Cybersecurity and personal data
Cybersecurity and personal data at the General Shareholders' Meeting
At Iberdrola, we are committed to our shareholders’ security.
On the occasion of the 2023 General Shareholders’ Meeting, Iberdrola would like to share some cybersecurity tips to better protect your devices and information.
Safeguard access to your device:
- Use strong passwords and don’t re-use them. One useful tip is to include lowercase and uppercase letters, numbers and punctuation marks.
- Enable as many unlocking mechanisms as possible, including PIN, fingerprint, facial recognition, etc. The more secure these mechanisms are, the harder it is for others to access your devices.
- Never leave your devices unlocked if you are not using them.
- Always make sure your operating system is up to date. This provides added security against possible attacks.
- Whenever you download and install applications on your devices, do so from official marketplaces, like the Play Store or App Store. Scan all downloads for viruses.
- Avoid connecting external drives (USB devices, etc.) of unknown origin to your equipment.
The following best practices will help keep you safe when receiving e-mails on your devices:
- Check whether you know the sender’s address or whether the source page or URL matches the usual one. Delete the e-mail if you confirm that the sender is not official.
- Do not trust e-mails with eye-catching subject lines or with spelling or grammatical errors.
- Never open attachments if you have concerns about the sender.
- Do not click on links if you cannot be sure that you are being redirected to a legitimate site.
If you receive an SMS, WhatsApp message or call on your mobile phone:
- Pay attention to the sender’s name. Don’t open SMS messages from platforms you don’t normally use.
- The contents of legitimate messages do not usually contain spelling mistakes. Be wary if the grammar is poor.
- Be cautious and check information before accessing pages via links, or passing on information to the sender.
- Iberdrola will never ask you for sensitive information or confidential data through these channels.
- If Iberdrola asks you for any personal information, we will contact you beforehand to inform you what information we will ask you for.
What rules apply to the personal data of shareholders or their proxy representatives participating in the Meeting?
The personal data of shareholders or their proxy representatives are processed by Iberdrola, S.A. (“Iberdrola”) in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Organic Law 3/2018, of 5 December on the Protection of Personal Data and guarantee of digital rights and other applicable legal provisions.
What personal data of shareholders and their proxy representatives will be processed at the Meeting?
First and last names, telephone number, postal and electronic address, DNI, voice, number of shares, electronic signature and QR code, password for electronic or telephonic participation, hash code, and “.json” file generated by means of blockchain technology to ensure the integrity and non-manipulation of the proxies granted and votes cast through the Participation Portal, as well as information that may be generated from the participation of the shareholder or the proxy representatives thereof in the General Shareholders’ Meeting.
How is personal data obtained at the Meeting?
Such data is obtained directly from the shareholders or their proxy representatives or from entities with which such shareholders have deposited their shares.
For what purposes are the personal data of shareholders or their proxy representatives participating in the Meeting collected?
- To manage the General Shareholders' Meeting.
- To comply with, and if applicable verify compliance with, the obligations set out in the Governance and Sustainability System related to the holding of the General Shareholders’ Meeting, as well as the corporate policies and the resolutions that are submitted to the shareholders, including the Company’s direct contact with shareholders and the payment of dividends.
- To perform analyses and prepare reports to optimise the management of the General Shareholders’ Meeting.
- To record and broadcast the General Shareholders' Meeting.
What is the legal basis for processing these data?
- The legal basis for the management of the General Shareholders’ Meeting is compliance with the legal obligations set out in the legal provisions governing corporate enterprises (sociedades de capital).
- The legal basis for the other purposes is Iberdrola’s legitimate interest in holding General Meetings that fully conform to its Governance and Sustainability System and the rest of its internal rules as well as ensuring the observance and full satisfaction of shareholder rights and adopting measures favouring the achievement of those objectives.
- Finally, the legal basis for participating in the draw for the 20 electric bicycles is consent.
Can Iberdrola communicate these personal data to third parties?
Personal data may be communicated to the notary who prepares the minutes of the General Meeting pursuant to the regulations governing companies and in accordance with the Commercial Registry Regulations and the Regulations for the General Shareholders’ Meeting. They may also be provided to other shareholders in the exercise of their right to receive information as provided by law, but in no event will they be transferred outside of the European Economic Area.
Iberdrola may also hire entities to perform certain tasks relating to the purposes described, such as verifying that the General Shareholders’ Meeting is properly held in accordance with applicable procedures and compliance with the obligations related to the holding thereof, as well as preparing statistical information, signing the contracts required by applicable law to give those entities access to personal data, which will not under any circumstances be used for purposes other than those specified above.
What is the retention period for these personal data?
The data will be kept during the life of the Company and up to six years after the termination thereof, except for the image and/or voice of attendees, which will be maintained for two years from the recording thereof, without prejudice to holding them on a duly secured basis during the legal limitation periods applicable in each case.
How can one’s rights relating to these personal data be exercised?
The rights of access, rectification, objection, erasure and restriction of processing, and any other rights that apply pursuant to applicable legal provisions on data protection, may be exercised by the personal data subject by providing evidence of their identity in a letter addressed to Iberdrola’s Shareholder’s Office (address: plaza Euskadi número 5, 48009 Bilbao) and to the e-mail address firstname.lastname@example.org.
For more information on the privacy notice of the Meeting, please refer to the Implementing Rules for the General Shareholders’ Meeting [PDF], available on the Documentation page for the Meeting.