Confidentiality/Employee data protection policy

Commitment to Confidentiality 

Both during the duration of the employment/functional contract and after its termination for any reason, the employee is obliged to maintain absolute secrecy of the Company's Confidential Information.

Confidential Information is any information the employee has access to as part of performing their job (including personal data accessed). Should the employee have accessed personal data as part of their duties, they shall only process them to comply with these duties; they may never be used for other purposes or transferred to third parties, not even for storage. The worker must adopt the technical and organizational measures indicated by Sociedad Estatal de Correos y Telégrafos, S.A., S.M.E.

The prohibition established in the preceding paragraph extends to the reproduction in any medium of the information of Sociedad Estatal de Correos y Telégrafos, S.A., S.M.E. to which the employee has access regarding clients, procedures and organisational systems, computer programs or any type of internal information. Thus, in the event that the employee discloses to third parties any protected or confidential information, they may be liable to incur criminal liability under art. 278 et seq. of the Penal Code, as well as the provisions of Law 1/2019, of 20 February 2019, on Business Secrets. In this regard, the worker must adopt the technical and organisational measures indicated by Sociedad Estatal de Correos y Telégrafos, S.A., S.M.E. .

Employee data protection policy

Data controller

The data controller is "Sociedad Estatal Correos y Telégrafos, S.A., S.M.E." ("Correos"), with tax identification number A83052407 and registered office at calle Conde Peñalver, 19, 28006 Madrid (Spain).

To ensure compliance with data protection regulations, Correos has appointed a Data Protection Officer (“DPO”) who you can write to with any questions about this topic at the following email address: dpdgrupocorreos@correos.com.

Purposes of the processing of personal data, data processed and basis of legitimisation

Your personal data may be processed for the following purposes:

Purpose 1 - Management of the labour relationship with the Employee

  • Description of the purpose: Administration of the employment or civil service relationship with you (hereinafter, the Employee). For illustrative purposes, this purpose may include actions such as: employee registration, appointments and terminations; management of tax and accounting activities deriving from the employment relationship; management and control of professional expenses; where appropriate, payment and tax deductions or allowances; management and payment of payroll and other non-wage items; management of communications to the Social Security; actions relating to the prevention of occupational hazards; handling of requests and suggestions submitted by employees; handling of requests made by employees, such as requests for advances on paychecks; recording the working day worked by the employee in order to comply with the obligation to ensure the daily recording of the working day; management of functional and geographical mobility processes; management of trips made by the employee in connection with the employment relationship; management and settlement of travel expenses of the Employee, as well as other similar expenses; allocation and control of the resources necessary for the performance of the work, including the management of corporate accounts and profiles, as well as IT support and maintenance, where appropriate; management and control of work, including disciplinary and grievance actions and procedures; management of rights linked to trade union membership; management of leave, transfers, leave of absence, temporary incapacity; administration of termination or suspension of employment.
  • Basis of legitimacy: Execution of the contractual relationship, compliance with the applicable Collective Bargaining Agreement and other collective agreements applicable in each case and compliance with legal obligations.
  • Data processed for this purpose: Identification and contact data, professional and academic data, identification and contact data of family members, economic and financial data, data on family characteristics, data on social circumstances, data of special category; data collected for the registration of the working day.
  • Enabling circumstances for the processing of special category data: Fulfilment of obligations and exercise of specific rights of the controller and the data subject in the field of labour law and social security and social protection. If applicable, (i) certain health data may be processed due to the disability or condition that the Employee may have, within the framework of compliance with social support measures and adaptation of the job position to the conditions required in each case, for access to job positions reserved for people with disabilities, or for the management and processing of aid and discounts in tax and social security matters, and (ii) certain union data in the event of elections or disciplinary proceedings requiring the hearing of the union delegate in the event that the Employee is a member of a union.

Purpose 2 - Provision of medical services and compliance with the legal obligations of Correos

  • Description of purpose: Processing of data on active employees in order to organise and carry out medical examinations of the workforce; to aggregate personal data by province, headquarters and sex - so that information on the state of health cannot be linked to the individual, in order to carry out statistical studies, with the aim of assessing the collective state of health of the company's workers, and to establish priorities for action in preventive matters; processing of data on Correos employees in order to communicate them to the competent Public Authorities and/or Private Entities, insofar as this is necessary to enable the fulfilment of legal obligations.
  • Basis of legitimacy: Compliance with legal obligations.
  • Data processed for this purpose: Identification data, contact data, professional data, economic and financial data, family data and special category data.
  • Enabling circumstances for the processing of special category data: Fulfilment of obligations and exercise of specific rights of the controller and the data subject in the field of labour law and social security and social protection.

Purpose 3 - Training

  • Description of purpose: Planning and carrying out the training plan and other educational and informative actions not included in the training plan.
  • Basis of legitimacy: Execution of the contractual relationship.
  • Data processed for this purpose: Identification, contact, academic and professional data.

Purpose 4 - Performance evaluation

  • Description of purpose: Manage the professional development of the employee in internal development and evaluation processes.
  • Basis of legitimacy: Execution of the contractual relationship.
  • Data processed for this purpose: Identification data, contact, academic and professional data, as well as information derived from the evaluation of the Employee.

Purpose 5 - Absenteeism control

  • Description of purpose: Verification, by medical staff, of the state of illness or accident at work or alleged absenteeism, in order to justify absences from work. This purpose includes medical summons by health staff and/or Correos staff in the exercise of their duties.
  • Basis of legitimacy: Enforcement of the employment relationship in relation to the framework of powers of control and supervision recognised by labour legislation (Article 20.4 of the Workers' Statute).
  • Data processed for this purpose: Identification data, contact data and professional and special category data.
  • Enabling circumstances for the processing of special category data:  the processing is necessary for the purposes of preventive or occupational medicine, assessment of the worker's fitness for work, medical diagnosis, the provision of health or social care or treatment, or the management of health and social care systems and services, on the basis of Union or Member State law or under a contract with a health professional. Where applicable, health data, collected during the management of temporary incapacity, may be processed to verify the state of illness or accident at work claimed by the worker to justify absences from work.

Purpose 6 - Labour control

  • Description of purpose: Verify the correct performance of the functions attributed to the Employee and their duties, by means of systems and methods of supervision in the workplace. Correos may use geopositioning technology in the mobile devices or corporate vehicles used by the employee to perform functions such as delivery and distribution of postal services, parcels, etc. The implementation of this technology shall comply with the criteria of data minimisation and privacy from the design and by default and shall only receive the information necessary for the exercise of the necessary business control and its activity shall be limited to the worker's working day.
  • Basis of legitimacy: Legitimate  interest of Correos consisting of: (i) exercising the powers of labour control and supervision granted to employers under current legislation, allowing the inclusion of the improvements and optimisation in the organisation of resources required to achieve the Company's objectives more effectively and maintain the Company's economic sustainability; (ii) the organisation's legitimate interest in avoiding adverse situations and, where appropriate, resolving them, for example in the event of security incidents and/or loss of devices or consignments being delivered, as well as helping to reduce the accident rate - and therefore increase the safety of workers - and to make transport and/or delivery routes more efficient; (iii) the organisation's legitimate interest in adapting to new market requirements and providing recipients with near real-time information on the status of their consignments and/or deliveries and information on the approximate location, in order to increase the added value of the service, as well as to reduce delivery attempts due to absences at home, which, ultimately, would also lead to a reduction in costs by achieving greater efficiency in the provision of the service; and; (iv) help to reduce the accident rate - and thus increase worker safety - and make transport and/or delivery routes more efficient.
  • Data processed for this purpose: Identification data, contact data, academic and professional data and, depending on the case, geolocation or browsing and interaction with technological features and tools made available to employees.

Purpose 7 - Complaints Channel Management

  • Description of purpose: Management, through the Ethics Channel, of communications relating to possible irregularities, breaches or behaviour contrary to the ethics, legality or corporate rules of Correos, in order to investigate them in cases where it is appropriate to open an investigation file, and which are related to the Employee.
  • Basis of legitimacy: Compliance with legal obligations (inter alia, regulations governing the protection of persons reporting regulatory violations and anti-corruption).
  • Data processed for this purpose: Identification and contact data, as well as other categories that, due to the information transferred, may be communicated (for example, employment/academic data),
  • economic-financial, kinship, social circumstances and/or special status –depending on the situation disclosed and where there are reasons of essential public interest).

