PRIVACY POLICY AND PERSONAL DATA PROTECTION for Applicants

 

1. EDP Commitment

The EDP Group companies (hereinafter jointly referred to as EDP) are committed to protecting the privacy of data subjects and to the security of their personal data.

In this context, this Privacy Policy demonstrates its commitment to and respect for privacy and personal data protection rules, ensuring that the data subjects know how EDP treats the personal data provided to them as part of the recruitment and selection process.

2. Scope

This Privacy Policy is addressed directly to applicants interested in working with EDP and who formalise this interest by registering and/or completing the online application form on online platform provided by EDP for that purpose (hereinafter job application platform), hereinafter referred to as the “Data subjects". This policy refers to the processing of personal data of these Data Subjects by EDP in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - "GDPR"), other legislation applicable at the European level and Brazilian data protection legislation, represented by Law No. 13.709/2018 - General Data Protection Law, in Europe and Brazil respectively.

3. Data controller 

The data controllers for this data are:

EDP - Energias de Portugal, SA with head offices at Avenida 24 de Julho, 12, 1249-300 Lisbon, with the sole registration number at the Commercial Registry Office and legal person number 500 697 256, with share capital of EUR 3,656,537,715 regarding the management and maintenance of the job application platform;

The EDP Group company that, in concrete and that being the case, promotes the recruitment and selection process:

EDP Group Companies in Portugal:

EDP - Energias de Portugal, SA, with head offices at Avenida 24 de Julho, nº 12, 1249-300 Lisbon, with the sole registration number at the Commercial Registry Office and legal person number 500 697 256, with share capital of EUR 3,656,537,715;

EDP - Gestão da Produção de Energia, S.A., with head offices at Avenida 24 de Julho, nº 12, Torre Nascente, 1249-300 Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 503293695, with share capital of EUR 1,233,943,000;

E-REDES - Distribuição de Eletricidade, S.A., with head offices at Rua Camilo Castelo Branco, n.º 43, em Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 504 394 029, with share capital of EUR 200,013,000;

EDP Global Solutions - Gestão Integrada de Serviços, S.A., with head offices at Av. José Malhoa, nº 25, 1070-157, with the sole registration number at the Commercial Registry Office and legal person number 505 938 022, with share capital of EUR 4,550,000;

EDP Real Estate Global Solutions - Imobiliária e Gestão de participações, S.A., with head offices at Av. José Malhoa, nº 25, 1070-157, with the sole registration number at the Commercial Registry Office and legal person number 503 529 524, with share capital € 10,000,000;

Labelec - Estudos, Desenvolvimento e Actividades laboratoriais, S.A., with head offices at Rua Cidade de Goa, nº 4, 2685 038 Sacavém, with the sole registration number at the Commercial Registry Office and legal person number 503326755, with share capital of EUR 2,200,000;

EDP Comercial - Comercialização de Energia, S.A., with head offices at Avenida 24 de Julho, nº 12, 1249-300 Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 503504564, with share capital of EUR 20.842.695,00;

SU ELETRICIDADE, S.A., with head offices at Rua Camilo Castelo Branco, n.º 45, 1050-044 Lisboa, with the sole registration number at the Commercial Registry Office 507846044, with share capital of EUR 10,104,000;

EDP Gás - Serviço Universal, S.A., with head offices at Rua Ofélia Diogo da Costa, n.º 115, 4100-085 Porto, with the sole registration number at the Commercial Registry Office and legal person number 508 257 972, with share capital of EUR 1,050,996;

EDP Inovação, S.A., with head offices at Avenida 24 de Julho, nº 12, 1249-300 em Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 507 088 760, with share capital of EUR 50,000;

Fundação EDP, public utility legal person with the sole registration number at the Commercial Registry Office and legal person number 506 997 286, with head offices at Central Tejo, Avenida de Brasília, 1300-598 Lisboa;

Sãvida - Medicina Apoiada, S.A., with head offices at Avenida 24 de Julho, nº 12, 1249-300, em Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 503293512, with share capital of EUR 450,000;

EDP - Estudos e Consultoria, S.A., com sede na Avenida José Malhoa, nº 25, 1070 158, Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 506042723, with share capital of EUR 50,000;

