OLS Shareholder's Club

CONDITIONS OF USE AND PRIVACY POLICY FOR THE SHAREHOLDERS' ETHICS MAILBOX

The shareholders' ethics mailbox ("Shareholders' Ethics Mailbox") is the channel that Iberdrola has created for you to report: i) conduct that might represent a breach of the Company's Corporate Governance System or ii) the committing by a Group employee of an illegal act or one that contravenes the standards of behaviour in the Code of Ethics specifically aimed at group employees.

Iberdrola guarantees absolute confidentiality both regarding the information provided and your personal data.

You must use the Shareholders' Ethics Mailbox responsibly and under no circumstances should you make reports that are unfounded or malicious. Also, in any statement you make to report any person, you are expected to be respectful and polite. Iberdrola is not responsible for any derogatory comments you may make against any third party. You must also ensure that the personal data provided is true, accurate, complete and current.

Iberdrola, S.A ("Iberdrola") undertakes to protect your privacy and guarantees compliance with the laws governing personal data protection, specifically the General Data Protection Regulation ("GPDR") and the Organic Law on Data Protection and Guaranteeing Digital Rights ("LOPDGDD"). Your personal data will be processed: lawfully, faithfully and transparently; for specific, explicit, legitimate purposes; only where appropriate and pertinent; and to the extent strictly necessary for these purposes. We will also keep your data accurate and updated. The data will be stored to allow your identification only for the time necessary to comply with the purposes for which it is processed.

Iberdrola has implemented the necessary technical and organisational measures to protect your data from accidental loss or unauthorised alteration, access, use or disclosure, and has also established procedures to react to any security incidents that could affect your personal data.

This Privacy Policy informs you about how your personal data is processed when supplied via the Shareholders' Ethics Mailbox.

Who is the Data Controller responsible for processing your personal data?

The data processor is Iberdrola, S.A., with registered office at Plaza Euskadi 5, 48009 Bilbao.

Iberdrola has designated a Data Protection Officer whom you may contact regarding any matter related to this Privacy Notice by sending an email to dpo@iberdrola.com External link, opens in new window..

What personal data do we collect from you and process?

The personal data that we may process about you are those required on the corresponding form regarding your national ID number, full name and email address, as well as any other information you may include in your communication.

How do we obtain your personal data?

You supply us with your personal data through the Shareholders' Ethics Mailbox form.

For what purposes will we process your data?

The information you provide will be processed in order to manage, investigate and respond, as the case may be, to the queries and complaints received via the Shareholders' Ethics Mailbox.

What is the lawful basis for processing your data?

The legal basis for processing your data in accordance with the purposes indicated is Iberdrola's legitimate interest in guaranteeing legality and compliance by its employees with the Code of Ethics or any other internal standard, and public interest when it is a matter of ensuring compliance with the law.

How long will we keep your data?

The personal data you provide when you send a query to the Shareholders' Ethics Mailbox will be kept on file for the period necessary to resolve it and, in any event, for one year from receipt. Once this period has elapsed, your personal data will be kept on file, duly blocked, until the conclusion of any possible associated legal actions.

The personal data you provide when you send a complaint to the Shareholders' Ethics Mailbox will be kept on file for the amount of time required to decide whether an investigation should be launched. It will be erased, at the latest, 3 months after receipt, unless it is required to be retained as evidence of the functioning of Iberdrola's crime prevention model.

Notwithstanding the fact that the data must be erased from the Shareholders' Ethics Mailbox and potentially other information systems for internal complaints, the data may continue to be processed by the corresponding body when it is necessary to do so in order to adopt disciplinary measures or for any court proceedings that may result.

To whom will your data be communicated?

Your personal data will only be communicated to third parties should it become necessary for any court proceedings that might result.

What are your rights?

You have the right to access your personal data, as well as to request that inaccurate information be corrected or that it be removed where the information in question is no longer required for the purposes for which it was initially collected. You also have the right to object to or limit the data processing, and to the portability of your data.

You may submit your requests to exercise your rights free of charge, by writing to cumplimiento@iberdrola.es External link, opens in new window.

You are also entitled to submit a complaint to the Spanish Data Protection Agency.