Privacy Notice

Privacy notice of Enel Global Services pursuant to Article 13 of EU Regulation 2016/679 ("GDPR")



1.1      Enel Global Services S.r.l. (hereinafter, “Enel” or the “Controller”), with registered office at viale Regina Margherita no. 125, 00198, Rome, VAT No. 15844561009, F.C. 15416261004, manages the qualification processes of Enel Group suppliers on its own behalf and for other Group companies.  

1.2      For the purposes related to the qualification process, Enel will process your personal data in accordance with the provisions of the applicable Personal Data Protection legislation and this Privacy Notice.

1.3      In particular - where Enel carries out the above activities on its own behalf, it shall act as Data Controller, whereas, where it acts on behalf of other companies of the Enel Group (which are in turn Data Controllers), Enel shall also act as Data Processor.



2.1      The Controller has appointed a DPO who can be contacted at the following email address:  



3.1          This notice sets out the methods for processing the personal data of the users of this website (hereinafter, the "Site") and the personal data pertaining to the suppliers of the Group (hereinafter, the "Suppliers") that may be processed within the scope of the qualification portal and subject of the contractual relationship with the companies of the Group.

3.2          Enel shall process the personal data communicated by you or legitimately obtained by the Data Controller (hereinafter, the "Personal Data") in compliance with the provisions of the applicable legislation on the protection of personal data and only for the purposes related to the relationship between the Supplier and the Data Controller.

3.3          Enel shall process Personal Data deriving from information communicated by the Suppliers during the registration and/or qualification phases, as part of the checks carried out to verify their accuracy, as well as open public sources.

3.4          For the purposes of this notice, the processing of Personal Data means any operation or series of operations carried out on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.5          Please note that such Personal Data will be processed manually and/or with the support of IT or data transmission devices.

3.6          In particular, Enel will process the following types of Personal Data, distinguished according to the specific phase of the process considered:

-       Browsing data: data acquired by IT and telematic systems as well as by the software procedures used to operate the Site during their normal operation, the transmission of which is implicit in the use of web communication protocols or is useful for better management and optimisation of the system for sending data and e-mails, such as the date and time of access, the pages visited, the name of the Internet Service Provider and the Internet Protocol (IP) address through which you access the Internet, the Internet address from which you connected to our Site, etc..

-       Registration data on the WeBuy portal: contact data entered when registering on the WeBuy portal, in particular name, surname and e-mail address.

-       Personal data processed during the qualification and/or tender process: tax code, name, surname, date of birth, residence, identity documents, judicial data, any additional personal data contained in legal declarations, self-declarations and certifications, in compliance with the relevant legislation, including but not limited to the Tenders Code (Legislative Decree no. 50 of 2016), the Anti-Mafia Code (Legislative Decree no. 159 of 2011), Legislative Decree no. 231 of 2001.



4.1         Enel will process your Personal Data for the achievement of specific purposes and only when there is an appropriate legal basis provided by the applicable data protection law. Specifically, Enel will process your Personal Data only when one or more of the following legal bases apply:

a)    free, specific, informed, unambiguous and express consent to the processing;

b)    performance of a contract to which you are party or the execution of pre-contractual measures adopted at your request;

c)    legitimate interest of Enel;

d)    legal obligation to process Personal Data.

4.2         The following table lists the purposes for which your Personal Data are processed by the Controller and the legal basis on which the processing is based.

Processing Purpose

Legal Basis

Allow the use of all the features of the Site

Performance of a contract

Check the proper functioning of the Site

Performance of a contract

Ensure registration on the We Buy portal and allow the use of all its functionalities

Performance of a contract

Ensure unique supplier identification and verification of qualification requirements in order to grant "qualified supplier" status

Legitimate Interest

Performance of a contract

Check the documentation required in the call for tenders

Legitimate Interest

Performance of a contract

Legal obligation

Ascertain liability in the event of computer crimes against the Site

Legitimate Interest

Legal obligation

Adopt appropriate security measures for user access to its systems, such as, but not limited to, Multifactor Authentication (MFA)


Legitimate Interest


Reply to a question or request made by the data subject

Execution of pre-contractual measures adopted at the request of the data subject

Remote assistance to support access and use of Enel Group systems

Execution of a contract

Interviews and recordings for survey and quality satisfaction purposes 


Legitimate Interest


Communications relating to initiatives, projects and products promoted by Group companies or Enel's partners

Legitimate Interest

Execution of a contract


4.3         The provision of your Personal Data is necessary in all cases where the processing is carried out on the basis of a legal obligation or in order to perform a contract to which you are a party or the execution of pre-contractual measures adopted at your request. Your refusal to provide your Personal Data may make it impossible for Enel to carry out the purpose for which your Personal Data is collected.



