SII Privacy Policy

MONEI DIGITAL PAYMENTS S.L. (hereinafter, "MONEI"), with registered office at Calle Palestina, 1, Entreplanta, 29007, Málaga and Tax ID B02660926.

Data Protection Officer: support@monei.com

In the framework of processing and investigating reports, MONEI will collect the following personal data:

• Name and contact details of the whistleblower, in case of a non-anonymous report. The whistleblower may also voluntarily identify themselves after submitting the report or provide additional documentation or information at a later stage of the process.
• Information provided both at the time of reporting and throughout the processing of the case. This information will contain a precise and detailed description of the reported facts, the approximate date of the irregular action, the affected area and its possible impact, as well as precise evidence supporting the report.
• Name and other personal data of the persons mentioned in the report (alleged offender, possible witnesses, and others), if such information is provided (i.e., description of functions, contact details, and participation or role regarding the reported facts).
• Depending on the reported facts, MONEI may access: (i) all information provided by the whistleblower (including interviews if necessary), (ii) information provided by third parties such as: witnesses, family members, the reported person, experts, state security forces, MONEI colleagues, external third parties such as specialized investigators or consultants, (iii) all documents provided or related to the reported fact, and (iv) information technology resources assigned to the whistleblower and reported person, including, but not limited to, their corporate email, as well as any other computer resources provided by MONEI.

At all times, only personal data that is strictly necessary for the purposes of managing, processing, and investigating reports relating to the commission of irregularities is processed, in order to carry out the necessary actions for investigating the reported facts, including, where appropriate, the adoption of appropriate disciplinary or legal measures.

The purpose of processing personal data is to manage the communication of irregular conduct through this System when the whistleblower reports suspicions of irregular conduct, illegal acts, or regulatory non-compliance. MONEI makes available to users who are employees, suppliers, or any third party with legitimate interest the possibility of reporting any irregular conduct, illegal acts, or regulatory non-compliance through the System.

Personal data will not be used for any purpose other than that indicated.

The processing of personal data carried out in the framework of managing and investigating received reports is carried out on the basis of Article 6.1.c) of the GDPR (compliance with a legal obligation) or under Article 6.1.e) of the GDPR (compliance with public interest). Additionally, the processing of special categories of data that occurs within the framework of the System is covered by the exception in Article 9.2.g) GDPR (reasons of substantial public interest).

The applicable regulations in Spain establish the obligation to establish communication channels and recognize these as an excellent tool for the effective prevention of crimes, including as recipients all company subjects (employees, managers, etc.) as part of its internal control in terms of risk management. In particular:

• Law 2/2023, of February 20, regulating the protection of persons who report regulatory infractions and fight against corruption.
• The Criminal Code establishes in its Article 31 bis 2. 4º the "obligation to report possible risks and non-compliance to the body in charge of monitoring the operation and observance of the prevention model." Implicitly, companies must provide a channel through which information can be sent.
• Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing establishes in its Article 26.bis the obligation for obliged subjects to establish procedures for their employees, managers, or agents to communicate, even anonymously, relevant information about possible breaches of that law, its development regulations, or implemented policies and procedures.

All reports, queries, suggestions received through MONEI's SII, the responses given to the whistleblower, all documentation generated in the investigation, interviews, etc. will be retained in accordance with applicable data protection regulations and for the time strictly necessary for the purposes of developing the investigation or to apply appropriate measures to defend MONEI's interests. In no case may data be retained for a period longer than ten (10) years.

The data of those who make the communication and of employees and third parties must be kept in the System only for the time necessary to decide on the appropriateness of initiating an investigation into the reported facts.

In any case, after three (3) months from the introduction of the data, it must be deleted. Communications that have not been processed may only be recorded in anonymized form, without the blocking obligation in Article 32 of Organic Law 3/2018, of December 5, being applicable.

After the period mentioned in the previous paragraph, the data may continue to be processed by the body responsible for investigating the reported facts, not being kept in the System itself.

System users can exercise their rights of access, rectification, deletion, opposition, limitation of processing and portability, regarding the processing for which MONEI is responsible by writing to MONEI at the address indicated above proving their identity or by email to: support@monei.com

Likewise, in the event that data protection rights are considered to have been violated, any complaint may be filed with MONEI's Data Protection Officer or with the Spanish Data Protection Agency, AEPD, www.aepd.es.