In accordance with Regulation (EU) 2016/679 (“GDPR
”), and in particular Articles 13, 14 and 21 GDPR, Eni Austria GmbH, Eni Marketing Austria GmbH und Eni Mineralölhandel GmbH (Eni Gruppe Austria; “Company
” or “Controller
- Identity and contact details of the Controller
The Controller is Eni Austria GmbH / Eni Marketing Austria GmbH / Eni Mineralölhandel GmbH, with registered office in 1200 Vienna, Millennium Tower, Handelskai 94 – 96, which can be contacted via the Contact us section.
- Contact details of the Data Protection Officer
The Company has appointed a Data Protection Officer, who can be contacted at the email address DPO@eni.com or firstname.lastname@example.org.
- Personal data processed
Personal data which the controller receives in the context of the use of the website or which are transmitted via the contact form are processed. In addition, the data controller processes - insofar as this is covered by the respective justification under Article 6 of the GDPR- data which he receives from other companies and other third parties (e.g. for the execution of orders, for the fulfilment of contracts or on the basis of consent given by you), as well as from publicly accessible sources (e.g. social media channels).
Personal data includes your IP address and data on your use of telemedia offered by us (e.g. time of access to our websites, apps or newsletters, our pages clicked, cookies, etc.), self-generated processing results as well as other data comparable to the categories mentioned above and data to meet legal and regulatory requirements.
In individual cases we also process special categories of personal data (sensitive data).
- Purposes and legal basis of the processing
When requesting your personal data, the Controller will inform you separately whether the data request provides for mandatory or voluntary provision of information.
1. Necessary legal and contractual purposes – processing is necessary for compliance with a legal obligation to which the controller is subject or to execute a specific request of the data subject.
Your personal data may be processed without your consent in cases where this is necessary in order to comply with civil and fiscal obligations and standards, norms and procedures approved by EU legislation and by authorities or other competent bodies.
The processing is also carried out for providing the contractual services and all related administrative activities. The content and scope of the data processing is largely determined by the nature and scope of the underlying business relationship.
Your personal data will also be processed for purposes relating and/or connected to the provision of services for the navigation of the Website by the Company, and specifically:
- to provide the services requested by the user when navigating the Website, including the collection, storage and elaboration of data for the purposes of delivering the services and their subsequent operational and technical management;
- to manage relations with third-party authorities and public bodies for purposes related to particular requests, compliance with legal obligations or particular procedures.
These data, which are required to deliver the service, will also be processed electronically, stored in specific databases, and used strictly and exclusively in relation to navigating the Website.
Given that providing your data for these purposes is necessary to maintain and deliver all the services connected to navigating the website, failure to provide such data will make it impossible to provide the specific services in question.
2. Defence of legal claims
In addition, your data will be processed whenever necessary in order to establish, exercise or defend the legal claims of the Controller or other companies under Eni’s control.
3. Legitimate interest of the controller
The Controller may process your personal data without your consent in the following cases:
- to enable due diligence and other measures to be carried out prior to a sale in cases of extraordinary mergers, sale of companies and businesses and (other) transfers of branches of business. It is noted that only the data required for the above purposes will be processed, and that this will generally only be in anonymized and aggregated form.
- for the aggregate and anonymous analysis of the use of the services accessed, to identify user habits and propensities, to improve the services provided and to meet specific user requirements, or to prepare initiatives regarding the contractual relationship in order to improve the services provided
- for intra-group administrative purposes;
- for testing and optimizing procedures for requirements analysis and direct customer contact
- for measures for business management and further development of services and products
If you have given your consent to the controller to process your personal data (e.g. transfer of data to third parties, for commercial and marketing purposes, geolocalisation, transfer of data to other Group companies unless covered by other justification, etc.), processing will only be carried out in accordance with the purposes and to the extent agreed in the declaration of consent.
Consent that has been granted can be revoked at any time with effect for the future by contacting us via the Contact us section, by sending an e-mail to email@example.com, or by writing directly to the controller.
5. Recipients of personal data
In pursuit of the purposes indicated in point 3, the Controller may communicate your personal data to third parties, such as those belonging to the following organizations or categories of organizations:
- police forces, armed forces and other public authorities, to comply with obligations set out by law, regulations or EU legislation. In such cases, there is no obligation under applicable data protection legislation to obtain the data subject’s prior consent to these communications.
- companies, organizations or associations, or parent companies, subsidiaries or associates pursuant to Article 2359 of the Italian Civil Code, or between them and companies subject to joint control, as well as consortia, networks of companies and groupings and temporary associations of companies and entities belonging to them, limited to communications made for administrative and/or accounting purposes.
- Insurance companies for the handling of claims, collection companies, banking institutions, auditors,
- tax consultants, lawyers, notaries
- Other companies (data processors and joint controllers) who have entered into agreements with us in accordance with Article 26 or 28 GDPR. All data processors are contractually obliged to treat your data confidentially and to process it only within the scope of providing the service.