5.1          Your Personal Data may be made accessible for the purposes mentioned above:

a)    to employees and contractors of Enel, as persons authorised to process data;

b)    to the companies of the Group that commissioned the project;

c)    to third party companies or other entities (Third Parties) that carry out activities in outsourcing on behalf of Enel, in their capacity as data processors or independent controllers. These parties operate in the field of banking, financial and insurance services, payment systems, tax collection and treasury; supply and management of IT procedures and systems; management of customer communications;

d)    to the Authorities, the public information systems set up within the public administrations, such as  “Centrale Rischi presso la Banca di Italia” (Risks Centre at the Bank of Italy), “Ufficio Centrale Antifrode dei Mezzi di Pagamento” (Central Payment Instruments Fraud Office - UCAMP), “Sistema pubblico di prevenzione amministrativa delle frodi nel settore del credito al consumo con specifico riferimento al furto di identità” (Public administrative fraud prevention system in the consumer credit sector with specific reference to identity theft - SCIPAFI), as well as “Anagrafe Tributaria” (Tax Registry) and “Archivio dei rapporti con operatori finanziari” (Archive of relations with financial operators).



6.1          Your Personal Data will be processed within the European Union and stored on servers located within the European Union. The same Personal Data may be processed in countries outside the European Union, provided that an adequate level of protection is ensured, as recognised by the European Commission's adequacy decision.

6.2          Any transfer of Personal Data to non-EU countries, in the absence of an adequacy decision by the European Commission, will only be possible if adequate contractual or pactual safeguards, including Binding Corporate Rules and standard contractual clauses, are provided by the data controllers and data processors involved.

6.3          The transfer of your Personal Data to third countries outside the European Union, in the absence of an adequacy decision or other appropriate measures as described above, will only be made where you have explicitly consented to it or in the cases provided for by the GDPR and will be processed in your interest. In these cases, we inform you that, although the Group adopts common operating instructions in all the countries in which it operates, the transfer of your Personal Data may be exposed to risks related to the peculiarities of local legislation on the processing of Personal Data.



7.1          The Personal Data being processed for the abovementioned purposes will be conserved in observance of the principles of proportionality and necessity and, in any case, until the purposes of the processing have been achieved.

7.2         The specific retention periods for Personal Data, in relation to the relevant legal basis used, are set out below:

a)    contract: 10 years from the termination of the contractual relationship;

b)    legal obligation: for the entire duration of the contractual relationship and for the terms provided for by specific legal obligations;  

c)    legitimate interest: as long as the data subject does not object.   

7.3         In any case, Personal Data will be kept for 10 years from the end of the qualification and/or registration or from the expiry of the last contract issued. 


8.             DATA SUBJECT RIGHTS

8.1          Pursuant to Articles 15 to 22 of the GDPR, in relation to the Personal Data provided, you have the right to:

a)    access them and request a copy;

b)    request amendment;

c)    request cancellation;

d)    obtain processing limitation;

e)    oppose processing;

f)      receive your data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance, where technically feasible.

8.2          We hereby inform you that you have the right to object, at any time, to the processing of your Personal Data for marketing purposes. If you object to processing for marketing purposes, your Personal Data will no longer be processed for such purposes.

8.3          In order to exercise your rights, as well as for further information regarding your Personal Data, you may contact Enel's Data Protection Officer, who can be reached at the following dedicated e-mail address:

8.4          You also have the right to submit a complaint to the competent Data Protection Authority. In Italy, you can submit a complaint to the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), by one of the following procedures:

a)    hand delivery to the offices of the Italian Data Protection Authority (at the address indicated below);  

b)    registered mail with return receipt addressed to: Garante per la protezione dei dati personali, Piazza Venezia, 11 - 00187 Roma;

c)    certified electronic mail addressed to: