PRIVACY POLICY AND PERSONAL DATA PROTECTION for Applicants

1. EDP Commitment

The EDP Group companies (hereinafter jointly referred to as EDP) are committed to protecting the privacy of data subjects and to the security of their personal data.

In this context, this Privacy Policy demonstrates its commitment to and respect for privacy and personal data protection rules, ensuring that the data subjects know how EDP treats the personal data provided to them as part of the recruitment and selection process.

 

2. Scope

This Privacy Policy is addressed directly to applicants interested in working with EDP in Portugal and who formalise this interest by registering and/or completing the online application form on the "About.me" platform (hereinafter About.me), hereinafter referred to as the “Data subjects". The policy refers to EDP's processing of personal data relating to these Data Subjects in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - "GDPR").

 

3. Data controller

The data controller for this data is:

  • EDP - Energias de Portugal, SA with the sole registration number at the Commercial Registry Office and legal person number 500 697 256, with head offices at Avenida 24 de Julho, 12, 1249-300 Lisbon, with share capital of EUR 3,656,537,715;
  • EDP Global Solutions Gestão Integrada de Serviços, S.A. with the sole registration number at the Commercial Registry Office and legal person number 505 938 022, with head offices at Avenida José Malhoa, 25, 1070-157 Lisbon, with the share capital of EUR 4,550,000;
  • The EDP Group company that in this case provides the recruitment and selection. The names of the EDP Group companies can be seen in the annex).

With regard to certain processing of personal data, there may be situations of joint responsibility between the company providing the recruitment and selection process and other EDP Group companies responsible for certain human resources management activities.

 

4. Data controller contacts

The data subjects can contact EDP about any question regarding this Privacy Policy at the following contact addresses:

  • easy4U help line: 800 100 113
  • Postal address: Av. José Malhoa, 25, 1070-157

 

5. Data Subject Responsibilities

The data subject should read this Privacy Policy carefully before completing any form on About.me to decide whether to provide EDP with their personal data in an informed and free manner.

The data subject declares they are of legal age and the data they provide is true, accurate, complete and current, and that they are liable for any non-conformities.

If the data belongs to a third party, it is the discloser's liability to inform that third party (the data subject) of the conditions set out in this document and to ensure they are legally entitled to provide such data to EDP under the conditions and for the purposes indicated in this Policy.

 

6. Categories of data, purposes of processing and legal basis

The data collected is required for the management of applications and recruitment and selection procedures in particular:

 

| Data categories    |   Examples

| Identification data   |   Full Name, Citizen Card Number, Photos, Date of Birth, Nationality.

| Professional data   |   Work place, Resume, Employee Number, Medical Fitness Form, type of skills.

| Contact data          | Telephone, address, cell phone.

 

EDP will process the data subject's data, collected in About.me, manually and/or automatically, respecting the principles of lawfulness, faithfulness and transparency, for the purposes and on the specific legal grounds described below.

  •  i . For the management of each recruitment and selection process for senior management, technical or trainee admissions, following the completion of an application form on About.me. The processing of data is necessary in the framework of pre-contractual arrangements at the request of the data subject.
  • ii. For the analysis of the candidate's suitability: i) as an entity obligated under Law 83/2017 of 18 August to prevent money laundering and terrorist financing (data processing is carried out in compliance with legal obligations) and ii) in the scope of carrying out due diligence procedures, based on the pursuit of EDP's legitimate interests in ensuring relations with third parties that comply with internal integrity requirements and policies, for which purpose a weighting test was carried out between EDP's legitimate interests and the data subject’s rights and freedoms.
  • iii. The data subject's personal data may also be processed for any of the following purposes, in accordance with the consent given:

           - Sending, by e-mail, automatic communications about job opportunities and recruitment processes published on this website by EDP, according to selected alert preferences.

           - Sending, by e-mail, by EDP recruitment teams, communications on job opportunities and recruitment processes and other initiatives developed by EDP Group companies in this area.

 

7. Sharing of Data with Group Companies

The data subject's personal data may be shared between EDP Group companies in Portugal for the processing purposes and with the legal basis referred to in the previous point. It undertakes to process it solely and exclusively for such purposes and in compliance with the requirements of the General Data Protection Regulation and other applicable legislation.

 

8. Communication and sharing of data with Third Parties and Subcontractors

As a rule, EDP does not share the personal data of data subjects with third parties with whom it has not established a contractual relationship providing for the processing of such data in accordance with the applicable legislation.

The data subject’s data may be processed by reputable service providers, with headquarters and effective establishment in the European Union, who have been contracted by EDP to provide services related to the recruitment and selection process and information technologies, which will process the data exclusively for the purposes established by EDP, in compliance with its instructions, and in strict compliance with the legal rules in force for the protection of personal data, information security and other applicable rules.

These service providers will act as EDP subcontractors, processing the data they have access to on behalf of EDP, for the processing purposes identified above or part of them, and they will be obliged to take the necessary technical and organisational measures to protect personal data from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or any other form of unlawful processing.

 

9. International data transfers (to outside the European Economic Area)

The data subject’s personal data will be processed by EDP, preferably within the European Economic Area (EEA). Where there is a need to transfer personal data outside the EEA to a country that does not guarantee a level of protection equivalent to that in the European Union, EDP will make its best efforts to ensure such transfers carry appropriate safeguards to ensure the level of protection of individuals is not compromised, as required by the applicable data protection rules.

If the data subject wishes to obtain further information on the processing of personal data outside the EEA, they can contact the data controller via the contacts in point 4 of this Privacy Policy.

 

 10. Period of Storage

Personal data are kept by EDP 1 (one) year after registering on About.me and/or application.

