Conditions of use and privacy policy of the suppliers' ethics mailbox

The suppliers' ethics mailbox ("Suppliers' Ethics Mailbox") is a channel provided by Iberdrola for you to report (i) any conduct by an employee of Iberdrola Group that may entail an irregularity or violation of the law or the Corporate Governance System of the Iberdrola Group, or (ii) any illegal act or crime perpetrated by a supplier or one of its subcontractors or employees, or violation of any law or the provisions in the Suppliers' Code of Ethics within the framework of their business relationship with companies in the Iberdrola Group. You can also use the Suppliers' Ethics Mailbox to ask questions or send suggestions concerning the Suppliers' Code of Ethics.

You are under no obligation to identify yourself should you wish to make an allegation. Furthermore, Iberdrola guarantees said anonymity, as well as the absolute confidentiality not only of the information provided, but also of your personal data should you decide to identify yourself. Iberdrola is also bound to prohibit any retaliation against those employees who choose to use these good faith channels.

It is your obligation to use the Suppliers' Ethics Mailbox in a responsible manner, whereby you must never make allegations that are unfounded or in bad faith. Furthermore, any statement you make to report another person must be respectful and maintain decorum and decency. Iberdrola may not be held liable for any disrespectful comments you make against a third party. What is more, you must warrant that the personal data provided are true, correct, complete and current.

Iberdrola, S.A ("Iberdrola") undertakes to protect your privacy and ensure compliance with the laws governing personal data protection, most particularly the General Data Protection Regulation ("GPDR") and the Organic Law on Data Protection and Guaranteeing Digital Rights ("LOPDGDD"). Your personal data will be processed: lawfully, faithfully and transparently; for specific, explicit, legitimate purposes; only if they are appropriate and pertinent; and such processing shall be limited to that which is strictly necessary for these purposes. We will keep your data accurate and updated. The data will be stored to allow your identification only for the time necessary to comply with the purposes for which it is processed.

Iberdrola has implemented the necessary technical and organisational measures to protect your data from accidental loss or unauthorised alteration, access, use or disclosure, and has also established procedures to react to any security incident that could affect your personal data.

By way of this privacy policy we inform you how the personal data that you provide through the Suppliers' Ethics Mailbox will be processed.

Who is responsible for processing your personal data?

The party responsible for the processing is the Iberdrola Group company that you selected when completing the data collection form (company with which you have a business relationship, "Iberdrola") whose identification appears in your contractual documentation.

Iberdrola has appointed the following Data Protection Officers with respect to the companies listed below. They may be contacted regarding any matter related with this privacy policy:

What personal data do we obtain from you and process?

Your personal data that we may process are those required in the corresponding form in relation to your name, surname and email address, as well as any other data which you include in your communication.

How do we obtain your personal data?

You provide us with your personal data via the Suppliers' Ethics Mailbox form.

For what purposes do we process your data?

The information you provide to us will be processed for the purpose of managing, investigating and responding to, as the case may be, enquiries and allegations submitted through the Suppliers' Ethics Mailbox.

What is the legitimation for processing your personal data?

In accordance with the abovementioned purposes, the legal basis for processing your data is the legitimate interest of Iberdrola to guarantee legality and that the employees of any supplier or third party that has relationships with Iberdrola complies with the Code of Ethics or any other internal regulation and public interest when it comes to compliance with the provisions of the law.

How long do we keep your data?

The personal data that you provide to us when you send an enquiry to the Suppliers' Ethics Mailbox is kept for as long as necessary to address the same, and in all cases for one year from receipt. Once this period has passed, the information will be duly blocked until any time limits on any potential associated legal action have passed.

The personal data that you send to us when submitting a report to the Suppliers' Ethics Mailbox will be held for the time required to decide whether an investigation should be launched and will be deleted in all cases once 3 months have passed from its submission, unless retaining the same is required to provide evidence of implementation of the Iberdrola crime prevention model.

Notwithstanding the required elimination of the data from the Suppliers' Ethics Mailbox and other possible information systems for internal whistleblowing, your data may be processed further by the corresponding organisation when so required to adopt disciplinary measures or implement legal proceedings.

To whom is your data disclosed?

Your data will only be disclosed to third parties when so required to process legal proceedings.

What are your rights?

You have the right to access your personal data subject to processing, and to request for the rectification of inaccurate data or, when appropriate, ask that they be erased when no longer required for the purposes for which they were collected, as well as to exercise your right to object to and limit the processing and portability of the data.

You may submit your requests to exercise your rights free of charge by contacting

You are also entitled to lodge a complaint with the Spanish Data Protection Agency.

(1) Nota Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making data available, alignment or combination, blocking, erasure or destruction.