Data controller
Canal Etico. System Manager: web@doscar.com.
Purpose
Management of internal channel reports, investigation of facts and, where appropriate, disciplinary, judicial or regulatory measures.
Legal basis
Legal obligation (art. 6.1.c GDPR) under Law 2/2023 and Directive (EU) 2019/1937. Consent is not requested.
Categories of data
Data is provided voluntarily. The channel offers two modes:
- Anonymous report: no identifying data is requested. Only the data about the facts that is strictly necessary is processed.
- Identified report: requires creating an account with email, a hashed password (bcrypt cost 12) and optionally full name. The name is stored encrypted with AES-256-GCM. The email is required as the account identifier and is not shared with third parties. You may request deletion of your account at any time.
Attachments are stored encrypted with AES-256-GCM, and their metadata (name, MIME type, size, hash) is recorded. Chat communications are encrypted at rest.
Recipients
System Manager and authorised personnel. No transfers to third parties unless legally required (judicial authority, Prosecutor, A.A.I., competent authorities).
International transfers
No transfers outside the European Economic Area.
Retention period
Personal data: maximum 3 months (art. 32.2 Law 2/2023) unless an investigation is ongoing. Record book (art. 26): 10 years with metadata and no personal data, accessible only to the judicial authority.
Security measures
- AES-256-GCM encryption at rest.
- TLS in transit.
- TOTP 2FA and tamper-evident audit log (hash-chain).
- IP addresses are not logged; internal identifiers are hashed with a secret key.
Rights
You may exercise your rights of access, rectification, erasure, objection, restriction and portability at web@doscar.com. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD, aepd.es) or the A.A.I.
Security incidents affecting your data will be notified to the AEPD within 72 hours (art. 33 GDPR).
Automated decisions
No decisions are based solely on automated processing, nor is profiling carried out.