Purpose 8 - Communication of data in the development of professional relationships

  • Description of purpose: To  allow the inclusion of employees' professional information in service proposals, documentation required by public and/or private tenders to which Correos may apply and in contracts signed with third parties to which Correos is a party, when the Employee's participation in the development of such professional relations is foreseen.
  • Basis of legitimacy: Legitimate  interest of Correos in (i) professionally locating valid representatives in the organisation with which it maintains a relationship, as well as (ii) keeping its own employees reachable in the management of relationships with customers, suppliers and other third party entities with which Correos maintains a commercial or contractual relationship, ensuring an effective and correct execution of the professional relationship.
  • Data processed for this purpose: Identification data, contact data and professional data.

Purpose 9 - Physical security of facilities (video surveillance)

  • Description of purpose: Depending on the case,  Correos may have systems in place to control and preserve the security of people, goods and facilities. This information will be supplemented, as appropriate, by specific information displayed at the facility (e.g. warning signs).

In addition, CORREOS will process the data obtained from the video surveillance cameras for the purpose of business control in the exercise of the functions provided for in Article 20.3 of the Workers' Statute and in the civil service legislation within the legal framework and with the limits inherent to it.

  • Basis of legitimacy: Legitimate interest of Correos in controlling and preserving the security of persons, property or facilities, including: (i) preventing the generation of illegal and/or harmful acts to the security and interests of Correos and its employees and; (ii) respond to these illegal and/or harmful acts.

Likewise, and on the basis of legitimate interest, CORREOS will process the data obtained from the video surveillance cameras for the purpose of business control in the exercise of the functions provided for in Article 20.3 of the Workers' Statute and in the civil service legislation within the legal framework and with the limits inherent to it. This purpose includes the possibility of using the images captured as evidence of a breach of work or service obligations or the commission of any other unlawful act, all in accordance with the provisions of the regulations in force at any given time and with the necessary respect for fundamental rights.

  • Data processed for this purpose: Identification data (image data).

Purpose 10 - Facility access control

  • Description of purpose: Correos has access to control systems, in order to control the regime of visits, access to the aforementioned access points to its facilities and to ensure their security.
  • Basis of legitimacy: The legitimate interest of Correos, as far as identification data is concerned, consisting in monitoring that access to the facilities is carried out by authorized personnel, avoiding possible unauthorized access.
  • Data processed for this purpose: Identification data (name, surname, photograph and, if applicable, identification document).

Purpose 11 - Managing corporate resources

  • Description of purpose: Monitor, control and access the technological resources and means provided to the Employee, if applicable, always in compliance with the applicable law and with respect for the principles of proportionality, rationality and suitability. ​To guarantee the security of the information processed by Correos, the electronic equipment provided to the worker to carry out their functions (such as computers and mobile phones) will be installed with various technological solutions that enable the logging and monitoring of activities or the remote encryption of documentation, when necessary. Except when expressly authorised, the use of all Correos electronic devices for purposes unrelated to carrying out the worker's assigned functions is prohibited.
  • Basis of legitimacy: Legitimate interest of Correos, consisting of ensuring the integrity, security and updating of Correos devices, ensuring their use in accordance with the established rules of use and limits.
  • Data processed for this purpose: Identification data, contact data, and browsing and interaction data with the resources provided.

Purpose 12 - Prevention and investigation of unlawful actions

  • Description of purpose: Correos will process employee data for the purpose of complying with established legal and corporate regulations; investigating and preventing crime, in particular fraud, misuse of services, irregular practices or similar conduct and other unlawful actions that may have a negative impact on Correos, such as financial or reputational loss. Data will also be processed in order to cooperate with the competent authorities when required for the prevention, detection and correction of possible fraud and similar conduct, in this sense, data may be processed in the framework of the management, participation and response in investigative or legal proceedings, including those conducted by administrative authorities or bodies of the judiciary.
  • Basis of legitimacy: Legitimate  interest of Correos consisting of guaranteeing a lawful action and in accordance with the ethical commitments acquired by Correos on the part of employees, through the processing of personal data strictly necessary for the prevention of fraud and similar conduct that may have a negative impact on Correos, in accordance with the possibilities recognised for this purpose by Recital 47 of the General Data Protection Regulation.
  • Data processed for this purpose: Identification data, contact details, academic data, professional and employment details, including information known in the recruitment process and inferred from the employment relationship, and financial data.

