Personal data security and protection
At Endesa, we pledge to guarantee the use of our Customers' personal data in a safe transparent manner; hence, we want you to know that you have control over them at all times. As an Endesa Customer, you can decide, provided that the regulations in force allow it, to whom your personal data is assigned, in what conditions and for what purpose.
For this to be possible and in accordance with the best Corporate Governance and Compliance practices, within our on-going review and improvement processes, we have updated our Data Protection Policy, which substitutes that which previously regulated the processing of your data as a customer of Endesa, to renew your trust in us and to learn how we compile, process and protect your personal data.
- Who can process your data?
- What personal data do we process?
- Why do we process data?
- Why are we authorised to process your personal data?
- How long do we keep your data for?
- Do we process data of minors?
- What security measures are applied?
- What information do we share with third parties?
- What rights do I have in relation to the processing of my personal data?
- How can I contact Endesa's Data Protection Officer?
- Changes in the Data Protection Policy
So that you can better understand our Data Protection Policy, below we define the concepts to be included therein:
- Customer: physical person that has a contractual relationship with Endesa.
- Contract: agreement regulating the terms and conditions applicable to the arrangement of any Endesa product or service.
- Data co-controller: two or more data controllers that jointly determine the processing objectives and/or means. In this regard, Endesa Energía and Endesa X will be co-controllers of processing in relation to certain processing.
- CUPS: Universal Supply Point Code. It is the alphanumeric code that exclusively identifies a domicile to certify energy supply. Each home has one for its electricity supply and one for its gas supply. It is permanent and unchanging, that is, it does not undergo modifications, even if the customer changes rate or marketing company.
- Distributing Company: it is the company responsible for distributing energy to your home. On the Spanish electricity market, the public cannot change their distributing company - it is determined by the area they live in.
- Data processor: natural or legal person that processes personal data for the account of the data controller.
- Endesa: Endesa Energía, S.A.U. and Endesa X Servicios S.L.
- Endesa Energía: Endesa Energía S.A.U., a company that engages in the marketing of electricity and natural gas.
- Endesa X: Endesa X Servicios S.L, a company that engages in the marketing of value-added energy products and services that are complementary to those provided by Endesa Energía.
- Endesa Group: the Endesa Group is formed by its parent Endesa, S.A. and all of its subsidiaries. You can consult the full list of Endesa Group companies here: https://www.endesa.com/es/sobre-endesa/quienes-somos/sociedades.
- Interested party: any identified or identifiable natural person.
- General Data Protection and Digital Rights Protection (GDPDRP) Law: General Data Protection and Digital Rights Protection Law 3/2018, of 5 December.
- Package Energy Offering: series of products or services, directly related with the scope of energy activity, marketed jointly by Endesa Energy and Endesa X under the Endesa brand.
- Potential Customer. physical person that does not have a contractual link with Endesa.
- Data controller: natural or legal person that, alone or with others, determines the processing purposes and resources.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with respect to the processing of personal data and the free circulation of said data, and which repeals Directive 95/46/EC.
- Website user: user registered on any of the websites of Endesa Energy or Endesa X (www.endesa.com, www.endesax.com and www.endesaxstore.com).
2) Who can process your data?
The following Endesa Group companies will process your personal data as “Data co-controllers”, except for that processing that must be performed to comply with the specific conditions of a particular product or service contracted with one of them, in which case, they will be independently considered to be “Data controllers”:
- Endesa Energía, S.A.U. with Tax ID No. A81948077 and registered office at: C/ Ribera del Loira, 60, 28042-Madrid.
- Endesa X Servicios S.L., with Tax ID No. B01788041 and registered office at: C/ Ribera del Loira, 60, 28042-Madrid.
In this regard, Endesa Energía and Endesa X reached a co-controller agreement, which duly reflects the respective functions and relations of the Data co-controllers in relation to the interested parties. The essential aspects of this agreement will be provided to you if you so request.
3) What personal data do we process?
Personal data are all that information that directly identifies or enables an individual to be identified, which may include your name and surname, email and CUPS. It is possible that you have provided us with some of the data on signing your contract with us, but others may have been inferred from the relationship that we hold with you such as, for example, the consumption of light or gas corresponding to the supply point owned by you.
