITIONS
- “Personal data”: Any information about an identified or identifiable natural person (“the Website user”); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- “Treatment: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Limitation of processing”: the marking of personal data retained for the purpose of limiting their processing in the future.
- “Profiling”: any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects relating to that natural person’s professional performance, financial situation, health, personal preferences, interests, reliability, behavior, location or movements.
- “Pseudonymization: the processing of personal data in such a way that it can no longer be attributed to a data subject without the use of additional information, provided that such additional information is separately identified and subject to technical and organizational measures designed to ensure that the personal data are not attributed to an identified or identifiable natural person.
- “File”: any structured set of personal data, accessible according to specified criteria, whether centralized, decentralized or distributed functionally or geographically.
- “Data controller” or “responsible party”: the natural or legal person, public authority, service or other body which alone or jointly with others determines the purposes and means of processing; if Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its appointment may be laid down by Union or Member State law.
- “Data processor” or “processor” means the natural or legal person, public authority, service or other body processing personal data on behalf of the controller.
- “Recipient”: natural or legal person, public authority, service or other body to whom personal data is disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the framework of a specific investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by such public authorities shall be in accordance with the data protection rules applicable to the purposes of the processing.
- “Third party”: natural or legal person, public authority, service or body other than the data subject, the controller, the processor and the persons authorized to process personal data under the direct authority of the controller or the processor.
- “Consent of the data subject”: any freely given, specific, informed and unambiguous expression of will by which the data subject agrees, either by a statement or by a clear affirmative action, to the processing of personal data concerning him/her.
- “Personal data security breach”: any breach of security resulting in the destruction, loss or accidental or unlawful alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to such data;
- “Genetic data”: personal data relating to inherited or acquired genetic characteristics of a natural person that provide unique information about that person’s physiology or health, obtained in particular from the analysis of a biological sample from such person.
- “Biometric data”: personal data obtained from specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.
- “Health-related data”: personal data concerning the physical or mental health of a natural person, including the provision of health care services, revealing information about his or her health status.
- “Main establishment”: a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing are taken in another establishment of the controller in the Union and the latter establishment has the power to implement such decisions, in which case the establishment which has taken such decisions shall be considered the main establishment; b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if there is no central administration in the Union, the establishment of the processor in the Union where the main processing activities are carried out in the context of the activities of an establishment of the processor in so far as the processor is subject to specific obligations under this Regulation.
- “Representative”: a natural or legal person established in the Union who, having been appointed in writing by the controller or processor pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this Regulation.
- “Enterprise”: natural or legal person engaged in an economic activity, regardless of its legal form, including companies or partnerships regularly carrying out an economic activity.
- “Supervisory authority”: the independent public authority established by a Member State in accordance with Article 51 of the GDPR. In the case of Spain, it is the Spanish Data Protection Agency.
- In the case of Germany, please contact Berliner Beauftragte für Datenschutz und Informationsfreiheit
- In the case of Austria, you may contact Österreichische Datenschutzbehörde.
- In the case of Belgium, you can contact the Autorité de protection des données
Gegevensbeschermingsautoriteit - In the case of Bulgaria, you may contact the Commission for Personal Data Protection.
- For Denmark, please contact Datatilsynet.
- For Slovakia, please contact https://dataprotection.gov.sk/uoou/.
- For Slovenia, you can contact https://www.ip-rs.si/.
- For Estonia, please contact https://www.aki.ee/et.
- In the case of Spain, it is the Spanish Data Protection Agency.
- In the case of Finland, you may contact the Office of the Data Protection Ombudsman, .
- In the case of France, you may contact the Commission Nationale de l’Informatique et des Libertés
- In the case of Greece, you can contact the Hellenic Data Protection Authority.
- For Hungary, please contact Office of the Commissioner for Fundamental Rights of Hungary
- In the case of Ireland, you may contact the Data Protection Commission.
- In the case of Italy you can contact Garante per la Protezione dei Dati Personali
- For Latvia, please contact https://www.dvi.gov.lv/lv.
