Privacy Policy

Headquarters Eni Rome

Pursuant to Regulation (EU) 2016/679 ("GDPR"), Eni S.p.A. ("Company" or "Data Controller") provides the following information to enable users of the eni.com website ("Website") to understand how their personal information is collected and processed when browsing the Website and using the services ("Services") provided through it and as provided in the Terms and Conditions of Use ("T&Cs").

The Data Controller is Eni S.p.A., with its registered office in Piazzale Enrico Mattei, 1, 00144, Rome.

The Company has appointed a Data Protection Officer ("DPO"), who can be contacted at the following e-mail address dpo@eni.com.

The following personal data belonging to users ("Personal Data" or "Data") is the subject of processing:

  • data needed to request Services (e.g., first name, last name, and e-mail address to subscribe to the newsletter);
  • information provided during the use of the Services (by way of example, text from the message drafted within the "Write to us" form);
  • information related to the use of the Website; browsing data; technical data for operation of the Website; information related to the devices used.

The Personal Data is processed to:

  1. fulfil obligations imposed by the applicable regulations and complying with requests from the public authorities;
  2. to follow up on user requests for the Services. For the aforementioned purpose, Personal Data will also be processed within the context of the administration and management of the Services, support, as well as to comply with the obligations arising under the T&Cs, as well as to fulfill specific user requests;
  3. for the preparation of commercial, promotional, advertising and marketing initiatives, as well as sending advertising and/or informational material about products, services and initiatives of the Data Controller or third parties (hereinafter "Marketing Communications”) via email;
  4. to conduct analysis of the use of the Services on an aggregate basis in order to improve the Services provided and meet specific user needs;
  5. as part of extraordinary mergers, the sale or transfer of business operations, to carry out prodromal activities for such operations including due diligence;
  6. to ascertain, exercise, defend a right of the Data Controller and/or a third party including in court.

Personal Data processing for the purposes referred to in paragraph 4(a) is based on the need to fulfill legal obligations (Art. 6, par. 1(c) GDPR).

Personal Data processing for the purposes referred to in paragraph 4(b) is based on the need to fulfill the user's request to receive the Services (Art. 6, par. 1(b) GDPR).

Personal Data processing for the purposes referred to in paragraph 4(c) is based on the user's consent (Art. 6, para. 1(a) GDPR).

Personal Data processing for the purpose referred to in paragraph 4(d) is based on the legitimate interest of the Data Controller to continuously improve the efficiency and security of their Services (Art. 6, para. 1(f) GDPR.

Personal Data processing for the purpose referred to in paragraph 4(e) is based on the legitimate interest of the Data Controller in the continuation of their business activities (Art. 6, para. 1(f) GDPR.

Personal Data processing for the purpose referred to in paragraph 4(f) is based on the legitimate interest of the Data Controller and/or third parties in protecting their rights (Art. 6, para. 1(f) GDPR.

The data may also be processed with the help of electronic or automated means, managed using tools that guarantee security and confidentiality, and will include any operation or set of operations necessary for its processing. 

Personal data recipients

To further the purposes set forth in section 4, the Data Controller may disclose users' personal data to third parties from the following entities or categories of entities:
 

  • police forces, armed forces and other public administrations to comply with obligations laid down by law, regulations or EU legislation.
  • other subsidiaries of Eni S.p.A.;
  • IT service providers.

The Data Controller ensures that the communication of users' personal data to the aforementioned recipients involves only the data necessary to achieve the specific purposes it is intended for.
With regard to the data communicated to them, the recipients belonging to the above categories may operate either as data controllers (in which case they will receive appropriate instructions from the Data controller) or as independent data controllers, depending on the situation.
Finally, please note that users' personal data will not be circulated.

The transfer of personal data outside the EU

Whenever it is deemed instrumental to the pursuit of the purposes set forth in paragraph 4, the Data may also be sent abroad to companies located outside the European Economic Area (“EEA"). Some of the jurisdictions outside the EEA may not provide the same level of data protection as that which is guaranteed within the EEA. In such a case, the Data Controller undertakes to process the Data with the utmost confidentiality by adopting the standard contractual clauses provided by the European Commission and any other necessary measures referred to in Art. 46 GDPR where it would not be possible to resort to one of the exceptions referred to in Art. 49 GDPR. 

Data retention period

The Personal Data will be kept on the Data Controller's computer files and protected by the appropriate security measures for however long it takes to achieve the purposes set out in paragraph 4 above, and will then be deleted.

More specifically, contact and master data for sending Marketing Communications and Newsletters will be retained for two years from when the user give their consent to receive such communications. The Personal Data may be kept for longer in the event of a possible litigation, requests by competent authorities or as per the applicable law. 

Rights of data subjects

Where applicable and within the limits of the GDPR, as a data subject, the user is granted the following rights over the Personal Data collected and processed by the Data Controller for the purposes set out in paragraph 4:

  • pursuant to Article 15 GDPR, to obtain confirmation from the Data Controller that Personal Data is or is not being processed and if so, to obtain access to the following information: (i) the purposes of the processing; (ii) the categories of Personal Data concerned; (iii) the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, particularly if they are recipients in third countries or international organisations; (iv) whenever possible, the expected retention period of the Personal Data or, if not possible, the criteria used to determine such period (v) the right to lodge a complaint with a supervisory authority; (vi) if the data is not collected from the user, all available information about its origins; (vii) the existence of automated decision-making, including profiling, as well as information about the logic used and the expected consequences of such processing;
  • pursuant to Article 16 GDPR, to obtain the rectification of inaccurate Data concerning them or, taking into account the purposes of the processing, to complete missing Personal Data;
  • pursuant to Article 17 GDPR, to obtain the deletion of Personal Data if any of the following reasons exist: (i) the Data is no longer necessary in relation to the purposes it was collected or otherwise processed for; (ii) the Data is being processed unlawfully; (iii) the user has withdrawn the consent under which the Data Controller had the right to process the Data and there is no other legal basis for the Data Controller to process the Data; (iv) the user has objected to the processing and there is no overriding legitimate reason; (v) the Personal Data must be deleted to fulfill a legal obligation. However, the Company has the right to disregard the request to exercise the aforementioned cancellation rights if this is necessary for (a) the exercise of a legal obligation or the performance of a task performed in the public interest; or (b) to defend its own right in court;
  • pursuant to Article 18 GDPR, to obtain the restriction to the Personal Data processing when one of the following occurs: (i) in the event that the user has disputed the accuracy of the Personal Data concerning them for the time necessary for the Controller to verify the accuracy of such Personal Data; (ii) in the event of unlawful Personal Data processing, if the user objects to its deletion; (iii) where it is necessary for the establishment, exercise or defence of a right in a court of law; (iv) for the time necessary to verify whether the Data Controller's legitimate reasons prevail over the user's request to object to the processing;
  • pursuant to Article 20 GDPR, to receive the Personal Data provided to the Company and processed by it on the basis of consent or contract with the user in a structured, commonly used and readable format, as well as the right to transmit such data to another Data Controller without hindrance;
  • pursuant to Art. 21 GDPR, for reasons related to the user’s particular situation, to object to the Data processing carried out on the basis of the legitimate interest of the Data Controller.
  • to revoke consent for the personal data processing with consent as the legal basis.


These rights may be exercised by writing an email to the DPO at dpo@eni.com.
Without prejudice to any other administrative or judicial remedy, the user also has the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) where they believe there has been a violation of their rights regarding Personal Data protection.



Back to top
Back to top