Supplier and prospective supplier privacy notice

Date: 22-05-2023

Iberdrola, S.A. has developed a tool for managing its relations with prospective suppliers interested in participating in tenders for the award of contracts with Iberdrola, S.A. or any of the companies of its corporate group (“Iberdrola Group” or “Group”), as well as with suppliers who have a contractual relationship with the Group. This tool (hereinafter referred to as the “Portal” or the “Suppliers and Prospective Suppliers Register” or “Register”) is managed by Iberdrola, S.A. and the information that it contains at any time as a result of interactions with third parties (interested suppliers, approved suppliers and contracted suppliers, as well as, in the case of legal entities, their representatives and contact persons) is accessible to all the companies of the Iberdrola Group, some of which are established outside the European Economic Area. A list of these companies is available at https://www.iberdrola.com/documents/20125/42388/IB_Annual_Financial_Information.pdf [PDF]

Consequently, for the purposes of personal data protection laws and regulations, we hereby inform you that any information about suppliers or prospective suppliers – or, in the case of legal entities, their representatives or contact persons – that is obtained as a result of a request for registration in the Portal or any preliminary contact or initiative with Iberdrola, S.A. or any of the companies in the Iberdrola Group for the purposes of qualifying as a supplier, entails the incorporation of information into the Portal and its subsequent access by any of the companies belonging to the Iberdrola Group.

Iberdrola S.A. and the companies of the Iberdrola Group (hereinafter referred to as “Iberdrola”) are committed to protecting your privacy and to complying with personal data protection laws and regulations, in particular and as may be applicable, the European General Data Protection Regulation (“GDPR”), the Spanish Organic Law on Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”) and local laws in the countries where the Iberdrola Group companies are established. Your personal data will be processed lawfully, faithfully and transparently for specific, explicit, legitimate purposes, and only where appropriate, pertinent and limited to what is strictly necessary for the purposes for which it is processed. Furthermore, we will keep your data accurate and updated. Your personal data will be stored to allow your identification only for the time necessary to comply with the purposes for which it is processed.

Iberdrola has implemented technical and organisational measures to protect your personal data from accidental loss or unauthorised or unlawful modification, access, use and disclosure, having also established procedures to respond to any security incident that could affect your personal data.

Through this Privacy Notice, we inform you about the processing of your personal data as a supplier and/or prospective supplier of the Iberdrola Group – or, in the case of a legal entity, as its representative or contact person – by virtue of your inclusion or that of the company you represent in the Iberdrola Suppliers and Prospective Suppliers Register, for the duration of your registration in this Register and as a result, where applicable, of your contractual relationship with Iberdrola.

In the event that this privacy notice is updated, this will be communicated to you in due course through the Iberdrola website.

In the event that, as a result of your inclusion or that of the entity you represent in the Iberdrola Suppliers and Prospective Suppliers Register and/or, where applicable, the contractual relationship you have entered into with Iberdrola, you provide us with third-party data, such as the names, positions and contact details of your employees, directors, shareholders or representatives, you should, prior to providing us with data, inform the third parties about the processing of the same in the terms set forth in this privacy notice.

This notice is intended to cover suppliers of Iberdrola Group companies globally. This notice may be supplemented with a local notice.

Who is the data controller for your personal data?

The data controller for your data is Iberdrola S.A., with its registered address at Plaza Euskadi 5, 48009 Bilbao, Spain, as the holder of the Iberdrola Group Suppliers and Prospective Suppliers Register and as a provider of procurement services to the companies of the Group.

Similarly, any of the companies of the Iberdrola Group are or may become a data controller for the data to the extent that (i) the information incorporated into the Suppliers and Prospective Suppliers Portal is provided by them, (ii) the companies access the content of the Portal, or (iii) you have, where applicable, a contractual relationship with any of them.