- In the case of Lithuania you can contact the State Data Protection Inspectorate
- In the case of Luxembourg, you may contact the Commission Nationale pour la Protection des Données
- In the case of Malta you can contact the Information and Data Protection Commissioner
- For the Netherlands, please contact https://autoriteitpersoonsgegevens.nl/en.
- For Poland, please contact https://archiwum.giodo.gov.pl/.
- In the case of Portugal, you can contact Comissão Nacional de Proteção de Dados
- For the United Kingdom, you may contact the Information Commissioner’s Office at
- For Romania, please contact Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal.
- In the case of Sweden you can contact the Swedish Authority For Privacy Protection
- In the case of the Czech Republic, please contact https://www.uoou.cz/.
- In the case of Cyprus you may contact the Office of the Commissioner for Personal Data Protection
Data Protection Authorities (other European countries):
- In the case of Andorra, you can contact the Andorran Data Protection Agency (Agència Andorrana de Protecció de Dades)
- In the case of Croatia, you can contact the Croatian Personal Data Protection Agency.
- For Iceland, please contact https://www.personuvernd.is/.
- For Liechetenstein, please contact https://www.llv.li/.
- For Macedonia, please contact https://dzlp.mk/.
- In the case of Monaco, you may contact the Commission de Contrôle des Informations Nominatives
- In the case of Norway, you can contact Datatilsynet
- For Switzerland, please contact https://www.edoeb.admin.ch/edoeb/de/home.html.
Other International Data Protection Authorities:
- For Canada, please contact https://www.priv.gc.ca/en/
- For Hong Kong, please contact https://www.pcpd.org.hk/
- “Cross-border treatment”: a) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, if the controller or processor is established in more than one Member State, or b) the processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
- “Information society service”: any information society service, this means, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
3.-IDENTITY OF THE DATA CONTROLLER
Who collects and processes your data?
The Data Controller is the natural or legal person, of a public or private nature, or administrative body, which alone or jointly with others determines the purposes and means of the processing of personal data; in the event that the purposes and means of the processing are determined by the law of the European Union or of the Spanish Member State.
In this case, our identification data as Data Controller are the following:
MEDIA INVESTMENT OPTIMIZATION, S.A CIF A87668190
How can you contact us?
- Postal and office address: Calle Alfonso XI No. 3. 28014, Madrid (Madrid), Spain
- Registered office: Calle Alfonso XI Nº 3. 28014, Madrid (Madrid), Spain
- Email: madrid@miogroup.com- Telephone: +34 902 333 654
Who can help you with our Data Protection Policy?
We have a person or entity specialized in data protection, which is responsible for ensuring proper compliance of the legislation and regulations in force in our entity. This person is called the Data Protection Officer (DPO) and, if needed, can be contacted as follows:
Auratech Legal – CIF B87984621
Email: dpo@mio.es- Telephone: 34 91 1134963
4.- APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy is developed based on the following data protection laws and regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Hereinafter GDPR.
- Organic Law 3/2018 of December 5th, on the Protection of Personal Data and Guarantee of Digital Rights. Hereinafter LOPD/GDR.
- Law 34/2002, of July 11th, on Information Society Services and Electronic Commerce. Hereinafter LSSICE.
5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
Personal data collected and processed through this Website will be treated in accordance with the following principles:
- Principle of lawfulness, fairness and transparency: Any processing of personal data carried out through this Website will be lawful and fair, being completely clear to the user when personal data concerning him/her is being collected, used, consulted or processed. Information regarding the treatments performed shall be transmitted in advance, easily accessible and easy to understand, in simple and clear language.
- Purpose limitation principle: All data will be collected for specified, explicit and legitimate purposes and will not be further processed in a manner incompatible with the purposes for which they were collected.
- Data minimization principle:The data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Principle of accuracy: The data will be accurate and, if necessary, updated, taking all reasonable steps to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay.
- Principle of limitation of the storage period: Data will be kept in a form that permits identification of data subjects for no longer than necessary for the purposes of processing the personal data.
- Principle of integrity and confidentiality: Data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss or damage, through the implementation of appropriate technical and organizational measures.
- Principle of proactive responsibility: The entity owning the Website shall be responsible for compliance with the principles set forth in this paragraph and shall be able to demonstrate it.
