Iberdrola Group companies' whistle-blower channel terms of use

Terms and conditions of use and privacy notice

The Internal reporting system or complaints channel system is the channel that Iberdrola has created for you to report (i) any conduct by any professional of the Iberdrola Group that may involve any irregularity or action contrary to the Law or to the Governance and sustainability system of the Iberdrola Group or to the rules of conduct of the Code of Ethics aimed at the Group's professionals (ii) the commission by a supplier, by one of its subcontractors or by their respective employees, of any act contrary to the law or to the provisions of the Supplier Code of ethics in the context of their business relationship with the companies of the Iberdrola group. 

It is not mandatory to identify yourself in order to submit a complaint, but should you decide to do so, Iberdrola guarantees absolute confidentiality of both the information provided and your personal data, together with a commitment of no reprisals.

Iberdrola will acknowledge receipt of the communications received to the informants who identify themselves within the legally established maximum period of seven days following receipt, unless this could jeopardise the confidentiality of the communication.

Iberdrola will process complaints provided that they are not unfounded or implausible and constitute conduct within the objective scope of this channel as indicated above, within a maximum period of three months, except in cases of particular complexity that require an extension of the period, in which case this may be extended for up to a maximum of a further three months.

The processing of complaints will be carried out by the competent Compliance Unit or department, which will act with due diligence and promptness, respecting in all cases the right to the presumption of innocence, honour and defence of the persons affected.

Where possible and if deemed necessary, the person responsible for handling the complaint may contact the informant and request additional information.

Please note that you can also address your communication to the external information channels of the competente authorities or bodies.

By using the Internal reporting system, you have the following obligations:

  • To make responsible use, and under no circumstances should you make allegations that are unfounded or in bad-faith.
  • You should be respectful and observe decorum and good manners in your reporting of any other person, as Iberdrola is not responsible for any derogatory comments you may make against any third party.
  • You must ensure, where applicable, that the personal data provided are true, accurate, complete and up to date.

Iberdrola, S. A and the companies that form part of the Iberdrola Group in accordance with commercial law (hereinafter, any of them, “Iberdrola” and, jointly, “Iberdrola Group”) are committed to protecting your privacy and complying with personal data protection legislation, in particular, where applicable, the General Data Protection Regulation ("GDPR") and the personal data protection legislation applicable in each country in which Iberdrola Group companies are domiciled.

Your personal data will be processed lawfully, faithfully and transparently for specific, explicit, legitimate purposes, and only where appropriate, pertinent and limited to what is strictly necessary for the purposes for which it is processed. In addition, we will retain your data in a form which permits identification only for as long as is necessary to fulfil the purposes of the processing.

Iberdrola has implemented the necessary technical and organisational measures to protect your data from accidental loss or unauthorised alteration, access, use or disclosure, having also established procedures to respond to any security incident that could affect your personal data. 

This privacy notice informs you of the way in which your personal data will be processed due to your query or complaint submitted through Iberdrola's Internal reporting system. 

In the event that it becomes necessary to update the terms of this privacy notice, we will notify you in a timely manner.

Who is the data controller for your personal data?

The data controller is the Iberdrola Group company with which you have an employment and/or contractual relationship, or with which your employer company (or for which you provide services) has a contractual relationship, or the company with which your query or claim is linked. You may access the information regarding each data controller at the corporate website: https://www.iberdrola.com/documents/20125/42388/IB_Annual_Financial_Information.pdf (Anex I).  

The data controller will process your personal data to comply with the Governance and sustainability system.

Iberdrola has appointed the following Data Protection Officers with respect to the following companies, who may be contacted in relation to any matter related to this Privacy Policy.

What personal data do we process and how do we collect them?

We will only process personal data that is strictly necessary for the purposes set out in the following section, which you enter directly in the Internal Information System form. 

For what purposes will we process your data?

The information you provide will be processed in order to manage, investigate and respond to the query and complaint sent through the Internal reporting system.

What is the legal basis for processing your data?

The legal basis for the processing of your personal data according to the purposes indicated in the previous section is:

  • Legal obligation, in case of queries and complaints concerning actions or omissions of EU law;
  • Public interest, in the case of queries and claims that refer to shareholders, conduct or omissions that could be contrary to the general or sector-specific regulations that may be applicable;
  • Iberdrola's legitimate interest, in the event of queries and complaints that refer to Iberdrola's internal regulations and Code of ethics, in the detection and prevention by Iberdrola of actions that may be contrary to its Code of ethics, in order to ensure that its activities and those of persons related thereto are carried out in accordance not only with applicable law but also with the Iberdrola Group's Governance and sustainability system and generally accepted principles of ethics and social responsibility.

How long do we store your data?

In the case of queries, the personal data you provide us with when you submit an query to the Internal Information System will be processed for a period of two years from its receipt. 

In the case of complaints, the personal data you provide when you submit a complaint to the Internal Reporting System will be processed for a maximum period of 3 months from receipt, unless the complaint leads to the opening of an investigation file, in which case it will be processed until the file is closed. 

However, in the event that it is proven that the information provided or part of it is not truthful, it will be deleted as soon as this circumstance comes to light, unless this lack of truthfulness may constitute a criminal offence, in which case the information shall be kept for the necessary time during the legal proceedings. Notwithstanding the foregoing, your data may be retained where necessary to provide evidence of the operation of Iberdrola's crime prevention system. 

Once the aforementioned periods have elapsed, your data will be duly blocked until the end of the statute of limitations period for possible legal actions. Complaints that have not led to the opening of an investigation file are exempted from the blocking and will be deleted.

Notwithstanding the fact that your data must be erased from the Internal reporting system and other information systems for internal reports, your data may continue to be processed by the corresponding body when it is necessary to do so in order to adopt disciplinary measures or for any court proceedings that may result.

To whom will your data be disclosed?

We inform you that your identity is confidential and will not be communicated either to the persons affected by the facts reported or to third parties. It may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of the corresponding investigation, whether criminal, disciplinary or sanctioning, informing you beforehand about the disclosure and the reasons for it, unless there is a danger of compromising the investigation.

Your data will also be accessible by internal service providers or service providers with whom Iberdrola may enter into agreements and for the performance of which such access is necessary, such as consultancy services, IT services, file management, etc. We have signed contracts with all of them under which they guarantee that such third parties will comply with their obligations as data processors. In this context, in the event that they are located in the European Union but carry out international transfers of data during the provision of the services for which they are responsible, Iberdrola will ensure that they have the appropriate measures in place so that your data are protected in the destination country and organisation under the same or similar terms to those provided for in European regulations. You may contact Iberdrola at any time to find out the specific safeguards implemented for the adequate and appropriate protection of your personal data.

What are your rights?

You have the right to access your personal data that is being processed, as well as to request that inaccurate data be rectified or, where applicable, erased when it is no longer required for the purposes for which it was collected. You may also exercise your right to object to or limit the processing thereof or the right to seek the portability of your data.

You can submit your requests to exercise your rights by sending an e-mail through the following channels:

Please note that you can also file a complaint with the Spanish Data Protection Agency (www.aepd.es) or the equivalent control authority.