Purpose 13 - Maintenance of emergency contact

  • Description of purpose: Management and maintenance of the contact details of those persons designated as emergency contact persons.
  • Basis of legitimacy: Employee Consent.
  • Data processed for this purpose: Identification and contact data, relationship data and/or status of the person designated as emergency contact.

Purpose 14 - Sending communications about corporate benefits

  • Description of purpose: Sending communications to the Employee through electronic channels with information about corporate benefits, either regarding Correos products and services, Correos Group companies, and third party companies with which Correos has signed a collaboration agreement/contracts/agreements.
  • Basis of legitimacy: Consent of the interested party.
  • Data processed for this purpose: Identification and contact information.

Purpose 15- Internal communication

  • Description of the purpose: development  of corporate tools that enable knowledge and contact between Correos employees; sending informative communications through various corporate channels, including corporate e-mail and telephone, relating to: initiatives developed by Correos related to the employment or civil service relationship maintained (e.g. work-life balance actions, employee opinion surveys, training actions, questionnaires on different subjects such as cybersecurity, data protection, etc.); activities developed in the field of Corporate Social Responsibility (e.g. solidarity events,  sustainability actions, etc.); competitions/draws organised by Correos in which employees and their families can participate and information on corporate benefits.
  • Basis of legitimacy: Legitimate interest of Correos, consisting of generating an environment and degree of generalised information among the staff about the novelties that take place in Correos and about relevant issues and facts about corporate activities.
  • Data processed for this purpose: Identification and contact information.

In relation to those purposes listed above and whose basis of legitimacy has been identified as the legitimate interest of Correos, the Employee may contact the following address derechos.protecciondatos.correos@correos.com in order to obtain more information on the weighting carried out (between the aforementioned interest and the right to the protection of personal data of those affected). The Employee also has the right to object to processing activities based on legitimate interest.

Purpose 16 - Compliance with legal obligations

  • Description of purpose: To comply with the various legal obligations attributed to it. In compliance with these obligations, Correos may communicate your data to Public Administrations and courts whenever said information is required for established legal proceedings.
  • Basis of legitimacy: The basis for this processing is compliance with a legal obligation.
  • Data processed for this purpose: For this purpose, the data necessary for the fulfilment of legal obligations will be processed in accordance with the applicable regulations.

Purpose 17 - Representation of third parties

  • Description of purpose: To comply with the various legal obligations attributed to it. In order to fulfil these obligations, Correos shall designate those employees it deems necessary to act as authorised representatives of third parties for the submission of applications to the different Public Administrations.
  • Basis of legitimacy: Compliance with legal obligations and execution of the contractual relationship, compliance with the applicable Collective Bargaining Agreement and other collective agreements applicable in each case.
  • Data processed for this purpose: For this purpose, the data necessary for the fulfilment of the legal obligations attributed will be processed.

Sources and types of data processed

The data processed for the correct management of the employment relationship come from different sources, including:

- The worker, like for instance, the information provided during the recruitment/assessment process and the subsequent signing of the contract, or, when required for the position, when filling out audit forms.

- The development and maintenance of the contractual or civil service relationship, for example, the employee's professional identification number (PIN) or analogous number that identifies the employee.

- Group companies, if the worker has provided services with them in the past.

- Other external sources, like recruitment and/or assessment companies.

- Public Bodies, like for instance the Social Security Treasury, the State Tax Administration Agency, etc.

Likewise, the worker shall provide the personal data of their family members that is necessary to comply with occupational, administrative, Social Security and tax regulations for legally established purposes, and declares to have informed and obtained consent from said family members to transfer their data to Correos for the purpose indicated above, undertaking to communicate any changes to the data that may occur so that they can be modified.

