Sistema de Información Grupo BME

The BME Group Internal Reporting System (hereinafter, the “BME Whistleblowing System”) provides a channel to report irregular or potentially inappropriate conduct, actions, or omissions that may constitute violations or raise reasonable suspicion of breaches of applicable legislation or internal regulations established within the SIX-BME Group, including any form of discrimination or harassment in the workplace (hereinafter, “misconduct or breaches”).

The BME Whistleblowing System applies to employees, clients, suppliers, and other stakeholders with a professional relationship with BME or any of its group companies, who detect misconduct or breaches in a work-related context and report them through the available channels (hereinafter, “whistleblowers”).

Internal Channels and Communication Methods

Internal reporting channels, in accordance with current regulations, are the preferred method for submitting reports. The BME Whistleblowing System includes the following internal channels:

  • A reporting channel to submit information about irregular or potentially inappropriate conduct, actions, or omissions that may constitute violations or raise reasonable suspicion of breaches of applicable legislation or internal SIX-BME Group policies.

  • A channel to report any form of workplace discrimination or harassment, including sexual harassment.

Reports may be submitted through the following methods:

  • In writing:

             - By email to BME Group’s Compliance Department: canaldedenuncias@grupobme.es

             - Through the BME Integrity Line tool available at: https://bme.integrityplatform.org/.
               Only the Compliance Department has access to this platform.
               It also allows reports to be submitted and managed anonymously.

  • By in-person meeting with the BME Group Compliance Department, upon the whistleblower’s request, to be held within a maximum of seven (7) calendar days from the initial communication.

 

Core Principles of Case Management:

Information received through the BME Whistleblowing System is managed based on the following principles:

  • Confidentiality

The system is designed and managed to ensure the confidentiality of the information reported, the identity of the whistleblower and any third parties mentioned, as well as all procedures undertaken during the handling of the report.

  • Data Protection

Personal data is protected to prevent unauthorized access. More information can be found in the following link.

  • Protection Against Retaliation

Individuals who report concerns through the provided channels will be protected, provided they act in good faith and have reasonable grounds to believe the information was true at the time of reporting, even if no conclusive evidence is presented.


All acts of retaliation, including threats or attempts of retaliation, are strictly prohibited.

  • Protection of Accused Individuals

Accused persons are entitled to the presumption of innocence, the right to defense, and access to their case file. They are also entitled to the same confidentiality protections as whistleblowers.

External Reporting Channels

Reports may also be submitted through the external reporting channel of the Independent Authority for Whistleblower Protection (A.A.I.), or through the relevant regional authorities, concerning actions or omissions that may constitute:

a) Violations of European Union law, as listed in the annex of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, especially when such breaches affect the EU's financial interests or the internal market (as per Articles 325 and 26.2 of the Treaty on the Functioning of the European Union).

b) Serious or very serious criminal or administrative offences under Spanish law.

Additionally, such breaches may be reported to the appropriate institutions or bodies of the European Union, when within the scope of Directive (EU) 2019/1937.

Data Protection Information

Who is the Data Controller?

The controller of the personal data included in any report submitted through the BME Whistleblowing System is Bolsas y Mercados Españoles, Sociedad Holding de Mercados y Sistemas Financieros, S.A.U. (“BME Holding”), Tax ID: A-83246314 Registered office: Plaza de la Lealtad, 1, 28014 Madrid, Spain.


Purpose and Legal Basis of Data Processing

Personal data will be processed by BME for the following purposes:

  • To analyze and manage the report internally.

  • To maintain contact with the whistleblower, the accused party, or any third party relevant to the process.

  • To investigate the matter, if applicable.

  • To report to competent authorities, where necessary.

Processing may be carried out:

  • For internal reports: based on a legal obligation under Article 6.1(c) of the General Data Protection Regulation (GDPR), pursuant to Law 2/2023 of 20 February on whistleblower protection.

  • For public disclosures: based on a public interest mission under Article 6.1(e) GDPR.

  • For special categories of personal data: when justified by reasons of substantial public interest, in accordance with Article 9.2(g) GDPR.