The data that can be processed are grouped into the following categories:
- Data included in the register as a Customer, in the Contract or provided subsequently during the relationship: name, surnames, National Identity Document (“D.N.I.”), Foreigner Identification Number (“N.I.E.”), CUPS, telephone, email, rate contracted and data included in the energy advisory tools, geographical location.
- Data arising from the provision of services during the contractual relationship: the amount of attention given and the incidents resolved or under way, the contract requests made, the results of the satisfaction surveys, the commercial notices made, the historical consumption of the supply point of the holder, the billing history and the data that may be collected from your visits to our website through the use of "cookies".
- Data of Potential Customers that provide their consent for their data to be notified to energy sector companies for commercial purposes: on occasions, we can process the identification data (name and surname), telephone number and address of Potential Customers, provided that they have previously provided their informed consent on an unequivocal basis, through clear affirmative action separate from the other matters, so that their data are transferred to energy sector companies (which include Endesa), to receive advertising on their products and services. If we contact you through campaigns aimed at Potential Customers, we will inform you in the first contact of the identity of the Data controller, the purpose and legitimate basis of processing, origin of the data and specific data categories that we were processing, together with the possibility of exercising your rights with respect to Endesa and to the Data controller that collected your data at source.
At Endesa, we exclusively process that data strictly necessary for the specific purposes included in this Data Protection Policy and only during the time required in this regard, as specified in section 6, always complying with all the principles and obligations included in both the GDPR and the GDPDRP.
The questions included below explain in detail how and why we process data.
4) Why do we process data?
At Endesa, we process your personal data to, among other purposes, manage the provision of products and services that you have taken out with us, manage your register or count as a website User, comply with the legal obligations imposed, for example, in energy or consumption, make commercial communications on Endesa's products and services related with the area of energy activity, to collect information on those interactions that you can make when you navigate on our web pages through the use of “cookies”. Below you will find the specific purposes for which we use your data:
a) Manage the arrangement of an Endesa service
Your data will be processed to be able to manage the arrangement of an Endesa service.
Moreover, you must know that if you arrange an Endesa product or service that it may involve a deferred payment of the provision of a periodic billing service, always in strict compliance with the applicable regulations, we can consult, prior to the arrangement, the asset and credit solvency files that we consider appropriate to value your economic solvency. The outcome of this enquiry could, in any case, condition the entry into force of the Contract. Likewise, in the event of non-payment, Endesa may notify its data to said files, always complying with the guarantees granted by the legislation in force in these cases.
If you have commenced the contracting or registration process through one of our web pages, and provided your personal data, but without being able to complete it, do not worry, we will send you a maximum of two reminders to your email address with support or help so that you can successfully complete the previously initiated contracting or registration process.
When you are a Customer, in order to improve service quality, your data can be used to deal with your queries and requests through all our care channels (including telephone, face-to-face and website channels), make informative communications and surveys on service quality or the satisfaction index with the attention provided, accredit yourself in the contracting processes that you commence with us, bill the energy supply or provide energy advisory services. In the same way, to ensure that Endesa has an efficient business model, your data will be processed to carry out factoring operations.
Furthermore, provided that you have registered on the web page, your personal data may be processed to manage the services available to you as a User of the website, for example, the “electronic invoice services”, for which we will require your email address as a means of submission. In this regard, you must know that, if you provide us with your email, it will be processed as a preferential means to send any type of communication relating to the framework of the contractual relationship that we have with you.
b) Comply with the legal obligations imposed
Your data can also be processed to comply with any type of legal obligation, such as arrange access to the networks with the Distribution Company, perform the procedures required for a good end to supply, exchange information with the Distribution Company to be able to invoice your energy consumption or to meet the requirements of the Spanish Markets and Competition Commission or the Spanish Data Protection Agency, among other legal obligations.
c) Make commercial communications on products and services
Other personal data processing will also be carried out based on Endesa's legitimate interests and which you may oppose, as indicated in section 10.
