Endesa is committed to ensuring the transparent and secure use of Customers' personal data, so we would like you to know that you have control of them at all times. As an Endesa Customer, you can decide, whenever permitted under the regulations in force, why we process your personal data, who we transfer this data to, under what conditions and for what purpose.
To make this possible and in accordance with the best Corporate Governance and Compliance practices, we updated our Data Protection Policy under our processes of review and constant improvement. The new version replaces the previous policy with a view to renewing your trust in us and so that you know how we collect, process and protect your personal data.
1) Who can process your data?
3) What personal data do we process?
4) What do we process the data for and on what legal basis?
5) How long will we keep your data?
6) Do we process children's data?
7) What security measures do we have in place?
8) What information do we share with third parties?
9) What rights do I have with regard to the processing of my personal data?
10) How can I contact Endesa's Data Protection Officer?
11) Changes to the Data Protection Policy
1) Who can process your data?
Your personal data may be processed by the following Endesa Group companies:
- Endesa Energía, S.A. ("Endesa Energía") with tax ID no. A81948077 and registered office at: C/ Ribera del Loira, 60, 28042-Madrid.
- Endesa X Servicios S.L. ("Endesa X") with tax ID no. B01788041 and registered office at: C/ Ribera del Loira, 60, 28042-Madrid.
- Endesa X Way S.L. ("Endesa X Way") with tax ID no. B09732520 and registered office at: C/ Ribera del Loira, 60, 28042-Madrid.
In certain cases that will be indicated throughout this Data Protection Policy, these companies may process the data as co-controllers. Endesa Energía, Endesa X and Endesa X Way have signed a co-responsibility agreement that duly reflects their respective roles and relationships as Joint controllers in relation to the Data subjects. The essential aspects of this agreement are available on demand.
As explained below, due to the particularities involved in the provision of energy recharging services for electric vehicles, the energy tariff and the provision of the electric recharging service will be provided jointly by Endesa Energía and Endesa X Way respectively. Similarly, if the customer contracts one of the different types of the "Endesa Única" tariff, services provided by Endesa Energía, Endesa X and/or Endesa X Way may be included.
When processing needs to be undertaken to comply with the conditions or specific services for a product contracted with only one of these companies, this company will be solely responsible for processing.
In order for you to better understand our Data Protection Policy, the concepts included therein are defined below:
- Customer: Natural person who has a contractual relationship with Endesa.
- Contract: Agreement governing the terms and conditions applicable to the purchase of any Endesa product or service.
- Joint controllers: Two or more Data Controllers who jointly establish the objectives and/or means of processing. In this regard, Endesa Energía, Endesa X and Endesa X Way will be Joint Controllers with regard to some of the processing included in this Data Protection Policy. Where this is the case, it will be expressly indicated.
- CUPS: Universal supply point code (Spanish acronym). Alphanumeric code that uniquely identifies an address to certify the energy supply. Each house has one for electricity supply and one for the supply of natural gas. It is permanent and unchanging, i.e. it does not change even if you change your tariff or retailer.
- Distributor: The company responsible for distributing the energy to your home. In the Spanish electricity market it is legally established that consumers may not choose their distribution company. This is determined by the area where they reside.
- Data processor: The natural person or legal entity that processes personal data on behalf of those Responsible or Jointly Responsible for processing.
- Endesa: Endesa Energía, S.A., Endesa X Servicios S.L. and Endesa X Way, S.L. When we refer only to Endesa, we will be referring to the three companies together.
- Endesa Energía: Endesa Energía S.A., a company that supplies electricity and natural gas.
- Endesa X: Endesa X Servicios S.L, a company that retails energy products and services with added value complementary to those provided by Endesa Energía (such as maintenance and electrical and gas repairs, the installation of electric vehicle charging stations, etc.).
- Endesa X Way: Endesa X Way, S.L., a company whose activity involves charging for electric vehicles.
