Conditions of use and privacy policy of the suppliers' ethics mailbox

The suppliers' ethics mailbox (“Suppliers' Ethics Mailbox”) is a channel provided by Iberdrola for you to report (i) any conduct by an employee of Iberdrola Group that may entail an irregularity or violation of the law or the Corporate Governance System of the Iberdrola Group, or (ii) any illegal act or crime perpetrated by a supplier or one of its subcontractors or employees, or violation of any law or the provisions in the Suppliers' Code of Ethics within the framework of their business relationship with companies in the Iberdrola Group. You can also use the Suppliers' Ethics Mailbox to ask questions or send suggestions concerning the Suppliers' Code of Ethics.

Iberdrola guarantees that all information and personal data provided through the aforementioned mailbox will be kept fully confidential.

It is your obligation to use the Suppliers' Ethics Mailbox in a responsible manner, whereby you must never make allegations that are unfounded or in bad faith. Furthermore, any statement you make to report another person must be respectful and maintain decorum and decency. Iberdrola may not be held liable for any disrespectful comments you make against a third party. What is more, you must warrant that the personal data provided are true, correct, complete and current.

In accordance with the provisions of current legislation on personal data protection, specifically the General Data Protection Regulation (“GDPR”) we hereby inform you how(1) Nota the personal data that you provide through the Suppliers' Ethics Mailbox will be processed.

Who is responsible for processing your personal data?

The party responsible for the processing is the Iberdrola Group company that you selected when completing the data collection form (company with which you have a business relationship, “Iberdrola”) whose identification appears in your contractual documentation.

Contact details of the data protection delegate:

What personal data do we obtain from you and process?

Your personal data that we may process are those required in the corresponding form in relation to your name, surname and email address, as well as any other data which you include in your communication.

How do we obtain your personal data?

You provide us with your personal data via the Suppliers' Ethics Mailbox form.

For what purposes do we process your data?

The information you provide to us will be processed for the purpose of managing, investigating and responding to, as the case may be, enquiries and allegations submitted through the Suppliers' Ethics Mailbox.

What is the legitimation for processing your personal data?

The legal basis for processing your data is to ensure fulfilment of the contract signed between you and Iberdrola, and the legitimate interest of Iberdrola to identify and investigate potential legal violations, irregular conduct or breaches of applicable regulations by any supplier or third party that has relationships with the Group or its employees.

How long do we keep your data?

The personal data that you provide to us when you send an enquiry to the Suppliers' Ethics Mailbox is kept for as long as necessary to address the same, and in all cases for one year from receipt. Once this period has passed, the information will be duly blocked until any time limits on any potential associated legal action have passed.

The personal data that you send to us when submitting a report to the Suppliers' Ethics Mailbox will be held for the time required to decide whether an investigation should be launched and will be deleted in all cases once 3 months have passed from its submission, unless retaining the same is required to provide evidence of implementation of the Iberdrola crime prevention model.

Notwithstanding the required elimination of the data from the Suppliers' Ethics Mailbox and other possible information systems for internal whistleblowing, your data may be processed further by the corresponding organisation when so required to adopt disciplinary measures or implement legal proceedings.

To whom is your data disclosed?

Your data will only be disclosed to third parties when so required to process legal proceedings.

What are your rights?

You have the right to access your personal data subject to processing, and to request for the rectification of inaccurate data or, when appropriate, ask that they be erased when no longer required for the purposes for which they were collected, as well as to exercise your right to object to and limit the processing and portability of the data.

You may submit your requests to exercise your rights free of charge, ensuring that you attach a copy of your National Identity Card or equivalent document, via the aforementioned addresses of the data protection delegate.

If you are not satisfied that your rights have been asserted, you can lodge a complaint with the Spanish Data Protection Agency.

Information security

We have implemented the necessary technical measures to protect your data and information from accidental loss and unauthorised access, use and disclosure. However, despite the diligent implementation of such measures, the user should be aware that the security measures are not foolproof. Iberdrola is not responsible for the actions carried out by third parties who, in violation of said measures, access the aforementioned data and information.

We have established procedures for responding to any incident related to data security.

(1) Nota Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making data available, alignment or combination, blocking, erasure or destruction.