This processing will be carried out to be able to offer you information on products and services related with energy activity or on Package Energy Offerings, similar to the services that you arrange or have arranged. Furthermore below, in section 5 point d), we provide you with further details regarding the reasons behind Endesa's legitimate interest.
In this regard, beforehand your personal details may be analysed in order to prepare a very basic profile with them that enables us to discover whether the sales campaign that is going to be conducted adapts to your energy consumption needs and preferences. This analysis may take into account some of your data (name and surname, telephone number, email, address, national ID document and, where appropriate, CUPS), hence, it may be necessary to make specific communications of your data between Endesa Energía and Endesa X to guarantee that the campaigns and Package Energy Offering which, where appropriate, are made, are not repetitive, unnecessary or bothersome. In any case, your data will only be fully notified between companies if you have provided us with your consent.
In any case, we remind you that you cannot at any time oppose both the reception of commercial communication and the specific communication of your data between Endesa Energía and Endesa X, exercising your rights of opposition through the channels indicated in section 10. Take into account that you will only receive commercial communications of this type while you remain an Endesa Customer, unless you subsequently authorise us in this regard.
Also, as explained in section 5, any complex profiling, in particular, the cases envisaged in article 22 of the GDPR, will be subject to the prior obtainment of your explicit, informed, free and unmistakeable consent. Specifically, we are referring to the decisions which, where appropriate, are adopted, and which are exclusively based on the automated processing, including the preparation of profiles, which have legal effects on the Interested party or which significantly affect them in a similar manner.
Lastly, for the cases in which you have provided us your consent, we can also help you to discover, through any communication channel (including, among others, email, SMS and phone calls), products and services of other companies with which we work and which may be of interest to you, related with home, insurance, car and financial and leisure services. Your data will only be transferred to other Endesa Group companies or to third-party companies related with the previous sectors if you have provided your express consent in this regard.
In any case, we recall that you can withdraw your consent at all times through the channels indicated in section 10 of this Data Protection Policy.
d) Manage the webpage services
Provided that you have signed up or registered on Endesa's web sites, your personal data will be processed to manage the website service(s).
e) Collect information when you navigate on our websites
Endesa's web pages, just like many other Internet portals, use technology known as cookies to collect information on interactions that you can make on its web pages, provided that, where appropriate, you have authorised their use.
If you want to learn how this technology works in greater details, you can consult the “Cookies at Endesa” section.
f) Geographical location to find the closest charging stations
Through the use of the App JuicePass app, and provided that you have provided your consent in this regard, we will process information on your geographical location to offer you indicators, so that you can reach your closest charging station. You can activate or disactivate the location function by changing your device's settings, as follows:
- iOS: Activate or deactivate location. Adjustments > Privacy > Location.
- Android: Adjustments > Location or through Rapid Adjustments, accessible by sliding your finger from top to bottom from the top half of your device's screen.
g) Appointment request with one of our sales agents
Likewise, we can also process your personal data to arrange an appointment with one of our sales agents, provided that the request is made through one of the sites enabled for this purpose.
5) Why are we authorised to process your personal data?
Depending on the specific purpose for which we will process your data (for example, adequately managing the service that you had arranged, complying with the applicable legal obligations, making commercial communications or collecting information when you surf on our websites), we will have the applicable legitimate basis.
For these purposes, we inform you of the legitimate bases that will allow us to perform the following processing:
a) Contract enforcement
The legal base to provide services that you have taken out with us is the Contract's enforcement, which authorises us to perform the personal data processing required (including the email address), to deal with your queries and requests through all our care channels (including telephone, face-to-face and website channels), to make informative communications and surveys on service quality or the satisfaction index with the attention provided, accredit yourself in the contracting processes that you commence with us, bill the energy supply, process payments or provide energy advisory services.
The refusal to supply the personal data requested or the delivery of inaccurate or incomplete data could render it impossible to provide the services arranged in an adequate manner. In this regard, we remind you that you are responsible for the accuracy of the data provided and for notifying Endesa of any modifications thereto.
b) Compliance with legal obligations.