The Controller warrants that the utmost care will be taken to ensure that the communication of your personal data to the aforementioned recipients only involves the data necessary to achieve the specific purposes for which they are intended.
Your personal data is stored in the Controller’s database and will be processed exclusively by authorized personnel. Said personnel will be given specific instructions on the methods and purposes of the processing. The data will not be disclosed to third parties except as provided above and, in any case, within the indicated limits.
Finally, it should be noted that your personal data will not be disclosed, except in the cases described above and/or the cases required by law.
6. Transfer of personal data outside the EU
As part of the contractual relations between Eni and its subsidiaries, and between said subsidiaries, for some of the purposes indicated in point 3, your personal data may be transferred outside the EU, including by means of their inclusion in shared databases managed by third-party companies that may or may not be under Eni’s control. The management of the database and the processing of this data is restricted to the purposes for which the data was collected and must be carried out in full compliance with the confidentiality and security standards set forth in applicable personal data protection laws.
7. Data storage period
The controller processes your personal data, as far as necessary, for the duration of the entire business relationship (from the initiation, processing to the termination of a contract) as well as beyond that in accordance with the legal storage and documentation obligations, which result, among other things, from the Austrian Corporate Law (UGB) or the Austrian Federal Tax Code (BAO). In addition, the statutory periods of limitation, which can be up to 30 years in certain cases (the general period of limitation is 3 years), e.g. according to the Austrian General Civil Code (ABGB), must be taken into account for the storage period
8. Rights of data subjects
As a data subject, you have the following rights with regard to the personal data collected and processed by the data controller for the purposes set out in section 3 above.
a. Right of access by the data subject
You are entitled to request the data controller to confirm the processing of your personal data and to have access to your personal data as well as the following information: (i) the processing purposes; (ii) the categories of personal data; (iii) the recipients or categories of recipients to whom the personal data has been or will be disclosed, especially if recipients are located in third countries or if they are international organizations; (iv) if possible, the intended retention period of the personal data or, if this is not possible, the criteria used to determine this period; (v) the right to rectification or erasure, the restriction of processing or the right to object (vi) the right to lodge a complaint to the data protection authority:
Austrian data protection authority
Telephone: +43 1 52 152-0
b. Right to rectification and right to erasure
You have the right to correct inaccurate personal data and to complete incomplete personal data, taking into account their processing purposes, including by submitting a supplementary declaration.
You also have the right to have your personal data deleted for one of the following reasons: (i) Your personal data is no longer required for the purposes for which it was collected or otherwise processed; (ii) the processing of the data was unlawful; (iii) You have withdrawn your consent, which was necessary for the authorization of the controller to process your data, and the controller has no other authorization to lawfully process the data; (iv) you have not given your consent to the processing of data and there is no overriding legitimate reason to do so; (v) Your personal data must be deleted in order to comply with a legal obligation.
The above data erasure rights do not apply if the processing is necessary (i) to exercise the right to freedom of expression and information, (ii) to fulfil a legal obligation or to perform a task that is in the public interest or in the exercise of official authority, (iii) to assert, exercise or defend legal claims.
You also have the following rights:
c. Right to data portability
You have the right to receive the personal data provided to and processed by the controller in a structured, common and machine-readable format and to transfer this data to another controller without hindrance, provided that the processing is based on appropriate consent or on contract performance and processing is carried out using automated processes.
d. Right to restriction of processing
You have the right to request the controller to restrict data processing in the following cases: (i) for the duration that the controller needs to verify your personal data if you contest its accuracy; (ii) your personal data has not been lawfully processed; (iii) your personal data is no longer required for processing purposes, but you do need your processing to establish, exercise or defend a legal claim; (iv) for the period of the review of a possible justification of legitimate reasons on the part of the controller in connection with your objection to processing of the data.
e. Right to object
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 paragraph 1 letter e of the GDPR (data processing in the public interest) and Article 6 paragraph 1 letter f of the GDPR (data processing based on a balancing of interests), including profiling based on these provisions. The objection can be made without any formality.
If you lodge an objection, the controller will no longer process your personal data, unless the controller can prove compelling reasons for processing that are worthy of protection, that outweigh your interests, rights and freedoms or that serve to assert, exercise or defend legal claims.
In individual cases, the data controller processes your personal data for direct marketing. You have the right to object at any time to the processing of personal data concerning you for the purposes of such direct marketing. If you object to the processing for direct marketing purposes, the controller will no longer process your personal data for those purposes.
You can exercise the above rights via the Contact us section, or by contacting the data protection officer at DPO@eni.com or Datenschutz.firstname.lastname@example.org.
In the event of unlawful processing of your data, you are also entitled to contact the Austrian Data Protection Authority, Wickenburggasse 8, 1080 Vienna, telephone: +43 1 52 152-0, e-mail: email@example.com