This Policy aims to explain how we obtain, process and protect the personal data you provide or we collect from forms and/or cookies on the Viaqua website (hereinafter, the 'website') and the Online Office, so you can decided freely and voluntarily whether you want us to process such data.

The website provides links to platforms and pages managed by third parties offering services for all the companies in the SUEZ group, to which Viaqua belongs. These pages have their own Privacy Policy, which provides information on the data controller and the purposes of processing.

The data controller responsible for processing personal data collected via this website is Viaqua Gestión Integral de Aguas de Galicia, S.A.U (hereinafter referred to as Viaqua”), whose business address Rúa José Villar Granjel, nº 33 CP 15890 and whose tax identification number (NIF) is A66141185.

Visiting the Viaqua website and browsing its different sections does not require users to provide any personal data. However, we will collect some information on your browsing (which does not always let us identify you) by using cookies installed on your computer. For more information, please read our Cookies Policy.

Users of the website can perform transactions which will require their personal data to be processed:

(i) Transactions for which customers do not need to register in our systemsuch as: lodging complaints, reporting fraud and incidents outdoors or in buildings, presenting claims, making inquiries.

Some of these transactions may require the user to provide certain data so they can be processed correctly. Such data may include: identification data (first name, surname, and ID number in some cases); contact details (such as postal address, phone number, email address); other data such as address of the detected fraud or incident.

• Your data will be processed with the aim of responding to the request in the form you have accessed and completed.
• The legal basis is the consent granted by the user providing the data, having contacted Viaqua voluntarily. This consent may be revoked at any time with no retroactive effect (i.e. it does not affect requests that have already been processed).

(ii) Web transactions to register as a customer/account holder, for instance: connection request, registration request, change of name or transfer of a pre-existing contract.

Some of these transactions may require the user to provide certain data so they can be processed correctly. Such data may include: identification data (first name, surname, and ID number); contact details (such as postal address, phone number, email address); data on the property in order to request the supply or change the name of the account holder (property deeds, cadastral reference, rental agreement); representation data (powers of attorney when acting on behalf of another person or legal entity); financial data (bank details for bill payment by direct debit).

• Your data will be processed with the aim of managing your registration as a service customer.
• The legal basis is the consent granted by the user providing the data, having contacted Viaqua voluntarily.

Users interacting with Viaqua to register as a service customer can find more detailed information on how their data is processed in the Customer and Service User Data Protection Policy .

(iii) Web transactions that require the user to be a service customer, account holder or person authorised by the account holder, , such as completing the customer meter reading and online bill payments, among others.

Data provided will be processed in order to carry out the selected transaction as part of your account file in order to generate bills for services received.

If you are managing bill payment online, you will be sent to pages of third parties (online banking) that work with Viaqua. These pages have their own Privacy Policy, which provides information on the data controller and the purposes of processing.

Viaqua processes your data based on the consent of the user providing it, having contacted Viaqua voluntarily.

(iv) Transactions that require registration with the website's 'Online Office' or 'Customer Service Area': from the Online Office, customers can access and enter data in their account (contact details, bank details, etc., as long as the customer is the account holder), enter meter readings, activate e-billing, request duplicate bills and activate the 12 Drops payment plan, among other operations.

Registration with the Online Office requires the user to be a service customer or account holder and accept the Conditions of Use displayed at the start of the registration process.

Data is processed in the Online Office to manage contractual relations between the customer and Viaqua. Viaqua customers can view additional information on processing their personal data in the Customer and Service User Data Protection Policy.

In general terms, website users should only provide their own personal data in the forms available to them. However, users may provide the data from third parties as long as (i) they have obtained the data legally; (ii) they have authorisation; and, where necessary, have informed the affected party of the transaction or inquiry they are performing.

Transactions and inquiries on the website must be carried out by users in their own name. As exceptions to the above, transactions on behalf of third parties will be permitted in the following cases:

• A person with specific authorisation from the account holder.
• Representatives or contact persons acting on behalf of legal entities.
• Official property administrators acting on behalf of owners' associations and other customers.

On the basis of legitimate interest (as stated in Article 19 of Organic Law 3/2018 on data protection and the guarantee of digital rights), the personal data of representatives, contact persons and property administrators will be processed for the sole purpose of managing the request made on behalf of third parties.

Should the personal data provided belong to a third party, the person providing the data must guarantee that the third party has been informed of this Privacy Policy and has obtained due authorisation to provide the data to Viaqua for the indicated purposes. The user similarly guarantees that the data provided are accurate and up to date, and is responsible for any loss or damages, direct or indirect, that may arise as a result of a breach of said obligation.

Viaqua uses service providers to carry out some of the tasks related to the contract. Therefore, such service providers need to access users' data to perform the requested transaction. These providers are considered data processors and will only process personal information in compliance with the instructions of Viaqua. Under no circumstances will the user's personal information be used for purposes other than those detailed in this Policy.

In the interest of efficiency, some of our suppliers are located in countries outside the European Economic Area (EEA) or, although in the EEA, share information with other organisations outside said area. Viaqua guarantees that:

• Transfers are made to countries which the European Commission has determined provide an adequate level of protection.
• In the absence of said adequacy decision, (currently such transfers are made to the USA, amongst other countries), the Commission's standard contractual clauses have been adopted.

This information can be found (in Spanish only) on the AEPD website: https://www.aepd.es/es/derechos-y-deberes/cumple-tus-deberes/medidas-de-cumplimiento/transferencias-internacionales

For further information, please contact the Data Protection Officer of Viaqua.

Viaqua, on the basis of legitimate interest, can transfer your personal data within the SUEZ Group for administrative purposes (Recital 48 GDPR).

Except for in the aforementioned case, Viaqua will not communicate the personal data collected through this website to third parties unless you give your express consent or it is in order to fulfil a legal obligation.

When your consent is required to share your personal data with third parties, we will inform you of the purpose of processing, the data being shared and the identity or sectors of activity to which your personal data from the data collection forms may be transferred.

Viaqua may sometimes share users' data, whether or not they are customers, with government agencies responsible for the services or related fiscal matters when required to do so, when needed in order to process the request or inquiry, or when required for legal proceedings in cases of fraud.

In particular, Viaqua is required to share their customers' personal data with certain government bodies, as stated in section 7 (With whom do we share you data?) of the Customer and Service User Data Protection Policy.

Customer data will be held for as long as contractual relations, are maintained to ensure they are properly managed. Once relations have ended (and the periods for payment of unpaid bills has elapsed and conflicts in relation to the service have been resolved) we are required to keep your data as blocked for an additional period in which there may be liabilities arising from our services or data processing.

Data from non-customers provided other transactions (such as inquiries and reporting frauds) will be kept for the time required to manage your request, and for an additional period in order to meet any possible related legal liabilities.

If you have authorised us to send you commercial information, we will keep your data until you inform us that you no longer wish to receive our offers and in any case at the end of  the contractual relationship.

The Law recognises that, if you have granted your consent, you may withdraw it at any time and exercise the following rights with regard to data protection:

All that is required for you to exercise the above rights or withdraw your consent is to send us your request by any of the following methods:

• By post to the following address: Rúa José Villar Granjel, nº 33 CP 15890.
• Via the contact on our website.
• Registering your request with any of our service offices.

The applicant must be sufficiently identified in the application. When the person responsible for processing has reasonable doubts about the applicant's identity, they may request additional necessary information to confirm their identity. If you act through legal representation, you must also provide the ID card and document accrediting representation.

Viaqua has appointed a Data Protection Officer whom you may contact regarding any doubts or complaints you may have in relation to data protection. You can contact the Data Protection Officer using any of the following methods:

• E-mail address: dpo@viaqua.gal
• Postal address: Rúa José Villar Granjel, nº 33 CP 15890, to the attention of the Data Protection Officer.

Your complaint will be investigated confidentially and you will receive an answer from our Data Protection Officer.

In all cases, as the affected party or data subject, you may lodge a complaint with the competent data protection authority: .

In general, Viaqua's corporate profiles on social media (Twitter, Facebook, etc.) are for information purposes only. If you provide data via inquiries or requests made by private messages on social media, such personal data will be used exclusively to respond to the request under the terms and conditions stated in this Policy. We remind you that you should not include your personal data or that of third parties (such as email addresses, phone numbers and contract numbers) in open messages on social media. If you are not sure whether your message can be read by other people, we recommend you contact us by another channel.

10. WhatsApp Business

Viaqua provides instant messenger services through WhatsApp Business for the purposes indicated in section three of this policy. The use of WhatsApp by users is subject to the WhatsApp Business Terms of Service.