As previously set forth, on occasions, we must use personal data to comply with the legal obligations of any type. Therefore, the legal base that authorises us to carry out such processing precisely consist of compliance with these legal obligations.
Consent constitutes a legitimating basis for the processing that enables Endesa to process data, prior to the obtainment of the express, free, unequivocal and informed consent of the interested party.
In this regard, processing performed to send commercial communication on other products or services offered by third-party companies, related with home, insurance, car and financial and leisure services, together with the transfer of data to these companies, including to other Endesa Group companies, have as their legal base the “consent” that you may have provided. In the same vein, any commercial communication on offers in the area of energy activities aimed at consumers that are not Endesa Customers, are subject to the obtainment of express prior consent for this purpose. In this regard, if you do not withdraw your consent, it is possible that you will continue to receive notifications of this type or that your data may continue under the control of these companies with which we collaborate.
Any complex profiling, in particular, the cases envisaged in article 22 of the GDPR, will be subject to the prior obtainment of the explicit consent of the affected party.
The legitimate basis of the processing of your email address to send the digital invoice is the “consent” that would have been provided in each case.
Processing arising from the activation of your geographical location through the App JuicePass to inform you of your closest charging station, will only occur if you have provided your consent for this purpose.
Likewise, the "consent" that you may have provided to process your personal data to manage the request for an appointment with one of our sales agents has a legal basis.
In any case, we remind you that if you provided your consent for any of the aforementioned purposes, you are entitled to withdraw it at any time, without it having any effect on the products or services that you have arranged. You will find the necessary information to exercise the right to withdraw consent in section 10 of this Data Protection Policy.
d) Legitimate interest
Legitimate interest constitutes a legitimate basis, provided that Endesa's interest in processing its Customer's data is within its reasonable expectations, taking into account the relationship held with Endesa. The interested parties always have the possibility of exercising the right of opposition, as specified in section 10.
In this case, Endesa has prepared a weighting report to assess the suitability of performing direct marketing technique activities for products and services within the scope of energy activity in which, to be precise, it is concluded that (i) Customers benefit from a more competitive and integrated price that covers all the aspects related with energy consumption (ii) in this way, Endesa may maintain its competitive position in the market, in line with other operators which also offer Package Energy Offerings. The essential aspects of this weighting report, together with the impact assessment performed with regard to this processing, are available to you should you request them.
Endesa's interest in performing direct marketing technique activities as governed by Recital 47 of the GDPR relates to its desire to be more competitive in providing products and services related with energy supply, which enables a more sustainable energy model, through the offering of services for the installation of energy, maintenance and repair equipment, automation and electrical mobility, among others.
However, despite the fact that it enters within your reasonable expectations to, for example, receive advertising for an electricity maintenance service if you have signed an electricity contract, you can oppose the processing of your data by Endesa at any time and through any channel, on the basis of legitimate interest.
For such purpose, processing performed to send you information on products or services related with the scope of energy activity or on Package Energy Offers, in line with the service that you arrange or had already arranged, which best adapts to your energy consumption will be carried out on the basis of Endesa's "legitimate interest.
In this regard, we inform you that the regulations in force enable us to use Endesa's legal interest as a legitimate basis to carry out the aforementioned processing based on the expectations that you may have as a result of being our Customer. In this regard, we remind you that you can oppose the processing identified in the previous section at all times, exercising your right of opposition through the channels indicated in section 10.
Also, the processing required to judge your economic solvency, your admission as a Customer or, where appropriate, the notification of your data to credit information systems are also performed on the basis of legitimate interest. Endesa's interest in performing this processing is clear, with regard to the qualification granted by art. 20 of the GDPDRP granted to creditors that provide a periodic billing service, as is our case.
Likewise, the processing for the purposes of factoring operations (partial or total advance payment of loans granted to financial entities), so that Endesa has an efficient business management model will be performed on the basis of Endesa's legitimate interest in being able to obtain financing to carry on its business activities.
6) How long do we keep your data for?
