PRIVACY POLICY AND PERSONAL DATA PROTECTION for Applicants
1. EDP Commitment
The EDP Group companies (hereinafter jointly referred to as EDP) are committed to protecting the privacy of Data Subjects and ensuring the security of their personal data.
In this context, this Privacy Policy demonstrates its commitment to and respect for privacy and personal data protection rules, ensuring that the Data Subjects know how EDP processes the personal data provided to it as part of the recruitment and selection process.
2. Scope
This Privacy Policy iapplies to all personal data collected through the SAP SuccessFactors platform (the “SAP SF”), as well as through the jobs.edp.com website (“Website”) and respective reserved area (“Reserved Area”) – in together referred to as “Platform”. The Platform is addressed to candidates who are interested in working with EDP and who formalize this interest by registering and/or filling in the application form on the Platform, hereinafter referred to as “Data Subjects”, and refers to the processing of personal data relating to these Data Subjects by EDP, in accordance with the applicable legislation in each relevant jurisdiction, namely the General Regulation on Data Protection (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 of April 2016 - “RGPD”), other legislation applicable at the European level and Brazilian legislation (Law No. 13.709/2018, General Data Protection Law - “LGPD”) and Colombian laws (Law No 1581 of 2012).
3. Data controller
The data controllers are:
EDP - Energias de Portugal, SA a collective person registered at the Commercial Registry Office with the number 500 697 256, with its head office at Avenida 24 Julho, 12, 1249-300 Lisbon, with a share capital of €3,656,537,715, responsible for the management and maintenance of the application platform;
The EDP Group company that, specifically and as the case may be, promotes the respective recruitment and selection process.
The identity of EDP Group entities can be found by following this link.
4. Data controller contacts
The Data Subject may contact EDP about any matter relating to this Privacy Policy through the following contact points:
I. EDP Group entities in Portugal, Poland and Italy
- Easy4U customer service line: 800 100 113
- Post: Av. José Malhoa 25, 1070-157 Lisbon
- Email: dpo.pt@edp.com; specific addresses should be considered in the case of the following companies:
- E-Redes: dpo.pt@edp.com
- SU Eletricidade: dpo@sueletricidade.pt.
II. EDP Group entities in Spain:
- Email: comunicacionesrgpd@edpenergia.es
- Post: using the addresses shown in the list of EDP Group entities provided via this link
III. EDP Group entities in Brazil: suaprivacidade@edpbr.com.br
IV. EDP Renováveis subgroup entities: dataprotection@edpr.com
5. Responsibilities of the Data Subject
The Data Subject must read this Privacy Policy carefully before completing any form on the application platform. This will ensure he/she can make a free and informed decision as to whether he/she wants to make his/her personal data available to EDP.
The Data Subject declares he/she is of legal age and that the data he/she provides is true, accurate, complete and current, and that he/she is responsible for any inconsistencies.
If the data belongs to a third party, it is the responsibility of the person providing the data to inform the third party (the Data Subject) of the conditions set out in this document and to ensure they are legally entitled to provide such data to EDP under the conditions and for the purposes indicated in this Policy.
6. Data categories, purposes of processing and legal basis
The data collected are those necessary for the management of applications and recruitment and selection procedures, and, where appropriate, those necessary for the pursuit of EDP's legitimate interests in ensuring compliance with the rules and principles of good repute and integrity adopted by the Group, including and in accordance with the jurisdiction/subgroup:
Data categories | EDP Group entities in Portugal and Spain and EDP Renováveis subgroup entities | EDP Group entities in Brazil | EDP Renováveis subgroup entities in Colombia |
---|---|---|---|
Identification data | Full Name, Date of Birth, Nationality, Photograph (optional) | Full Name, Citizen Card Number or other civil identification number, Date of Birth, Nationality, Photograph (optional) | Full Name, Citizen Card Number or other civil identification number, Date of Birth, Nationality, Photograph (optional) |
Professional data | Information in Curriculum Vitae, Skills (optional) | Place of Work, Curriculum Vitae, Skills (optional) | Place of Work, Curriculum Vitae, Skills (optional), student records, certificates and diplomas |
Contact data | Email address, cell phone and professional and academic references | Phone, address, email address, cell phone | Telephone, address, email address, cell phone and professional and academic references |
Data for analysis of candidate’s good repute and integrity (other than those referred to above) | 1. Presence in sanction lists or connection to sanctioned entities, 2. Classification as a Politically Exposed Person ("PEP") or association with persons classified as PEPs,3. History of legal or administrative proceedings, The types of personal data processed in this context may be or may be contained in: reference information, sanctions, criminal records, complaints, claims, legal proceedings, insolvencies, current and former positions of responsibility. | 1. Consultations carried out in public databases, 2. Classification as a Politically Exposed Person ("PEP") or association with persons classified as PEPs. The types of personal data processed in this context may be or may be contained in: reference information, sanctions, criminal records, complaints, claims, legal proceedings, insolvencies, current and former positions of responsibility. | 1. Presence in sanction lists or connection to sanctioned entities, 2. Classification as a Politically Exposed Person ("PEP") or association with persons classified as PEPs,3. History of legal or administrative proceedings, The types of personal data processed in this context may be or may be contained in: reference information, sanctions, criminal records, complaints, claims, legal proceedings, insolvencies, current and former positions of responsibility. |
EDP will process the Data Subject's data collected on the application platform in a manual and/or automated manner, while respecting the principles of lawfulness, fairness and transparency, for the purposes and on the specific legal grounds described below.
