DATA CONTROLLER AND DATA PROCESSOR
Enel Global Services S.r.l. (hereinafter, “Enel” or the “Controller”), with registered office at viale Regina Margherita no. 125, 00198, Rome, VAT No. 15844561009, F.C. 15416261004, manages the qualification processes of Enel Group suppliers on its own behalf and for other Group companies.
Enel will process your personal data in accordance with the provisions of the applicable Personal Data Protection legislation and this Privacy Notice.
In particular - where Enel carries out the above activities on its own behalf, it shall act as Data Controller, whereas, where it acts on behalf of other companies of the Enel Group (which are in turn Data Controllers), Enel shall also act as Data Processor.
PROCESSING PURPOSE AND METHOD
This notice sets out the methods for processing the personal data of users who make use of the services made available on the WeBUY platform and which may be processed within the scope of the qualification and object of the contractual relationship with the companies of the Group (hereinafter, 'Personal Data').
For the purposes of this notice, the processing of Personal Data means any operation or series of operations carried out on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Please note that such Personal Data will be processed manually and/or with the support of IT or data transmission devices.
In particular, Enel will process the following types of Personal Data, distinguished according to the specific phase of the process considered:
- Registration data on the WeBuy portal: contact data entered when registering on the WeBuy portal, in particular name, surname and e-mail address.
- Personal data processed during the qualification and/or tender process: tax code, name, surname, date of birth, residence, identity documents, judicial data, any additional personal data contained in legal declarations, self-declarations and certifications, in compliance with the relevant legislation, including but not limited to the Tenders Code (Legislative Decree no. 36 of 2023), the Anti-Mafia Code (Legislative Decree no. 159 of 2011), Legislative Decree no. 231 of 2001.
The Controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, aimed at preventing and counteracting the loss of Personal Data, as well as unlawful or incorrect use and unauthorised access.
PROCESSING PURPOSE AND LEGAL BASIS
Your Personal Data will be processed in order to manage the qualification process, the tender procedure and the conclusion of the contract, if any.
We also inform you that, as part of the qualification process (both in the start-up phase and throughout the validity of the qualification), reputational surveys may be conducted from public sources.
Specifically, Enel will process your Personal Data only when one or more of the following legal bases apply:
a) free, specific, informed, unambiguous and express consent to the processing;
b) performance of a contract to which you are party or the execution of pre-contractual measures adopted at your request;
c) legitimate interest of Enel;
d) legal obligation to process Personal Data.
RECIPIENTS OF PERSONAL DATA
Your Personal Data may be made accessible for the purposes mentioned above:
a) to the Judicial Authority;
b) to the companies of the Enel Group, the employees and contractors as persons authorized to process data;
c) to third party companies or other entities (Third Parties) that carry out activities in outsourcing on behalf of Enel, in their capacity as data processors or independent controllers.
TRANSFER OF PERSONAL DATA
Your Personal Data will be processed within the European Union and stored on servers located within the European Union. The same Personal Data may be processed in countries outside the European Union, provided that an adequate level of protection is ensured, as recognized by the European Commission's adequacy decision.
Any transfer of Personal Data to non-EU countries, in the absence of an adequacy decision by the European Commission, will only be possible if adequate contractual or pactual safeguards, including Binding Corporate Rules and standard contractual clauses, are provided by the data controllers and data processors involved.
The transfer of your Personal Data to third countries outside the European Union, in the absence of an adequacy decision or other appropriate measures as described above, will only be made where you have explicitly consented to it or in the cases provided for by the GDPR and will be processed in your interest. In these cases, we inform you that, although the Group adopts common operating instructions in all the countries in which it operates, the transfer of your Personal Data may be exposed to risks related to the peculiarities of local legislation on the processing of Personal Data.
PERIOD OF RETENTION OF PERSONAL DATA
The Personal Data being processed for the abovementioned purposes will be conserved in observance of the principles of proportionality and necessity and, in any case, until the purposes of the processing have been achieved.
The specific retention periods for Personal Data, in relation to the relevant legal basis used, are set out below:
a) contract: 10 years from the termination of the contractual relationship and/or from the last payment;
b) legal obligation: for the entire duration of the contractual relationship and for the terms provided for by specific legal obligations;
c) legitimate interest: as long as the data subject does not object.
DATA SUBJECT RIGHTS
Pursuant to Articles 15 to 22 of the GDPR, in relation to the Personal Data provided, you have the right to:
a) access them and request a copy;
b) request amendment;
c) request cancellation;
d) obtain processing limitation;
e) oppose processing;
f) receive your data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance, where technically feasible.
In order to exercise your rights, as well as for further information concerning your Personal Data, you may contact Enel's Data Protection Officer, who can be reached at the following e-mail address: email@example.com.
You also have the right to submit a complaint to the Italian Data Protection Authority, by one of the following procedures:
- hand delivery to the offices of the Italian Data Protection Authority (at the address indicated below);
- registered mail with return receipt addressed to: Garante per la protezione dei dati personali, Piazza Venezia, 11 - 00187 Roma;
- certified electronic mail addressed to: firstname.lastname@example.org.