The personal data that you provide to us as a Customer will be conserved while it is necessary for the provision of the services included in the Contract. Once they are no longer required for this purpose, the data will be blocked during the period required to deal with claims or exercise defence with regard to administrative or legal actions, and for the time in which the criminal, civil, mercantile and/or administrative liability becomes statute-barred, and they can only be unblocked and processed for this reason. After this period, the data shall be definitively deleted.
Specifically, the Customer's personal data shall be conserved during the term of the contractual relationship. Once said period has ended and once any debt or burden that may exist has expired, the data will be conserved during the blockage stage for six years, in accordance with the statute-barred period for the obligation to conserve mercantile and accounting documentation. After this period, the data shall be definitively deleted.
The previous period will not apply in those cases in which you provided your express consent to receive advertising on Endesa's products or services related with the scope of energy, in which case, your data will be conserved while you do not withdraw the consent provided through the channels indicated in section 10, or during a maximum period of two (2) years.
If you are a User of the website, we will keep your personal data while you continue to be a User. However, if we detect that during a two (2) year period, you have not used or interacted in your account or with any of our web services, we will cancel your account by blocking your data. Accordingly, if you want to use any of the web services, you must register once again.
7) Do we process data of minors?
At Endesa, we ensure an adequate use of data of minors, guaranteeing compliance with the applicable laws and using the measures that, where appropriate, are reasonably appropriate and, accordingly, the personal data of minors are not collected without the prior consent of their parents, tutors or legal representatives.
8) What security measures are applied?
To make its Data Protection Policy effective and efficient, Endesa has adopted the technical and organisational security measures that are reasonably required to avoid the alteration, loss, misuse, processing and unauthorised access or theft of such data, based on the state of the technology, for all channels in which personal data can be processed, including, therefore, all the web pages, telephone helplines and face-to-face channels
9) What information do we share with third parties?
Endesa exclusively exchanges personal data with third parties that will be deemed to be Data processors - with respect to which we will not require your authorisation - in order to adequately manage the contractual relationship, or with other collaborating companies when we have been authorised through your consent.
We will also provide your data to credit information systems in the cases covered by the prevailing legislation, and to the credit institutions to perform factoring transactions or with the public administrations, authorities and bodies to comply with legal obligations.
Below are the details of this processing, its recipients and its legitimate basis:
a) Access by third parties to the service arranged
Service suppliers contracted or which may be contracted by Endesa and which have the status of Data processors may have access to your personal data (including other Endesa Group companies), which will perform the personal data processing necessary to provide the services arranged in line with the instructions considered appropriate by Endesa, at all times guaranteeing the confidentiality, security and secrecy of the information to which they have access. These third parties can, for example, help us in the provision of services related with: sales, customer services, recovery, marketing and advertising and professional services.
Furthermore, we inform you that it is possible that some of these third parties that act as Data Processors are located outside of the European Economic Area. More specifically, fully-trusted suppliers in the following countries can access your personal data: United States, India, Colombia, Peru and Morocco. In any case, we are legally qualified to make this type of transfer, since we are authorised by the Director of the Spanish Data Protection Agency or, on offering adequate guarantees, the standard data protection clauses adopted by the European Commission have been signed. You can find out who these Data processors are by clicking here.
b) Specific notification of data between Endesa Energía and Endesa X
The specific notification of data between Endesa Energía and Endesa X to make, by non-electronic means, Package Energy Offers, and to avoid the unnecessary repetition of sales drives, is based, as indicated previously, on Endesa's legitimate interest.
Communications will be made specifically and for the purpose described, without leading, under any circumstances, to permanent or full transfers of your data between these two companies for other purposes. Specifically, the data categories that form the scope of this specific transfer, are as follows: name and surnames, telephone number, email, address, national ID document number and, where appropriate, CUPS.
You will only receive commercial communications by electronic means regarding Package Energy Offers arising from another Endesa Group company other than the company with which you have taken it out, when you have provided consent to receive said notices.
c) Transfer of data to third parties with which we collaborate
Under no circumstances, will personal data be transferred to third-party companies unless you have previously granted us your consent.