- Endesa Group: The Endesa group consists of the parent company Endesa, S.A., all the subsidiary companies and for the purposes of this policy, Endesa X Way S.L. The full list of companies belonging to the Endesa Group is available on: https://www.endesa.com/en/about-endesa/who-we-are/subsidiaries.
- Data subject: Any identified or identifiable natural person.
- LOPDGDD: Spanish organic law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
- Packaged Energy Offer: A group of products or services directly related to the field of energy activity, retailed jointly by Endesa Energía, Endesa X and/or Endesa X Way under the brand name Endesa. For example, the supply of gas and the maintenance of the equipment, or the contracting of energy tariffs and electric recharging services.
- Data controller: Natural personal or legal entity that, alone or together with others, establishes the purposes and means of processing.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Website User: User who is registered on any of the websites or applications belonging to Endesa Energía, Endesa X or Endesa X Way.
3) What personal data do we process?
Personal data is all information that directly identifies or makes it possible to identify a natural person, including, for example, their first name and surname, e-mail address, and CUPS. Some of this data may have been provided directly to us when signing a contract with us, but other data may be the result of our relationship with you, such as the data corresponding to electricity or gas consumption for the supply point you are a holder of.
The data that may be processed is grouped into the following categories:
- Data collected when registering as a Customer, in the Contract or subsequently provided during the contractual relationship: first name, surname, National Identity Document ("D.N.I."), Foreign Identification Number ("N.I.E."), CUPS, telephone number, e-mail address, contracted tariff and the data included in energy advisory tools, geographical location.
- Data resulting from the provision of services during the contractual relationship: Those related to the service we have been able to provide when you have requested it or incidents resolved or being resolved, the contracting requests that you have made, the results of the satisfaction surveys that we may have asked you to fill in, the commercial communications that we have sent, the historical consumption at the supply point of which you are the holder, your billing history and any data that may be collected during your visits to our websites through the use of "cookies". To see how we process data from cookies, click here.
- Data obtained from third parties: Those obtained from the credit information systems to which reference will be made later, as well as those relating to your consumption, from the Distribution Company, those obtained from the land registry office, referring to the address associated with the supply point and social-demographic data, obtained from Datacentric Solutions, S.A.U., Adsalsa Publicidad, S.L., Beleader Internet Marketing, S.L., Ibrands Medios Interactivos, S.L., Rock Internet, S.L., Webpilots España, S.L. and that are necessary to be able to complete the necessary information to prepare your profile when you have authorised us to do so.
Endesa only processes the data that is strictly necessary for the specific purposes contained in this Data Protection Policy and only for the time required to do so, as stated in paragraph 6, and the principles and obligations contained in both the GDPR and the LOPDGDD are always respected.
The questions below explain in detail why and how we process your data.
4) For what purposes do we process your data and on what legal basis?
1. Processing required to correctly undertake your contractual relationship with ENDESA
1.1 During the contracting process
When you request a contract for an Endesa service, the entity that will provide this service (Endesa Energía, Endesa X and/or Endesa X Way) will process your data in order to manage the contracting process. Where the service you wish to contract involves the joint provision of services by all or some of the above-mentioned entities, they will have Joint Responsibility for processing.
The processing is undertaken based on the legitimacy of the application of the pre-contractual measures necessary for the conclusion of the Contract and the execution thereof, where applicable.
1.2 As long as you have a valid Contract with ENDESA
During the validity of your Contract with Endesa, and for it to be correctly developed, maintained and managed, we will undertake the following processing:
a) Normal management of the contractual relationship: Providing the service and invoicing
If you have contracted a service with Endesa, your data will be processed by the entity with which you have contracted the service (Endesa Energía, Endesa X and/or Endesa X Way) in order to provide services that include the following:
- Invoicing services.
- Your identification when you contact us.
- To send communications to inform you of issues that may affect the service.
Where a contracted service involves the joint provision of services by Endesa Energía, Endesa X and/or Endesa X Way, the entities providing the contracted services will have joint responsibility for processing.
The processing is undertaken on the basis of executing the Contract signed with Endesa Energía, Endesa X and/or Endesa X Way.
We will process the following data for these purposes: Identification data (including first name, surname, identification document, postal and e-mail address and telephone number), data relating to the electricity supply (including CUPS, contracted power, etc.), financial data (such as the bank account used to pay invoices) and the data generated from interactions with us when you make a query or process a complaint.
Refusal to provide the requested personal data, or providing inaccurate or incomplete data, may result in the inability to suitably provide contracted services. In this regard, you are responsible for the accuracy of the data provided and for informing Endesa Energía, Endesa X and/or Endesa X Way of any change to them.
b) Viewing the different channels made available to you
Whenever you make a query or request through one of our customer service channels (including telephone channels, in-person channels and our websites and Apps), your data will be processed by Endesa Energía, Endesa X and / or Endesa X Way depending on the entity to which you make your query or request, in order to manage it with a view to correctly maintaining the contractual relationship.
In this case, we will process the data that enables you to identify yourself as a customer and those relating to the nature of the query you make.
c) Management of your contractual relationship with Endesa Energía, Endesa X or Endesa X Way by means of website services, whenever you request it by registering for the above-mentioned service.
Whenever you register or sign in as a User on the websites of Endesa Energía, Endesa X or Endesa X Way through their Apps, your personal data will be processed by the entity that owns the website for which you have registered or signed in, with a view to managing the services we provide through these websites and Apps. This means that if you provide your e-mail address, this will be the preferred means for sending any type of communication relating to the contractual relationship established with you.
This processing is undertaken in order to correctly execute the terms and conditions governing the use of the website.
1.3 Processing that involves Endesa Energía having a relationship with third parties necessary to correctly manage the Contract.
a) Use of your data to establish an ATR (network access) contract with the distributor.
Endesa Energía will process your personal data to make a contract on your behalf with the Distribution Company that corresponds to the place where the service is provided. This is a contract for access to the networks that is required to be able to supply you, for which we will provide them with the necessary data to make the contract and that will be collected in the Information System for Supply Points regulated by the electricity regulations.
The processing and transfer of data are based on the fact that they are necessary for the Contract signed with Endesa Energía to be properly managed.
b) Completing the necessary procedures for the supply.
Your personal data will also be processed by Endesa Energía in order to complete the procedures and communications with the Distribution Company that are required to be able to guarantee the supply of energy on the basis of the correct management of the Contract between us (for example, to resolve any issues presented to the Distribution Company that are then transferred to Endesa Energía to be resolved).
2. Processing necessary for Endesa Energía, Endesa X and/or Endesa X Way to be able to comply with their legal obligations.
a) Exchange of information by Endesa Energía with the distribution company in order to provide the service and be able to invoice.
In accordance with the provisions of the applicable regulations, Endesa Energía will communicate to the Distribution Company, and will obtain from it, the personal data necessary to suitably provide the contracted service and for it to be invoiced. The personal data obtained from the Distribution Company for these purposes include your identification data and information about your energy consumption at all times and are collected in the Supply Point Information System regulated by electricity regulations.
b) Meeting police, judicial and fiscal requirements.
Endesa Energía, Endesa X and Endesa X Way may be obliged to comply with requirements by the Security Forces and Bodies, judicial bodies and the Public Prosecutor's Office, in compliance with the provisions of article 7 of Organic Law 7/2021, of 26 May, on the protection of personal data processed for the prevention, detection, investigation and prosecution of criminal offences and the enforcement of criminal sanctions.
c) Attention to requirements by supervisory authorities and other Public Administrations
Both Endesa Energía, Endesa X, and Endesa X Way are legally obliged to comply with the requirements of the supervisory authorities to which they are subject, including the Spanish Markets and Competition Commission and the Spanish Data Protection Agency in accordance with the regulations governing the energy sector, the defence of competition and the protection of personal data, respectively.
Endesa Energía, Endesa X and Endesa X Way are also obliged to comply with the obligations imposed on them by law, including the transfer of your personal data to certain Public Administrations (for example, the tax authorities).
