Privacy management

Privacy management model in the Iberdrola Group

The global data protection office led by the Iberdrola Group's data protection officer (DPO) supports the Iberdrola group in terms of privacy by coordinating the supervision of compliance with current regulations. The global DPO coordinates activities with the DPOs of the various Group companies and with the data protection partners of the various businesses.

This figure is supported by other cross-cutting functions in the Group such as Legal Services, Digital Transformation, Cybersecurity, Corporate Security, Compliance, Internal Audit and Business.

The coordination scheme of the DPOs of the Iberdrola Group is shown, as well as their coordination with the Group's other transversal functions.

Iberdrola has the Iberdrola Group's Personal Data Protection Policy [PDF], the approval and modification of which is the responsibility of the Company's Board of Directors and which establishes the global strategy on the matter. This policy defines roles, functions and interrelations between the different areas and businesses of the Group.

The Corporate Security Department, together with the Company's Legal Services, has internal regulations for the global management of data protection at Group level, which has been implemented by the Corporate Security Department and is mandatory for all the Company's managers and employees.

In addition, Iberdrola has a Global Framework for the Protection of the Group's personal data, which establishes the general criteria and the Group's global model for the protection of personal data. This Framework is applicable to all companies belonging to the group whose parent company, in the sense established by law, is the Company (the "Group"), within the limits established by the legislation applicable to the regulated activities carried out by the Group in the countries in which it operates, and respecting in all cases the special framework of enhanced autonomy applicable to listed subholding companies and their subsidiaries, and to those unlisted subholding companies that are not wholly owned by the Group and their respective subsidiaries, which are governed by their own personal data protection policies. These policies are consistent with the Group's global strategy on the protection of personal data, the implementation of which is developed by this Global PDP Framework.

In addition, the Iberdrola Group obtained approval from the Spanish Data Protection Agency (AEPD) of its Binding Corporate Rules (BCR) on data protection, in order to be able to carry out international transfers between the Group's companies. These BCRs oblige all member Group Companies [PDF] to comply with their provisions on the collection and processing of personal data, and to enforce them for all their employees.

Relationship structure

The different axes are related through the following forums or interactions:

  • Board of Directors of Iberdrola S.A.: The DPO will report annually to the Board of Directors on the most important aspects of the compliance activity it supervises.
  • Boards of directors of the subholdings: The different DPOs of the Iberdrola Group's holdings report annually to the boards of directors of the different holdings on the most important aspects of the compliance activity they supervise.
  • Cybersecurity and Data Protection Committee: The committee's function is to supervise the general state of Cybersecurity and Personal Data protection in the Group, facilitate its coordination and assist the Corporate Security Department in the implementation of the measures it approves, all under the terms set out in its Internal Regulations.
  • DPO Forums: Every six months, the global DPO organizes a meeting with the different local DPOs, with the assistance of a representative of the Legal Advisory function for Privacy, Internal Audit and Digital Transformation. The status of compliance with the Iberdrola Group's Privacy Governance model in each of the jurisdictions is reviewed, as are the specific problems that may be transversal to these organisations.

Coordination mechanisms

In order to ensure adequate coordination between the companies of the group, in accordance with the corporate structure and business model of the Iberdrola group, the following lines of coordination are established: 

  • Global operational coordination between the Global Data Protection Coordinators of the Business and Corporate Areas, the Global Data Protection Coordinator of Legal Services and the Global Coordinator, through the Global Cybersecurity Committee. 

  • Operational coordination at the local level between the local data protection officers of the business or corporate areas, the Local Data Protection Coordinator of the Legal Services and the Local Data Protection Coordinator of Corporate Security through the corresponding coordination group. 

  • Operational coordination at the business or corporate level: Local data protection coordinators and officers must report to the corresponding global coordinator on the relevant metrics, incidents and risks in terms of data protection, referring to their field of action.

Coordination and reporting scheme between the Personal Data Protection Officers in the different businesses and corporate areas, as well as the Data Protection Coordinators, global and local.

Relationships with third parties

In all relations with third parties, the companies of the Group must comply with the data protection legislation of their jurisdiction and that which is applicable depending on the processing of personal data that is carried out. 

They must also apply the following standards of action: 

  • Only processors who offer sufficient guarantees to implement the appropriate technical and organisational measures will be chosen, so that the processing is in accordance with the applicable legislation. 
  • The processor may not subcontract the processing of personal data to another processor without the prior written authorisation, specific or general, of the controller. Once authorised, the processor shall inform the controller of any planned changes concerning the addition or replacement of subcontracted processors, thus giving the controller the opportunity to object to such changes.
  • The personal data protection requirements to be included in the technical specifications delivered to the suppliers will be identified, taking into consideration the result of the risk assessment of the processing subject to the contract. 
  • The legal services will establish standard clauses that must be included in contracts with third parties and in the systems and platforms that allow access by employees or third parties and/or allow the collection or processing of Personal Data. 
  • In order to comply with the above obligations, a procedure for the protection of personal data in purchases will be developed.