edp renewables

In accordance with General Data Protection Regulation 679/2016/EU, as well as the rest of the regulations in force, by means of this Privacy Policy, the user is informed of the following:

1. Who is the controller for the processing of the personal data?

  • Data controller: EDP RENOVÁVEIS, S.A.  (hereinafter, "EDPR" or "DataController").
  • Registered office: Plaza de la Gesta, number 2 Oviedo (Spain), with registered office at Centro Empresarial Parque Norte Edificio Olmo, 7th floor, 28033 Madrid (Spain).
  • Tax Identification Number: A-74219304
  • Data Protection Officer (DPO) contact: dataprotection@edpr.com

EDPR is the Data Controller for the processing of user data (hereinafter "user" or "data subject") through the website www.edpr.com (hereinafter the "Website").

2. Purposes of processing, categories of personal data and legitimate basis

The Data Controller will process the information, manually or automatically, that the user provides through the Website, in a lawful, fair and transparent manner. To this end, it is important that the user informs of any changes that occur in his/her personal data, in order to keep them up to date.

Means of contact

The Data Controller will process the personal data of users in order to manage and answer queries, doubts or requests made by them, through the means of contact made available to them through the Website.

The Controller will process, for this purpose, the following categories of data:

  • Identification data: name, surname.
  • Contact details: e-mail, telephone.
  • Other: any other information provided by the user via email or telephone.

In the event that the user provides personal data related to a third party, the user declares that the provision of personal data is lawful and undertakes to pass on the information contained in this Privacy Policy to said third party.

The legitimate basis for the processing of personal data for this purpose is the consent of the user expressed through the sending of his/her query, doubt or request for information, through the means of contact described above, after having read and accepted this Privacy Policy. Users may withdraw their consent at any time, without prejudice to the lawfulness of the processing carried out to date, but it is possible that, as a result, their request for information may not be met.

Suppliers and business contacts as recipients of e-mail communications

The Data Controller will use the contact details of data subjects for the purposes of professional location, management of contractual and commercial relations with the recipient or with the entity in which the recipient provides services, as appropriate, as well as resolution of queries and, where appropriate, complaints addressed to EDPR by the recipient of such communications.

The Data Controller will process, for this purpose, the contact details of the data subjects.

The legitimate basis for this processing is the legitimate interest of the Data Controller in maintaining commercial relations with third party suppliers through the processing of their contact data, which contributes to the achievement of the purposes of the Data Controller, promoting economic activity and productivity in the sector and, additionally, represents a clear benefit for the supplier in which the data subject provides services by increasing its turnover. This processing is in accordance with the empowerment provided by the applicable regulations consisting of the professional location of the data subject for the purpose of maintaining commercial relations. In any case, the data subject may object at any time to the processing of his/her data for the aforementioned purpose, in accordance with the provisions of the section on the exercise of rights.

Due diligence measures for sponsorships and/or donations

The Controller may conduct an analysis of the adequacy of the Supplier (and specifically of its employees, customers, shareholders, suppliers, related non-governmental organisations or the Supplier itself) in line with the EDPR Group's due diligence procedures, in accordance with EDPR's legitimate interests in ensuring compliance with internal integrity requirements and policies in its relations with third parties on the occasion of sponsorships and/or donations, for which an assessment between EDPR's legitimate interests and the rights and freedoms of data subjects has been performed. In order to achieve this objective, the following checks will be carried out:

a. controls relating to the Supplier's relationship with Politically Exposed Persons.

b. verification on the Supplier’s inclusion on national and international sanction lists or exclusion lists.

c. verification of the counterparty's involvement in judicial and/or administrative proceedings that may lead to the commission of unlawful acts that may affect, directly or indirectly, EDPR's activities.

d. media checks on facts that may reveal reprehensible conduct by the Supplier.

The checks described above are necessary to prevent the risk of committing certain offences and to maintain an adequate level of integrity among the people who maintain relations of any kind with EDPR.

However, in order to prevent damage and potential negative consequences arising from such processing, technical and organisational measures have been taken to guarantee the appropriate use of this information and to reinforce its confidentiality and security. The Supplier may object to this processing in accordance with the provisions of the section on the rights of data subjects with regard to data protection.

Relationship with third parties for Purchases, Non-Binding Offers and Confidentiality Agreements

The Controller shall use personal data relating to the legal representatives, shareholders, employees or collaborators of the counterparty (hereinafter collectively the "counterparty") for:

a) The performance of the obligations set out in the relevant Contract (the non-binding offer, purchases or confidentiality agreement, as the case may be), the legitimate basis of which lies in the performance of the corresponding contractual relationship.

b) Compliance with applicable national or European regulations and/or to respond to requests from the authorities, the legitimate basis of which is, precisely, compliance with the obligations to which EDPR is subject.

c) The exercise of legal actions or defence in judicial, administrative and/or extrajudicial proceedings, including in relation to debt recovery proceedings, also through third parties, in accordance with their legitimate interests in effective judicial protection.

d) The management of a possible merger, sale of assets or transfer of all or part of the business, by disclosing and transmitting the data to a third party or parties involved in the transaction as part of it, in accordance with the legal empowerment established by law in this regard.

e) The analysis of the adequacy of the counterparty in line with EDPR Group's due diligence procedures, in accordance with EDPR's legitimate interests in ensuring compliance with internal integrity requirements and policies in its relationships with third parties, for which an assessment between EDPR's legitimate interests and the rights and freedoms of data subjects has been performed. In order to achieve this objective, the following checks will be carried out:

  • a. controls relating to the counterparty's relationship with Politically Exposed Persons,
  • b. checks on the counterparty's inclusion on national and international sanctions lists or exclusion lists.
  • c. verification of the counterparty's involvement in judicial and/or administrative proceedings that may lead to the commission of unlawful acts that may affect, directly or indirectly, EDPR's activities.
  • d. Media checks on facts that may reveal reprehensible conduct by the counterparty.