In these cases, your data will be processed to comply with the legal obligations to which Endesa Energía, Endesa X and Endesa X Way are subject.
3. Processing based on Endesa's prevailing legitimate interest.
Endesa Energía, Endesa X and Endesa X Way process personal data when it is considered that there is a legitimate interest to do this, providing it does not prejudice to your rights and interests and that it is in accordance with your expectations. To guarantee that this is the case, we undertake a prior weighting analysis to determine the prevalence of these legitimate interests and, where required by law, an assessment is made of the impact on the protection of personal data, so as not to put your rights at risk. The essential features of the weighting reports and impact assessments are available to you on request at the following e-mail address: email@example.com.
You are reminded that you can object to the processing identified in the previous section at any time, and you can exercise your right to object through the channels indicated in section 9 of this Data Protection Policy.
3.1 Processing related to credit information systems.
a) Consultation of the Credit Information Systems when processing a request for a contract and during the validity of the Contract.
When you request to contract a product or service from Endesa Energía, Endesa X and/or Endesa X Way that may involve deferred payment or the provision of a periodic invoicing service, prior to contracting and as long as you maintain a contractual relationship with us, we may consult the BADEXCUG credit information system in order to assess your economic solvency at all times, but always in strict compliance with the applicable regulations.
When the consultation is made before the contracting process has been completed, the result of the consultation may be taken into account to determine whether or not it is appropriate to sign it.
The processing of the data obtained by consulting these systems within the framework of the management of your request is based on Endesa's legitimate interest, in accordance with article 20 of the LOPDGDD.
b) Reporting cases of non-payment of invoices to the Credit Information Systems.
Endesa Energía, Endesa X and/or Endesa X Way may include your data in a report to the above-mentioned BADEXCUG credit information system where payment for any of the contracted services is not made in time. The categories of data that will be reported in these cases are as follows: First name, surname, national identity card number, point of supply address, amount and date of non-payment.
The reporting of this type of data to credit information systems is made on the basis of the legitimate interest of Endesa Energía, Endesa X or Endesa X Way in incorporating information into these systems with a view to contributing to compliance with their function, that is, as a necessary tool to be able to determine any risk that may arise from non-compliance by the interested parties where they are required to make a certain monetary, financial or credit transaction in line with the provisions of article 20 of the LOPDGDD.
The systems should only retain information relating to non-payment that has occurred in the last five years. In any case, if you proceed to make payment for any outstanding debts, Endesa Energía, Endesa X or Endesa X Way will inform the system so that it may proceed to delete the data.
3.2 Processing related to the improvement of Endesa's products and services.
a) Conducting satisfaction surveys
Once you are a Customer, and with a view to improving the quality of the services we provide, your data may be used by the entity with which you have a contractual relationship (Endesa Energía, Endesa X, Endesa X Way, or some of them), to conduct surveys on the quality of the service or satisfaction with the service provided, on the basis of your own legitimate interest in improving these services.
3.3 Transfer of data to companies responsible for factoring.
Endesa Energía, Endesa X or Endesa X Way may process your personal data in order to undertake factoring transactions (partial or total advance of credits transferred to financial institutions), in order to provide Endesa with an efficient business management model. These transfers will be made on the basis of Endesa's legitimate interest in obtaining the necessary financing to undertake its activities efficiently.
This processing will be made in accordance with the strictest security measures and on the basis of Endesa's legitimate interest which involves being able to obtain financing to undertake its commercial activity. For this purpose, your identification data (first name and surname, national identity card number) and economic-financial data relating to the credit rights of Endesa Energía, Endesa X or Endesa X Way will be transferred to these entities as a result of your Contract with them.
3.4 Obtaining additional data so as to take recovery action in case of non-payment.
In the event of a non-payment on your part, the entity with which you have contracted the service, that is, Endesa Energía, Endesa X or Endesa X Way, may process your data as one of the steps required to collect payment for the amount owed. To do this, Endesa may approach third-party companies responsible for processing and who will do what is necessary to recover the debt and this may involve updating the information you have provided for us and obtaining any additional data that may be required for this purpose.
