Privacy Policy

The communication of irregularities in this channel may involve the processing of personal data that will be carried out in the following terms: 

A.  Responsible party for data processing: EDP -- Energias de Portugal, S.A. (EDP) is responsible for processing said data

B.  Purpose of treatment and legal basis: Personal data collected through this channel is intended for irregular practices' communications management related to financial matters or with possible violations of Law no. 83/2017, of August the 18th (Law of Prevention of Money Laundering and Combating the Financing of Terrorism) and the regulations that implement it. The respective treatment of personal data is based on the fulfillment of a legal obligation.

C.  Recipients: The processing of personal data may be carried out by a suitable service provider, hired by EDP. The aforementioned service provider will treat data exclusively for the purposes established by EDP and in compliance with the instructions issued by it, strictly complying with the legal rules on protection of personal data, confidentiality, information security and further applicable rules. EDP may also transmit the data to other entities that qualify themselves as responsible for data processing and using them for their own purposes, if the conditions of the law provided in the General Data Protection Regulation (GDPR) are fulfilled. Such entities include public authorities, for example Tax Authorities, Judicial Courts or competent Regulatory Authorities.

D.  International data transfers: In cases where the processing of personal data involves its communication to third parties established in countries outside the territory of the European Economic Area (EEA), EDP will ensure that these have adequate guarantees to process personal data, due to exposure to risk by data owners. 

E.  Retention period: In the case of reports of irregularities associated with financial matters, the personal data subject to the complaint will be immediately destroyed if they prove to be inaccurate or useless; when there is no place for disciplinary or judicial proceedings; the data that have been subject to proof will be destroyed after a period of 6 (six) months from the end of the investigations; in case of disciplinary or judicial proceedings, the data will be kept until the end of that procedure. For its part, the personal data collected in the scope of the treatment of irregularities' communications related to the Prevention of Money Laundering and Combating the Financing of Terrorism, must be kept under the terms of Law no. 83/2017, of August the 18th, for a period of 7 (seven) years, after the received irregularity communication processing closing date, without prejudice to other legal obligations for data conservation.

F.  Exercise of Rights: 

1) Of the Whistleblower: the data owner, in relation to the data that concern him, can, at any time and free of charge, exercise his rights of access, rectification, elimination of treatment limitation, or the right to oppose to the treatment. For this purpose she/he must send her/his request in writing through the channel itself or through the contacts below.

2) Of the Denounced: the data owner may, at any time and free of charge, exercise her/his rights of access, rectification, deletion of data and treatment limitation, or the right to oppose the treatment. For this purpose she/he must refer her/his request in writing through the channel itself or through the contacts below.

If you believe that EDP has or may have violated your rights under the applicable data protection legislation, you can file a complaint with the National Data Protection Commission.

For any question related to the privacy of personal data, the respective holder may contact EDP data protection officer (DPO), whose email address is dpo.pt@edp.com.