PRIVACY INFORMATION NOTICE FOR CUSTOMERS
In accordance with Regulation (EU) 2016/679 ("GDPR"), Eni Benelux B.V. ("the Company" or the "Data Controller") sets out below the privacy information on the processing of your personal data – obtained directly from you and/or obtained from third parties - with respect to the provision of services related to lubricants and specialty products.
1. Identity and contact details of the Data Controller
The Data Controller is Eni Benelux B.V., with registered and administrative office and contact address in Rotterdam, Schouwburgplein 30-34, 3012 CL, in the Netherlands.
2. Contact details of the Data Protection Officer
The Company has appointed a Data Protection Officer who can be contacted at the following email address DPO@eni.com
3. The purposes of data processing and its legal basis
a. Necessary legal and contractual purposes - data processing is required to comply with the Data Controller’s contractual or legal obligations, or to comply with a specific request of the data subject
Your personal data may be processed without your consent, in cases where this is necessary to fulfil the obligations of civil and tax law, and EU legislation, as well as standards, codes or procedures approved by the Authorities and other competent Institutions.
In addition, your personal data may be processed to comply with requests from the competent administrative or judicial authority and, more generally, public entities in compliance with the formalities of law.
Your personal data will also be processed for purposes related and/or associated with the provision of services by the Company, in particular:
− for the fulfilment of obligations arising from the General Conditions and/or the provision of ancillary and/or related services to these contracts. In these cases, we wish to inform you that, in accordance with the applicable law on the processing of personal data, your consent is not required if the processing is necessary to fulfil contractual obligations or if the processing is necessary to fulfil your specific requests during negotiations and before the contract is executed;
− for participation in the loyalty plan, including, but not limited to, requirements prior to admission to the plan, the sending of material relating to the plan, the obtaining and delivery of special prizes and, in general, operational and management requirements related to the participation in and management of the plan.
This data, the provision of which is necessary for the implementation of operational, financial and administrative aspects of the service – will be processed using electronic instruments, recorded in special data bases and used strictly and exclusively within the scope of the contract. Because the communication of your personal data for the above purposes is necessary to the maintenance and provision of all services related to the contract, failure to do so will result in the specific services in question not being provided.
b. Commercial and marketing purposes – consent
Your personal data may also be processed, subject to your consent, for the following purposes inherent to the activity of the Data Controller or a third party:
− market research, financial analysis and statistics;
− the marketing of the services of the Data Controller and/or a third party, the sending of advertising/information/promotional material and that relating to participation in initiatives and offers aimed at rewarding customers of the Data Controller;
− customer satisfaction surveys on the quality of the services provided.
These activities may involve the products and services of the Data Controller, as well as Eni subsidiaries or their commercial partners, and may also be performed through an automated call system without an operator, email, fax, and MMS (Multimedia Message Service) and SMS (Short Message Service) messages.
Consent to the processing of data and its communication to the parties shown below for the above purposes is optional and may be revoked by contacting Customer Service by sending an email to the email address privacy_benelux@eni.com.
c. Defence of a legal claim
In addition, your personal data will be processed whenever it is necessary to ascertain, exercise or defend a legal claim on the part of the Data Controller or another company within Eni's scope of control.
d. Legitimate interests of the Data Controller
The Data Controller may process your personal data without your consent in the following cases:
− in the case of extraordinary business branch mergers, sales or transfers to allow the performance of due diligence and other operations prior to the sale. It is understood that only the data required for the above purposes will be processed in the most aggregated/anonymous form;
− to assess the existence of the necessary qualifications according to the law, to the internal regulatory system and to corporate procedures applicable to the assignment of the contract. Additionally, the assessment will be necessary in order to allow an effective application of the internal control and risk management systems, also in the course of execution of the same;
− in order to perform analysis of the use of services, to identify clients' consumer habits and preferences, to improve the services provided and to meet their specific requirements, or the preparation of initiatives related to the contractual relationship to improve the services provided, such as client feedback surveys.