Where applicable, the companies of the Iberdrola Group have appointed Data Protection Officers. You can contact them via the email addresses listed below:

- Iberdrola SA: dpo@iberdrola.com

- Other Iberdrola Group companies in Spain: dpo@iberdrola.es

- Iberdrola Energía Internacional SAU, Iberdrola Clientes Internacional SAU and Iberdrola Renovables Internacional SAU: dpoiei@iberdrola.com

- Group companies in the UK: dataprotection_corporate@scottishpower.com

- Group companies in Italy: dpo@iberdrola.it

- Group companies in Portugal: dpo@iberdrola.pt

- Group companies in Ireland: dataprotection@iberdrola.ie

- Group companies in France: dpo@iberdrola.fr

- Group companies in Germany: datenschutz@iberdrola.de

- Group companies in Brazil: dpo@neoenergia.com

What personal data do we collect and process?

We may collect and process the following categories of personal data:

  • Identification data: first name, surname, national identity document/tax identification number/foreign residents ID, passport or similar identity document, postal address, landline/mobile phone number, email, photo and signature. For the contact person, also your email address, and, in some cases, your mobile phone, for the purposes of the two-factor authentication referenced in the section relating to the purposes of the processing.
  • Personal details: civil status, family information, date and place of birth, age, gender, nationality, languages. Furthermore, Avangrid, Inc. and its subsidiaries and other Iberdrola Group companies based in the USA, may collect information relating to race, ethnicity or disability or your status as a veteran with the purpose of complying with certain legislation and regulations, for equal employment opportunities reports and other legal and compliance purposes.
  • Academic and professional data: Professional activity, training, qualifications, work experience, membership of schools or professional associations, profession, job title.
  • Economic, financial and insurance data: Bank details for transfers and payments and tax and social security information, annual financial statements and activity or business.
  • Business data: services provided.
  • Additional information obtained from public registers or records and public reputational risk and compliance databases, which may include: data relating to activities and business, infractions and sanctions, condition of the interested party as a person with public responsibility, public company status or other information necessary to know if the supplier or prospective supplier meets the highest ethical standards that govern procurements by the companies of the Iberdrola Group.

We may ask that you provide the original documentation and deliver a copy of the same, as evidence to support the information you have submitted.

How do we collect your personal data?

We collect your personal data through the information that you provide to us during the registration process in the Iberdrola Suppliers and Prospective Suppliers Register through the various channels authorised for such purposes and, where applicable, during the procurement and contracting processes and during the contractual relationship with you or with the company you represent.

If you do not provide us with the personal data requested, we may not be able to proceed with your registration and qualification, or that of the entity you represent, as a supplier or prospective supplier of Iberdrola, or, where applicable, comply with the contractual relationship, fulfil our legal obligations and manage our activities appropriately.

We ask that you update your personal data in the event of any changes and always provide accurate information, as we must have your up-to-date information.

In addition, Iberdrola may process personal data of natural persons (e.g. representatives, directors or shareholders) associated with the company that is a supplier or prospective supplier of the Iberdrola Group, obtained lawfully from public registers and public reputational risk and compliance databases such as Refinitiv (https://www.refinitiv.com/en/products/world-checkkyc-screening/privacy-statement), Dow Jones (https://djlogin.dowjones.com/privacy/default.aspx?fcpil=es) or Informa (https://www.informa.es/textos-legales#privacidadbd). The supplier or prospective supplier agrees to inform them in accordance with this privacy notice, and to indemnify the Iberdrola Group for any damages that may arise from failure to comply with this obligation.

For what purposes will your personal data be processed and on what legal basis?