What Personal Data May Be Collected?

  • Whistleblower (if not anonymous): full name, email address, home address, mobile number, or any other data included in the report.

  • Accused individuals: data provided in the report and any data uncovered during the investigation.

  • Witnesses or third parties: data mentioned in the report or collected during the investigation that may be relevant.

Who Has Access to the Data?

Access to the personal data contained in BME's Information System shall be limited exclusively to the System Manager and the persons who perform internal control and compliance functions in the Compliance Department and, when necessary, to the Criminal Prevention Committee. Exceptionally, such access may be granted to:

  • The Head of Human Resources when it is appropriate to take disciplinary measures against an employee.
  • The Head of Legal Counsel when: (1) it is necessary to take legal measures; or (2) the communication refers to the System Manager or to a member/s of the Compliance Department and they have to inhibit themselves.
  • The persons in charge of the processing that are designated.
  • BME's Audit and Risk Committee when necessary.
  • The Data Protection Delegate.
  • Likewise, the processing of personal data by other persons shall be lawful when necessary for the adoption of corrective measures at BME or the processing of any disciplinary or criminal proceedings that may be applicable.

Likewise, the processing of personal data by other persons shall be lawful when it is necessary for the adoption of corrective measures at BME or the processing of any sanctioning or criminal proceedings that may be applicable.

BME relies on the services of EQS Group AG, supplier of the Integrity Line platform and offers guarantees regarding independence, confidentiality, data protection and secrecy of communications. In general, only third parties who provide adequate guarantees may have access to the management of the information received through the BME Information System.

The identity of the informant, if identified, may only be communicated to the Judicial Authority, the Public Prosecutor's Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation. The person to whom the facts reported in the information communicated refer shall in no case be informed of the identity of the informant.

What technical and organizational measures are used?

BME will ensure that it adopts all necessary technical and organizational measures aimed at preserving the identity and guaranteeing the maximum confidentiality of the data corresponding to the persons concerned and any third parties mentioned in the information provided.

Persons who, in the performance of their duties, become aware of information submitted through any of the channels, shall be bound by professional secrecy, especially with regard to the identity of the informants.

Both EQS Group AG and the software developed for EQS Integrity Line are certified according to the ISO 27001 information security standard. The platform ensures full compliance with the GDPR and guarantees the anonymity of the whistleblower so that his or her identity cannot be traced by technical means..


What is the retention period?

The personal data of the informant, affected and third parties mentioned in the communication will be kept only for the time necessary to decide on the appropriateness of initiating an investigation of the facts denounced or reported. If it is proven that the information provided or part of it is not truthful, the data must be deleted immediately. If the lack of truthfulness could constitute a criminal offence, the information will be kept for the necessary time during the legal proceedings.

 

After three months have elapsed from the receipt of the communication without any investigation having been initiated, the data shall be deleted, unless their storage serves to provide evidence of the functioning of BME's Internal Information System. Communications that have not been processed may only be recorded in an anonymized form, and the obligation to block them shall not apply.


How can I exercise my rights?

The informants, affected, denounced, witnesses and other third parties whose personal data are processed, will be referred to as “Interested Parties” for the purpose of exercising their rights.

Data Subjects may exercise their rights of access, rectification, erasure, portability and limitation of processing, as well as contact the Parties' Data Protection Officer at the following address:

BME Group Data Protection Delegate: protecciondedatos@grupobme.es, Plaza de la Lealtad, 1, 28014 Madrid.

Interested Parties may also file a complaint with the Spanish Data Protection Agency (www.aepd.es).

Notwithstanding the foregoing, the characteristics of the investigation process may modify the scope of the exercise of any of these rights:

  • None of the Stakeholders whose personal data are processed during this research will be able to exercise the right of cancellation.
  • The right of access to information included in the information system shall be limited to information related to the personal data of the requesting Stakeholder (third party data cannot be accessed).

None of the Stakeholders to whom the facts reported in the communication refer may object to being investigated. Should any of these Stakeholders exercise the right to object, it will be presumed that, unless there is evidence to the contrary, there are legitimate reasons for processing their personal data.