EDP Mediadora, S.A., with head offices at Avenida 24 de Julho, nº 12, 1249 300, Lisboa with the sole registration number at the Commercial Registry Office and legal person number 510868509, with share capital of EUR 50,000;

CNET - Centre for New Energy Technologies, S.A., with head offices at Rua Cidade de Goa, 4, 2685 039 Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 513247521, with share capital of EUR 300,000;

EDP Internacional, S.A., with head offices at Avenida 24 de Julho, nº 12, 1249 300, Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 505039273, with share capital of EUR 50,000;

EDP Renováveis Portugal, S.A., with head offices at Rua Ofélia Diogo da Costa, nº 115, 6º, 4050 008, Porto, with the sole registration number at the Commercial Registry Office and legal person number 503161314, with share capital of EUR 7,500,000;

EDPR PT - Promoção e Operação, S.A., with head offices at Rua Ofélia Diogo da Costa, nº 115, 6º, 4100 085, Porto, with the sole registration number at the Commercial Registry Office and legal person number 510412092, com o capital social de € 57.500,00;

Effizency, S.A., with head offices at Avenida 24 de Julho, nº 12, 1249 300, Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 515385336, with share capital of EUR 60,714;

Greenvouga - Sociedade Gestora do Aproveitamento Hidroeléctrico de Ribeiradio-Ermida, S.A., with head offices at Avenida 24 de Julho, nº 12, 1249 300, Lisboa, with the sole registration number at the Commercial Registry Office and legal person number 508432243, with share capital of EUR 1,000,000;

Empresa Hidroeléctrica do Guadiana, S.A., with head offices at Avenida 24 de Julho, nº 12, 1249 300, Lisboa with the sole registration number at the Commercial Registry Office and legal person number 508852382, with share capital of EUR 72,047,035;

TERGEN - Operação e Manutenção de Centrais Termoeléctricas, S.A., with head offices at na Vala do Carregado, 2580 510, Carregado, with the sole registration number at the Commercial Registry Office and legal person number 505643626, with share capital of EUR 250,000;

EDP Group Companies in Spain:

EDP Energías de Portugal, S.A., Sucursal en España, CIF W0104919F, with head offices at Calle Serrano Galvache, 56, 28033, Madrid, España.

EDP España, S.A.U., CIF A33473752, with head offices at Plaza del Fresno, 2, 33007, Oviedo, Asturias, España.

Hidrocantábrico Distribución Eléctrica S.A.U., CIF A33591611, with head offices at Plaza del Fresno, 2, 33007, Oviedo, Asturias, España.

EDP SOLAR ESPAÑA, S.A., CIF A74466178, with head offices at Plaza del Fresno, 2, 33007, Oviedo, Asturias, España.

EDP CLIENTES, S.A., CIF A74472911, with head offices at General Concha, 20, 48010, Bilbao, Vizcaya, España.

EDP Group Companies in Brazil:

EDP Energias do Brasil, registered at the National Register of Legal Entities with nº 03.983.431/0001-03, with head offices at Rua Gomes de Carvalho, 1.996 – Vila Olímpia, São Paulo -SP.

IV.         Outras entidades do Grupo EDP:

•            EDP Energia Pollska sp zoo, with head offices at ul. Aleje Jerozolimskie, 98, 00-87, Varsóvia, PL 7010845524

•            EDP Energia Italia SRL, with head offices at Via Roberto Lepetit 8, CAP, 20124, Milão, IT 10411010969

EDP Renováveis, sociedad anonima española with head offices in Madrid, Calle Serrano Galvache, 56, 28003 and NIF A74219304;

EDP Renewables North America LLC, with head offices at  1501 McKinney, Suite 1300, Houston, TX 77010 and Federal Tax ID No. 26-0860404.

4. Data controller contacts

The data subjects can contact EDP about any question regarding this Privacy Policy at the following contact addresses:

EDP Group Companies in Portugal, Poland and Italy:

easy4U help line: 800 100 113

Postal address: Av. José Malhoa, 25, 1070-157

EDP Group Companies in Spain:

E-mail address: through the contact indicated in Item 11 of this Policy

Postal address: through the respective postal address indicated in Item 3 of this Policy

EDP Group Companies in Brazil: suaprivacidade@edpbr.com.br

EDP Renováveis and EDP Renewables North America LLC

E-mail address: dataprotection@edpr.com

5. Data Subject Responsibilities

The data subject should read this Privacy Policy carefully before completing any form on the job application platform to decide whether to provide EDP with their personal data in an informed and free manner.