1. Participation in the qualification process as a prospective supplier of the Iberdrola Group, in accordance with the Group’s standards and Compliance procedures, and periodic verification that the supplier or prospective supplier meets the requirements, pursuant to the following legal basis: (i) if the data belongs to contact persons, directors, representatives or agents of a legal entity, Iberdrola's legitimate interest in verifying whether the prospective supplier or supplier meets the necessary requirements to be registered as an Iberdrola supplier and, if so, including them in the Register; and (ii) in the event that the data belongs to a prospective supplier or supplier who is a natural person, with respect to the data provided by the supplier, the need to process the data as a prerequisite for the potential execution of a contract, at the supplier’s request when registering in the Portal and, therefore, the precontractual measures and, with respect to the additional information obtained by Iberdrola, the legitimate interest of Iberdrola in verifying whether the prospective supplier or supplier meets the necessary requirements to be registered as an Iberdrola supplier and, if so, registering them in the Portal.

2. Management of the participation of prospective suppliers or suppliers in the purchasing processes, in accordance with the following legal basis: (i) if the data belongs to contact persons or representatives of a legal entity, Iberdrola's legitimate interest in managing present and future relations with the supplier; and (ii) in the event that the data belongs to a natural person, the precontractual measures related to the supplier’s request to participate in the aforementioned purchasing processes.

3. Internal management of prospective suppliers and suppliers, on the basis of Iberdrola's legitimate interest in keeping a record of prospective suppliers that have requested their registration as suppliers of Iberdrola and the results of their qualification processes, as well as administering and organizing Iberdrola’s relations with suppliers.

4. Performance of surveys and preparation of statistics and internal reports, on the basis of Iberdrola's legitimate interest in improving its relations with prospective suppliers and suppliers, obtaining statistics and preparing reports on these matters.

5. Communications related to sustainability, ethics, and compliance, on the basis of Iberdrola's legitimate interest in promoting awareness by its suppliers and prospective suppliers on these topics.

6. Maintenance, development and control, in all its aspects, of the contractual relationship, including the management of collections and payments, in accordance with the following legal basis: (i) if the data belongs to the contact persons or representatives of a supplier that is a legal entity, Iberdrola's legitimate interest in managing the relationship entered into with the supplier; and (ii) in the event that the data belongs to a supplier who is a natural person, the performance of the contract.

7. Administrative management, on the legal basis of Iberdrola's legitimate interest in maintaining adequate internal management of the Group.

8. Management of the coordination of business activities, prevention of occupational hazards, and health and safety activities, on the legal basis of compliance with applicable laws and regulations.

9. Transmission of tax data and compliance with other legal obligations and requirements and requests from regulatory, government and judicial authorities, on the legal basis of compliance with applicable laws and regulations.

10. In connection with administrative and judicial proceedings and actions before public authorities, on the legal basis of Iberdrola's legitimate interest in exercising its right to effective legal protection and its right of defense.

11. Management of complaints and inquiries in Iberdrola’s supplier's ethical channel, analysis of possible conflicts of interest and analysis of solvency, anticorruption, fraud, cybersecurity, sustainability, geopolitical, accident and other related risks, on the legal basis of a public interest and Iberdrola's legitimate interest in creating and maintaining information systems through which Iberdrola is made aware of the commission, within it or by third parties who contract with it, of acts that may be contrary to applicable law or the internal policies, rules and procedures of Iberdrola.

12. Access control to facilities and other security activities, on the legal basis of, in Spain, a public interest in protecting the security of people and property and Iberdrola’s facilities in the event of video surveillance activities, and, in all other cases, Iberdrola's legitimate interest in controlling access to the facilities for security purposes.

13. For the email address and, in some cases, the mobile phone number, of the contact person with the Iberdrola Group, to apply two-factor authentication for access to the information systems that consists of adding a second user verification method, on the basis of Iberdrola's legitimate interest in ensuring the security of its computer networks.

14. Invitations to information sessions and awards, on the basis of Iberdrola's legitimate interest in inviting you to events, functions and contests organized by Iberdrola.

15. External audit, on the legal basis of compliance with legal audit obligations for those companies required to carry out an external audit, or Iberdrola's legitimate interest in reviewing its accounts in cases where the Iberdrola Group company has no such legal obligation.

