Privacy Notice

Privacy notice of Enel Global Services pursuant to Article 13 of EU Regulation 2016/679 ("GDPR")


Enel Global Services S.r.l. (hereinafter, “Enel” or the “Controller”), with registered office at viale Regina Margherita no. 125, 00198, Rome, VAT No. 15844561009, F.C. 15416261004, manages the qualification processes of Enel Group suppliers on its own behalf and for other Group companies.  

Enel will process your personal data in accordance with the provisions of the applicable Personal Data Protection legislation and this Privacy Notice.

In particular - where Enel carries out the above activities on its own behalf, it shall act as Data Controller, whereas, where it acts on behalf of other companies of the Enel Group (which are in turn Data Controllers), Enel shall also act as Data Processor.


The Controller has appointed a DPO who can be contacted at the following email address:



This notice sets out the methods for processing the personal data of users who make use of the services made available on the WeBUY platform and which may be processed within the scope of the qualification and object of the contractual relationship with the companies of the Group (hereinafter, 'Personal Data').

For the purposes of this notice, the processing of Personal Data means any operation or series of operations carried out on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Please note that such Personal Data will be processed manually and/or with the support of IT or data transmission devices.


In particular, Enel will process the following types of Personal Data, distinguished according to the specific phase of the process considered:

  • Registration data on the WeBuy portal: contact data entered when registering on the WeBuy portal, in particular name, surname and e-mail address.
  • Personal data processed during the qualification and/or tender process: tax code, name, surname, date of birth, residence, identity documents, judicial data, any additional personal data contained in legal declarations, self-declarations and certifications, in compliance with the relevant legislation, including but not limited to the Tenders Code (Legislative Decree no. 36 of 2023), the Anti-Mafia Code (Legislative Decree no. 159 of 2011), Legislative Decree no. 231 of 2001.


The Controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, aimed at preventing and counteracting the loss of Personal Data, as well as unlawful or incorrect use and unauthorised access.



Your Personal Data will be processed in order to manage the qualification process, the tender procedure and the conclusion of the contract, if any.

We also inform you that, as part of the qualification process (both in the start-up phase and throughout the validity of the qualification), reputational surveys may be conducted from public sources.

Specifically, Enel will process your Personal Data only when one or more of the following legal bases apply:

a)    free, specific, informed, unambiguous and express consent to the processing;

b)    performance of a contract to which you are party or the execution of pre-contractual measures adopted at your request;

c)    legitimate interest of Enel;

d)    legal obligation to process Personal Data.


The following table lists the purposes for which your Personal Data are processed by the Controller and the legal basis on which the processing is based.

Processing Purpose
Legal Basis
Allow the use of all the features of the Site
Performance of a contract
Check the proper functioning of the Site
Performance of a contract
Ensure registration on the We Buy portal and allow the use of all its functionalities
Performance of a contract
Ensure unique supplier identification and verification of qualification requirements in order to grant "qualified supplier" status
Legitimate Interest Performance of a contract
Check the documentation required in the call for tenders
Legitimate Interest Performance of a contract Legal obligation
Ascertain liability in the event of computer crimes against the Site
Legitimate Interest Legal obligation
Adopt appropriate security measures for user access to its systems, such as, but not limited to, Multifactor Authentication (MFA)
Legitimate Interest
Reply to a question or request made by the data subject
Execution of pre-contractual measures adopted at the request of the data subject
Remote assistance to support access and use of Enel Group systems
Execution of a contract
Interviews and recordings for survey and quality satisfaction purposes 
Legitimate Interest
Communications relating to initiatives, projects and products promoted by Group companies or Enel's partners
Legitimate Interest Execution of a contract Consent

The provision of your Personal Data is necessary in all cases where the processing is carried out on the basis of a legal obligation or in order to perform a contract to which you are a party or the execution of pre-contractual measures adopted at your request. Your refusal to provide your Personal Data may make it impossible for Enel to carry out the purpose for which your Personal Data is collected.


Your Personal Data may be made accessible for the purposes mentioned above:

a)    to the Judicial Authority;

b)    to the companies of the Enel Group, the employees and contractors as persons authorized to process data;

c)    to third party companies or other entities (Third Parties) that carry out activities in outsourcing on behalf of Enel, in their capacity as data processors or independent controllers.



Your Personal Data will be processed within the European Union and stored on servers located within the European Union. The same Personal Data may be processed in countries outside the European Union, provided that an adequate level of protection is ensured, as recognized by the European Commission's adequacy decision.

Any transfer of Personal Data to non-EU countries, in the absence of an adequacy decision by the European Commission, will only be possible if adequate contractual or pactual safeguards, including Binding Corporate Rules and standard contractual clauses, are provided by the data controllers and data processors involved.

The transfer of your Personal Data to third countries outside the European Union, in the absence of an adequacy decision or other appropriate measures as described above, will only be made where you have explicitly consented to it or in the cases provided for by the GDPR and will be processed in your interest. In these cases, we inform you that, although the Group adopts common operating instructions in all the countries in which it operates, the transfer of your Personal Data may be exposed to risks related to the peculiarities of local legislation on the processing of Personal Data.



The Personal Data being processed for the abovementioned purposes will be conserved in observance of the principles of proportionality and necessity and, in any case, until the purposes of the processing have been achieved.

The specific retention periods for Personal Data, in relation to the relevant legal basis used, are set out below:

a)    contract: 10 years from the termination of the contractual relationship and/or from the last payment;

b)    legal obligation: for the entire duration of the contractual relationship and for the terms provided for by specific legal obligations;

c)    legitimate interest: as long as the data subject does not object.



Pursuant to Articles 15 to 22 of the GDPR, in relation to the Personal Data provided, you have the right to:

a)    access them and request a copy;

b)    request amendment;

c)    request cancellation;

d)    obtain processing limitation;

e)    oppose processing;

f)      receive your data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance, where technically feasible.


In order to exercise your rights, as well as for further information concerning your Personal Data, you may contact Enel's Data Protection Officer, who can be reached at the following e-mail address:


You also have the right to submit a complaint to the Italian Data Protection Authority, by one of the following procedures:

  • hand delivery to the offices of the Italian Data Protection Authority (at the address indicated below);
  • registered mail with return receipt addressed to: Garante per la protezione dei dati personali, Piazza Venezia, 11 - 00187 Roma;
  • certified electronic mail addressed to:


For further information on the processing of personal data by EGS, please see the Global Procurement privacy policy available at the following link: