PRIVACY POLICY OF IBERDROLA CLIENTES PORTUGAL, UNIPESSOAL, LDA.

This privacy policy is applicable to the handling of personal data by IBERDROLA CLIENTES PORTUGAL, UNIPESSOAL, LDA. (hereinafter referred to as "IBERDROLA Clientes" or "IBERDROLA") on its websites, apps and any other digital platform or electronic medium in which personal data are handled. This policy will also be applicable to, in that it may affect, the handling of data of users of social networks where IBERDROLA carries out any processing of their data, and in relation to their relationship with IBERDROLA.

HOW WILL PERSONAL DATA BE HANDLED?

Who is responsible for handling your data?

IBERDROLA CLIENTES PORTUGAL UNIPESSOAL, LDA., with corporate TIN no: 502124083, and registered office at Avenida da Liberdade, no. 180 A, 6th floor, Tivoli Fórum, 1250-146 Lisbon, is responsible for handling data provided by the Customer, and guarantees its security and its confidential treatment, in compliance with the content of the General Data Protection Regulation ("GDPR") and of any other applicable legislation.

The user may contact the Data Protection Manager for clarification of queries regarding the treatment of their personal data, at dpo@iberdrola.pt.

What do we use your personal data for?

In IBERDROLA's digital platforms, collection and handling of users' personal data will be done in accordance with the company's relationship with the user, for the following purposes:

For user registration, to provide access to the digital platform and to the contract data and contact information available to said user, as well as in order to access and use the digital platform and to meet IBERDROLA's legal obligations as an information service provider company.

If the user has Touch ID access enabled on their mobile device (smartphone or tablet), it will be possible to access their account with a touch, by giving us consent through activating it in the app. The user has the power, at any moment, to disable the Touch ID, which is stored on their mobile device.

Iberdrola has no access to the Touch ID information registered in your mobile or tablet, as this information is only kept by Apple/Google, regarding its legal terms and conditions and privacy policies.

For making queries or orders, the data will be used to process these.

Similarly, browsing and user cookies data may be handled in order to improve your user accessibility, for customising and analysing your browsing, as well as for displaying advertising that is based on your interests, in accordance with our cookies policy, which must be accepted by the user prior to browsing our digital platform.

Other specific purposes indicated in the data collection forms on the digital platform, and without which IBERDROLA cannot process the form in question.

For contracting services or products via the digital platform, the purpose is to manage your relationship with IBERDROLA, provide the services requested, manage customer services and, in general, comply with the Contract's obligations. Likewise, IBERDROLA may consult asset and credit solvency files in order to assess the Customer's economic solvency and, based on this, take decisions affecting the Customer, without prejudice to applicable legal and regulatory obligations. Even so, IBERDROLA will always allow the Customer to claim everything the Customer deems pertinent in order to defend their rights or interests.

IBERDROLA may, with the user's consent, update and enrich the user's personal data by acquiring databases from public access sources that allow improved management of the relationship and contact with the user.

IBERDROLA will also handle personal data with a view to offering, via electronic media, in a segmented and personalised way, information on the supply of energy, products and services, from itself or from third parties promoted by IBERDROLA, if said third parties have an energy, telecommunications, financial, home and entertainment licence, a purpose for which IBERDROLA may use automated support systems and other means to define the profiles of the target audiences of campaigns, activities or actions, using for this purpose information from IBERDROLA, as well as information from third party sources, if the user has also consented to this. These actions in relation to customers may be carried out even after the end of the contractual relationship with the Customer, if the Customer has so consented.

Additionally, IBERDROLA may use the data in a manner that is dissociated from the user, always preserving their anonymity, even after the end of the contractual relationship, in order to use said data in their support systems for decision-making and business management.

How long will we keep your data?

The personal data provided by users for contracting products and services will be handled by IBERDROLA during the time in which the contractual relationship remains in force, beginning when the Contract is formalised, and ending, regardless of the Contract's term, after all contractual obligations have been met, such as fulfilment of requests for information, and customer complaints and billing review, without prejudice to the data retention obligations resulting from the applicable regulations in each case.

If the user has provided consent, their data may be handled after termination of the Contract or after cancellation by a user who has no existing contracts, for a period of 2 years, without prejudice to the data retention obligations required by applicable legislation in each case, in order to meet emerging data-handling responsibilities.

For remaining users, the data retention period will be 2 years from collection of same, without prejudice to the data retention obligations resulting from applicable legislation in each case.

What provides legitimacy for the handling of your data?

Legitimacy for the handling of your data is provided via the user consents obtained when using the digital platforms, as a result of contracting products or services, from regulations applicable to the supply of electricity, gas and similar products and services, and any other regulations applicable at any time.

User consents are obtained both when the user registers, and during the different contracting or ordering actions carried out on the digital platform, and may be modified at any time by the user, by the exercising of their rights. Handling may also be based, in the case of customers with contracts in force, on IBERDROLA's legitimate interests for supplying energy, and related products and services, loyalty actions, including sports, cultural and charitable actions in which IBERDROLA participates, in making profiles for offering products or services similar to those contracted, and for communicating these data to third parties in order to carry out administrative procedures for customer admission, fraud prevention, registering of claims, and debt collection.

Legitimate interest includes the handling of user data for security management and access control for information support systems.

