In accordance with applicable Data Protection Legislation by means of this Privacy Policy, the user is informed of the following:

1. Who is the Data Controller for the processing of the personal data?

  • Data controller: EDP RENOVÁVEIS, S.A. (hereinafter, "EDPR" or "Data Controller").

  • Registered office: Plaza del Fresno, number 2 Oviedo (Spain), with registered office at Centro Empresarial Parque Norte Edificio Olmo, 7th floor, 28033 Madrid (Spain).

  • Tax Identification Number: A-74219304

  • Contact details of the Data Protection Officer (DPO): dataprotection@edpr.com

EDPR is the Data Controller for the processing of user data (hereinafter "user" or "data subject") through the website www.edpr.com (hereinafter the "Website").

2. Purposes of processing, categories of personal data and lawful bases  

The Data Controller will process the information that the user provides through the Website, manually or automatically, in a lawful, fair and transparent manner. To this end, it is important that the user informs the Data Controller of any changes to his/her personal data, in order to keep them up to date.

Means of contact

The Data Controller will process the personal data of users in order to manage and answer queries, doubts or requests made by them, through the means of contact made available to them through the Website.

The Data Controller will process, for this purpose, the following categories of data:

  • Identification data: name, surname;

  • Contact details: e-mail, telephone;

  • Other: any other information provided by the user via email or telephone.

In the event that the user provides personal data related to a third party, the user declares that the provision of personal data is lawful and undertakes to pass on the information contained in this Privacy Policy to said third party.

The lawfulness for the processing of personal data for this purpose is the consent of the user expressed through the sending of his/her query, doubt or request for information, through the means of contact described above, after having read and accepted this Privacy Policy. Users may withdraw their consent at any time, without prejudice to the lawfulness of the processing carried out to date, but it is possible that, as a result, their request for information may not be met.

Suppliers and business contacts as recipients of e-mail communications

The Data Controller will use the contact details of data subjects for the purposes of professional location, management of contractual and commercial relations with the recipient or with the entity in which the recipient provides services, as appropriate, as well as resolution of queries and, where appropriate, complaints addressed to EDPR by the recipient of such communications.

The Data Controller will process, for this purpose, the contact details of the data subjects.

This processing is necessary for the professional location of the data subject for the purpose of maintaining commercial relations.

The lawfulness for this processing is the legitimate interest* of the Data Controller in maintaining commercial relations with third party suppliers through the processing of their contact data. This processing contributes to the achievement of the purposes of the Data Controller, promoting economic activity and productivity in the sector and the interest of the suppliers and business contact in which the data subject provides their services for the initiation or maintenance of the commercial relationship between the parties. In any case, the data subject may object at any time to the processing of his/her data for the aforementioned purpose, in accordance with the provisions of the section on the exercise of rights.

Due diligence measures for sponsorships and/or donations

The Data Controller may conduct an analysis of the adequacy of the Supplier (and specifically of its employees, customers, shareholders, suppliers, related non-governmental organisations or the Supplier itself) in line with the EDPR Group's due diligence procedures, in accordance with EDPR's legitimate interests* in ensuring compliance with internal integrity requirements and policies in its relations with third parties on the occasion of sponsorships and/or donations, for which an assessment between EDPR's legitimate interests and the rights and freedoms of data subjects has been performed. In order to achieve this objective, the following checks will be carried out:

  • controls relating to the Supplier's relationship with Politically Exposed Persons.

  • verification on the Supplier’s inclusion on national and international sanction lists or exclusion lists.

  • verification of the Supplier’s involvement in judicial and/or administrative proceedings that may lead to the commission of unlawful acts, directly or indirectly, related to EDPR's activities.

  • media checks on facts that may reveal reprehensible conduct by the Supplier.

The checks described above are necessary to prevent the risk of committing certain offences and to maintain an adequate level of integrity among the people who maintain relations of any kind with EDPR.

However, in order to prevent damage and potential negative consequences arising from such processing, technical and organisational measures have been taken to guarantee the appropriate use of this information and to reinforce its confidentiality and security. The Supplier may object to this processing in accordance with the provisions of the section on the rights of data subjects with regard to data protection.