If you have provided your consent in this regard, it is possible that your data will be shared with Endesa Group companies or third-party companies, related with home, insurance, car and financial and leisure services, to receive information on the products or services offered by these companies. Hence, data will be transferred if it has been consented to, if it is necessary for the purpose notified and on the basis of the data categories authorised.
You can discover which companies form part of the Endesa Group here: https://www.endesa.com/es/sobre-endesa/quienes-somos/sociedades.
d) Notification of information to credit information systems
As set forth previously, it is possible that, in line with current regulations, that we can notify your data to the asset and credit solvency files that we consider appropriate if you have failed to pay a frequently invoiced service that you have taken out with us, in line with a legitimate interest. The data categories that will be notified in these cases are as follows: name, surnames, national ID document number, supply point address, amount and date of non-payment.
e) Performance of factoring transactions
You can notify data to credit entities for the sole purpose of performing factoring transactions to ensure that Endesa has an efficient business model. Such processing will take place in line with the strictest security measures and on the basis of Endesa's legitimate interest in being able to obtain financing to perform its commercial activities. The data categories that form the scope of said notification are as follows: name and surnames, national ID document number, town and economic-financial data.
f) Compliance with legal obligations
Your personal data may be transferred to the public administrations, authorities and bodies, including State security forces and bodies, courts and tribunals, the Spanish Markets and Competition Commission and the Spanish Data Protection Agency, tax authorities, among others, all in accordance with the applicable regulations.
10) What rights do you have in relation to the processing of your personal data?
The GDPR and the GDPDRP include the following rights in relation to the processing of your personal data that you can exercise to act with respect to and against each of the Data controllers.
- Access: enables confirmation that we are processing your personal data and, if so, the type of data being processed.
- Rectification: allows you to help us to correct errors and modify the data that may be inaccurate or incomplete.
- Deletion: enables you to request that your data be deleted, which will lead Endesa to cease to process them unless a legal obligation exists to retain them, in which case, they will be duly blocked, or in the event that other legitimate motives prevail for us to process such data.
- Opposition: enables you to request that we cease to process your personal data with respect to which we consider that we have a legitimate interest to process, for example, on the basis of your expectations as a Customer, as occurs in the provision of product and service offerings. At Endesa, we will cease to process your data, unless legitimate imperious reasons exist or it is necessary to meet claims or exercise defence with respect to administrative or legal actions, in which case they will remain duly blocked.
- Portability: enables your personal data to be received in a structured format, of common use and mechanical reading so that you can transfer them to another Data controller.
- Withdraw consent: enables your data to cease to be processed for a purpose previously authorised by you, for example, the receipt of commercial communications from third-party companies with which we work. To exercise these rights you can address Endesa through any of the following channels:
- By post, attaching a photocopy of your National ID Card, passport, foreigner ID no. or any other ID document in force, and the application specifying the request, to PO Box 1128, 41080 – Seville, A/A. Endesa Operaciones y Servicios Comerciales.
- Email to the address email@example.com, with the following information: name and surnames of the interested party, address for notification purposes, photocopy of your National ID Card, passport, foreigner ID no. or any other ID document in force, and the application specifying the request.
Also, we remind you that the regulations in force allow you to present a claim to the Spanish Data Protection Agency, whose contact details are as follows:
Spanish Data Protection Agency
Calle Jorge Juan, 6 – CP: 28001, Madrid.
Tel.: 901 100 099 / 91 266 35 17
11) How can I contact Endesa's Data Protection Officer?
Endesa S.A., parent of the Endesa Group of which Endesa Energía and Endesa X form part, has been appointed as a Data Protection Official for these companies.
Should you have any doubts regarding the purpose of the processing of your personal data by Endesa, regarding their legitimacy or any other matter relating to personal data protection, you may contact our Data Protection Official, by post at the following address: C/ Ribera del Loira, 60, 28042-Madrid, or by email: firstname.lastname@example.org.
12) Changes in the Data Protection Policy
Provided that Endesa updates this Data Protection Policy as a result of new personal data processing, we will duly inform you in sufficient time so that you can send us any type of query or, where appropriate, exercise the rights to which you are entitled under the regulations in force at that time.
Thank you for the trust that you have placed in Endesa.