Cibersecurity and personal data

Cibersecurity and personal data at the General Shareholders' Meeting

General Shareholders' Meeting

At Iberdrola, we ensure the security of our shareholders in the digital environment and are committed to protecting personal data. We gather key tips for protecting electronic devices and essential information on data security.


At Iberdrola, we are committed to our shareholders’ security. 

On the occasion of the General Shareholders' Meeting, Iberdrola would like to share some cybersecurity tips to better protect your devices and information. 

Safeguard access to your device: 

  • Use strong passwords and don’t re-use them. One useful tip is to include lowercase and uppercase letters, numbers and punctuation marks.  
  • Enable as many unlocking mechanisms as possible, including PIN, fingerprint, facial recognition, etc. The more secure these mechanisms are, the harder it is for others to access your devices. 
  • Never leave your devices unlocked if you are not using them. 
  • Always make sure your operating system is up to date. This provides added security against possible attacks.
  • Whenever you download and install applications on your devices, do so from official marketplaces, like the Play Store or App Store. Scan all downloads for viruses. 
  • Avoid connecting external drives (USB devices, etc.) of unknown origin to your equipment. 

The following best practices will help keep you safe when receiving e-mails on your devices: 

  • Check whether you know the sender’s address or whether the source page or URL matches the usual one. Delete it if you confirm that the sender is not official. 
  • Do not trust e-mails with eye-catching subject lines or with spelling or grammatical errors. 
  • Never open attachments if you have concerns about the source of the sender. 
  • Do not click on links if you cannot be sure that you are being redirected to a legitimate site.

If you receive an SMS, WhatsApp message or call on your mobile phone:

  • Pay attention to the sender’s name. Don’t open SMS messages from platforms you don’t normally use. 
  • The contents of legitimate messages do not usually contain spelling mistakes. Be wary if the grammar is poor. 
  • Be cautious and check information before accessing pages via links, or passing on information to the sender.
  • Iberdrola will never ask you for sensitive information or confidential data through these channels.
  • If Iberdrola needs to ask you for any personal information, we will first contact you to explain what information we will ask you for.

Personal data

What rules apply to the personal data of shareholders or their proxy representatives participating in the Meeting?

The personal data of shareholders or their proxy representatives are processed by Iberdrola, S.A. (“Iberdrola”) in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Organic Law 3/2018, of 5 December on the Protection of Personal Data and guarantee of digital rights and other applicable legal provisions.

What personal data of shareholders and their proxy representatives will be processed at the Meeting?

First and last names, telephone number, postal and electronic address, DNI, voice, number of shares, electronic signature and QR code, password for electronic or telephonic participation, hash code, and “.json” file generated by means of blockchain technology to ensure the integrity and non-manipulation of the proxies granted and votes cast through the Participation Portal, as well as information that may be generated from the participation of the shareholder or the proxy representatives thereof in the General Shareholders’ Meeting, such as the image and voice of the attendees.

How is personal data obtained at the Meeting?

Such data is obtained directly from the shareholders or their proxy representatives or from entities with which such shareholders have deposited their shares.

For what purposes are the personal data of shareholders or their proxy representatives participating in the Meeting collected?

  • To manage the General Shareholders' Meeting.
  • To comply with, and if applicably verify compliance with, the obligations set out in the Governance and Sustainability System related to the holding of the General Shareholders’ Meeting.

  • To apply the corporate policies to encourage the transparency of the Meeting and the Company’s direct contact with shareholders, including the payment of financial incentives to participate in the Meeting.

  • To perform analyses and prepare reports to optimise the management of the General Shareholders’ Meeting.

  • To record and broadcast the General Shareholders’ Meeting.

What is the legal basis for processing these data?

  • The legal basis for the management of the General Shareholders’ Meeting is compliance with the legal obligations set out in the legal provisions governing corporate enterprises (sociedades de capital).
  • The legal basis for the other purposes is Iberdrola’s legitimate interest in holding General Meetings that fully conform to its Governance and Sustainability System and the rest of its internal rules as well as ensuring the observance and full satisfaction of shareholder rights and adopting measures favouring the achievement of those objectives.

Can Iberdrola communicate these personal data to third parties?

Personal data shall be communicated to the notary who prepares the minutes of the General Meeting pursuant to the regulations governing companies and in accordance with the Commercial Registry Regulations and the Regulations for the General Shareholders’ Meeting. They may also be provided to other shareholders in the exercise of their right to receive information as provided by said legal provisions, but in no event will they be transferred outside of the European Economic Area.

In order to perform certain tasks relating to the purposes described, such as verifying that the General Shareholders’ Meeting is properly held in accordance with applicable procedures and compliance with the obligations related to the holding thereof, as well as preparing statistical information, the Company shall hire third-party service providers, who will have access to personal data within the framework of these tasks, without such data being used for any other purpose. These entities are configured as data processors with which the Company will sign the contracts required by applicable law.

What is the retention period for these personal data?

The data are kept during the life of the Company and up to six years after the termination thereof, except for the image and/or voice of attendees, which are maintained for two years from the recording thereof, without prejudice to holding them on a duly secured basis during the legal limitation periods applicable in each case.

How can one’s rights relating to these personal data be exercised?

The rights of access, rectification, objection, erasure and restriction of processing, and any other rights that apply pursuant to applicable legal provisions on data protection, may be exercised by the personal data subject by providing evidence of their identify in a letter addressed to Iberdrola’s Shareholder’s Office (address: Plaza Euskadi número 5, 48009 Bilbao) and to the e-mail address

For more information on the privacy notice of the Meeting, please refer to the Implementing Rules for the General Shareholders’ Meeting [PDF], available on the Documentation page for the Meeting.

View all information on the 2024 General Meeting