IBERDROLA SHAREHOLDER'S CLUB

Terms of use and legal conditions

Iberdrola, S.A. ("Iberdrola" or the "Company") is committed to protecting your privacy and guarantees compliance with the legislation on the protection of personal data and, in particular, that your personal information will be processed: in a lawful, loyal and transparent manner; in accordance with specific explicit and legitimate purposes; only if it is adequate, relevant and limited to what is necessary in relation to the processing; accurate and up to date; in such a way as to allow identification of the data subject only for the time necessary for the purposes of processing; guaranteeing their security.

In accordance with the provisions of current legislation on the protection of personal data, specifically the General Data Protection Regulation ("GDPR"), we inform you about the processing(1) of the personal data as member of Shareholders' Club during your relationship with Iberdrola and after it has ended.

You should read this notice, and any updates to it, in order to know the purpose of the processing of your personal data and the circumstances thereof.

What personal data do we collect and process from you?

Iberdrola shall only process your data needed to comply with the purposes detailed below. The data are your name and surname, identity card or passport, country, postal and/or electronic address, phone number, date of birth, numbers of shares and the social networks that you use if you have communicated them to us.

How do we collect your personal data?

You provide us with your personal information through your registration in the Shareholders' Club.

If you do not provide us with your requested personal information, we may not be able to manage your registration.

We ask you to update your personal data as it changes, and always provide truthful information, as we must have your current information.

Who is responsible for the processing of your personal data?

IBERDROLA, S.A.
Plaza Euskadi 5, Bilbao
Data Protection Officer: dpo@iberdrola.com

For what purposes do we process your data?

The information you provide us with will be treated in accordance with the following purposes:

1. Control, monitoring and verification of your status as a shareholder.

2. Sending of permanent information of the quarterly evolution as well as of the strategy and its industrial group, of the main financial events and the current situation of the company, as well as of the information relative to the exercise of its rights as shareholder.

3. Direct and personalized telephone service through the Shareholder Office (900.10.00.19).

4. Receive invitations to corporate, cultural and leisure events organized by the Company and exclusive for shareholders; offer the possibility to participate in raffles and special prizes; offer the possibility of participating in the surveys to know your opinion about the Society.

What is the legitimacy for the processing of your data?

The legal basis for the treatment of your data with the purpose detailed in paragraph 1 above is the legitimate interest of Iberdrola. Such processing is carried out with respect to your right to the protection of your personal data, to your honor and to your personal and family privacy.

The legal basis for the treatment of your data with the purpose detailed in paragraphs 2, 3 and 4) above is the providing of the services that Iberdrola upon you required when you register in Shareholders' Club.

How long do we keep your data?

The personal data provided will be kept to the extent you remain as a member of the Shareholders' Group, during the provision of the services requested and, in any case, once the statute of limitations for any legal actions involved has expired.

However, the personal data provided may be kept duly blocked for as long as required by the applicable regulations.

We also inform you that Iberdrola will be able to check annually if you are still a shareholder and, if you have lost that condition, we will proceed with your withdrawal from the Shareholder's Club.

To whom will your information be communicated?

Your data will be communicated to third parties when necessary for the execution of the legal obligations and to official bodies in compliance with legal obligations.

Your data will also be accessible by external service providers linked to the contractual relationship such as computer services, with which we have subscribed the legally required contracts under which they guarantee the fulfillment of their obligations as data controller.

What are your rights?

You have the right of access to the personal data being processed, as well as the right to request the rectification of inaccurate data or, where appropriate, to request their erasure when the data are no longer necessary for the purposes for which they were collected, as well as the right to object and restrict the processing and the data portability. If your consent was obtained, you have the right to revoke it at any time.

You may submit their requests to exercise their rights free of charges (including a copy of your national identity card or equivalent document) through the following channels:

  • By mail accionistas@iberdrola.com.
  • By call to Shareholder's Call Center: 900 100 019.
  • Sending a written notice to: Oficina del Accionista, C/ Tomás Redondo, 1, 28033 Madrid.
  • Data Protection Officer: Tomás Redondo 1, 28033 or dpo@iberdrola.com.

In the event that you have not obtained satisfaction in the exercise of your rights, you may file a complaint with the Spanish Data Protection Agency or equivalent control authority.

More Information

We have implemented the necessary technical measures to protect your data and information from accidental loss, unauthorized access, use and disclosure. However, despite the diligent implementation of such measures, the user should be aware that security measures are not indefeasible. Iberdrola is not responsible for the actions of third parties who, in violation of these measures, access the aforementioned data and information.

We have established procedures for any data security incident.

 

(1) Any operation or set of operations carried out on personal data, whether automated or not, such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access, checking or interconnection, limitation, deletion or destruction.