Specific Data Protection Compliance Program
This specific Compliance Program is focused on the protection of personal data to which EDPR has access and for which it is responsible. This Program has as its central axis the principles reflected in the Personal Data Protection Policy, which applies across all business units and operations of the group (including service providers, which only process personal data following documented instructions from EDPR), approved by the Board of Directors in 2020.
In this context, EDPR has been strengthening its management system to ensure the compliance and adequacy of EDPR Group entities to the applicable legal requirements in terms of Data Protection in the different geographical areas.
The governance model of the specific Data Protection Compliance Program is based on the conceptual risk and control "3 lines of defence" management model and establishes the responsibilities and the interaction framework between the different relevant stakeholders.
In the second line of defence, the Program is promoted and coordinated by the Center of Excellence (CoE) for Privacy & Data Protection, within the Ethics and Compliance Global Unit (E&C). In addition, whenever required by law, EDPR has a Data Protection Officer (DPO) who provides support in terms of privacy at a global level. The DPO reports directly to E&C on the development of its activity as well as regarding any non-conformities and risks detected.
In turn, the different businesses and other support functions (such as People & Organization or Safety and Security) in the 1st line of defence, which carry out personal data processing activities, are responsible for ensuring that their activities are performed in accordance with legal requirements and internally defined policies and procedures.
Internal Audit, in the 3rd line of defence, conducts specific audit work to verify the adequacy and effectiveness of the implemented control mechanisms.
Additionally, the program is supported by a set of Standards and Procedures that address in detail topics such as:
- the "privacy by design" process and risk and impact assessments;
- the management of third parties/service providers who process data on behalf of EDPR;
- the response to requests for the exercise of rights by the data subjects;
- the management of incidents and personal data breaches.