i. For managing and maintaining the application platform.
ii. For managing each recruitment and selection procedure, following the completion of the application form on this Applications Platform. The processing of data is necessary within the framework of pre-contractual arrangements at the request of the Data Subject.
iii. With the exception of the Group’s entities in Brazil, for the examination of the candidate's good repute and integrity as part of the Due Diligence procedures, on the basis of EDP's legitimate interests in ensuring the relationship with third parties that comply with internal integrity requirements and policies, as well as ensuring the applicant possesses the professional qualities of good repute and integrity that are necessary and inherent to performance of the duties for which he/she is applying and/or any others to which he/she may come to be assigned, within the scope and pursuit of the mobility principles inherent to the normal management of EDP's human resources.
To this end, checks will be carried out regarding the presence of the applicants on national and international sanction lists, their classification as or relationship with Politically Exposed Persons and history of judicial or administrative procedures.
These checks are necessary to prevent the risk of improper acts and to maintain a suitable level of integrity among employees of Group entities. In this context, the Group’s entities in Brazil may carry out a Due Diligence procedure only in the process of recruitment and movement of candidates to positions classified as being very high risk, with this procedure being conducted by the Human Resources and Compliance departments.
In order to prevent damage and potential negative consequences for Data Subjects, technical and organizational measures have been taken to ensure the proper use of this information and to enhance its confidentiality and security. A balancing test between EDP's legitimate interests and the rights and freedoms of Data Subjects was carried out. The Due Diligence procedure will not involve any decision taken solely on the basis of automated processing of personal data, but will always be dependent on a human decision and human intervention. Data Subjects may object to this processing of data in accordance with point 11.
iv. The Data Subject's personal data may also be processed for any of the following purposes, in accordance with the consent given:
Inclusion in a pool of candidates to be used by EDP, which may be processed, according to the analysis of EDP's recruitment teams, for the purposes of recruitment processes for any position within any EDP Group company worldwide, as identified in the list of EDP Group entities available by following this link.
Inclusion in an EDP candidates pool, which may be processed, according to the analysis of the EDP recruitment teams, for the purpose of recruitment processes for any EDP Group position in any company identified in the list of EDP Group entities available by following this link, based in the country of residence indicated in the registration on the application platform.
Automatically emailed information about the recruitment processes published on this platform by EDP, with possible setting of alerts on the "Job Options/Alerts" menu.
EDP recruitment teams emailing communications on recruitment processes and other initiatives developed by the EDP Group companies in this area.
7. Data Communication to Group Companies
The Data Subjects’ personal data may be communicated between EDP Group companies for the purposes of processing and on the legal grounds referred to in the previous point, with these companies undertaking to process it solely and exclusively for these purposes and in compliance with the requirements of the General Data Protection Regulation, the General Data Protection Law of Brazil, the Personal Data Protection Law of Colombia and other applicable legislation.
8. Communication and sharing of data with Third Parties and Subcontractors
As a rule, EDP does not share the personal data of Data Subjects with third parties with whom it has not established a contractual relationship providing for the processing of such data in accordance with the applicable legislation.
The processing of the Data Subject’s data may be carried out by reputable service providers, with registered office and effective establishment in the European Union, Brazil and Colombia in the case of the Group's entities in Brazil and Colombia, respectively, contracted by EDP to provide services related to the stages of the recruitment and selection process and information technologies, which will process the data exclusively for the purposes established by EDP, in obedience to its instructions, as well as in the strict compliance with the legal rules in force on personal data protection, information security, and other applicable rules.
These service providers will act as EDP subcontractors by processing the data to which they have access in its name and on its behalf, in order to carry out the processing purposes identified above or part thereof, with the obligation to take the necessary technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, or any other form of unlawful processing.