6.-SAFETY MEASURES
What do we do to ensure the privacy of your data?
MIO has taken all the required measures to protect personal data; likewise, MIO has adopted the available technical measures to prevent data loss, unfair use, alteration, unauthorized access or data theft. However, the user should bear in mind that Internet security measures are not completely indestructible.
MIO adopts the necessary organizational and technical measures to guarantee the security and privacy of your data, avoid its alteration, loss, treatment or unauthorized access, depending on the state of the technology, the nature of the data stored and the risks to which they are exposed.
Among others, the following measures stand out:
- Guarantee:
- Confidentiality: The information processed by MIO will be made available or disclosed exclusively to authorized persons at the time and by the means established.
- Integrity: The information processed by MIO will be complete, accurate and valid, and the content will be provided by the parties concerned and will be subject to no manipulation of any kind.
- Availability: The information processed by MIO will be accessible and usable by authorized persons at any given time, guaranteeing its persistence against any eventuality.
- Restore availability and access to personal data quickly in the event of a physical or technical incident.
- Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
- Pseudonymize and encrypt personal data, in case of sensitive data.
MIO assumes responsibility for supporting and encouraging the establishment of the organizational, technical and control measures necessary to comply with the above security guidelines.
On the other hand, MIO manages information systems according to the following principles:
- Principle of regulatory compliance: All information systems shall comply with the applicable legal, regulatory and industry standards that affect information security, especially those related to the protection of personal data, security of systems, data, communications and electronic services.
- Risk management principle: Risks shall be minimized to acceptable levels and a balance shall be sought between security controls and the nature of the information. Security purposes should be established, reviewed and consistent with the information security aspects.
- Principle of awareness and training: Training programs, sensitization and awareness campaigns shall be articulated for all users with access to information, in terms of information security.
- Principle of proportionality: The implementation of controls that mitigate the security risks of the assets shall be carried out seeking a balance between security measures, nature and information and risk.
- Principle of responsibility: All members of the Data Controller shall be responsible for their conduct in terms of information security, complying with the established rules and controls.
- Principle of continuous improvement: The degree of effectiveness of the security controls implemented in the organization shall be reviewed on a recurring basis in order to increase its capacity to adapt to the constant evolution of risk and the technological environment.
7.- PURPOSE OF THE TREATMENT
Why do we want to process your data?
The following are the uses and purposes foreseen:
Management of communications received through the complaints channel.
- Create an internal communication channel to allow the delivery of information on irregular practices in order to correct them and repair any damage they may have caused.
- Informing employees and third parties about the existence of anonymous information systems on actions or omissions that may go against the legal system.
- To protect citizens who report actions or omissions that violate the legal system, affect financial interests or affect the internal market.
- Adequately protect those persons who, by communicating irregularities of which they become aware in their work or professional environment, publicize them through the organization’s complaints channel, thus enabling the public authorities to act and put an end to the illicit activity detected when it affects the general interest.
Investigation of complaints received
- Creation of a procedure for managing incoming communications that identifies this channel, sending acknowledgement of receipt and informing the informant of actions or omissions carried out
- Management of the logbook of communications received and of the internal investigations to which they give rise
- Inform the person under investigation of his or her right to submit written allegations and of the processing of his or her personal data.
- Conducting the necessary investigations to respond to the informant’s inquiry
How long do we keep your data?
We use your data for the time strictly necessary to fulfill the purposes indicated above. Unless there is a legal obligation or requirement, the retention periods foreseen are as follows:
Management of communications received through the complaints channel. For a period of 10 years from the last confirmation of interest. After 3 months the data will be deleted if the complaint is unsuccessful. If the complaint succeeds, the maximum period of time may exceed 10 years.Handling of received complaints: All data processed and collected during the investigation phase are deleted after 3 months. If the complaint is successful, the maximum term may not exceed 10 years.
8.- LEGITIMACY OF THE TREATMENT
Why do we process your data?
The collection and processing of your data is always legitimized by one or more legal bases, which are detailed below:
Management of communications received through the complaints channel.
- (Art. 6.1.c GDPR) Fulfillment of legal obligations of the Data Controller
- Law regulating the protection of persons who report regulatory violations and the fight against corruption. Law regulating the protection of persons reporting regulatory infringements and the fight against corruption transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23rd 2019 on the protection of persons reporting breaches of Union law.