 

11. Data subject rights

The data subject, or their legal representative, has the right of access, rectification, limitation, portability, erasure and the right to object to EDP processing their personal data under certain circumstances, which may be exercised as follows: 

  • Right to information - means that the data subject has the right to obtain clear, transparent and easily understandable information about how EDP uses their personal data and what their rights are; 
  • Right of access - means the data subject has the right to obtain information about their personal data EDP processes and certain information about the way that data is processed. This right allows the data subject to know and confirm that EDP processes their data in compliance with data protection laws. EDP may, however, refuse to provide the information requested where, in order to do so, it has to disclose another person's personal data or the information requested would undermine another person's rights; 
  • Right of rectification - means the data subject has the right to ask EDP to take reasonable steps to correct incorrect or incomplete personal data; 
  • Right to erasure (also known as the "right to be forgotten") - means the data subject may request their data be erased, provided there are no valid grounds for EDP to continue to keep or use it or where its use is unlawful.

           The data subject can delete their About.me account/profile at any time. To do so, access Settings in the Options menu and choose Delete Profile.      

  • Right to restriction of processing - means the data subject has the right to have their data processed, with the exception of its storage, only with their consent or for the purpose of asserting, exercising or defending the rights of another natural or legal person, or on substantial grounds in the public interest of the Union or a Member State, while EDP assesses a request for rectification or as an alternative to erasure; 
  • Right to data portability - means the data subject has the right to obtain and reuse certain personal data for their own purposes. This right only applies to personal data provided by the data subject directly to EDP, on the basis of a contract or consent, and which is processed by EDP automatically. 
  • Right to object - means the data subject has the right to object to certain types of processing on grounds relating to their particular situation at any time during the processing. 
  • Right to complain - means the data subject has the right to lodge a complaint with the competent supervisory authority, which in Portugal is the National Data Protection Commission (CNPD), if they believe EDP personal data processing violates their rights and/or the applicable data protection laws. 

 

The data subject may exercise their rights through the following channels: 

  • easy4U help line: 800 100 113
  • Postal address: Av. José Malhoa, 25, 1070-157

If the requests made by the data subject or their legal representative are manifestly unfounded or excessive, in particular because of their repetitive nature, EDP may require the payment of a reasonable fee that takes into account the administrative costs of providing the information, communicating and taking the action requested, or may refuse to comply with the request. 

 

12. Consent and Withdrawal 

EDP asks data subjects for explicit, free, informed, specific and unambiguous consent to the processing of data for purposes for which it is required. 

The data subject's acceptance that their data can be processed or transferred can always be withdrawn, but not retroactively (which means that withdrawal of consent does not compromise the lawfulness of the processing carried out until that date on the basis of consent previously given). 

To withdraw this consent, the data subject shall contact EDP through the channels referred to in point 11. Rights of the data subjects.

 

13. Security and Integrity

Personal data will be processed by EDP for the purposes identified in this policy, in accordance with EDP's internal policies and rules and using technical and organisational measures designed in accordance with the risks associated with the specific processing of personal data.

These technical and organisational measures ensure the security and integrity of personal data to the maximum extent possible, in particular with regard to unauthorised or unlawful processing of the data subject's personal data and its accidental loss, destruction or damage.

 

14. Confidentiality

EDP recognises the confidential nature of the data shared by the data subject. 

EDP does not make the personal data commercially or otherwise available to any third party and undertakes not to disclose, copy, reproduce or distribute any part of the confidential information without the prior written consent of the data subject (except for communications required by law).

EDP preserves the confidentiality and integrity of the data subject’s data and protects it in accordance with this privacy policy and the legislation in force. 

 

15. Cookies policy

Cookies are small pieces of information that are sent to your equipment or mobile device when you visit a website (“site”).

Cookies are sent back to the original site on each subsequent visit or to another site that recognises that cookie.

Cookies are useful because they allow a website to recognise a user's device, allowing them to navigate smoothly between pages, remembering their preferences and generally improving the user experience.

Some of the cookies issued by the "About.me" platform only last for the web session and expire when you close your browser.

Other cookies that are used to remember you when you return to a site last longer.

Most web browsers automatically accept cookies. You can change your browser settings to prevent or notify you each time a cookie is defined.

You can find more information about cookies, including how to see which cookies have been set on your device and how to manage and delete them using different types of browsers, at: www.allaboutcookies.org.

You can also enable, disable or delete cookies from your web browser. Follow the instructions provided by your browser (usually in the "Help", "Tools" or "Edit" options). Disabling a cookie or a category of cookies does not delete the cookie from the browser, you will need to do so manually in the browser.

If you block or delete the cookies used by EDP, you may not be able to make the most of the site's features.

We use the following cookies:

 

| Name                                     | Purpose        | Duration                                    |

| BIGpServerP_SITES12AJ80 | Server ID       | Until the browser session ends  |

| JESSIONID                            | Content ID     | Until the browser session ends  |

| Rmk12                                   | Save Domain Path | 30 years or until the data subject deletes cookies |

 

16. Alterations to the Personal Data Protection Policy

EDP reserves the right at all times, without prior notice and with immediate effect, but notwithstanding the legal rights conferred to the data subjects, to change, add or revoke this privacy policy partially or in whole. Any changes will be published immediately on the usual communication channels. 

If EDP substantially changes the way it handles your personal data and therefore this privacy policy, it will notify the data subject of such changes through the contact methods they provided. 

For any question related to this privacy policy, the data subject or their legal representative can contact EDP's Data Protection Officer (DPO) at dpo.pt@edp.com; in the case of E-Redes they should use  DPO@e-redes.pt; in the case of SU Eletricidade they should use dpo@sueletricidade.pt.
 

This privacy policy was revised on 21/02/2021.