This processing is undertaken on the basis of the legitimate interest of Endesa Energía, Endesa X or Endesa X Way in managing the debt contracted and processing collection of payment, as well as the obligation to keep any information referring to you updated.
3.5 Commercial actions with regard to services provided by Endesa.
a) Advertising for energy services similar to those contracted by the company of which you are a customer or as part of an Endesa Energy Offer Package.
If you are a Customer of Endesa Energía, Endesa X and/or Endesa X Way, the specific entity of which you are a Customer will process your data to enable you to receive advertising on products and services that are similar to those you have contracted on the basis of your legitimate interest in being kept informed with regard to the products and services. Furthermore, based on their legitimate interest and as Joint Controllers, Endesa Energía, Endesa X and Endesa X Way will process your data so you can be sent advertising on Endesa Energy Offer Packages relating to the service you have already contracted (for example, the joint offer consisting of the electricity supply and the maintenance of the equipment, offers for an energy tariff and the electric vehicle recharging service).
For this purpose, Endesa Energía, Endesa X and Endesa X Way may analyse your personal data so as to create a very basic profile to determine whether commercial actions on energy services similar to those contracted from the company with which you have a contractual relationship or on Endesa Energy Offer Packages may be adjusted to your needs and preferences for energy consumption. In this case, when the commercial action refers to Energy Offer Packages, the entities that provide the services offered will be jointly responsible for this processing.
To create this profile, we will only take into account a very limited number of the data available to Endesa Energía, Endesa X or Endesa X Way and this will consist of your first name and surname, telephone number, e-mail and postal address, national identity card number and, where appropriate, the CUPS.
This processing is undertaken on the basis of Endesa's legitimate interest in informing you and providing you with access to combined offers that will enable you to achieve a more sustainable energy model, by offering services that include the installation of energy equipment, maintenance and repair, automation and electric mobility, as well as avoiding campaigns and Energy Offer Packages that in your case may be considered repetitive, unnecessary or annoying as they are not adjusted to your needs.
b) Inclusion of the customer databases for Endesa Energía, Endesa X and Endesa X Way in order to create Energy Offer Packages.
Endesa Energía, Endesa X and Endesa X Way will communicate the data of their respective customers for the subsequent creation as Joint Controllers, of Energy Offer Packages by non-electronic means, thus avoiding the unnecessary repetition of advertising campaigns.
These communications will be made exclusively for the purpose described, without any transfer of your data between these three companies for other purposes. Specifically, the categories of data that are the subject to this transfer are as follows: First name and surname, contracted product, telephone number, e-mail address, postal address, national identity card number and, where applicable, the CUPS.
4. Processing that Endesa will only undertake if you give us your consent to do so.
Endesa will process your personal data for the purposes detailed below only if you have expressly given us your consent to do so. We would like to remind you that you can withdraw the consent given for any of these purposes without affecting the legality of the processing undertaken prior to this withdrawal, in accordance with the provisions of section 9 of this Data Protection Policy.
However, where consent is given for the provision of a service (for example, sending you an electronic invoice), withdrawal of consent will make it impossible to continue providing this service.
4.1 Provision of other additional services
a) Sending your electronic invoice
If you have registered for Endesa's "electronic invoice service", the entity with which you have signed the Contract will process your e-mail address in order to be able to send you your invoice. This processing is based on the consent you have given when registering for this service.
If you withdraw this consent, Endesa will send you the information regarding invoices for the service by non-electronic means.
b) Processing the data corresponding to location in order to use the "Juice Pass" Application
iOS: Turning location services on or off. Settings > Privacy > Location Services.
Android: Settings > Location or Quick Settings, accessible by swiping from top to bottom on your device's screen
Endesa's websites, like many other Internet portals, use a technology called "cookies" to collect information about the interactions you may make on the pages, provided that you have authorised their use where this is applicable.
If you would like to know in detail how this technology works and the way in which you can consent or not to its use you can consult the section entitled "Cookies in Endesa".