If, in order to process any contract or specific order, it is necessary for the user to provide personal data of person/s other than the holder, the user must inform them in advance, and specifically of the content of this policy, and obtain their prior consent for the handling of their data.

In order to register as a user on IBERDROLA's digital platforms, it is necessary to declare that the users are of adult age, because such registration is not permitted for minors. Therefore, with registration you are declaring and guaranteeing that you are of legal age. In any event, IBERDROLA exempts itself from responsibility for the handling of minors' data, such as is carried out without the consent of said minors' parents or guardians.

Who will your data be given to?

For contracts, the data necessary for managing access to the network will be communicated to the Distributor and will be put in a file that is their responsibility (registration of delivery point), which may be accessed at any time by those permitted to by legislation.

IBERDROLA, in turn, works with third-party service providers, such as sales channels, administrative support, telephone answering services, banks, collection companies, marketing and advertising companies, auditors and others, which, in certain cases and with the necessary guarantees, will be able to access your data, for processing purposes.

IBERDROLA may transfer the data to competent authorities or public bodies for compliance with legal and tax obligations. The data relating to this Contract will be sent to the Tax and Customs Authorities in accordance with Article 125 of the Municipal Property Tax Code (approved by Decree-Law no. 287/2003, November 12, with subsequent amendments) and with other applicable legal provisions. On the other hand, data relating to Customers with special requirements, or Priority Customers, will be sent to the Distributor, for the purposes of registering their information, in accordance with the terms set forth, respectively, in Articles 101 and 104 of the Electricity and Natural Gas Sector Service Quality Regulation (Regulation of Energy Services Regulatory Body, no. 629/2017, in RD, 2nd series, no. 243, of December 20, 2017).

Users may communicate with IBERDROLA via their profile on social networks, such as Facebook and Twitter, located in the United States. Data transfers will be covered by the EU-US Privacy Shield agreement (more information available at https://www.privacyshield.gov/welcome) or by explicit consent of the interested party, where applicable.

What are your rights when you've given us your data?

In order to access certain services, you must become a registered user on the digital platform. The data for completing the Registration Form are provided in a free and voluntary way, and the data must be true and accurate. The user undertakes to make careful use of, and not to make available to third parties, his/her username and password, and to communicate to IBERDROLA, as soon as possible, the loss or theft thereof, or any risk with regard to access by a third party.

The data the user provides in order to contract services or products are necessary for maintaining the contractual relationship, and failure to provide such data would render the management of such a relationship impossible.

The user is responsible for the veracity of the data provided, and should request modification of said data whenever such is necessary in order to guarantee its correct processing, correct provision of the services contracted, and correct execution of communications.

The user may exercise their rights of access, rectification or, where appropriate, request deletion of their data, when such are no longer necessary for the purposes for which they were collected, among other reasons.

The user may request limited handling of their data, for the cases established in Article 18 of the GDPR, in which case said data will only be kept for exercising or defending any complaints.

The user may withdraw their consent at any time, by opposing the use of their data for a particular purpose, without affecting the lawfulness of the use, based on the consent given prior to its withdrawal, or oppose the latter, in which case the user's personal data will only be kept for exercising or defending any complaints.

The user may contact IBERDROLA to challenge any decision they believe might affect their rights and freedoms or legitimate interests, and such as is based on an automated decision, including production of profiles. This right allows the user to challenge such a decision and to obtain a direct response from IBERDROLA's managers.

The user may request from IBERDROLA portability of their personal data, obtaining an electronic copy of same, either by sending it to the e-mail address they provide, or in the pertinent section of IBERDROLA's website.

All of these rights may be exercised by means of a letter addressed to IBERDROLA CLIENTES PORTUGAL, UNIPESSOAL, LDA., Apartado 12011, EC Picoas, 1061-001 Lisboa, or through any of IBERDROLA's channels: Customer Service Telephone no. 808 502 050; e-mail: protecaodados.comercial@iberdrola.pt; "My Client Area" at www.iberdrola.pt, as well as at any of the Service Points, indicating the identification data, address or contact email, reasons for the request, and supporting documentation; you must therefore provide a copy of a document proving your identity.

If the user does not obtain the desired response or satisfaction, IBERDROLA informs them of their right to file a complaint with the National Data Protection Commission, based at Avenida Dom Carlos I, no. 134, 1200-651 Lisboa, or via the internet, at www.cnpd.pt.

Security measures

Access to the digital platforms, via which the user of the website or App contracts IBERDROLA products or services, is done in a secure environment. To confirm that you are at our Company's website, check that, in your browser's address bar, the link is marked with the word "seguro" (secure) in green. Similarly, you can ensure you are in a secure environment by checking the "url" address that appears in properties (by right-clicking). This "url" address starts with "https", where the "s" indicates that the content is being offered via a secure server.

Links

IBERDROLA's digital platforms sometimes provide links to other digital platforms or content owned by third parties. The sole purpose of these links is to provide the user with the ability to access further information via them. In no event shall IBERDROLA be liable for the results that may impinge on the user due to accessing such links.

The user and, in general, any natural or legal person who seeks to establish any technical means of connecting, from its digital platform, to any of IBERDROLA's digital platforms, must obtain IBERDROLA's prior written authorisation. Establishment of any such connection does not imply, in any event, the existence of relations between IBERDROLA and the owner of the platform with which the connection is established, nor does it imply IBERDROLA's acceptance or approval of its contents or services.