1. DATA CONTROLLER AND DATA PROCESSOR
1.1. In its capacity as Data Controller, Enel S.p.A., with registered office in Viale Regina Margherita n. 137, 00198, Rome, VATIN 00934061003, fiscal code 00811720580 (hereinafter “Enel” or “Data Controller”), shall process your personal data provided via the website globalprocurement.enel.com (hereinafter the “Site”) in compliance with the applicable legislation in matters of privacy/the protection of personal data and in accordance with this notice.
1.2. When subscribing to or accessing the various services, the names of any and all data controllers and data processors shall be disclosed.
2. DATA PROTECTION OFFICER (DPO)
2.1. The Data Controller has appointed a Data Protection Officer (DPO) who can be contacted at the e-mail address email@example.com.
3. PURPOSE AND MANNER OF PROCESSING
3.1. Enel shall process personal data that is disclosed by you or that has been legitimately procured by the Data Controller (“Personal Data”). The following Personal Data is processed in particular:
3.1.1. Contact details: First name, surname, e-mail address, telephone number, the content of the message sent by you and any other Personal Data that you may have provided in your communications with us. We shall process this Personal Data when you ask us questions, request information or communicate with us in any way.
You transferred this Personal Data to us when you contacted us. It is necessary to process this Personal Data in order to make a comparison with the communications received or with the requests that you have made. The further collection of Personal Data is entirely optional.
3.1.2. Navigation data: During normal operation, the computerised and electronic systems and the software used to operate this Site collect certain data (e.g. the time/date the website was accessed, the pages you visited, the name of your Internet Service Provider, the IP address you use to access the Internet, the Internet address from which you arrived at our Site, etc.), the transmission of which is implicit in the use of web communication protocols or is used to improve the management and optimisation of the system used for sending data and e-mails.
3.2. For the purposes of this notice, processing of Personal Data shall mean any operation or set of operations which is performed using automated means and applied to Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
3.3. Please note that this Personal Data shall be processed manually and/or with the aid of computerised or electronic means.
4. PURPOSE AND LEGAL BASIS OF PROCESSING
4.1. Enel shall process your Personal Data to fulfil precise purposes and only on a specific legal basis provided for by the applicable law on matters of privacy and the protection of personal data. More specifically, Enel shall process your Personal Data only when one or more of the following legal bases exist(s):
- You have given your free, specific, informed, unambiguous and explicit consent to processing;
- Processing is necessary for the performance of a contract to which you are party or by the implementation pre-contractual measures taken in response to your request;
- Enel has a legitimate interest in processing your Personal Data;
- Enel is legally obliged to process Personal Data.
4.2. The table below lists the purposes for which your Personal Data is processed by the Data Controller and the legal basis for this processing.
Purpose of processing
|To allow use of the functions and features of the Site||Performance of a contract|
To check that the Site is working correctly
Performance of a contract
To ascertain responsibility in the event of cybercrime or damage to the Site; to detect, prevent, mitigate and investigate fraudulent activities in relation to the services provided on the Site; to carry out the security checks required by law
To respond to a query or request made by the data subject
To implement pre-contractual measures taken in response to a request by the data subject
4.3. It is necessary to collect your Personal Data in all cases where processing is required by law or is needed to perform a contract to which you are party or is necessitated by the implementation of pre-contractual measures taken in response to your request. Refusal to allow your Personal Data to be collected could make it impossible for Enel to fulfil the purpose for which the Personal Data is being collected.
4.4. For the fulfilment of other purposes, however, consenting to your Personal Data being collected is optional; not giving your consent to this will not have any effect on the conclusion of the contract. Whether data collection is mandatory or optional shall be specified upon collection.
5. RECIPIENTS OF PERSONAL DATA
5.1. Your Personal Data may be made accessible for the purposes mentioned above:
a) To persons working for (or with) the Data Controller who have been appointed data processors for that purpose, or to companies in the Enel Group residing in the European Union for the performance of organisational, administrative, financial or accounting activities;
b) To companies outside the Group or other individuals who, in their capacity as external data processors, perform outsourcing activities on behalf of the Data Controller so as to enable the Site to work.
6. TRANSFER OF PERSONAL DATA
6.1. Your Personal Data will be processed within the European Union and stored on servers located within the European Union. The same data may be processed in countries outside the European Union, provided that an adequate level of protection is guaranteed, recognized by a specific adequacy decision of the European Commission.
Any transfers of Personal Data to non-EU countries, in the absence of a European Commission adequacy decision, will only be possible if Data Controllers and Data Processors involved provide adequate guarantees of contractual nature, including Binding Corporate Rules and Standard Contractual Clauses.
The transfer of your Personal Data to third countries outside the European Union, in the absence of an adequacy decision or other appropriate measures as described above, will be made only if you have explicitly consented to it or in the cases provided for by the GDPR and will be processed in your interest. In these cases, we inform you that, although the Enel Group adopts operating instructions common to all the countries in which it operates, the transfer of your Personal Data may be exposed to risks related to the peculiarities of local legislation regarding the processing of Personal Data.
7. STORAGE PERIOD OF PERSONAL DATA
7.1. Personal Data processed for the purposes mentioned above shall be stored according to proportionality and necessity and, in any case, until the purposes of processing have been achieved.
8. RIGHTS OF THE DATA SUBJECTS
8.1. Pursuant to Articles 15–21 of EU Directive 2016/679 (GDPR), in relation to the Personal Data disclosed, you have the right to:
a) Access your Personal Data and request copies;
b) Request that Personal Data be rectified;
c) Request that your Personal Data be erased;
d) Request that processing of your Personal Data be restricted;
e) Object to your Personal Data being processed;
f) Obtain your Personal Data in a structured, commonly used, machine-readable format, and to transfer your Personal Data to another data controller without hindrance, where technically feasible.
8.2. Please also be aware that you have the right to object, at any time, to the processing of your Personal Data where this data is processed in the legitimate interests of Enel.
8.3. Should you object to your Personal Data being processed as described in section 8.2, the Data Controller shall stop processing your Personal Data unless it can demonstrate compelling legitimate reasons for continuing with processing or unless it requires this data to establish, exercise or defend legal claims.
8.4. To exercise your rights and to withdraw your consent, you can write to the e-mail address firstname.lastname@example.org.
8.5. For more information about your Personal Data, please contact the Enel Personal Data Protection Officer at the e-mail address email@example.com, making sure to include “Privacy” in the subject line.
8.6. Please remember that you have the right to file a complaint with the competent personal data protection authority.
8.7. If the competent authority is the Italian Personal Data Protection Authority (Garante per la Protezione dei Dati Personali), you can lodge a complaint by:
a) Registered letter addressed to "Garante per la Protezione dei Dati Personali, Piazza di Monte Citorio, 121 00186 Rome, Italy"
b) E-mail: firstname.lastname@example.org or email@example.com
c) Fax: 06/69677.3785.