CIBERSECURITY AND PERSONAL DATA

Cibersecurity and personal data at the General Shareholders' Meeting

PERSONAL DATA

What rules apply to the personal data of shareholders or their proxy representatives participating in the Meeting?

The personal data of shareholders or their proxy representatives will be processed by Iberdrola in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights and other applicable legal provisions.

What personal data of the shareholders and their proxy representatives are processed at the Meeting?

First and last names, telephone number, postal and electronic address, DNI, number of shares, electronic signature and QR code for electronic voting, as well as information that may be generated from the participation of the shareholder or the proxy representatives thereof in the General Shareholders' Meeting.

How is personal data obtained at the Meeting?

Such data is obtained directly from shareholders or their proxy representatives or from the entities with such shareholders have deposited their shares.

For what purposes are the personal data of shareholders or their proxy representatives participating in the Meeting collected?

  • To manage the General Shareholders' Meeting.
  • To comply with the obligations set out in the Governance and Sustainability System related to the holding of the General Meeting and with the Company's transparency and engagement policies, including the Company's direct contact with shareholders, and, where appropriate, to verify such compliance.
  • To analyse and prepare reports to optimise the management of the General Shareholders' Meeting.
  • To record and broadcast the General Shareholders' Meeting.

What are the legal grounds for the processing of these data?

  • The legal basis for the management of the General Shareholders' Meeting is compliance with legal obligations and with the contractual relationship arising from shareholder status.
  • The legal basis for the other purposes is the legitimate interest of Iberdrola in holding General Meetings that fully conform to its Governance and Sustainability System and to the rest of its internal rules, as well as to ensure the observance and full satisfaction of shareholder rights and to adopt measures favouring the achievement of those objectives.

Can Iberdrola communicate these personal data to third parties?

Personal data may be communicated to the notary who prepares the minutes for the General Shareholders' Meeting. They may also be provided to other shareholders in the exercise of their right to receive information as provided by law, but in no event will be transferred outside of the European Economic Area.

Iberdrola may also hire entities to perform certain tasks, signing the contracts required by the applicable legal provisions to give them access to personal data, which in no case may be used for purposes other than those indicated above.

What is the retention period for these personal data?

The data will be kept during the life of the Company and up to six years after the termination thereof, without prejudice to the retention thereof, duly blocked, during the legal periods of prescription applicable in each case.

How can one's rights relating to these personal data be exercised?

The rights of access, rectification, objection, erasure and restriction of processing may be exercised in accordance with the Implementing Rules for the General Shareholders' Meeting [PDF], available on the Documentation page for the Meeting, which contains more detailed privacy-related information.

CIBERSECURITY

Iberdrola may contact you in connection with the holding of the 2021 General Shareholders' Meeting to keep you informed about significant issues that could affect you.

We would like to give you some recommendations that will help you avoid falling victim to a cybercrime and to detect anything strange or suspicious, in order to ensure that your participation will be as secure as possible:

  • Sender: Iberdrola will only send you email using the company's own domain name: @Iberdrola.es. Do not circulate the information provided; it is personal and non-transferable.
  • Subject: Most fraudulent emails use alarming or suggestive language in the subject line to catch your attention. Keep this in mind!
  • Purpose of message: Iberdrola will never ask you to provide your personal details by email or through phone calls. If you are contacted for this purpose, ALWAYS beware; it may be a sign of possible fraud.
  • Text: Be suspicious if there are spelling or grammatical errors, or if it looks like the text has been machine-translated.
  • Links: Hover your cursor over the link to check the real URL to which it redirects. The address should always start with https://. If you access the website, make sure there is a padlock icon to the left of the address bar.

FOLLOW THESE RECOMMENDATIONS AND ENJOY THE 2021 GENERAL SHAREHOLDERS' MEETING RISK-FREE!