The checks described above are necessary to prevent the risk of committing certain offences and to maintain an adequate level of integrity among the people who maintain relations of any kind with EDPR. However, in order to avoid damage and potential negative consequences arising from such processing, technical and organisational measures have been taken to guarantee the appropriate use of this information and to reinforce its confidentiality and security. The other party may object to this processing in accordance with the provisions of the section on the rights of data subjects with regard to data protection.

The processing of the counterparty's data for the purposes based on the performance of a contract is necessary to achieve these purposes, as EDPR will not be able to perform the contractual relationship with the counterparty if it does not provide its personal data.

3. How long do we store your personal data?

With regard to personal data arising from the means of contact, the data provided will be stored for as long as their processing is necessary for the purpose for which they were collected, unless you request us to erase them before that date and there is no legal or judicial mandate that obliges us to store the personal data.

With regard to personal data arising from the use of contact details of suppliers and business contacts, the data provided will be kept for as long as the relationship with the data subject subsists, unless you request us to erase them before that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

With respect to the personal data arising from the due diligence measures described above, these shall be stored for as long as the relationship with the data subject subsists, unless you request us to erase them prior to that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

With regard to personal data arising from contractual relationships with third parties for purchases, non-binding offers and confidentiality agreements described above, these will be stored for as long as the relationship with the data subject subsists, unless you request us to erase them prior to that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

4. What security measures do we apply?

In order to safeguard the security of your personal data, the Data Controller has adopted all the technical and organisational measures necessary to guarantee the security of the personal data supplied, in order to prevent their alteration, loss and/or unauthorised processing or access, as required by law, although absolute security does not exist.

Likewise, all our staff, whatever the stage of processing in which they are involved, have undertaken to process your personal data with the utmost care, secrecy and confidentiality and that it will be processed in accordance with current regulation on the personal data protection.

5. To which recipients will personal data be communicated?

The personal data of data subjects may be communicated to:

a) third party service providers acting as data processors and who provide services, assistance and/or advice to EDPR, inter alia, in relation to technology, accounting, administration, legal, insurance or IT services, as necessary for the performance of the corresponding contractual relationships;

b) entities belonging to the Group to which EDPR belongs, in accordance with their legitimate interests, exclusively for internal administrative purposes;

c) people and/or competent authorities who have a right of access to the data recognised by law or regulation or by provisions issued by authorities legally empowered to do so, for the fulfilment of the obligations to which EDPR is subject;

d) potential acquirers of EDPR, and entities resulting from merger processes and any other type of transformation affecting EDPR, in accordance with their legitimate interests.

The Data Controller relies on the cooperation of third-party service providers who may have access to your personal data and who will process the data on behalf of and for the account of the Data Controller, as a consequence of their provision of services.

In this respect, the Controller follows strict criteria for the selection of service providers in order to comply with its data protection obligations and undertakes to enter into the corresponding data processing agreement with them, whereby it will impose on them, among others, the following obligations: to implement appropriate technical and organisational measures to ensure the security of personal data; to process personal data for the agreed purposes and only in accordance with the documented instructions of the Controller; and to erase and return the data to the Controller once the provision of the services has been completed.

6. International data transfers

Personal data of data subjects may be transferred to countries within and outside the European Economic Area. For transfers from the EU to countries not considered adequate by the European Commission, EDPR has implemented appropriate and adequate safeguards to protect the personal data of data subjects and to ensure an adequate level of security. Accordingly, personal data of data subjects would be transferred in accordance with the requirements and obligations set out by the applicable data protection regulations.

For more information on appropriate and adequate security measures, data subjects may contact EDPR through the contact means of their Data Protection Officer at dataprotection@edpr.com.

7. What rights does the user have?

In accordance with data protection regulations, the user has the right to:

  • To withdraw his/her consent at any time, without prejudice to the lawfulness of the processing previously carried out.
  • Access toyour personal data.
  • Rectify inaccurate or incomplete data.
  • Request the erasure of your data when they are no longer necessary for the purposes for which they were collected, among other reasons.
  • Obtain from the Data Controller the restriction ofthe processing of the data when any of the conditions provided for in the regulations in force are met.
  • Request the portability of your data, either for yourself or for transfer to another Data Controller.
  • Object to the processing of the data, where appropriate.

In order to exercise the aforementioned rights, you must send your request to the address indicated in the heading of this document, through the channel provided on the website or through the DPO's e-mail address, i.e., dataprotection@edpr.com.

The Data Controller will respond to the right exercised within the legally stipulated period.

Finally, the user may, in addition, file a complaint with the competent Control Authority if he/she considers that the Controller has infringed the rights recognised by the applicable data protection regulations.

 

 

Last update: July 2021.