4.3 Social login on Endesa's websites and applications
On certain occasions, on Endesa's web pages or applications, we will give you the option to register or access your private customer area by logging in through the Facebook social network or with your Google account or Apple ID. To do this, you will need to give express consent for your personal identification data (first name, surname, e-mail address and password) that appear on Facebook, Google or Apple ID, depending on the means you have chosen, to be shared with Endesa Energía, Endesa X or Endesa X Way (depending on the company that is providing access to your private customer area) so that you can access or register without having to create a new account for that website.
4.4 Creation of profiles and commercial actions
(a) Creation of complex profiles
Where you have given us your consent by ticking the box expressly established for this purpose or by providing the same by telephone, Endesa Energía, Endesa X or Endesa X Way, will process your data to create a more complex profile with regard to your preferences and consumption habits, in order to be able to take the commercial actions referred to in sections b) and c) below, as well as to advertise energy services similar to those contracted with the company of which you are a customer and for the creating Energy Offer Packages.
To create this profile we will process the required personal data, as well as those relating to your energy consumption at all times (hourly load curve) and we will also make use of statistical sources that may affect your consumption, such as those relating to the area where you reside, the nature of your home, meteorological information, etc. The data relating to your consumption will refer to the last year.
This profiling will not involve taking any type of decision that will have a legal effect or significantly affect you. Whenever Endesa undertakes this type of processing, you will be informed and your consent requested where necessary.
b) Advertising for products and services provided by third parties
If you have given your consent by ticking the corresponding box enabled for this purpose or as a result of a telephone call, Endesa will process your personal data so you can receive advertising relating to other products and services provided by third parties (relating to home, insurance, vehicles, financial services and leisure) and that we feel are in line with your needs. Endesa may process your data so you can receive advertising on products and services provided by third parties via any communication channel (including e-mail, SMS and telephone calls).
c) Communication of your data to third parties so they can offer you their products and services
Provided you have given us your consent by ticking the corresponding box or as a result of a telephone call, Endesa may communicate your data to third parties in the sectors indicated in section b) above, so you can receive advertising with regard to their products and services. The categories of data that will be communicated in these cases are the following: First name and surname, mobile phone number, e-mail and post code.
Under no circumstances will the data subject to communication include the profile that Endesa Energía, Endesa X or Endesa X Way may have created in accordance with the provisions of section a).
d) Advertising for Endesa products and services when you are no longer a customer.
If you give your consent by ticking the corresponding box or as a result of a telephone call, when you are no longer a customer you may receive advertising for products and services provided by Endesa through any communication channel (including e-mail, SMS, telephone calls and WhatsApp).
5) How long will we keep your data?
We will keep your data as long as it is necessary for the purpose that justifies the processing. Specifically:
- The personal data provided during the contracting process, as well as that collected as a result of consulting the credit information systems, will be kept for these purposes until a Contract has been signed, and in this case they will be processed within the framework of the contractual relationship. If you do not sign a Contract with Endesa, the data will be kept for a period of one (1) month so you will be able to conclude the contracting process if you so wish.
- The personal data that you provide us as a Customer and that are processed for the purposes relating to the Contract, including any legal obligations that Endesa may contract as a result of this relationship, will be kept while the Contract remains valid and during the periods established in the legislation applicable to the service provided (electricity or gas). Once the Contract has been terminated, if there are no outstanding debts or charges, Endesa will proceed to block your data, in accordance with the following:
- The data relating to your basic profiling, where your consent is not required, will be kept for a maximum limited period of one (1) year or until you object to Endesa continuing to process your data.
- The personal data provided to process queries or requests or to arrange an appointment with our commercial agents will be kept until the process has been completed.
- The personal data that we process as a result of you being a User of our website will be kept as long as this condition is maintained. However, if we find that for a period of two (2) years you have not used or interacted with your account or any of our website services, we will cancel your account. This means that if you then want to reuse any of the website services, you will need to register again.
