All persons who use our internal channels of complaint in good faith will have the right to be protected, provided that the events reported are not manifestly false or unlikely to be true.
The protection of complainants will in all cases include the right not to have their identity disclosed to those who have been reported or to others affected by the complaint.
htopgroup guarantees that no whistleblower will be subject to retaliation for reports submitted or complaints made through our internal channels or, if applicable, those submitted to the Independent Authority for the Protection of the Informant or those publicly disclosed under the terms of Act 2/2023. The right of protection will extend to their relatives and close associates, and to any organisations with which the complainant maintains links.
Data processing carried out in accordance with Act 2/2023 is protected by the Act, which constitutes its legal justification. In addition, the regulations establish a presumption of legality for the processing of special categories of data on the basis of essential public interest.
In compliance with data protection legislation, all data subjects are also informed that their identity will remain confidential and will not be disclosed to the persons to whom the events reported refer or to third parties, except when there is a legal obligation to do so.
The complainant and any interested party may exercise their right to access, rectify, limit, delete and transfer their personal data in accordance with current legislation. In view of the requirement for confidentiality mentioned in the previous paragraph, some of these rights may be subject to certain limitations, for example, with regard to the right of access or the right of opposition.
Only those company employees specifically authorised to do so will be able to access the data contained in the Internal Information System. Disclosure of such data to third parties will also be limited in accordance with the law.
The data may only be kept for as long as is necessary to decide whether it is appropriate to initiate an investigation. Moreover, if three months have passed after the submission of the report and no investigation has been initiated, the personal data will be deleted, unless the purpose of storing them is to provide evidence of the functioning of the Internal Information System, in which case the data will be anonymised.