Relationship with third parties for Purchases, Non-Binding Offers and Confidentiality Agreements

The Data Controller shall use personal data relating to the legal representatives, shareholders, employees or collaborators of the counterparty (hereinafter collectively the "counterparty") for:

  • The performance of the obligations set out in the relevant Contract (the non-binding offer, purchases or confidentiality agreement, as the case may be), the lawfulness of which lies in the execution and performance of the corresponding contractual relationship.

  • Compliance with applicable legislation and/or to respond to requests from the authorities, the lawfulness of this processing is, precisely, compliance with the obligations to which EDPR is subject.

  • The exercise of legal actions or defence in judicial, administrative and/or extrajudicial proceedings, including in relation to debt recovery proceedings, also through third parties, in accordance with their legitimate interests in effective judicial protection.

  • The management of a possible merger, sale of assets or transfer of all or part of the business, by disclosing and transmitting the data to a third party or parties involved in the transaction as part of it, in accordance with the legal empowerment established by law in this regard.

  • The analysis of the adequacy of the counterparty in line with EDPR Group's due diligence procedures, in accordance with EDPR's legitimate interests*[i] in ensuring compliance with internal integrity requirements and policies in its relationships with third parties, for which an assessment between EDPR's legitimate interests and the rights and freedoms of data subjects has been performed. In order to achieve this objective, the following checks will be carried out:

    • controls relating to the counterparty's relationship with Politically Exposed Persons;

    • checks on the counterparty's inclusion on national and international sanctions lists or exclusion lists;

    • verification of the counterparty's involvement in judicial and/or administrative proceedings that may lead to the commission of unlawful acts that may affect, directly or indirectly, EDPR's activities.

    • media checks on facts that may reveal reprehensible conduct by the counterparty.

    The checks described above are necessary to prevent the risk of committing certain offences and to maintain an adequate level of integrity among the people who maintain relations of any kind with EDPR. However, in order to avoid damage and potential negative consequences arising from such processing, technical and organisational measures have been taken to guarantee the appropriate use of this information and to reinforce its confidentiality and security. The other party may object to this processing in accordance with the provisions of the section on the rights of data subjects with regard to data protection.

The processing of the counterparty's data for the purposes based on the performance of a contract is necessary to achieve these purposes, as EDPR will not be able to perform the contractual relationship with the counterparty if it does not provide its personal data.

3. How long do we store your personal data?

With regard to personal data arising from the means of contact, the data provided will be stored for as long as their processing is necessary for the purpose for which they were collected, unless you request us to erase them before that date and there is no legal or judicial mandate that obliges us to store the personal data.

With regard to personal data arising from the use of contact details of suppliers and business contacts, the data provided will be kept for as long as the relationship with the data subject subsists, unless you request us to erase them before that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

With respect to the personal data arising from the due diligence measures described above, these shall be stored for as long as the relationship with the data subject subsists, unless you request us to erase them prior to that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions.

With regard to personal data arising from contractual relationships with third parties for purchases, non-binding offers and confidentiality agreements described above, these will be stored for as long as the relationship with the data subject subsists, unless you request us to erase them prior to that date and there is no legal or judicial mandate that obliges us to store the personal data or they serve to meet possible claims or exercise of rights, during the limitation period of the corresponding actions in accordance with applicable law.

4. What security measures do we apply?

In order to safeguard the security of your personal data, the Data Controller has adopted all the technical and organisational measures necessary to guarantee the security of the personal data supplied, in order to prevent their alteration, loss and/or unauthorised processing or access, as required by law, although absolute security does not exist.

Likewise, all our staff, whatever the stage of processing in which they are involved, have undertaken to process your personal data with the utmost care, secrecy and confidentiality, and in accordance with current applicable Data Protection Legislation.

