Confidentiality/Employee data protection policy

Commitment to Confidentiality 

Both during the labour/civil service relationship and upon its termination for any reason, the employee is bound to keep Correos Confidential Information secret and strictly confidential.

Confidential Information is any information the employee has access to as part of performing their job (including personal data accessed).

Should the employee have accessed personal data as part of their duties, they shall only process the data to comply with these duties; the data may never be used for other purposes or transferred to third parties, not even for storage.

The employee will adopt the technical and organisational measures indicated by Correos.

Employee data protection policy

Data controller

The data controller is “Sociedad Estatal Correos y Telégrafos, S.A., SME” (“Correos”), with Spanish Tax ID No. A-83052407 and registered address at Vía Dublín no. 7 (Campo de las Naciones) 28070 Madrid (Spain).

To ensure compliance with data protection regulations, Correos has appointed a Data Protection Officer (DPO) who you can write to with any questions about this topic at the following email address:

Purposes of personal data processing

We process your data in order to properly manage the employment or civil service relationship with you. This includes, but is not limited to, the following activities:

     - Managing and paying salaries, and complying with the set of legal and regulatory requirements derived from carrying out the employment activity, including, for instance, administrative, fiscal, occupational and Social Security regulations.

     - Managing licences, permissions, transfers, leaves of absence, temporary disability, etc.

     - Applying Occupational Risk Prevention regulations.

     - Managing the professional development of the worker within Correos as part of internal development and/or assessment processes.

     - Planning and carrying out the training plan and other educational and informative actions not included in the training plan.

     - Carrying out the work of business management and control, which generally involves all activities aimed at verifying that the professional performance is in accordance with occupational regulations, the company’s directives (e.g. the Code of Ethics and Computer Use Policy) and prevailing principles of good faith. Workers are therefore informed that:
          - Video surveillance cameras may be installed and used in work centres.
          - To guarantee the security of the information processed by Correos, the electronic equipment provided to the worker to carry out their functions (such as computers and mobile phones) will be installed with various technological solutions that enable the logging and monitoring of activities or the remote encryption of documentation, when necessary. Except when expressly authorised, the use of all Correos electronic devices for purposes unrelated to carrying out the worker's assigned functions is prohibited.
          - Correos may use technology for the correct functioning of mobile devices or company vehicles used by workers to carry out their functions like postal service delivery, parcels, etc. This technology shall comply with data minimisation and privacy criteria by design, and by default we will only receive the information necessary to exercise the required business control, and only during the employee’s working hours. Correos shall inform all workers affected by this type of implementation beforehand of the rationale behind it.

     - Enabling the inclusion of employees’ professional information in service proposals, documentation required for public and/or private tenders that Correos may be participating in, and contracts entered into with third parties, when the worker is expected to directly participate in developing said professional relationships.

Type of data processed and sources

The data processed for the correct management of the employment relationship come from different sources, including:

     - The worker, for instance through the information provided during the recruitment/assessment process and the subsequent signing of the contract, or, when required for the position, when filling out audit forms.

     - The development and maintenance of the employment or civil service relationship.

     - Group companies, if the worker has provided services with them in the past.

     - Other external sources, like recruitment and/or assessment companies.

     - Public Bodies, for instance the Social Security Treasury, the State Tax Administration Agency, etc.

Likewise, the worker shall provide the personal data of their family members that is necessary to comply with occupational, administrative, Social Security and tax regulations for legally established purposes, and declares to have informed and obtained consent from said family members to transfer their data to Correos for the purpose indicated above, undertaking to communicate any changes to the data that may occur so that they can be modified.

The following types of data are processed:

     - Identifying information (e.g. name, surname(s), identity document, voice, etc.).

     - Personal details (e.g. marital status, age, sex, etc.)

     - Social circumstances (e.g. hobbies, etc.)

     - Economic, financial and insurance (e.g. insurance policies, taxes, etc.).

     - Academic and professional (e.g. education, degrees, etc.).

     - Employment details (e.g. category, job position, etc.).

     - Sensitive information. This category may include data on union affiliation or representation, health information, biometric data.

     - Commercial information (e.g. activities and businesses for managing conflicts of interest)

     - Criminal or administrative infractions committed, when it is necessary to know this data due to the characteristics of the job position.

Legal basis

Data is processed under the following legal bases:

     A. Developing and executing the employment or civil service relationship with you.

     B. Complying with legal obligations and exercising the rights inherent to a business owner.

     C. Correos’s legitimate interest in developing corporate tools (e.g. the employee portal) that enable contact and connection among Correos employees and employees from the other companies in the Group, and the possibility of sharing knowledge.

     D. When the processing does not fall under any of the circumstances above, the worker will be asked for their free, informed and specific consent (e.g. use of the worker’s image to promote Correos or the companies in its Group).

Communicating personal data

Your data will be transferred to Public Administrations in compliance with occupational, administrative, Social Security and tax regulations for legally established purposes. Likewise, and for the purposes of performing your professional functions, your data shall be transferred to the following companies: (i) Insurance Companies, for the purpose of managing the different insurance policies that the worker may benefit from; (ii) Financial Institutions, for the purpose of issuing credit/payment cards and reconciling payments with travel agencies when necessary due to the characteristics and responsibilities of the job position; (iii) Printers, for the purpose of issuing business cards when required by the job position or activity; (iv) Workplace Accident Mutual Insurance Companies, companies that collaborate on managing temporary disability and companies working in occupational risk prevention, for the purpose of risk prevention; (v) Group companies, to assess the suitability of your profile for existing vacancies and rate your professional development in the Group; (vi) State Foundation for Workplace Training and similar entities for obtaining the corresponding allowances; (vii) Clients or potential clients of the Group where the worker will be participating directly; (viii) Suppliers of the Group when necessary to ensure the correct formalisation and signing of service provision contracts with said suppliers.

Time for keeping personal data

Personal data will be kept for as long as required by applicable law in each case, based on the type of data and the purpose of the processing. When the processing is no longer necessary, the data will be blocked and only available at the request of Public Administrations and courts. Once the statute of limitations has passed, your data will be fully erased and no longer recoverable. As an example, infractions against social security regulations have a statute of limitations of 4 years and data is kept for 10 years under anti-money-laundering regulations.

Rights of employees

Workers may exercise the following rights related to the processing of their data to the extent they are recognised in the data protection regulations applicable at any time:

     A. Right to access: if you exercise this right you can find out what type of data are being processed and the characteristics of the processing.

     B. Right to rectification: if you exercise this right you can request your data to be changed if they are inaccurate or untruthful.

     C. Right to portability: if you exercise this right you can obtain a copy of the data being processed in an interoperable format.

     D. Right to the limitation of data processing: to limit the processing of your data in the framework of the employment relationship, in the cases defined by Law, and provided said limitation does not hinder correct compliance under the terms cited above.

     E. Right of opposition: you may oppose the processing of your data and automated decision making, in the cases defined by Law, and provided said limitation does not hinder correct compliance under the terms cited above.

     F. Right to erasure: you can request the erasure of your data when the processing is no longer necessary.

To exercise any of these rights, workers may write to Correos, to the attention of the HR Department, via post or email. Postal address: Vía Dublín no. 7 (Campo de las Naciones) 28070 Madrid (Spain). Email address: