Privacy Notice | EDP Renováveis

In accordance with applicable Data Protection Legislation by means of this Privacy Policy, the data subject is informed of the following:

1. Who is the Data Controller for the processing of the personal data?

• Data controller: The EDP RENOVÁVEIS, Group company (hereinafter, "EDPR" or "Data Controller") processing the data subjects’ personal data. For these purposes, “Group” shall be understood as the definition of ‘group of companies’ set forth in the applicable regulations. For further information about which companies are part of EDPR Group, you may access here. 
• Registered office: Plaza del Fresno, number 2 Oviedo (Spain), with registered office at Centro Empresarial Parque Norte Edificio Olmo, 7th floor, 28033 Madrid (Spain). 
• Tax Identification Number: A-74219304
• Contact details of the Data Protection Officer (DPO) dataprotection@edpr.com
  

2. Purposes of processing, categories of personal data and lawful bases  

The Data Controller will process the information, manually or automatically, provided by the data subject, in a lawful, fair and transparent manner. To this end, it is important that the data subject informs of any changes that occur in his/her personal data, in order to keep them up to date.

Means of contact

The Data Controller will process the personal data of data subjects in order to manage and answer queries, doubts or requests made by them, through the means of contact made available to them.

The Data Controller will process, for this purpose, the following categories of data:

• Identification data: name, surname;
• Contact details: e-mail, telephone;
• Other: any other information provided by the data subject via email or telephone.

In the event that the data subject provides personal data related to a third party, the data subject declares that the provision of personal data is lawful and undertakes to pass on the information contained in this Privacy Policy to said third party.

The lawfulness for the processing of personal data for this purpose is EDPR’s legitimate interest in the correct management of the data subjects’ queries, doubts or requests and their due attention and, where applicable, response thereto.

Suppliers and business contacts as recipients of e-mail communications

The Data Controller will use the contact details of data subjects for the purposes of professional location, management of contractual and commercial relations with the recipient or with the entity in which the recipient provides services, as appropriate, as well as resolution of queries and, where appropriate, complaints addressed to EDPR by the recipient of such communications.

The Data Controller will process, for this purpose, the contact details of the data subjects. The lawfulness for this processing is the execution of the contact or pre-contract between the parties.

On the other hand, the Data Controller will also process the contact details of the data subjects for the purpose of maintaining commercial relations with the third parties. The lawfulness for this processing is the legitimate interest of the Data Controller in maintaining commercial relations.  This processing contributes to the achievement of the purposes of the Data Controller, promoting economic activity and productivity in the sector and the interest of the suppliers and business contact in which the data subject provides their services for the initiation or maintenance of the commercial relationship between the parties. In any case, the data subject may object at any time to the processing of his/her data for the aforementioned purpose, in accordance with the provisions of the section on the exercise of rights.

Due diligence measures for sponsorships and/or donations

The Data Controller may conduct an analysis of the adequacy of the sponsorships and/or donations’ beneficiaries (hereinafter the “Beneficiary”) in line with the EDPR Group's due diligence procedures, in accordance with EDPR's legitimate interests  in ensuring compliance with internal integrity requirements and policies in its relations with third parties on the occasion of sponsorships and/or donations, for which an assessment between EDPR's legitimate interests and the rights and freedoms of data subjects has been performed. In order to achieve this objective, the following checks will be carried out:

• controls relating to the Beneficiary’s relationship with Politically Exposed Persons.
• verification on the Beneficiary’s inclusion on national and international sanction lists or exclusion lists.
• verification of the Beneficiary’s involvement in judicial and/or administrative proceedings that may lead to the commission of unlawful acts, directly or indirectly, related to EDPR, activities.
• media checks on facts that may reveal reprehensible conduct by the Beneficiary.

The checks described above are necessary to prevent the risk of committing certain offences and to maintain an adequate level of integrity among the people who maintain relations of any kind with EDPR.

