Iberdrola Group companies' whistle-blower channel terms of use

Terms and conditions of use and privacy notice

The Internal reporting system or whistle-blower channel is the channel that Iberdrola has created for you to report (i) any conduct by any professional of the Iberdrola Group that may involve any irregularity or action contrary to the Law or to the Governance and Sustainability System of the Iberdrola Group or to the rules of conduct of the Code of Ethics aimed at the Group's professionals; and (ii) the commission by a supplier, by one of its subcontractors or by their respective employees, of any act contrary to the law or to the provisions of the Supplier Code of Ethics in the context of their business relationship with the companies of the Iberdrola Group.

It is not mandatory to identify yourself in order to submit a complaint, but should you decide to do so, Iberdrola guarantees absolute confidentiality of both the information provided and your personal data, together with a commitment of no retaliation.

Iberdrola will acknowledge receipt of communications to informants who identify themselves, within the legally established maximum period of seven days following receipt, unless this could jeopardise the confidentiality of the communication.

Iberdrola will process complaints provided that they are not unfounded or implausible and constitute conduct within the objective scope of this channel as indicated above, within a maximum period of three months, except in cases of particular complexity that require an extension of the period, in which case this may be extended for up to a maximum of a further three months.

The processing of claims will be carried out by the competent Compliance Unit or department, which will act with due diligence and promptness, respecting in all cases the right to the presumption of innocence, honour and defence of the persons affected.

Where possible and if deemed necessary, the person responsible for handling the claim may contact the informant and request additional information.

Please note that you may also use the external information channels provided by the competent authorities to report your claims:

When using the Internal reporting system, you have the following obligations:

  • You must make responsible use of the channel, and under no circumstances should you make allegations that are unfounded or in bad faith.
  • You should be respectful and observe decorum and good manners in your reporting of any other person, as Iberdrola is not responsible for any derogatory comments you may make against any third party.
  • You must ensure, where applicable, that the personal data provided are true, accurate, complete and up to date.

Iberdrola, S.A. and the companies that form part of the Iberdrola Group in accordance with commercial law (hereinafter, any of them, "Iberdrola" and, jointly, "Iberdrola Group") are committed to protecting your privacy and complying with personal data protection legislation, in particular, where applicable, the General Data Protection Regulation ("GDPR") and the personal data protection legislation applicable in each country in which Iberdrola Group companies are domiciled. Your personal data will be processed lawfully, faithfully and transparently for specific, explicit, legitimate purposes, and only where appropriate, pertinent and limited to what is strictly necessary for the purposes for which it is processed. In addition, we will store your data in a form which permits identification only for as long as is necessary to fulfil the purposes of the processing.

Iberdrola has implemented the necessary technical and organisational measures to protect your data from accidental loss or unauthorised alteration, access, use or disclosure, having also established procedures to respond to any security incident that could affect your personal data. 

This privacy notice informs you of the way in which your personal data will be processed due to your query or claim submitted through Iberdrola's Internal reporting system. 

In the event that it becomes necessary to update the terms of this privacy notice, we will notify you in a timely manner.

Who is the data controller for your personal data?

The data controller is the Iberdrola Group company with which you have an employment and/or contractual relationship, or with which your employer company (or for which you provide services) has a contractual relationship, or the company with which your query or claim is linked. 

In any case, Iberdrola, S.A. and/or the subholding company of the parent company responsible for the processing will process your personal data in order to comply with the Governance and Sustainability System and to carry out centralised management in the area of compliance of the companies of the Iberdrola Group based on the appropriate coordination and the best performance of the functions of the persons responsible for the internal information system.

Iberdrola has appointed the following Data Protection Officers with respect to the following companies, who may be contacted in relation to any matter related to this privacy notice:

What personal data do we process and how do we collect them?

We will only process personal data that is strictly necessary for the purposes set out in the following section, all of which can be grouped according to the following categories:

  • Identification data: name, surname(s) and email address.

  • Any other personal data that, where appropriate, you include in the query and/or claim.

We obtain the aforementioned data directly when you include them in the Internal reporting system form.

For what purposes will we process your data?