9. International data transfers
The Data Subjects’ personal data will be processed by EDP Group entities in Europe, preferably within the territory of the European Economic Area (EEA), and by Group entities in Brazil and Colombia, preferably on Brazilian and Colombian territory, respectively. In cases where personal data need to be transferred outside the EEA or Brazilian territory, respectively, such transfers will be carried out when there is an adequacy decision by the European Commission for the country receiving the data or when subject to adequate safeguards provided by the applicable data protection regulations. When transferring data to third countries based on adequate safeguards, the responsible entities will use their best efforts to adopt additional measures to ensure that personal data enjoy a level of protection essentially equivalent to that existing in the European Union.
In the case of Colombia and international data transfers, prior checks should be made to determine if the destination jurisdiction is one that is accepted by the Superintendence of Industry and Commerce. If it is not, a declaration of conformity issued by that authority shall be sought.
Additionally, the data collected during your navigation on the Platform, namely through cookies and other similar technologies, may also be transferred outside the EEA if you give your consent for the placement of certain categories of cookies (eg analytical or advertising cookies ). These cookies are placed by third parties that may transfer your data to countries that do not have an adequacy decision from the European Commission and that do not offer a level of protection of personal data essentially equivalent to that of the European Union (eg United States of America) , as is the case with the web analysis and optimization service “Google Analytics”, provided by Google Ireland Limited. For example, sharing data with service providers outside the EEA (such as Google LLC) may result in disproportionate access to your data by government authorities and intelligence services in the country importing the data or inability to effectively exercise their rights. For more information on the use of these cookies, consult our Cookies Policy.
If the Data Subject wishes to obtain further information about the processing of personal data in third countries, he/she should contact the Data Controller using one of the methods indicated in point 4 of this Privacy Policy.
10. Retention period
Personal data shall be kept by EDP for one (1) year after it is recorded on the application platform, without prejudice to the possibility of retaining this data beyond that period for the fulfilment of legal obligations and for statistical purposes, in which case the data will be anonymized.
11. Rights of the Data Subjects
Without prejudice to any other right expressly provided for by the applicable local law, the Data Subject or his/her legal representative shall have the rights listed below, which may be exercised as follows:
- Right to information - means the Data Subject has the right to obtain clear, transparent and easily understandable information about how EDP uses his/her personal data and what his/her rights are;
- Right of access - means the Data Subject has the right to obtain information about the personal data EDP processes and certain information about the way that data is processed. This right allows the Data Subjects to know and confirm that EDP processes their data in accordance with data protection laws. EDP may, however, refuse to provide the requested information when by doing so it must disclose the personal data of another person or the information requested prejudices the rights of another person.In the case of Colombia, this right also allows the Data Subject to request evidence of the authorization granted for processing his/her data.
- Right of rectification - means the Data Subject has the right to ask EDP to take reasonable steps to amend any personal data that is incorrect, incomplete or out of date;
- Right to erase the data (also known as the "right to be forgotten") - means the Data Subject may request the erasure or deletion of his/her data, provided there are no valid grounds for EDP to continue to maintain or use such data, or where the use thereof is unlawful.The Data Subject may delete his/her account/profile on the application platform at any time. To do this, go to "Settings" in the "Options" menu and choose "Delete Profile"
- Right to limitation of processing - means the Data Subject has the right to have his/her data processed, with the exception of retention, only with his/her consent or for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of substantial public interest in the Union or in a Member State, while EDP assesses a request for rectification or as an alternative to erasure;
- Right to data portability - means the Data Subject has the right to obtain and reuse certain personal data for his/her own purposes. This right applies only to personal data supplied by the Data Subject directly to EDP on the basis of a contract or consent, and which are processed by automated means.
- Right to object - means the Data Subject has the right to object to certain types of processing (in particular processing carried out on the basis of EDP's legitimate interest), for reasons related to his/her particular situation, at any time when that processing is taking place. EDP shall cease processing the personal data unless it can demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defense of legal claims, and in such cases the Data Subject must be notified. Without prejudice to the above, the Data Subject recognizes that certain types of processing are necessary for the development of the relationship between him/her and EDP.
- Right of complaint - under the General Data Protection Regulation, this means the Data Subject has the right to lodge a complaint with the competent supervisory authority if he/she considers that the processing of personal data carried out by EDP infringes his/her rights and/or the applicable data protection laws.
In Portugal, the competent supervisory authority is the National Data Protection Commission (CNPD).
In Spain, the competent supervisory authority is the Spanish Data Protection Agency (EDPS).
