Pursuant to Regulation (EU) 2016/679 ("GDPR"), Eni S.p.A. ("Company" or "Data Controller") provides the following information to enable users of the eni.com website ("Website") to understand how their personal information is collected and processed when browsing the Website and using the services ("Services") provided through it and as provided in the Terms and Conditions of Use ("T&Cs").
The Data Controller is Eni S.p.A., with its registered office in Piazzale Enrico Mattei, 1, 00144, Rome.
The following personal data belonging to users ("Personal Data" or "Data") is the subject of processing:
The Personal Data is processed to:
Personal Data processing for the purposes referred to in paragraph 4(a) is based on the need to fulfill legal obligations (Art. 6, par. 1(c) GDPR).
Personal Data processing for the purposes referred to in paragraph 4(b) is based on the need to fulfill the user's request to receive the Services (Art. 6, par. 1(b) GDPR).
Personal Data processing for the purposes referred to in paragraph 4(c) is based on the user's consent (Art. 6, para. 1(a) GDPR).
Personal Data processing for the purpose referred to in paragraph 4(d) is based on the legitimate interest of the Data Controller to continuously improve the efficiency and security of their Services (Art. 6, para. 1(f) GDPR.
Personal Data processing for the purpose referred to in paragraph 4(e) is based on the legitimate interest of the Data Controller in the continuation of their business activities (Art. 6, para. 1(f) GDPR.
Personal Data processing for the purpose referred to in paragraph 4(f) is based on the legitimate interest of the Data Controller and/or third parties in protecting their rights (Art. 6, para. 1(f) GDPR.
The data may also be processed with the help of electronic or automated means, managed using tools that guarantee security and confidentiality, and will include any operation or set of operations necessary for its processing.
To further the purposes set forth in section 4, the Data Controller may disclose users' personal data to third parties from the following entities or categories of entities:
The Data Controller ensures that the communication of users' personal data to the aforementioned recipients involves only the data necessary to achieve the specific purposes it is intended for.
With regard to the data communicated to them, the recipients belonging to the above categories may operate either as data controllers (in which case they will receive appropriate instructions from the Data controller) or as independent data controllers, depending on the situation.
Finally, please note that users' personal data will not be circulated.
Whenever it is deemed instrumental to the pursuit of the purposes set forth in paragraph 4, the Data may also be sent abroad to companies located outside the European Economic Area (“EEA"). Some of the jurisdictions outside the EEA may not provide the same level of data protection as that which is guaranteed within the EEA. In such a case, the Data Controller undertakes to process the Data with the utmost confidentiality by adopting the standard contractual clauses provided by the European Commission and any other necessary measures referred to in Art. 46 GDPR where it would not be possible to resort to one of the exceptions referred to in Art. 49 GDPR.
The Personal Data will be kept on the Data Controller's computer files and protected by the appropriate security measures for however long it takes to achieve the purposes set out in paragraph 4 above, and will then be deleted.
More specifically, contact and master data for sending Marketing Communications and Newsletters will be retained for two years from when the user give their consent to receive such communications. The Personal Data may be kept for longer in the event of a possible litigation, requests by competent authorities or as per the applicable law.
Where applicable and within the limits of the GDPR, as a data subject, the user is granted the following rights over the Personal Data collected and processed by the Data Controller for the purposes set out in paragraph 4:
These rights may be exercised by writing an email to the DPO at firstname.lastname@example.org.
Without prejudice to any other administrative or judicial remedy, the user also has the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) where they believe there has been a violation of their rights regarding Personal Data protection.