However, in order to prevent damage and potential negative consequences arising from such processing, technical and organisational measures have been taken to guarantee the appropriate use of this information and to reinforce its confidentiality and security. The Beneficiary may object to this processing in accordance with the provisions of the section on the rights of data subjects with regard to data protection.

Relationship with third parties for Purchases, Non-Binding Offers and Confidentiality Agreements

The Data Controller shall use personal data relating to the legal representatives, shareholders, employees or collaborators of the counterparty (hereinafter collectively the "counterparty") for:

• The performance of the obligations set out in the relevant Contract (the non-binding offer, purchases or confidentiality agreement, as the case may be), the lawfulness of which lies in in the execution and performance of the corresponding contractual relationship.
• Compliance with applicable legislation and/or to respond to requests from the authorities, the lawfulness of this processing is, precisely, compliance with the obligations to which EDPR is subject.
• The exercise of legal actions or defence in judicial, administrative and/or extrajudicial proceedings, including in relation to debt recovery proceedings, also through third parties, in accordance with their legitimate interests in effective judicial protection.
• The management of a possible merger, sale of assets or transfer of all or part of the business, by disclosing and transmitting the data to a third party or parties involved in the transaction as part of it, in accordance with the legal empowerment established by law in this regard.
• The analysis of the adequacy of the counterparty in line with EDPR Group's due diligence procedures, in accordance with EDPR's legitimate interests in ensuring compliance with internal integrity requirements and policies in its relationships with third parties, for which an assessment between EDPR's legitimate interests and the rights and freedoms of data subjects has been performed. In order to achieve this objective, the following checks will be carried out:
  • controls relating to the counterparty's relationship with Politically Exposed Persons;
  • checks on the counterparty's inclusion on national and international sanctions lists or exclusion lists;
  • verification of the counterparty's involvement in judicial and/or administrative proceedings that may lead to the commission of unlawful acts that may affect, directly or indirectly, EDPR's activities.
  • Media checks on facts that may reveal reprehensible conduct by the counterparty.
    The checks described above are necessary to prevent the risk of committing certain offences and to maintain an adequate level of integrity among the people who maintain relations of any kind with EDPR. However, in order to avoid damage and potential negative consequences arising from such processing, technical and organisational measures have been taken to guarantee the appropriate use of this information and to reinforce its confidentiality and security. The other party may object to this processing in accordance with the provisions of the section on the rights of data subjects with regard to data protection.

The processing of the counterparty's data for the purposes based on the performance of a contract is necessary to achieve these purposes, as EDPR will not be able to perform the contractual relationship with the counterparty if it does not provide its personal data.

3. How long do we store your personal data?

With regard to personal data arising from the means of contact, the data provided will be stored for as long as their processing is necessary for the purpose for which they were collected, unless you request us to erase them before that date and there is no legal or judicial mandate that obliges us to store the personal data.

With regard to personal data arising from the use of contact details of suppliers and business contacts, the data provided will be kept for as long as the relationship with the data subject subsists, unless you request us to erase them before that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

With respect to the personal data arising from the due diligence measures described above, these shall be stored for as long as the relationship with the data subject subsists, unless you request us to erase them prior to that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

With regard to personal data arising from contractual relationships with third parties for purchases, non-binding offers and confidentiality agreements described above, these will be stored for as long as the relationship with the data subject subsists, unless you request us to erase them prior to that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions in accordance with applicable law.

4. What security measures do we apply?

In order to safeguard the security of your personal data, the Data Controller has adopted all the technical and organisational measures necessary to guarantee the security of the personal data supplied, in order to prevent their alteration, loss and/or unauthorised processing or access, as required by law, although absolute security does not exist.

Likewise, all our staff, whatever the stage of processing in which they are involved, have undertaken to process your personal data with the utmost care, secrecy, and confidentiality and that it will be processed in accordance with current applicable Data Protection Legislation.

