The EDP Group companies always prioritize in their relationship with their customers, employees, service providers, suppliers, partners and other interested parties, strict respect for their privacy. The protection of personal data is a cornerstone of the EDP Group companies’ activity. Ensuring that we carry out our activities in compliance with all data protection legal requirements and highest standards is fundamental for us.

Hence, the EDP Group companies adopt and follow specific Privacy Policies comprised in the Group’s global compliance risk management approach, which content is disclosed to relevant data subjects. These Privacy Policies apply to the entire lifespan of data processing operations carried out by Group Companies and Service Providers. Service providers process the personal data only following documented instructions from EDP.

Data Protection Officer or equivalent officers are appointed in geographies/business units where such legal requirement exists and whenever EDP deems it relevant, despite the inexistence of such requirement. EDP also designates teams responsible for ensuring that the organization complies with legal and regulatory requirements, policies and guidelines approved internally, through the implementation of methodologies and procedures aimed at preventing, detecting and addressing any deviation or non-conformity that might occur, as well as supporting Group employees and raising awareness about the rules to be observed when processing personal data.

These Data Protection Officers or equivalent officers are permanently available to the data subjects, also ensuring the interactions with the competent data protection authorities.

The EDP Group incorporates mechanisms to safeguard data protection in all of its new projects, products and services, continuously monitoring how they impact the privacy of its customers and other data subjects. In this way, we intend to mitigate any data protection risks while ensuring sustainable and ethical innovation and growth. The Group leverages the potential of information technologies in a responsible manner, seeking to avoid any type of discrimination and explaining to all agents involved how such technologies affect their privacy. 

In order to support its firm commitment, the EDP Group globally observes the following values and principles:

1. LAWFULNESS AND PURPOSE

EDP Group companies only process personal data for legitimate and clearly defined purposes. The main reason we use data is for the performance of contracts with our customers or, for the management of our operation, contracts with employees, contracts with service providers and other stakeholders.

On the other hand, there are several laws in the legal system that establish legal obligations, which lead to the processing of personal data. For example, tax obligations, corporate reporting or in the context of preventing money laundering and terrorism financing. The processing of data in these cases is the strictly necessary for the fulfillment of such obligations.

For example, if we need to use information about the residence or energy consumption of our customers, we will only do so to provide the requested services or to comply with our legal obligations, unless we have obtained the explicit consent of the data subjects or if our business interests do not override their private sphere.

In fact, unless our customers object at the time of the collection of their contact details and on any other occasion, we use our customers' data to electronically communicate our own similar products. We can also use them to collect overdue debts. These processing operations are carried out within the scope of the performance of the contract and, also, under EDP's legitimate interest, always ensuring that fundamental rights and freedoms of the data subjects are not overridden by such interest.

Lastly, always subject to the explicit consent of the data subjects which can be withdrawn at any time, we may use the collected data for other purposes such as the publication in our internal and external communication channels of images of employees and other participants in internal and public events or to communicate to our customers new products and services adapted to their needs and preferences.

2. FAIRNESS AND TRANSPARENCY

We inform all our customers, users, employees, suppliers and partners about how we process their personal data, why we do it, for how long we keep them and with whom we share them. Where appropriate, we ask data subjects for their informed consent, not harming them if they decide not to consent or to withdraw their consent. 

In the event of a personal data breach, we notify the competent supervisory authority and communicate it to the relevant data subjects, whenever the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. We seek to immediately repair or minimize its negative effects.

3. PROPORTIONALITY

We only collect and use personal data that is strictly necessary in relation to our legitimate purposes.
EDP collects and processes identification data (name and civil or tax identification numbers, contact details: addresses and telephone contacts), data from its customers' energy installations and other information related with the contractual relationship, such as products and services acquired, payment or debts information.

Personal data will only be accessed by persons or entities that have an effective need to know it. These persons will act on our behalf and under our instructions and observe the strictest confidentiality rules. As described above, personal data may also be accessed by tax authorities, other regulatory or supervisory authorities, courts and other entities to whom EDP is required to communicate data under the law.
Once the data is no longer needed, EDP Group permanently erases or makes it unintelligible, unless its retention is legally mandatory.

4. CONTROL

All data subjects of personal data used by EDP Group companies have control over their own data. EDP Group companies provide adequate channels for the exercise of their rights of access, rectification, erasure, limitation, portability and opposition, ensuring effective and timely responses. At EDP, we seek to make things clear to you and respect your decisions.

In addition, EDP continuously monitors compliance with its Privacy Policies, both internally and by its external service providers.

In case of non-compliance with these regulations, EDP has a “zero tolerance” approach, applying the appropriate disciplinary or contractual measures.

5. PRIVACY SINCE “0” MOMENT

When designing a new business or service model, EDP Group companies assess its impact on data subject’s privacy, striving to mitigate the risks that may arise from it. In this context, EDP implements security techniques (such as pseudonymization) whenever applicable, restricts access to data to a  limited number of people and consults with legal advisors or the competent authorities for advice on the best way to comply with data protection legal requirements.

6. RESPONSIBILITY

We define accountabilities, responsibilities and reporting lines in each EDP Group company in order to ensure compliance with data protection legislation. In this way, each department and employee is, at all times, aware of the concerns they must consider when processing personal data in the exercise of their functions as well as about how to act in case of detection of a personal data breach that may negatively affect the privacy of data subjects.

7. SECURITY

We implement technical measures in line with the best market practices and develop processes and procedures that allow us to maintain all personal data that we handle in appropriate security conditions, considering the risks involved.
In this regard, the EDP Group limits and controls access to all its IT systems, applies encryption and anonymization techniques to the information it stores and performs periodic backups. EDP Group Information Systems Security area works continuously to prevent undue access to the personal data we process and to guarantee the permanent resilience of our companies' information systems.

Additionally, EDP only uses information technology service providers that offer sufficient guarantees
of compliance with the rules and data protection in force.

EDP reserves the right to change this Personal Data Protection Policy at any time. Any changes will be duly publicized on the website. 

Approved by the EBD in a meeting held in June 2nd, 2020.