The types of data processed by Correos, communicated directly by the interested party, are, by way of example:

  • Identification data: such as name, surname, identity document and image.
  • Contact information: such as telephone number and postal or e-mail address.
  • Personal characteristics data: such as data relating to your family, date of birth, nationality, age, gender, marital status, etc.
  • Data on social circumstances such as hobbies.
  • Economic, financial and insurance data: such as economic data related to the payment of your payroll, bank details, etc.
  • Academic, professional and employment details: such as information about your education and qualifications, employment history, employee identification, job title and category, etc.
  • Transaction data of goods and services: IP addresses and corporate device identifiers, access and navigation logs, etc.
  • Special category data: health data, union membership data, etc.
  • Geopositioning data in the cases indicated above.
  • Data collected for workday registration.
  • Data relating to the commission of criminal or administrative offences in those cases where this is necessary in view of the characteristics of the job to be performed.

Communication of personal data and international transfers

Your data will be transferred to the Public Administrations in compliance with labour, administrative, Social Security and Tax regulations for the legally established purposes; in relation to the records related to the working day registry, they will be available to the legal representatives and the Labour and Social Security Inspection. Likewise, and for the purposes of performing your professional functions, your data shall be transferred to the following companies: (i) Insurance Companies, for the purpose of managing the different insurance policies of which the employee may be a beneficiary; (ii) travel agencies, for the purpose of managing the trips that the employee must make as a result of the employment relationship; (iii) Financial Institutions, for the purpose of issuing credit/payment cards and reconciling payments with travel agencies when necessary due to the characteristics and responsibilities of the job; (iv) Printing companies, for the purpose of issuing business cards in those cases in which the activity of the job requires this; (v) Mutual Insurance Companies for the purpose of assessing the risk prevention of accidents at work; (vi) Group companies to assess the suitability of their profile for existing vacancies and to evaluate their professional development within the Group; (vii) State Foundation for Employment Training or similar entities to obtain the corresponding bonuses; (viii) Clients or potential clients of the Group in which the worker will participate directly; (ix) Suppliers of the Group when necessary to guarantee the correct formalisation and signing of service provision contracts with said suppliers.

Your data may also be shared with suppliers of Correos that require access to personal data, who will process them as data processors, according to the instructions under the supervision of Correos.

For those cases in which an international transfer of personal data may take place, it will only be carried out in compliance with the guarantees required by current legislation, either (i) through the adoption of appropriate safeguards following an analysis of the impact of such transfer or (ii) in cases recognized by the legislation as exceptions for specific situations.

Prior to the disclosure of personal data of third parties (e.g. emergency contacts, etc.), the Employee undertakes to obtain the informed consent of such third parties to disclose their personal data to Correos, in accordance with the information described in this policy.

How long are my personal data stored?

The personal data provided will be kept until the purpose that motivates its treatment in each case is achieved, as well as according to the period of time determined based on the following criteria: (i) duration of the employment relationship and attention to any liabilities arising from such relationship; (ii) legal obligation of conservation; and, (iii) request for deletion by the data subject in the cases in which it is appropriate. You can request more information about the retention periods by contacting the DPO mailbox at dpdgrupocorreos@correos.com.

What rights does the Employee have?

To the extent recognised by the data protection regulations applicable from time to time, the Employee may exercise the following rights in relation to the processing of your data:

a. Right of access: if you exercise this right you will find out what type of data we are processing and the characteristics of the processing we are carrying out.

b. Right to rectification: if you exercise this right you can request your data to be changed because they are inaccurate or untruthful.

c. Right to portability: if you exercise this right you can obtain a copy of the data being processed in an interoperable format.

d. Right to limitation of data processing: if you exercise this right you can limit the processing of your data in the cases defined by law.

e. Right to oppose: if you exercise this right you can oppose the processing of your data and request to no longer be sent commercial communications.

f. Right to erasure: if you exercise this right you can request the deletion of your data when the processing is no longer necessary.

g. Right to withdraw  the consent given, if applicable.

You may exercise your rights through any of the following channels, indicating the right to be exercised and attaching any other documentation you consider appropriate:

  • Postal address: Calle del Conde de Peñalver 19, 28006- Madrid (Spain)

You also have the right to file a complaint with the supervisory authority (in Spain, the AEPD), www.aepd.es , in the event that you believe your data protection rights have been violated. However, in the first instance, you may submit a complaint to the Data Protection Officer at the following e-mail address dpdgrupocorreos@correos.comwho will resolve the complaint within a maximum period of two months.