4. Recipients of personal data
For the purposes indicated in Section 3, the Data Controller may disclose your personal data to third parties, such as, for example, those belonging to the following categories:
− police forces, the armed forces and other government bodies, for the fulfilment of the obligations envisaged by law, regulations or EU legislation. In this case, according to applicable data protection legislation, the prior consent of the data subject is not required;
− companies, organizations or associations, or parent, subsidiary or associated companies under Article 2359 of the Civil Code, or between these and companies subject to joint control, and between consortia, business networks and groups, and temporary joint ventures and connected entities, limited to communications made for administrative and/or accounting purposes;
− insurance companies responsible for the settlement of claims;
− companies specialized in credit recovery;
− companies specialized in the management of business information or related to credit, or advertising and promotion;
− other companies that provide ancillary services to those supplied by the Company with whom the Data Controller has agreements of various types;
− other companies contractually bound to the Data Controller that provide consultancy, service delivery support, etc.
The Data Controller will take the utmost care to ensure that the communication of your personal data to the above recipients involves only the data required to accomplish the specific purposes for which it is intended.
Your personal data is stored in the Data Controller's database and will be processed exclusively by authorized personnel who will be given specific instructions on the methods and purposes of the processing. Your data will not be communicated to third parties, except as provided for above and, in any case, within the limits indicated.
Finally, please note that your personal data will not be disclosed, except in the cases described above and/or as provided for by law.
5. Transfer of personal data outside the EU
In the context of the contractual relations between Eni S.p.A. and its subsidiaries, and between the subsidiaries themselves, for some of the purposes indicated in Section 3 above, your personal data may be transferred outside the EU, including through insertion in databases shared and managed by third parties both within and outside of Eni's scope of control. The management of the database and the processing of this data are performed only for the purposes for which it was collected and with maximum respect for the privacy and security standards described in the applicable personal data protection laws.
Whenever your personal data is transferred outside the EU, the Data Controller shall take every suitable and necessary contractual measure to guarantee an adequate level of personal data protection in accordance with this Privacy Information Notice, including, among other means, the Standard Contractual Clauses approved by the European Commission.
6. Data retention period
The data will be kept for no longer than required for the purposes for which it has been collected or processed, in accordance with the applicable legislation.
Your data will be kept for seven years from the termination of the contractual relationship in order to allow the Company to defend itself against possible claims in relation to the contract. At the end of this period, all data will be deleted or otherwise irreversibly de-identified, unless the continued retention of some or all of the data is required by law.
7. Rights of data subjects
7.1 As the data subject, you have the following rights concerning the personal data collected and processed by the Data Controller for the purposes listed at Section 3 above.
a. Right of access
You have the right to ask the Data Controller for confirmation that your personal data is being processed and obtain access to your personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular if the recipients are in third countries or international organizations; (iv) when possible, the intended retention period of the personal data or, if this is not possible, the criteria used to determine this period; (v) the right to lodge a complaint with a supervisory authority.
b. Right of rectification and cancellation
You have the right to rectify any inaccurate personal data, as well as, taking into account the purposes of the processing, complete any incomplete personal data, including by providing a supplementary statement.
You also have the right to obtain cancellation of your personal data for any of the following reasons: (i) your personal data is no longer required for the purposes for which it was collected or otherwise processed; (ii) the data was processed unlawfully; (iii) you have revoked your consent on the basis of which the Data Controller had the right to process your data and there is no other legal basis allowing the Data Controller to process it; (iv) you did not agree to the processing and there is no overriding legitimate reason to do it; (v) your personal data must be deleted to comply with a legal obligation.
The Company has the right, nevertheless, to waive these rights of cancellation if the right to freedom of expression and information prevails, or to exercise a legal obligation or defend a legal claim.
You also have the following rights:
a) The right to data portability
You have the right to receive the personal data provided to the Company and processed by it on the basis of consent, or other legal basis, in a structured, customary and readable format, as well as the right to transmit this data to another Data Controller without hindrance.
b) The right to restrict processing
You have the right to ask the Company to restrict processing as follows: (i) for the period required by the Data Controller to verify your personal data when you have disputed its accuracy; (ii) if your personal data has been processed unlawfully; (iii) even if your personal data is not required for the purposes of processing but you need it to be processed for the determination, exercise or defense of a legal claim; (iv) for the period required to check on the possible prevalence of the Data Controller's legitimate reasons with respect to your opposition to the processing.
You can exercise the above mentioned rights by contacting the Data Controller, by sending an email to the email address privacy_benelux@eni.com, or by writing to the data protection officer DPO@eni.com.
You also have recourse to the competent data protection authority if your data has been processed unlawfully.