The information you provide will be processed in order to manage, investigate and respond to the query and claim sent through the Internal reporting system.

What is the legal basis for processing your data?

The legal basis for the processing of your personal data according to the purposes indicated in the previous section is:

  • Legal obligation, in case of queries and claims concerning actions or omissions of EU law;
  • Public interest, in the case of queries and claims that refer to shareholders, conduct or omissions that could be contrary to the general or sector-specific regulations that may be applicable;
  • Iberdrola's legitimate interest, in the event of queries and claims that refer to Iberdrola's internal regulations and Code of Ethics, in the detection and prevention by Iberdrola of actions that may be contrary to its Code of Ethics, in order to ensure that its activities and those of persons related thereto are carried out in accordance not only with applicable law but also with the Iberdrola Group's corporate governance system and generally accepted principles of ethics and social responsibility.

Finally, we inform you that when the processing is based on the legitimate interest of any of the Iberdrola Group companies subject to data protection legislation that so requires, the latter has carried out the corresponding legitimate interest assessment, in order to ensure that the necessary guarantees have been taken into account for the adequate protection of your rights. If you would like to know the conclusions of any of the legitimate interest assessments, you can request them from the Data Protection Officer at the address indicated in section "Who is the data controller for your personal data?".

How long do we store your data?

The personal data that you provide us with when you send a query or claim to the Internal reporting system will be stored for the time necessary to resolve it. Once a minimum period of three months has elapsed after receipt of the communication without any action having been initiated, your personal data will be duly blocked, until the conclusion of any associated legal actions.

In the event that personal data are provided to us in a claim, they will be kept for the time necessary to decide whether to initiate an investigation into the reported facts. However, if it is proven that the information provided or part of it is not truthful, it will be deleted as soon as this circumstance becomes known, unless the lack of truthfulness may constitute a criminal offence, in which case the information will be kept for the time necessary during the processing of the legal proceedings. Notwithstanding the foregoing, your data may be retained where necessary to provide evidence of the operation of Iberdrola's crime prevention system. Once the aforementioned periods have elapsed, your data will be stored, duly blocked, until the statute of limitations has expired for any possible legal action, with the exception of reports that have not been followed up, which will be kept anonymous.

Notwithstanding the fact that your data must be erased from the Internal reporting system and other information systems for internal reports, your data may continue to be processed by the corresponding body when it is necessary to do so in order to adopt disciplinary measures or for any court proceedings that may result.

To whom will your data be disclosed?

We inform you that your identity is confidential and will not be communicated either to the persons affected by the facts reported or to third parties. It may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of the corresponding investigation, whether criminal, disciplinary or sanctioning, informing you beforehand about the disclosure and the reasons for it, unless there is a danger of compromising the investigation.

Your data may be communicated to Iberdrola, S.A. and/or to the subholding company of the parent company responsible for the processing in order to comply with the Governance and Sustainability System, to carry out centralised management in the area of compliance of the Group companies, based on the appropriate coordination and better performance of the functions of the persons responsible for the internal information system.

Your data will also be accessible by internal service providers or service providers with whom Iberdrola may enter into agreements and for the performance of which such access is necessary, such as consultancy services, IT services, file management, etc. We have signed contracts with all of them under which they guarantee that such third parties will comply with their obligations as data processors. In this context, in the event that they are located in the European Union but carry out international transfers of data during the provision of the services for which they are responsible, Iberdrola will ensure that they have the appropriate safeguards in place so that your data are protected in the destination country and organisation under the same or similar terms to those provided for in European regulations. You may contact Iberdrola at any time to find out the specific safeguards implemented for the adequate and appropriate protection of your personal data.

What are your rights?

You have the right to access your personal data that is being processed, as well as to request that inaccurate data be rectified or, where applicable, erased when it is no longer required for the purposes for which it was collected. You may also exercise your right to object to or restrict the processing thereof or the right to seek the portability of your data.

You can submit requests to exercise your rights through the following channels:

If applicable, you also have the right to lodge a claim with the Spanish Data Protection Agency (Agencia Española de Protección de Datos) or the competent supervisory authority.