5. To which recipients will personal data be communicated?

The personal data of data subjects may be communicated to:

  • entities belonging to the EDPR Group, in accordance with their legitimate interests*, exclusively for internal administrative purposes;

  • people and/or competent authorities who have a right of access to the data recognised by law or regulation or by provisions issued by authorities legally empowered to do so, for the fulfilment of the obligations to which EDPR is subject;

  • potential acquirers of EDPR, and entities resulting from merger processes and any other type of transformation affecting EDPR, in accordance with their legitimate interests*.

The Data Controller relies on the cooperation of third-party service providers who may have access to your personal data and who will process the data on behalf of and for the account of the Data Controller, as a consequence of their provision of services.

In this respect, the Controller follows strict criteria for the selection of service providers in order to comply with its data protection obligations and undertakes to enter into the corresponding data processing agreement with them, whereby it will impose on them, among others, the following obligations: to implement appropriate technical and organisational measures to ensure the security of personal data; to process personal data for the agreed purposes and only in accordance with the documented instructions of the Controller; and to erase and return the data to the Controller once the provision of the services has been completed.

6. International data transfers

Personal data of data subjects may be transferred to countries other than the Data Subject Territory and other than Data Controller Territory. In such cases, the data processing could involve international data transfers under the terms of the applicable personal data protection legislation from time to time.

For the purposes of this Privacy Notice, an international data transfer shall be deemed to take place in the following cases:

  • Transfer from the EU to a Third Country[ii]. The processing of personal data subject to compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, from the territory of a Member State of the European Union to recipients established in countries outside the European Economic Area (the countries of the European Union, Liechtenstein, Iceland and Norway).

  • Transfer from a Third Country to another Third Country. The processing of personal data, from the territory of a Third Country to recipients established in a Third Country other than the territory of the Data Controller.

  • Transfer from a Third Country to the EU. The processing of personal data from the territory of a Third Country to the territory of a Member State of the European Union.

EDPR may transfer your personal data to countries with an adequate level of protection recognised by the competent authorities.

In the case of transfers to countries not considered to have an adequate level of protection according to the applicable Data Protection Legislation and/or considered by the competent supervisory authority, EDPR has implemented appropriate and adequate safeguards to protect the personal data of data subjects and to ensure an adequate level of security. Accordingly, the personal data of data subjects will be transferred in accordance with the requirements and obligations established by the applicable Data Protection Legislation. In these cases, EDPR guarantees to have subscribed with the recipients, collaborators and/or suppliers who access personal data, the corresponding Contractual Clauses and determined the additional guarantees, when necessary, for the best protection of your personal data.

For more information on appropriate and adequate security measures, data subjects may contact EDPR through the contact means of their Data Protection Officer at dataprotection@edpr.com.

7. What rights does the user have?

In accordance with data protection regulations, the user has the right to:

  • Access your personal data. This also includes the right to obtain confirmation as to whether your data is being processed.

  • Rectify inaccurate or incomplete data.

  • Object to the processing of the data, where the processing is non-compliant with applicable personal data protection legislation.

  • Withdraw his/her consent at any time, without prejudice to the lawfulness of the processing previously carried out.

  • Request the erasure of your data when they are no longer necessary for the purposes for which they were collected, among other reasons. Where applicable, data shall be anonymised or blocked in accordance with applicable personal data protection legislation.

  • Obtain from the Data Controller the restriction of the processing of the data when any of the conditions provided for in the regulations in force are met.

  • Request the portability of your data, either for yourself or for transfer to another Data Controller.

In order to exercise the aforementioned rights, you must send your request to the address indicated in the heading of this document, through the channel provided on the website or through the DPO's e-mail address: dataprotection@edpr.com.

The Data Controller will respond to the right exercised within the legally stipulated period.

Finally, the user may, in addition, file a complaint with the competent Control Authority if he/she considers that the Controller has infringed the rights recognised by the applicable data protection regulations.

 

Last update: December 2022.

 

[i] If you are a data subject resident in Colombia or, in any case, when the personal data protection legislation in force in Colombia is applicable, the applicable legal basis is the data subject’s consent in all cases and for all purposes in which legitimate interest is identified as the applicable legal basis.

[ii] The term "third country" refers to countries outside the European Economic Area.