- The personal data that we process for you to be able to access or register as a User of our website by using your social network profile, will be kept as long as you do not withdraw your consent to access the website in that way or, where applicable and as indicated in the previous section, if we detect that for a period of two (2) years you have not used your account or interacted with any of our website services, we will proceed to cancel your account.
- In the event of a non-payment, the personal data processed by Endesa with regard to this will be kept as long as they are needed to take the necessary steps to proceed to collect payment.
- The data processed for the purposes based on your consent will be processed by Endesa Energía, Endesa X and/or Endesa X Way as long as your consent is not withdrawn. If you are no longer a customer of Endesa but have not withdrawn your consent, your data will be kept for a maximum period of two (2) years from the termination of your Contract.
At the end of the above-mentioned time frames, the data will be blocked during the period in which they may be needed to process complaints or in the defence against administrative or court actions, as well as for the statute of limitations of criminal, civil, commercial and/or administrative responsibilities and may only be unblocked and processed again for this reason. When this period comes to an end, the data will be permanently deleted.
Specifically, Customers' personal data will be kept for the duration of the contractual relationship. After that period, and once any debts or charges have matured, the data will be kept in a blocked state for 6 years, in accordance with the limitation period of the obligation to keep commercial and accounting documentation. After that time, the data will be definitively cancelled.
6) Do we process children's data?
Endesa ensures the proper use of the data corresponding to minors, guaranteeing respect for applicable laws by taking any measures that are reasonably appropriate and this means that no personal data is collected with regard to minors without the prior consent of their parents, guardians or legal representatives.
7) What security measures do we have in place?
With the aim of making its Data Protection Policy effective, Endesa has adopted the technical and organisational security measures that are necessary to prevent alteration, loss, misuse, processing and unauthorised access or theft thereof, depending on the status of the technology, for all channels on which personal data may be processed, including, therefore, all websites, telephone service and face-to-face channels.
8) What information do we share with third parties?
1. Transfer of data
As we pointed out when describing the different processing that Endesa undertakes with regard to your personal data, Endesa may transfer your data to the following entities:
- To the Distribution Company which will need the data to conclude the network access contract necessary for the provision of the service you have contracted with Endesa.
- To the entities that manage the credit information systems when you have not settled any outstanding debts with Endesa, providing this is done in accordance with the applicable regulations.
- To third-party companies with which Endesa collaborates relating to the home, insurance, automotive, financial services and leisure sectors, in order to receive information about the products or services offered by these companies, but always providing you have given your consent.
- To credit institutions with which factoring contracts have been signed, for the sole purpose of meeting the commitments included therein.
- To the Security Forces and Bodies, the Public Prosecutor's Office and the Courts and Tribunals when required to do so by Law.
- To those bodies responsible for supervising Endesa, including the Spanish Markets and Competition Commission, the Spanish Agency for Data Protection and the tax authorities, in accordance with the corresponding regulations.
Whenever it is deemed necessary, Endesa Energía, Endesa X and Endesa X Way will exchange data by non-electronic means to be able to present Packaged Energy Offers, so as to avoid you unnecessarily receiving repeated commercial campaigns relating to their services.
2. Access to your data by service providers (data processors)
We would also like to inform you that Endesa will provide access to your personal data to third-party service providers collaborating with Endesa when undertaking its activity and who will need to process the personal data they require in order to provide you with the contracted services. These third parties may assist in the provision of services related to the following: sales, customer service, payment recovery, marketing, advertising and professional services.
These suppliers will act as data processors for Endesa, but following the instructions provided by Endesa at all times and they will not be able to use the data for other purposes. They will guarantee the confidentiality, security and secrecy of the information to which they have access. To ensure this, Endesa analyses that these suppliers adopt measures that guarantee respect for the protection of your personal data and signs a Contract with them, in which they undertake to process the personal data to which they have access in accordance with the requirements of both the GDPR and the LOPDGDD (Spanish legislation regarding data protection).