16. Maintaining information about previous contracts entered into by Iberdrola and the supplier, and the supplier’s participation in Iberdrola Group tenders, for the assessment purposes in relation to future contracts, on the basis of Iberdrola's legitimate interest in keeping a record of contracts and tenders to facilitate future contracting processes with the supplier.

With respect to the purposes indicated in sections 1 and 11 above and, specifically, with regard to the risk analysis, we hereby inform you that we may use personal data obtained lawfully from public registers and public reputational risk and compliance databases as noted in the section “How do we obtain your personal data?”.

Finally, we inform you that, where required by applicable law, when the processing of data is based on Iberdrola's legitimate interest, Iberdrola conducts a balancing test between Iberdrola’s legitimate interests and the rights of the data subject. When applicable, if you would like to know the conclusions of such balancing test, you can request them from the Data Protection Officer at the address indicated in the section “Who is the data controller for your personal data?”.

How long do we keep your data?

Your personal data will be processed during the timeframes indicated below:

- Purpose 1: (i) in the event that the supplier does not pass the initial Iberdrola supplier qualification process, the personal data will be processed until the end of the process, and (ii) in the event that the supplier does pass the initial qualification process, as well as for purposes 2, 3 and 16 above, the data will be kept for as long as the supplier or prospective supplier remains in the Iberdrola Suppliers and Prospective Suppliers Register and does not express a wish to no longer be considered for future tenders that Iberdrola may promote.

- Purpose 4: personal data will be processed until the survey, statistic or report has been prepared.

- Purposes 5 and 14: personal data will be processed for as long as the data subject does not object to such processing.

- Purposes 6, 7, 8, 9 and 13: personal data will be processed during the period necessary to comply with the purpose for which it was collected and, at least until the end of the contractual relationship.

- Purpose 10: personal data will be processed until the expiration of any obligations and liabilities derived from enforcement of a final and non-appealable administrative or judicial resolution.

- Purpose 11: in the event of management of complaints and inquiries in Iberdrola’s suppliers ethical channel, (i) in Spain, for the time required to decide whether to launch an investigation with respect to the facts included in the complaint or inquiry and, as a maximum, for three months from the date the data arrived to the ethics mailbox; and (ii) in Iberdrola Group companies domiciled in other countries, in accordance with its internal procedures. After these periods, the data may continue to be processed, outside of the ethics mailbox, by authorized users, until the conclusion of the investigation.

- Purpose 12: personal data will be kept in accordance with our internal procedures. With respect to personal data obtained by video surveillance cameras by Iberdrola Group companies located in Spain, data will be maintained for one month from the date it was obtained, at which time it will be deleted, unless it needs to be maintained to evidence the commission of acts that affect the integrity of people, property or facilities.

- Purpose 15: personal data will be processed at least until the end of the financial year in which the audit takes place and, where appropriate, afterwards, insofar as is required by law or regulatory requirements.

Data processed for the other purposes will be kept for as long as the supplier or prospective supplier remains registered in the Iberdrola Suppliers and Prospective Suppliers Register.

Once the previous periods have expired, the data may be kept blocked until the expiration of the statute of limitations of (i) obligations to which Iberdrola may be subject (including, for such additional periods as may be required by applicable law or regulation, court, administrative or arbitration proceedings, legal, regulatory or audit requirements, etc.) and (ii) potential actions or liabilities related to the contractual relationship or to the personal data processing. Thereafter, data will be deleted or disposed of in a manner intended to protect the privacy of such information (for example, and without limitation, by shredding, destroying, anonymizing or de-identifying personal data) and in accordance with our internal procedures and applicable law.

Who will receive your personal data?

