Privacy management
Privacy management model at the Iberdrola Group
The Global Data Protection Office, led by the Iberdrola Group Data Protection Officer (DPO), supports the Group in matters of privacy, coordinating the monitoring of compliance with current regulations. The Global DPO coordinates its activities with the DPOs of the various Group companies and with the data protection representatives of the different business units.
Other cross-functional departments within the Group such as Legal Services, Systems, Cybersecurity, Corporate Security, Compliance, Internal Audit and the various business areas support this role.
Iberdrola has a Personal Data Protection Policy, which the Board of Directors approves and amends and which establishes the Group’s basic principles and overall strategy in this area. This Policy defines the framework of action applicable to the Company and also guides regulatory developments within the Group’s companies, including country subholding companies and their subsidiaries, in line with the Group’s ethical and sustainability principles. It also sets out the roles, functions and obligations regarding data protection, including the principles of lawfulness, data minimisation, accuracy, storage limitation, integrity, confidentiality, proactive accountability, transparency and data subjects' rights, which must guide the actions of all areas of the Iberdrola Group.
The Corporate Security Department together with Legal Services also has a comprehensive internal data protection policy applicable to the entire Group, which is mandatory for managers and employees.
Furthermore, Iberdrola has a global model for the protection of personal data applicable to all Group companies in the countries where it operates whilst respecting the specific requirements of the country subholding companies.
The Iberdrola Group has Binding Corporate Rules (BCRs) approved by the Spanish Data Protection Agency (AEPD), which establish an internal legal framework to ensure an adequate and uniform level of personal data protection across all participating companies. These BCRs enable international data transfers within the Group in full compliance with applicable regulations and oblige all entities that have adopted them to apply the internal data protection measures, principles and standards defined by Iberdrola, thereby ensuring consistent, secure and responsible management of personal information across the entire Group.
Governance and reporting
The Iberdrola Group’s privacy model is structured through various bodies and forums that ensure effective, consistent oversight aligned with the Group’s Governance and Sustainability System.
Board of Directors of Iberdrola, S.A.
The Data Protection Officer (DPO) reports annually to the Board of Directors on the most relevant aspects of data protection compliance activities, including key compliance indicators and the evolution of the model, in line with the powers attributed to this body within the Group's internal regulatory framework.
Boards of Directors of the country subholding companies
The DPOs of the country subholding companies submit annual reports to their respective Boards, ensuring adequate supervision of compliance and alignment with corporate data protection principles.
Security, Resilience and Digital Technologies Committee
The Security, Resilience and Digital Technologies Committee, established as a cross-functional body supporting the Security and Resilience Department, ensures proper coordination at Group level regarding security, operational resilience and technology risk management. In accordance with the provisions of the Governance and Sustainability System, this committee oversees the implementation of internal procedures relating to personal data protection, including incident management, technical and organisational measures and associated control mechanisms, ensuring their consistency with corporate guidelines and with the enhanced autonomy framework applicable to listed country subholding companies.
Global Cybersecurity and Data Protection Group
The role of the Global Cybersecurity and Data Protection Group is to oversee the general state of cybersecurity and personal data protection within the Group, facilitate coordination and assist the Corporate Security Department in implementing the measures it approves, all in accordance with the terms set out in its internal regulations.
DPO Forums
A forum is held every six months bringing together the Global DPO, local DPOs and representatives from Legal Services, Internal Audit and IT. During these sessions, compliance with the Group's governance model is reviewed, common risks are assessed and cross-cutting issues are analysed, promoting consistency and the continuous improvement of the Global Privacy Programme.
Coordination mechanisms
To ensure consistent, coordinated and efficient action on privacy matters within a multinational and decentralised Group, the following coordination mechanisms have been established, in line with the provisions of the Iberdrola Group's guidelines for definition and coordination.
Global operational coordination
The global data protection coordinators of the business units and corporate areas, the global Legal Services coordinator and the global Corporate Security coordinator organise this level within the framework of the Global Cybersecurity Group. This level ensures strategic consistency and the uniform application of corporate principles.
Operational coordination at local level
Each business unit or area has local data protection officers who participate in specific coordination groups. This ensures compliance with local regulations and the effective application of corporate procedures whilst respecting the principle of subsidiarity that characterises the Group's organisational model.
Operational coordination at business or corporate area level
Business units and corporate areas report to the global coordinator on relevant metrics, incidents, developments and risks, facilitating traceability, consistency and centralised monitoring of compliance, and giving effect to the principle of proactive accountability set out in the Group's Personal Data Protection Policy.
Relations with third parties
These principles apply to all activities of the Iberdrola Group and its value chain, including suppliers and third parties that process personal data on behalf of the Group. In all dealings with third parties, Group companies must comply with applicable data protection legislation and apply the following standards:
- Select only data processors that provide sufficient guarantees regarding technical and organisational measures.
- Require the Group's prior authorisation, whether specific or general, before a data processor subcontracts any personal data processing to another processor.
- Include data protection requirements in the technical specifications provided to suppliers in accordance with the risk analysis carried out.
- Incorporate into contracts the standard clauses defined by the Legal Services and required for the access or processing of personal data.
- Apply specific data protection procedures in procurement processes.
Periodic assessments, audits and reviews
Iberdrola carries out the following on a regular and documented basis:
- Data Protection Impact Assessments (DPIAs) for processing operations that may pose high risks.
- Privacy impact assessments (PIA) prior to the implementation of new projects or technologies.
- Internal compliance audits.
- Regular operational reviews as part of the continuous improvement cycle of the Global Privacy Programme.
Privacy training and culture
All Group employees receive training in data protection and information security, tailored to their role and responsibilities.
In addition, Iberdrola runs regular awareness campaigns, internal communications and training materials aimed at strengthening the privacy culture throughout the organisation.
Iberdrola reviews this training periodically.
Users' rights and options
Iberdrola provides users with clear channels to exercise control over their personal data.
Users may, amongst other things:
- Manage consent for marketing communications.
- Manage their privacy and cookie preferences.
- Withdraw consent previously given.
- Request access, rectification, erasure, restriction, objection or portability.
Iberdrola discloses personal data to third parties only when necessary for the provision of services, compliance with legal obligations or the exercise of the Group's legitimate interests, ensuring an adequate level of protection in all cases.
Incident management and breach notification
Iberdrola has an internal security incident management procedure, which includes:
- Identification and analysis of incidents.
- Coordination of the response.
- Notification to the supervisory authority where applicable.
- Communication to affected individuals where legally required.
Assessment and supervision of third parties (due diligence)
The Group applies a structured due diligence process regarding privacy and security when third parties access personal data.
This process includes prior assessments, reinforced contractual obligations, ongoing monitoring and, where appropriate, supplier audits.
Responsible management of personal information
Iberdrola promotes the appropriate and respectful handling of personal information by all its staff in the performance of their duties, ensuring an approach based on respect for established rights and safeguards.
Certifications: The most stringent standards in privacy
Iberdrola has reaffirmed its commitment to privacy by becoming the first European energy company to obtain the Europrivacy European Data Protection Seal, the only certification scheme officially approved by the European Data Protection Board (EDPB) under Article 42(5) of the GDPR and recognised in all EU and EEA Member States.
Obtaining this seal, together with the recent renewal by the AEPD of the Group's Binding Corporate Rules, consolidates Iberdrola's position as a European leader in privacy, demonstrating an ethical, robust digital strategy that is fully aligned with the principles of protecting users' rights and freedoms in the digital environment.