- (Art. 6.1.e GDPR) Fulfillment of a public mission or exercise of public powers conferred to the Data Controller.
- GDPR and LOPDGDD. Compliance with legal obligations: General Data Protection Regulation (GDPR) and Organic Law 3/2018, of December 5th, on Personal Data Protection and guarantee of digital rights (LOPDYGDD). Compliance with legal obligations: General Data Protection Regulation (GDPR) and Organic Law 3/2018, of December 5th, 2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDYGDD).
- Organic Law 7/2021, of May 26th, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal sanctions. Organic Law 7/2021,of May 26th, on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal penalties.
Investigation of complaints received
- (Art. 6.1.c GDPR) Fulfillment of legal obligations of the Data Controller
- Law regulating the protection of persons who report regulatory violations and the fight against corruption. Law regulating the protection of persons reporting regulatory infringements and the fight against corruption transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23rd 2019 on the protection of persons reporting breaches of Union law.
- (Art. 6.1.e GDPR) Fulfillment of a public mission or exercise of public powers conferred to the Data Controller.
- Organic Law 7/2021, of May 26th, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal sanctions. Organic Law 7/2021,of May 26th, on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal penalties.
9.- RECIPIENTS OF YOUR DATA
To whom do we disclose your data within the European Union?
Occasionally, in order to comply with our legal obligations and our contractual commitment to you, we are faced with the obligation and need to transfer some of your data to certain categories of recipients, which we specify below:
Management of communications received through the complaints channel.Other public administration bodies . External channel managed by the Independent Authority for the Protection of Whistleblowers or similar independent regional authorities with competence. Data will also be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation. Investigation of complaints received : Other public administration bodies. External channel managed by the Independent Authority for the Protection of Whistleblowers or similar independent regional authorities with competence. Data will also be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation.
Do we make International Transfers of your data outside the European Union?
We do not make international transfers of your data
10.- DATA PROCESSING ACTIVITIES
The data processing activities carried out through the Website are detailed below, specifying each of the following sections:
- Activity: Name of the data processing activity
- Purposes: Each of the uses and treatments that are carried out with the data collected.
- Legal basis: The legal basis that legitimizes the processing of data.
- Data processed: Type of data processed
- Source: Where from is the data obtained
- Retention: Period during which the data is retained.
- Recipients: Persons or third parties to whom the data is provided.
- International Transfers: Transborder data transfers outside the European Union
10.1 -Treatment activities
These are those data processing activities whose purposes are necessary for the provision of services.
Management of communications received through the complaints channel. |
---|
Legal basis (Art. 6.1.c GDPR) Fulfillment of legal obligations of the Data Controller (Law regulating the protection of persons who report regulatory infringements and the fight against corruption); (Art. 6.1.e GDPR) Fulfillment of a public mission or exercise of public powers conferred to the Data Controller (GDPR and LOPDGDD). Compliance with legal obligation: General Data Protection Regulation (GDPR) and Organic Law 3/2018 of December 5th on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), Organic Law 7/2021 of May 26th on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and enforcement of criminal penalties. Purposes: Create an internal communication channel to allow the delivery of information on irregular practices in order to correct them and repair the damage they may have produced; Inform employees and third parties about the existence of anonymous reporting systems on actions or omissions that may go against the legal system. To protect citizens who report actions or omissions that violate the legal system, affect financial interests or affect the internal market; To adequately protect those persons who, by reporting irregularities of which they become aware in their work or professional environment, publicize them through the organization’s complaints channel, thereby enabling the public authorities to act and put an end to the unlawful activity reported when it affects the general interest.Informants internal complaints channel (Identification data; Criminal data; Other categories). Persons allegedly involved (Identifying data; Criminal data) Origin of data The data subject himself or his legal representative; The data is communicated by the informant himself through the organization’s complaints channel. Other persons other than the data subject or his representative; The data is delivered by the informant or becomes known in the process of instruction and investigation. Category of recipients Other public administration bodies; External channel managed by the Independent Authority for the Protection of the Informant or by analogous autonomous independent Authorities with competence. Data will also be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation.International transferNot foreseen Storage period For a period of 10 years from the last confirmation of interest. After 3 months the data will be deleted if the complaint is unsuccessful. If the complaint is successful, the maximum term may not exceed 10 years. Security Measures
In order to safeguard the security of the personal data of the complaints channel, the organization undertakes to maintain the security and confidentiality of the data provided and, specifically, of the data of the Whistleblowers who make a communication through the internal complaints channel, preventing access to them by those who caused the communication due to the alleged commission of actions within the organization contrary to the Law or the Code of Conduct of the entity. The organization has adopted the legally required levels of security for the Protection of Personal Data and used the technical means at its disposal to prevent the loss, misuse, alteration, unauthorized access and theft of the same.