The data subject declares they are of legal age and the data they provide is true, accurate, complete and current, and that they are liable for any non-conformities.

If the data belongs to a third party, it is the discloser's liability to inform that third party (the data subject) of the conditions set out in this document and to ensure they are legally entitled to provide such data to EDP under the conditions and for the purposes indicated in this Policy.

6. Categories of data, purposes of processing and legal basis

The data collected is required for the management of applications and recruitment and selection procedures, as well as, if that is the case, for the pursuit of EDP's legitimate interests in ensuring compliance with rules and principles of probity and integrity, in particular:

Data categories

Examples

Identification data

Full Name, Citizen Card Number, Photos, Date of Birth, Nationality, etc.

Professional data

Work place, Resume, Employee Number, Medical Fitness Form, type of skills.

Contact data

Telephone, address, cell phone.

Data for analysis of the candidate's suitability and integrity (in addition to those mentioned above)

1. Presence in sanctions lists or connection to sanctioned entities,

2. Qualification as a Politically Exposed Person (“PEP”) or association with persons qualified as PEP,

3. History of judicial or administrative proceedings or procedures.

The types of personal data treated for this purpose may be or be contained in: reference information, sanctions, criminal records, complaints, claims, legal proceedings, insolvencies, current and previous social positions.

EDP will process the data subject's data, collected in the job application platform, manually and/or automatically, respecting the principles of lawfulness, faithfulness and transparency, for the purposes and on the specific legal grounds described below.

For the management and maintenance of the job application platform.

For the management of each recruitment and selection process for senior management, technical or trainee admissions, following the completion of an application form on the job application platform. The processing of data is necessary in order to take steps prior to entering into a contract at the request of the data subject.

With the exception of the Group entities in Brazil, for the analysis of the candidate's probity and integrity within the scope of Due Diligence procedures, based on the pursuit of EDP's legitimate interests in ensuring the relationship with third parties that comply with internal integrity requirements and policies, as well as ensuring that the candidate has the professional qualities of probity and integrity, necessary and inherent to the exercise of the functions for which he is applying and/or any others he may come to exercise within the scope and in pursuit of the principles of mobility inherent to the normal management of human resources of the EDP or which purpose a weighting test was carried out between EDP's legitimate interests and the data subject’s rights and freedoms. For this purpose, a legitimate interests assessment between the legitimate interests of EDP and the rights and freedoms of data subject has been carried. The Due Diligence procedure will not involve any decision based solely on automated processing of personal data, being always dependent on a decision and human intervention.

The data subject's personal data may also be processed for any of the following purposes, in accordance with the consent given:

- Inclusion in a pool of candidates to be used by EDP for employment opportunities and recruitment processes for any function and for any of the EDP Group companies  identified in section 3 of this Policy, further to the analysis undertaken by EDP recruitment teams.

- Inclusion in a pool of candidates to be used by EDP for employment opportunities and recruitment processes for any function and for any of the EDP Group companies identified in section 3 of this Policy headquartered in the country of Residence indicated in the register on the application platform, further to the analysis undertaken by EDP recruitment teams.

- Sending automatic communications, by e-mail, about job opportunities and recruitment processes published on this platform by EDP, according to selected alert preferences.

- Sending, by EDP recruitment teams and by e-mail, communications on job opportunities, recruitment processes and other initiatives developed by EDP Group companies in this area.

7. Sharing of Data with Group Companies

The data subject's personal data may be shared between EDP Group companies for the processing purposes and under the legal basis referred to in the previous point. EDP entities undertakes to process data solely and exclusively for such purposes and in compliance with the requirements of the General Data Protection Regulation, Brazilian General Data Protection Law and other applicable legislation.

8. Communication and sharing of data with Third Parties and Subcontractors

As a rule, EDP does not share the personal data of data subjects with third parties with whom it has not established a contractual relationship providing for the processing of such data in accordance with the applicable legislation.