The personal data of the supplier and/or prospective supplier – or, in the event that the supplier is a legal entity, its representatives or contact persons – may be communicated to third parties or public authorities (i) when this is necessary for the management, performance or enforcement of the contractual relationship, including compliance with our obligations or the exercise of our rights, on the basis of the performance of such a relationship; or (ii) if we are required to do so by law or regulation, including the compliance with court orders, legal process or government, judicial or regulatory requests. In addition, your data will be communicated to (i) external auditors to carry out their activities in those cases in which Iberdrola is obliged to do so in order to comply with its legal auditing obligations or, if not, on the basis of Iberdrola's legitimate interest in reviewing its accounts; and (ii), if necessary, to insurance and reinsurance companies, for the conclusion of contracts with such companies, on the basis of the execution of such contracts.

We may also communicate your data to third parties involved in corporate transaction processes and, specifically, in the due diligence processes related thereto, so that such third parties may access and review the information necessary within the framework of such transactions. The basis for the legitimisation of the communication is the legitimate interest of Iberdrola and the third parties in the success of such transactions. We may also communicate your data to third parties involved in corporate transactions, including during the due diligence processes related to the transactions.

The supplier's data – or that of its representatives or contact persons, in the event that the supplier is a legal entity – may be communicated to companies of the Iberdrola Group who may have an interest in entering into a contract with the supplier. The Iberdrola Group companies are those listed in Iberdrola’s corporate website https://www.iberdrola.com/documents/20125/42388/IB_Annual_Financial_Information.pdf [PDF]

In this context, in the event that the communication of your personal data occurs from Iberdrola Group companies located in the European Union to Iberdrola Group companies located outside the European Union, in countries that do not offer an adequate level of personal data protection, equivalent to that established in the European Union, we inform you that any such transfers are done in accordance with applicable data protection laws and with our binding corporate rules (“BCRs”). Having the BCRs means that all the entities of the Group that adhere to them must comply with the GDPR and with the same internal rules when processing personal data transferred from the European Union. This also means that your rights remain the same regardless of where Iberdrola processes your data. You can download a copy of the Iberdrola Group's BCRs at https://www.iberdrola.com/privacy-policy/binding-corporate-rules

Your data will be accessible by affiliates and third-party entities that provide, as data processors, services to Iberdrola, such as invoicing and payment services, administration of accounts payable, consultancy and reporting services, IT, Register management, training, security services. We sign contracts with third party providers which address their obligations as data processors. With respect to Iberdrola Group companies located in the European Union, when the affiliates and third parties are based in a third country that does not offer an adequate level of personal data protection, equivalent to that established in the European Union, Iberdrola Group companies established in the European Union will ensure that the third party has adequate measures in place to protect your data in the country and in the destination organisation under identical or similar terms to those applicable in European and, where appropriate, Spanish legislations. You may contact Iberdrola at any time to find out the specific measures implemented for the adequate and appropriate protection of your personal data.

What are your rights?

You have the right to access your personal data, as well as to request the rectification of inaccurate data or, where applicable, to request the erasure of data when it is no longer required for the purposes for which it was collected. You may also exercise your right to object to or limit the processing thereof or the right to seek the portability of your data. If we rely on your consent to process your data, you can revoke it at any time without this affecting the lawfulness of the processing carried out previously. To exercise your rights, please write to:

- For Iberdrola Group companies based in the European Union: Administration Department, Plaza Euskadi 5, 48009 Bilbao or at the following addresses Gestionterceros@iberdrola.es and desarrollosuministradores@iberdrola.es

- For ScottishPower Group companies: Administration-Vendors@scottishpower.com or Data Protection Officer, Scottish Power UK Plc, 320 St Vincent Street, Glasgow, G2 5AD.

- For Iberdrola Group companies based in Mexico: Gestionterceros@iberdrola.es or Boulevard Manuel Ávila Camacho No. 24, piso 19, Col. Lomas de Chapultepec, C.P. 11000, Ciudad de México.

- For Avangrid Group companies: VendorMaintenance_AdminUSA@avangrid.com or AVANGRID General Administration, 162 Canco Road, Portland, Maine 04103.

You can file a claim with the Spanish Data Protection Authority (www.aepd.es) or an equivalent supervisory authority.