INFORMATION FOR CUSTOMERS CONCERNING THE PROCESSING OF PERSONAL DATA
in accordance with articles 13 of EU Regulation UE 2016/679
The Group is especially committed to protecting your personal data. This commitment is reflected in the value and trust with which the Group manages the relationships with its Customers, Employees, Suppliers and commercial Partners.
With this policy, we wish to provide a clear, transparent overview of the information we gather and process as part of the contractual relationship with our Customers, updating the corporate policies adopted by the Group in order to comply with the new EU General Regulation UE 2016/679 concerning the protection of natural persons with regard to the processing of personal data (hereinafter GDPR or Regulation), which came into force on 24th May 2016 and was implemented throughout the European Union on 25th May 2018.
WHO IS your Data Controller?
The Company Quiris Sapa; Autogas Nord Spa; GTS Spa; Verdenergia Srl; Hydra Energia Srl; Essegei srl; GNL Med Srl; Quiris immobiliare Srl; Alpigas Srl; Autogas Riviera Srl; Tirolgas Srl; Ecoclima Srl; Chiurlo Gas Srl; Sinergigas Srl; Gruppo Energia Italia Srl, represented by the pro tempore legal representative, with registered office stated in the website www.agnenergia.com, in the “contacts” section for each company, where present, with which you entered into and/or may enter into a Services contract, is the Data Controller (hereinafter the Controller).
Each company in the Group is an independent Data Controller, but each has adopted the same technical and organisational measures and best practices in matters of personal data protection.
The Controller can be contacted by writing to the e-mail address: email@example.com, firstname.lastname@example.org or by calling the telephone numbers given in the “contacts” section of the website. The Data Protection Officer (DPO) can be contacted at the following e-mail address: email@example.com.
What does personal data mean and WHAT DATA do we process?
“Personal data” means any information that may identify, directly or indirectly, a natural person, in this case you, our Customer (data subject), who uses the Services offered by the Group.
In particular, we gather and process the following personal data, which are required to fulfil the obligations arising from the supply Services offered, including contractual or pre-contractual relationships established with Customers;
• identification data: name, surname, tax code of the Customer or Customer’s contact person;
• contact data: residence address, fixed and mobile phone numbers, fax number and e-mail address;
• data concerning preferences regarding the specific types of Services offered;
• in general, any other information necessary for concluding and performance of the contract (e.g. VAT number, details of the bank account/s, credit card details).
What are the PURPOSES and LEGAL BASES of the processing?
The Controller gathers and processes the personal data (hereinafter also “data”) supplied by its Customers:
A. for purposes required for pre-contractual activities, as well as for the management and performance of the contractual relationship established with you (administrative and accounting activities, Customer assistance, handling of claims, credit recovery, creation and updating of data records), and for providing the services strictly connected and instrumental to the same; these data are, in fact, strictly required for implementing the product supply Services and/or Services requested by you;
B. to fulfil any legal obligations (of an administrative, accounting, fiscal nature) requested by Authorities to which the Controller is subject;
C. to exercise the Controller’s rights, for example the right to defence before the courts.
The conferral of your personal data for the purposes A, B, C is essential for the management and performance of the contractual relationship and does not require consent from you. Your refusal to provide the foregoing data, in fact, although legitimate, would compromise the ability of the Controller to provide the product supply Services and/or Services requested by you.
D. For sales promotion and marketing purposes. In particular, with a view to continuously improve the Customer Experience and to offer “tailor-made” Services, we will process your data to:
- send you by e-mail, post and/or SMS and/or through telephone contacts, newsletters, commercial communications and/or advertising material concerning the products and/or Services offered by the Group, or invite you to events at which the Group participates to promote its Services.
The conferral of your personal data for the purpose D is optional and, therefore, your prior and specific consent is required, given in writing, which may be withdrawn at any moment. Failure to consent to the processing of your personal data for the purposes stated in letter D will not in any way compromise or limit processing for the purposes stated in letters A, B, C.
What are the processing METHODS?
The Group companies, as Data Controllers, collect your personal data directly and, in certain cases, from third parties with which the Controller has signed a contract to supply data.
