The EDPR Group companies always prioritize in their relationship with their employees, service providers, suppliers, partners and other interested parties, strict respect for their privacy. The protection of personal data is a cornerstone of the EDPR Group companies’ activity. Ensuring that we carry out our activities in compliance with all data protection legal requirements and highest standards is fundamental for us.

Hence, the EDPR Group companies adopt and follow specific Privacy Policies comprised in the Group’s global compliance risk management approach, which content is disclosed to relevant data subjects. These Privacy Policies apply to the entire lifespan of data processing operations carried out by Group Companies and Service Providers. Service providers process the personal data only following documented instructions from EDPR.

Data Protection Officer or equivalent officers are appointed in geographies/business units where such legal requirement exists and whenever EDPR deems it relevant, despite the inexistence of such requirement. EDPR also designates teams responsible for ensuring that the organization complies with legal and regulatory requirements, policies and guidelines approved internally, through the implementation of methodologies and procedures aimed at preventing, detecting and addressing any deviation or non-conformity that might occur, as well as supporting Group employees and raising awareness about the rules to be observed when processing personal data.

These Data Protection Officers or equivalent officers are permanently available to the data subjects, also ensuring the interactions with the competent data protection authorities.

The EDPR Group incorporates mechanisms to safeguard data protection in all its new projects, continuously monitoring how they impact the privacy of its data subjects. In this way, we intend to mitigate any data protection risks while ensuring sustainable and ethical innovation and growth. The Group leverages the potential of information technologies in a responsible manner, seeking to avoid any type of discrimination and explaining to all agents involved how such technologies affect their pivacy.


In order to support its firm commitment, the EDPR Group globally observes the following values and principles:

1. LAWFULNESS AND PURPOSE

EDPR Group companies only process personal data for legitimate and clearly defined purposes. The main reason we use data is for the performance of contracts with employees, with service providers and other stakeholders, namely off takers, PPA clients or partners for the management of our operation. On the other hand, there are several laws in the legal system that establish legal obligations, which lead to the processing of personal data. For example, tax obligations, corporate reporting or in the context of preventing money laundering and terrorism financing. The processing of data in these cases is the strictly necessary for the fulfillment of such obligations. Lastly, always subject to the explicit consent of the data subjects which can be withdrawn at any time, we may use the collected data for other purposes such as the publication in our internal and external communication channels of images of employees and other participants in internal and public events.

2. FAIRNESS AND TRANSPARENCY

We inform all our employees, suppliers and partners about how we process their personal data, why we do it, for how long we keep them and with whom we share them. Where appropriate, we ask data subjects for their informed consent, not harming them if they decide not to consent or to withdraw their consent. In the event of a personal data breach, we notify the competent supervisory authority and whenever the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we communicate it to the relevant data subjects. We seek to immediately repair or minimize its negative effects.

3. PROPORTIONALITY

We only collect and use personal data that is strictly necessary in relation to our legitimate purposes. EDPR collects and processes identification data (name and civil or tax identification numbers, contact details: addresses and telephone contacts), from its employees provided by him/her and/or derived from the employment relationship at the beginning of, and throughout the employment relationship. Personal data is also collected and processed from our landowners and certain suppliers for the management of our operations. Personal data will only be accessed by persons or entities that have an effective need to know it. These persons will act on our behalf and under our instructions and observe the strictest confidentiality rules. As described above, personal data may also be accessed by tax authorities, other regulatory or supervisory authorities, courts and other entities to whom EDPR is required to communicate data under the law. Once the data is no longer needed, EDPR Group permanently erases or makes it unintelligible, unless its retention is legally mandatory.

4. CONTROL

All data subjects of personal data used by EDPR Group companies have control over their own data. EDPR Group companies provide adequate channels for the exercise of their rights of access, rectification, erasure, limitation, portability and opposition, ensuring effective and timely responses. At EDPR, we seek to make things clear to you and respect your decisions. In addition, EDPR continuously monitors compliance with its Privacy Policies, both internally and by its external service providers. In case of non-compliance with these regulations, EDPR has a “zero tolerance” approach, applying the appropriate disciplinary or contractual measures.

5. PRIVACY SINCE “0” MOMENT

When designing a new business or service model, EDPR Group companies assess its impact on data subject’s privacy, striving to mitigate the risks that may arise from it. In this context, EDPR implements security techniques (such as pseudonymization) whenever applicable, restricts access to data to a limited number of people and consults with legal advisors or the competent authorities for advice on the best way to comply with data protection legal requirements.

6. RESPONSIBILITY

We define accountabilities, responsibilities and reporting lines in each EDPR Group company to ensure compliance with data protection legislation. In this way, each department and employee is, at all times, aware of the concerns they must consider when processing personal data in the exercise of their functions as well as about how to act in case of detection of a personal data breach that may negatively affect the privacy of data subjects.

7. SECURITY

We implement technical measures in line with the best market practices and develop processes and procedures that allow us to maintain all personal data that we handle in appropriate security conditions, considering the risks involved. In this regard, the EDPR Group limits and controls access to all its IT systems, applies encryption and anonymization techniques to the information it stores and performs periodic backups. EDPR Group Information Systems Security area works continuously to prevent undue access to the personal data we process and to guarantee the permanent resilience of our companies' information systems.

Additionally, EDPR only uses information technology service providers that offer sufficient guarantees of compliance with the rules and data protection in force. EDPR reserves the right to change this Personal Data Protection Policy at any time.

Any changes will be duly publicized on the website.



Approved by the EDPR Board of Directors in a meeting hold on December 16^th, 2020.