The data subject’s data may be processed by reputable service providers, with headquarters and effective establishment in the European Union an in Brazil, in the case of Group Entities in Brazil, who have been contracted by EDP to provide services related to the recruitment and selection process and information technologies, which will process the data exclusively for the purposes established by EDP, in compliance with its instructions, and in strict compliance with the legal rules in force for the protection of personal data, information security and other applicable rules.

These service providers will act as EDP subcontractors, processing the data they have access to on behalf of EDP, for the processing purposes identified above or part of them, and they will be obliged to take the necessary technical and organisational measures to protect personal data from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or any other form of unlawful processing.

9. International data transfers

The data subject’s personal data will be processed by European EDP Group entities, preferably within the European Economic Area (EEA) and by Group Entities in Brazil, preferably in Brazilian territory. Where there is a need to transfer personal data outside the EEA or outside the Brazilian territory, respectively, to a country that does not guarantee a level of protection equivalent, EDP will make its best efforts to ensure such transfers carry appropriate safeguards to ensure the level of protection of individuals is not compromised, as required by the applicable data protection rules.

If the data subject wishes to obtain further information on the processing of personal data outside to third countries, they may contact the data controller via the contacts in point 4 of this Privacy Policy.

10. Retention Period


Personal data are retained by EDP for 1 (one) year after registration on the job application platform and/or submission of an application. In some cases, EDP may retain personal data beyond this period for compliance with legal obligations and for statistical purposes. For this latter purpose EDP shall anonymize the data

11. Data subject rights

The data subject, or their legal representative, has the right of access, rectification, limitation, portability, erasure and the right to object to EDP processing their personal data under certain circumstances, which may be exercised as follows: 

Right to information - means that the data subject has the right to obtain clear, transparent and easily understandable information about how EDP uses their personal data and what their rights are; 

Right of access - means the data subject has the right to obtain information about their personal data EDP processes and certain information about the way that data is processed. This right allows the data subject to know and confirm that EDP processes their data in compliance with data protection laws. EDP may, however, refuse to provide the information requested where, in order to do so, it has to disclose another person's personal data or the information requested would undermine another person's rights; 

Right of rectification - means the data subject has the right to ask EDP to take reasonable steps to correct incorrect, incomplete or outdated personal data; 

Right to erasure (also known as the "right to be forgotten") - means the data subject may request their data be erased, provided there are no valid grounds for EDP to continue to keep or use it or where its use is unlawful.

The data subject can delete their account/profile at the job application platform at any time. To do so, access Settings in the Options menu and choose Delete Profile.

Right to restriction of processing - means the data subject has the right to have their data processed, with the exception of its storage, only with their consent or for the purpose of asserting, exercising or defending the rights of another natural or legal person, or on substantial grounds in the public interest of the Union or a Member State, while EDP assesses a request for rectification or as an alternative to erasure; 

Right to data portability - means the data subject has the right to obtain and reuse certain personal data for their own purposes. This right only applies to personal data provided by the data subject directly to EDP, on the basis of a contract or consent, and which is processed by EDP automatically. 

Right to object - means the data subject has the right to object to certain types of processing on grounds relating to their particular situation at any time during the processing. 

Right to complain – means, under  General Data Protection Regulation,that the data subject has the right to lodge a complaint with the competent supervisory authority, which in Portugal is the Comissão Nacional de Proteção de Dados (CNPD) and in Spain the Agencia Española de Protección de Datos (AEPD), if they believe EDP personal data processing operations violate their rights and/or the applicable data protection laws. 

Right to confirm the existence of processing – means, under the Brazilian General Data Protection Law, that the Data Subject has the right to confirm whether EDP carries out the processing of their personal data.

The data subject or his legal representative may exercise rights through the following channels: 

EDP Group Companies in Portugal, Poland and Italy:

easy4U help line: 800 100 113

Postal address: Av. José Malhoa, 25, 1070-157

EDP Group Companies in Spain:

Email address: comunicacionesrgpd@edpenergia.es

Postal address: through the respective postal address indicated in Item 3 of this Policy for the Group Entity in Spain

EDP Group Companies in Brazil:

Portal de Privacidade EDP Brasil: https://privacyportal-de.onetrust.com/webform/374643dd-c881-4045-8a8d-09d1a208d5c2/8e48da78-5cd0-4ecc-a4bf-559726e47275

IV.          EDP Renováveis and EDP Renewables North America LLC:

E-mail address: dataprotection@edpr.com

The Data Subject or its legal representative may also exercise their rights or ask any question related to this privacy policy before the Data Protection Officer (DPO), through the following contacts:

EDP Group Companies in Portugal: dpo.pt@edp.com. Specific addresses should be considered in the case of the following companies:

E-Redes: dpo@e-redes.pt

SU Eletricidade: dpo@sueletricidade.pt. 