Likewise, the organization informs that all its staff, regardless of the processing phase in which they are involved, has adopted the commitment to treat your data with the utmost care and confidentiality.
Investigation of complaints received |
---|
Legal basis (Art. 6.1.c GRPD) Fulfillment of legal obligations of the Data Controller (Law regulating the protection of persons who report regulatory infringements and the fight against corruption); (Art. 6.1.e GRPD) Fulfillment of a public mission or exercise of public powers conferred to the Data Controller (Organic Law 7/2021, of May 26th, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and enforcement of criminal penalties.) Purposes Creation of a management procedure for communications received that identifies the present channel, sending acknowledgement of receipt and communication to the informant of the actions or omissions carried out; Management of the log-book of communications received and of the internal investigations to which they have given rise; Informing the person under investigation of his right to submit written allegations and of the processing of his personal data; Carrying out the investigations necessary to respond to the informant Categories of data and groups.Informants internal complaints channel (Identification data; Criminal data; Other categories). Persons allegedly involved (Identifying data; Criminal data) Origin of data The data subject himself or his legal representative; The data is communicated by the informant himself through the organization’s complaints channel; Other persons other than the data subject or his representative; The data is delivered by the informant or becomes known in the process of instruction and investigation.Category of recipients Other public administration bodies; External channel managed by the Independent Authority for the Protection of the Informant or by analogous autonomous independent Authorities with competence. Data will also be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation.International transferNot foreseen Storage period All data processed and collected during the investigation phase are deleted after 3 months. If the complaint is successful, the maximum term may not exceed 10 years Security Measures
In order to safeguard the security of the personal data of the complaints channel, the organization undertakes to maintain the security and confidentiality of the data provided and, specifically, of the data of the Whistleblowers who make a communication through the internal complaints channel, preventing access to them by those who caused the communication due to the alleged commission of actions within the organization contrary to the Law or the Code of Conduct of the entity. The organization has adopted the legally required levels of security for the Protection of Personal Data and used the technical means at its disposal to prevent the loss, misuse, alteration, unauthorized access and theft of the same.
Likewise, the organization informs that all its staff, regardless of the processing phase in which they are involved, has adopted the commitment to treat your data with the utmost care and confidentiality.
11.- DATA OF MINORS
Minors under 14 years of age may not use the services available through the Website without the prior authorization of their parents, guardians or legal representatives, who shall be solely responsible for all acts performed through the Website by the minors in their care, including the completion of the telematic forms with the personal data of such minors and the marking, where appropriate, of the boxes that accompany them.
In compliance with the provisions of Article 8 of the GRPD and Article 7 of the LOPD/GDD, only those over 14 years of age may give their consent to the processing of their personal data in a lawful manner by MIO.
12.-PROVENANCE AND TYPES OF DATA PROCESSED
Where did we obtain your data?
Management of communications received through the complaints channel.
- Informants internal complaints channel: The interested party himself or his legal representative . The data is reported by the informant himself through the organization’s complaints channel.
- Persons presumed to be involved: Persons other than the interested party or his representative. The data is provided by the informant or is acquired during the instruction and investigation process.
Investigation of complaints received
- Informants internal complaints channel: The interested party himself or his legal representative . The data is reported by the informant himself through the organization’s complaints channel.
- Persons presumed to be involved: Persons other than the interested party or his representative. The data is provided by the informant or is acquired during the instruction and investigation process.