In Colombia, the competent supervisory authority is the Superintendence of Industry and Commerce, and the Data Subject must have submitted his/her complaint directly to the responsible authority before submitting a complaint to the supervisory authority.
- Right to confirmation of the existence of processing - under Brazil’s General Data Protection Law, this means the Data Subject has the right to confirm whether EDP is processing his/her personal data.
The Data Subject or his/her legal representative may exercise his/her rights through the following channels:
I. EDP Group entities in Portugal, Poland and Italy:
- Easy4U customer service line: 800 100 113
- Post: Av. José Malhoa 25, 1070-157 Lisbon
- Email: dpo.pt@edp.com; specific addresses should be considered in the case of the following companies:
- E-Redes: dpo@e-redes.pt
- SU Eletricidade: dpo@sueletricidade.pt.
II. EDP Group entities in Spain:
- Email: comunicacionesrgpd@edpenergia.es
- Post: at the addresses shown in the list of EDP Group entities available by following this link to the respective EDP Group entity in Spain.
III. EDP Group entities in Brazil:
- EDP Brasil Privacy Portal: https://privacyportal-de.onetrust.com/webform/374643dd-c881-4045-8a8d-09d1a208d5c2/8e48da78-5cd0-4ecc-a4bf-559726e47275
The Data Subject or his/her legal representative may also exercise his/her rights or raise any privacy policy issue with the Data Protection Officer (DPO) through the following contacts:
I. EDP Group entities in Portugal: dpo.pt@edp.com, specific addresses should be considered in the case of the following companies:
- E-Redes: dpo@e-redes.pt
- SU Eletricidade: dpo@sueletricidade.pt
II. EDP Group entities in Spain:
- Email: dpd@edpenergia.es; specific addresses should be considered for the following companies:
- E-Redes: dpd@eredesdistribucion.es
- Post: Plaza del Fresno, 2, 33007, Oviedo
III. EDP Group entities in Brazil: suaprivacidade@edpbr.com.br
IV. EDP Renováveis subgroup entities: dataprotection@edpr.com
If the requests submitted by the Data Subject or his/her legal representative are manifestly unfounded or excessive, in particular due to their repetitive nature, EDP may require payment of a reasonable fee taking into account the administrative costs of providing the information, communicating and taking the measures requested in the case of entities subject to application of the GDPR, or refuse to comply with the request, responding to it in the negative.
12. Consent and Revocation
EDP requests explicit, free, informed, specific and unambiguous consent from the Data Subjects for the purposes that require it.
The acceptance by the Data Subjects that their data may be processed or transferred will always be revocable, without retroactive effect (meaning that withdrawal of consent does not compromise the lawfulness of the processing carried out up to that date on the basis of the consent previously given).
To withdraw this consent, the Data Subject should contact EDP through the channels referred to in point 11. Rights of the Data Subjects.
13. Security and Integrity
The personal data will be processed by EDP for the purposes identified in this Policy, in accordance with EDP's internal policies and standards, and using technical and organizational measures designed according to the risks associated with the specific processing of personal data.
The technical and organizational measures designed will, as far as is possible, ensure the security and integrity of personal data, in particular in relation to the unauthorized or unlawful processing of the Data Subject’s personal data and their loss, destruction or accidental damage.
14. Confidentiality
EDP recognizes the confidential nature of the data shared by its Data Subjects.
EDP does not make the personal data commercially or otherwise available to any third party, and undertakes not to disclose, copy, reproduce, or distribute any part of the confidential information without the prior written consent of the Data Subject (except for communications required by law, for the purposes of compliance with obligations arising therefrom).
EDP preserves the confidentiality and integrity of the Data Subject’s data and protects it in accordance with this privacy policy and the legislation in force.
15. Third Party Pages
Through the Platform, the Data Subject can access social media platforms, namely on which EDP is registered: LinkedIn, Twitter, Youtube and Instagram. EDP cannot be held responsible for the processing of your personal data carried out by these platforms following their sharing. Therefore, the user should carefully read the Terms and Conditions and Privacy Policies of these platforms before sharing news.
16. Changes to the Privacy and Personal Data Protection Policy
Without prejudice to the legal rights granted to the Data Subjects, EDP reserves the right at any time, without prior notice and with immediate effect, to alter, add to, or revoke this Privacy Policy in whole or in part. Any changes will be disclosed immediately via the normal communications channels.
Should EDP substantially change the way in which it processes their personal data and, therefore, this Privacy Policy, EDP shall notify the Data Subjects of said changes through the means of contact it has obtained from the Data Subjects.
This privacy policy was reviewed on 11/14/2022.