EDP Group Companies in Spain:

Email address: comunicacionesrgpd@edpenergia.es

Postal address: Plaza del Fresno, 2, 33007, Oviedo

EDP Group Companies in Brazil: suaprivacidade@edpbr.com.br

EDP Renováveis and EDP Renewables North America LLC: dataprotection@edpr.com

If the requests made by the data subject or their legal representative are manifestly unfounded or excessive, in particular because of their repetitive nature, EDP may require the payment of a reasonable fee that takes into account the administrative costs of providing the information, communicating and taking the action requested, or may refuse to comply with the request. 

 

12. Consent and Withdrawal 

EDP asks data subjects for explicit, free, informed, specific and unambiguous consent to the processing of data for purposes for which it is required. 

The data subject's acceptance that their data can be processed or transferred can always be withdrawn, but not retroactively (which means that withdrawal of consent does not compromise the lawfulness of the processing carried out until that date on the basis of consent previously given). 

To withdraw this consent, the data subject shall contact EDP through the channels referred to in point 11. Rights of the data subjects.

 

13. Security and Integrity

Personal data will be processed by EDP for the purposes identified in this policy, in accordance with EDP's internal policies and rules and using technical and organisational measures designed in accordance with the risks associated with the specific processing of personal data.

These technical and organisational measures ensure the security and integrity of personal data to the maximum extent possible, in particular with regard to unauthorised or unlawful processing of the data subject's personal data and its accidental loss, destruction or damage.

 

14. Confidentiality

EDP recognises the confidential nature of the data shared by the data subject. 

EDP does not make the personal data commercially or otherwise available to any third party and undertakes not to disclose, copy, reproduce or distribute any part of the confidential information without the prior written consent of the data subject (except for communications required by law).

EDP preserves the confidentiality and integrity of the data subject’s data and protects it in accordance with this privacy policy and the legislation in force. 

15. Cookies policy

Cookies are small pieces of information that are sent to your equipment or mobile device when you visit a website (“site”).

Cookies are sent back to the original site on each subsequent visit or to another site that recognises that cookie.

Cookies are useful because they allow a website to recognise a user's device, allowing them to navigate smoothly between pages, remembering their preferences and generally improving the user experience.

Some of the cookies issued by the "About.me" platform only last for the web session and expire when you close your browser.

Other cookies that are used to remember you when you return to a site last longer.

Most web browsers automatically accept cookies. You can change your browser settings to prevent or notify you each time a cookie is defined.

You can find more information about cookies, including how to see which cookies have been set on your device and how to manage and delete them using different types of browsers, at: www.allaboutcookies.org.

You can also enable, disable or delete cookies from your web browser. Follow the instructions provided by your browser (usually in the "Help", "Tools" or "Edit" options). Disabling a cookie or a category of cookies does not delete the cookie from the browser, you will need to do so manually in the browser.

If you block or delete the cookies used by EDP, you may not be able to make the most of the site's features.

We use the following cookies:

Name

Purpose

Duration

BIGpServerP_SITES12AJ80

Server ID

Until the browser session ends

JESSIONID

Content ID

Until the browser session ends

Rmk12

Save Domain Path

30 years or until the data subject deletes cookies

16. Alterations to the Privacy and Personal Data Protection Policy

EDP reserves the right at all times, without prior notice and with immediate effect, but notwithstanding the legal rights conferred to the data subjects, to change, add or revoke this privacy policy partially or in whole. Any changes will be published immediately on the usual communication channels. 

If EDP substantially changes the way it handles your personal data and therefore this privacy policy, it will notify the data subject of such changes through the contact methods they provided. 

 

This privacy policy was revised on 10/08/2021.