What types of data do we collect and process about you?
Management of communications received through the complaints channel. Informants internal complaints channel
- Identification data (E-mail address; Mailing address; Name and Surname; Telephone number)
- Criminal data (Administrative infractions; Criminal infractions)
- Other categories (Telephone conversation)
Persons allegedly involved
- Identification data (Name and Surname)
- Criminal data (Administrative infractions; Criminal infractions)
Instruction of the complaints received Informants internal complaints channel
- Identification data (E-mail address; Mailing address; Name and Surname; Telephone number)
- Criminal data (Administrative infractions; Criminal infractions)
- Other categories (Telephone conversation)
Persons allegedly involved
- Identification data (Name and Surname)
- Criminal data (Administrative infractions; Criminal infractions)
13- RIGHTS OF INTERESTED PARTIES
What are your rights?
The current data protection regulations provide you with a series of rights regarding the use of your data. Each and every one of your rights are unipersonal and non-transferable, that is to say, they can only be exercised by the owner of the data, after verifying his or her identity.
The following are the rights you are entitled to:
- Right of access: It is the right of the website user to obtain confirmation as to whether or not the Data Controller is processing his/her personal data and, if so, to obtain information about his/her specific personal data and the processing that the Data Controller has carried out or is carrying out, as well as, among other things, the information available on the origin of such data and the recipients of the communications made or planned in the same.
- Right of rectification: It is the right that the user of the website has to have their personal data modified if they are found to be inaccurate or, considering the purposes of the processing, incomplete.
- Right of suppression: It is often referred to as the “right to be forgotten”, and it is the right of the website user, unless otherwise provided by law, to obtain the deletion of his/her personal data when they are no longer necessary for the purposes for which they were collected or processed; the user has withdrawn his/her consent to the processing and there is no other legal basis; the user objects to the processing and there is no other legitimate reason to continue with the processing; the personal data have been processed unlawfully; the personal data have been obtained as a result of a direct offer of information society services to a minor under 14 years of age. In addition to deleting the data, the Controller shall, taking into account the technology available and the cost of implementation, take reasonable steps to inform other data controllers that may be processing the personal data of the data subject’s request to delete any link to such personal data.
- Right to the limitation of data: This is the website User’s right to limit the processing of his or her personal data. The website User has the right to obtain the limitation of the processing when challenging the accuracy of his/her personal data; the processing is unlawful; the Controller no longer needs the personal data, but the User needs it to make claims; and when the website User has objected to the processing.
- Right to data portability: In those cases where the processing is carried out by automated means, the website User shall have the right to receive from the Data Controller his/her personal data in a structured, commonly used and machine-readable format, and to transmit them to another Data Controller, where technically possible, the Data Controller shall transmit the data directly to such other Data Controller.
- Right of opposition:This is the User’s right not to have his or her personal data processed or to stop the processing of such data by the Data Controller.
- Right not to be subject to automated decisions and/or profiling: The right of the website User not to be subject to an individualized decision based solely on the automated processing of his or her personal data, including profiling, unless otherwise provided by law.
- Right to revoke consent: This is the right of the website User to withdraw, at any time, the consent given for the processing of his/her data.
- Right to file a complaint regarding data protection before the Supervisory Authority: Spanish Data Protection Agency.
The interested party may exercise any of the aforementioned rights by contacting the Data Controller and prior identification of the User using the following contact information:
- Responsible: MEDIA INVESTMENT OPTIMIZATION, S.A.
- Address: Calle Alfonso XI Nº 3. 28014, Madrid (Madrid), Spain
- Telephone: +34 902 333 654
- E-mail: madrid@miogroup.com
- Website: https://miogroup.com/
You can also exercise your rights with the Data Protection Officer:
Email: mdelapena@auratechlegal.es – Phone: 647633242
How can you exercise your rights in relation to your data?
To exercise your rights of access, rectification, deletion, limitation or opposition, portability and withdrawal of your consent, you can do so as follows:
Management of communications received through the complaints channel.
- Responsible: MEDIA INVESTMENT OPTIMIZATION, S.A.