We would also like to inform you that it is possible that some of these third parties acting as Data Processors may be located outside the European Economic Area and that they have not been declared to be States with an equivalent level of data protection. Specifically, Endesa has contracts with what it deems to be fully trustworthy suppliers located in: United States, India, Colombia, Peru and Morocco. In any case, Endesa has made an assessment to ensure that the processing of your personal data in these countries complies with the same guarantees required by European regulations and has taken the appropriate measures required to ensure the protection of your data, specifically by including the standard contractual clauses approved by the European Commission in contracts with these suppliers. For details of these Data processors, please click here[MBL1] . You may also request information on the guarantees made by Endesa for the international transfer of your personal data, including a copy thereof, by contacting firstname.lastname@example.org.
For CCDD Business: Include here the link that already appears in the following link: https://www.endesa.com/en/data-protection-endesa/managers-treatment).
9) What rights do you have regarding the processing of your personal data?
The GDPR and LOPDGDD provide for the following rights with regard to the processing of your personal data, which you may exercise with regards to and against each of the Data controllers.
- Access: This confirms whether we are processing your personal data and, if so, which.
- Rectification: This enables you to help us correct errors and modify data that may be inaccurate or incomplete.
- Erasure: This enables you to request the erasure of your data, meaning that Endesa will stop processing it unless there is a legal obligation for its storage or there are other legitimate reasons for processing it.
- Object: This enables you to ask us to stop processing your personal data in which we consider that we have a legitimate interest for its processing, based on the reasons you give us for doing so. Endesa will stop processing the data unless there are overriding legitimate reasons, or it is necessary to address complaints or to exercise defence against administrative or judicial actions, in which case they will remain duly blocked. However, if we are processing your data in order to make offers for products and services, all you need to do is make a request and Endesa will stop processing your data.
- Restriction to processing: You may ask Endesa to restrict the processing of your data in the following cases:
- While a challenge to the accuracy of the data you have provided is being verified.
- When the processing is illegal, but you oppose the deletion of your data.
- When Endesa does not need to process your data but you need them to make or manage a complaint.
- When your objection to the processing of your data is in accordance with a matter of public interest or to meet a legitimate interest, while it is being verified whether the legitimate reasons for the processing prevail over yours.
- Portability: This enables you to receive your personal data in a structured, commonly used and mechanically readable format to be able to transmit it to another Data controller.
- Withdrawal of consent: this enables stopping your data from being processed for a purpose that was previously authorised, such as receiving commercial communications from third parties with which we collaborate.
To exercise these rights, you should contact Endesa using one of the following channels:
- Post, and unless we are able to verify your identity by other means, you should include a photocopy of your ID, passport, foreigner's ID no. or any other valid identification document, and details of your request, sent to: Apartado postal 1128, 41080 Sevilla, A/A. Endesa Operaciones y Servicios Comerciales.
- E-mail, to email@example.com, with the following information: The data subject's first name and surname(s), address, photocopy of the national identity card, foreigner's ID number or any other government-issued identity document unless we are able to verify your identity by other means, and specific details for the request.
We remind you that the regulations in force allow you to file a complaint with the Spanish Data Protection Agency, whose contact details are as follows:
Agencia Española de Protección de Datos
Calle Jorge Juan, 6 – CP: 28001, Madrid.
Telephone numbers: 901 100 099 / 91 266 35 17
10) How can I contact Endesa's Data Protection Officer?
Endesa S.A., the parent company of the Endesa Group of which Endesa Energía, Endesa X and Endesa X Way are members, has appointed a Data Protection Officer for these companies.
If you have any doubts regarding the purposes of Endesa's processing of your personal data, its legitimacy or any other matter relating to the protection of personal data, you can contact our Data Protection Officer by post to the following address: C/ Ribera del Loire, 60, 28042-Madrid, or by sending an email to: firstname.lastname@example.org.
11) Changes to the Data Protection Policy
Whenever Endesa updates this Data Protection Policy, particularly as a result of new processing of personal data, we will inform you of this in sufficient time so that you can send us any type of enquiry or, where appropriate, exercise the rights recognised by the regulations in force at that time.
Thank you for the trust you have placed in Endesa.