5. To which recipients will personal data be communicated?

The personal data of data subjects may be communicated to:

• entities belonging to the EDPR Group, in accordance with their legitimate interests, exclusively for internal administrative purposes;
• people and/or competent authorities who have a right of access to the data recognised by law or regulation or by provisions issued by authorities legally empowered to do so, for the fulfilment of the obligations to which EDPR is subject;
• potential acquirers of EDPR, and entities resulting from merger processes and any other type of transformation affecting EDPR, in accordance with their legitimate interests.

The Data Controller relies on the cooperation of third-party service providers who may have access to your personal data and who will process the data on behalf of and for the account of the Data Controller, as a consequence of their provision of services.

In this respect, the Controller follows strict criteria for the selection of service providers in order to comply with its data protection obligations and undertakes to enter into the corresponding data processing agreement with them, whereby it will impose on them, among others, the following obligations: to implement appropriate technical and organisational measures to ensure the security of personal data; to process personal data for the agreed purposes and only in accordance with the documented instructions of the Controller; and to erase and return the data to the Controller once the provision of the services has been completed.

6. International data transfers

Personal data of data subjects may be transferred to countries other than the Data Subject Territory and other than Data Controller Territory. In such cases, the data processing could involve international data transfers under the terms of the applicable personal data protection legislation from time to time.

For the purposes of this Privacy Notice, an international data transfer shall be deemed to take place in the following cases:

• Transfer from the EU to a Third Country [i]. The processing of personal data subject to compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, from the territory of a Member State of the European Union to recipients established in countries outside the European Economic Area  (the countries of the European Union, Liechtenstein, Iceland and Norway).
• Transfer from a Third Country to another Third Country. The processing of personal data, from the territory of a Third Country to recipients established in a Third Country other than the territory of the Data Controller.
• Transfer from a Third Country to the EU. The processing of personal data from the territory of a Third Country to the territory of a Member State of the European Union.

EDPR may transfer your personal data to countries with an adequate level of protection recognised by the competent authorities.

In the case of transfers to countries not considered to have an adequate level of protection according to the applicable Data protection Legislation and/or considered by the competent supervisory authority, EDPR has implemented appropriate and adequate safeguards to protect the personal data of data subjects and to ensure an adequate level of security. Accordingly, the personal data of data subjects will be transferred in accordance with the requirements and obligations established by the applicable Data Protection Legislation. In these cases, EDPR guarantees to have subscribed with the recipients, collaborators and/or suppliers who access to personal data, the corresponding Contractual Clauses and determined the additional guarantees, when necessary, for the best protection of your personal data.

For more information on appropriate and adequate security measures, data subjects may contact EDPR through the contact means of their Data Protection Officer at dataprotection@edpr.com.

7. What rights does the data subject have?

In accordance with data protection regulations, the data subject has the right to:

• Access to your personal data. This also includes the right to obtain confirmation as to whether their data is being processed.
• Rectify inaccurate or incomplete data.
• Object to the processing of the data, where the processing is noncompliance with applicable personal data protection legislation.
• To withdraw his/her consent at any time, without prejudice to the lawfulness of the processing previously carried out.
• Request the erasure of your data when they are no longer necessary for the purposes for which they were collected, among other reasons. Where applicable, data shall be anonymised or blocked in accordance with applicable personal data protection legislation.
• Obtain from the Data Controller the restriction of the processing of the data when any of the conditions provided for in the regulations in force are met.
• Request the portability of your data, either for yourself or for transfer to another Data Controller.

In order to exercise the aforementioned rights, you must send your request to the address indicated in the heading of this document, through the channel provided on the website www.edpr.com or through the DPO's e-mail address: dataprotection@edpr.com.

The Data Controller will respond to the right exercised within the legally stipulated period.

Finally, the data subject may, in addition, file a complaint with the competent Control Authority if he/she considers that the Controller has infringed the rights recognised by the applicable data protection regulations.

Last update: July 2024

[i] The term ‘Third Country’ refers to countries outside the European Economic Area.