- Address: Calle Alfonso XI Nº 3. 28014, Madrid (Madrid), Spain
- Telephone: +34 902 333 654
- E-mail: madrid@miogroup.com
- Website: https://miogroup.com/
Investigation of complaints received
- Responsible: MEDIA INVESTMENT OPTIMIZATION, S.A.
- Address: Calle Alfonso XI Nº 3. 28014, Madrid (Madrid), Spain
- Telephone: +34 902 333 654
- E-mail: madrid@miogroup.com
- Website: https://miogroup.com/
How can you file a claim?
In addition to your rights, if you believe that your data is not being collected or processed in accordance with current Data Protection regulations, you may file a complaint with the Supervisory Authority, whose contact details are given below:
- Spanish Data Protection Agency
C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain
Email: info@aepd.es- Phone: 912663517
Web: https://www.aepd.es
- In the case of Germany, please contact Berliner Beauftragte für Datenschutz und Informationsfreiheit
- In the case of Austria, you may contact Österreichische Datenschutzbehörde.
- In the case of Belgium, you can contact the Autorité de protection des données
Gegevensbeschermingsautoriteit - In the case of Bulgaria, you may contact the Commission for Personal Data Protection.
- For Denmark, please contact Datatilsynet.
- For Slovakia, please contact https://dataprotection.gov.sk/uoou/.
- For Slovenia, you can contact https://www.ip-rs.si/.
- For Estonia, please contact https://www.aki.ee/et.
- In the case of Finland, you may contact the Office of the Data Protection Ombudsman, .
- In the case of France, you may contact the Commission Nationale de l’Informatique et des Libertés
- In the case of Greece, you can contact the Hellenic Data Protection Authority.
- For Hungary, please contact Office of the Commissioner for Fundamental Rights of Hungary
- In the case of Ireland, you may contact the Data Protection Commission.
- In the case of Italy you can contact Garante per la Protezione dei Dati Personali
- For Latvia, please contact https://www.dvi.gov.lv/lv.
- In the case of Lithuania you can contact the State Data Protection Inspectorate
- In the case of Luxembourg, you may contact the Commission Nationale pour la Protection des Données
- In the case of Malta you can contact the Information and Data Protection Commissioner
- For the Netherlands, please contact https://autoriteitpersoonsgegevens.nl/en.
- For Poland, please contact https://archiwum.giodo.gov.pl/.
- In the case of Portugal, you can contact Comissão Nacional de Proteção de Dados
- For the United Kingdom, you may contact the Information Commissioner’s Office at
- For Romania, please contact Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal.
- In the case of Sweden you can contact the Swedish Authority For Privacy Protection
- In the case of the Czech Republic, please contact https://www.uoou.cz/.
- In the case of Cyprus you may contact the Office of the Commissioner for Personal Data Protection
Data Protection Authorities (other European countries):
- In the case of Andorra, you can contact the Andorran Data Protection Agency (Agència Andorrana de Protecció de Dades)
- In the case of Croatia, you can contact the Croatian Personal Data Protection Agency.
- For Iceland, please contact https://www.personuvernd.is/.
- For Liechetenstein, please contact https://www.llv.li/.
- For Macedonia, please contact https://dzlp.mk/.
- In the case of Monaco, you may contact the Commission de Contrôle des Informations Nominatives
- In the case of Norway, you can contact Datatilsynet
- For Switzerland, please contact https://www.edoeb.admin.ch/edoeb/de/home.html.
14.-ACCEPTANCE
The acceptance and provision of this document indicates that you understand and accept all the clauses of our privacy policy and therefore authorize the collection and processing of your personal data under these terms. This acceptance is done by checking the “Read and Accept” checkbox in our Privacy Policy.
MIO reserves the right to modify this Privacy Policy, according to its own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency or the rest of the European control authorities mentioned in the previous point. Changes or updates made to this Privacy Policy that affect the purposes, retention periods, data transfers to third parties, international data transfers, as well as any rights of the Website User, will be explicitly communicated to the user.
This policy will be maintained, updated and adapted to MIO’s needs and aligned with its strategic risk management principles. To this end, it will be reviewed at planned intervals or whenever significant changes arise to ensure its suitability and effectiveness.
Last update: December 21, 2023