In any case, irrespective of the aforementioned methods of collection, we process your personal data in compliance with principles of lawfulness and correctness pursuant to art. 5 of the Regulation and we always operate in such a way as to guarantee the confidentiality and security of the information.
Furthermore, we undertake to ensure that the information and data collected and used are suitable, relevant and limited to what is necessary for the purposes described above, and that your personal data are processed to ensure their security, through appropriate and efficient technical and organisational measures put in place by the Controller, in compliance with the principle of Accountability prescribed by the new EU Regulation, which prevent the risk of loss, unauthorised access, unlawful use and disclosure of the same.
These measures ensure, in any case, that access to your personal data is permitted only to people authorised by the Controller, as well as third parties appointed as Data Processors.
For HOW long and WHERE do we retain your personal data?
We retain your data only for the time necessary to process such data for the aforementioned purposes. The principal lengths of time for using and retaining your personal data based on the purpose of the processing are given in detail below:
A. for the purposes required for pre-contractual activities, and for the management and performance of the contractual relationship established with you, we will process your data for the entire duration of the contract, for as long as obligations or requirements connected to performance of the same exist and, however, for no longer than 10 years from the end of the contractual relationship to fulfil legal obligations or defend our rights,
without prejudice to longer retention times connected to pending lawsuits.
In the latter case, access to your personal data will, however, be limited to the Controller’s Head of Legal Affairs.
B. to fulfil legal obligations (of an administrative, accounting, fiscal nature) required by the Authorities to which the Controller is subject, your data will be processed and retained for as long as the processing is required to fulfil such legal obligations.
C. to exercise the Controller’s rights, for example the right of defence before the courts, the length of time your data are stored shall be the same as in point A.
D. for the purposes of sales promotion and marketing, carried out with your explicit written consent, we will retain your data for a maximum time of 7 years from obtaining your consent (in compliance with the principles of relevance and non-excessiveness of the data and storage limitation); at the end of this period, in the absence of further consent, the data will be automatically deleted or anonymised in a permanent and non-reversible way, without prejudice to you exercising your right to object to processing for marketing purposes or withdrawing your consent expressed previously.
In any case, your personal data will be retained on both properly secured servers located within the European Union and in paper format archived in suitable locked, fire-proof cabinets access to which is reserved to parties authorised by the Controller.
TO WHOM do we communicate your personal data?
We communicate your data only to parties (authorised to perform processing, appointed external Processors or recipients due to legal requirements) used by us to fulfil the aforementioned purposes, to perform the Services requested by you, and for purposes strictly connected and instrumental to managing the precontractual relationship, to perform the contractual relationship and for administrative and accounting management purposes following conclusion of the relationship, in particular:
• to companies or other third parties (credit institutions, professional firms, consultants, legal auditing firms, security service providers, etc.) that perform outsourcing activities on behalf of the Controller;
• to public authorities, supervisory bodies or judicial authorities to fulfil legal obligations;
• to subsidiary or associated companies of the Group, whenever necessary to pursue the purposes described above.
WHERE do we transfer your data?
As a rule we do not transfer your data outside the European Union. However, the Controller reserves the right, whenever it is deemed necessary, to transfer your data outside the EU, but, in this case, guarantees henceforth that this will take place in compliance with applicable laws, even by preparing standard contractual clauses as envisaged by the European Commission or by adopting BCRs (binding corporate rules).
What are your RIGHTS as Data Subject?
At any moment you may exercise, in accordance with articles 15, 16, 17, 18, 19, 20, 21 and 22 of EU Regulation 2016/679, against the Data Controller, the following rights:
• Right to access: the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, as well as the right to receive information regarding the same processing;
• Right to rectification: the right to obtain from the controller the rectification of inaccurate or incomplete personal data concerning him or her;
• Right to erasure (so-called “right to be forgotten”): in certain circumstances envisaged by the Regulation, you have the right to obtain the erasure of your data present within our archives when no longer relevant for the purposes of continuing the contractual relationship or necessary for legal obligations;
• Right to restriction of processing: in the event of certain conditions, you have the right to obtain restriction of the processing when no longer relevant for the purposes of continuing the contractual relationship or necessary for legal obligations;
• Right to data portability: the right to transmit your data to another Controller;
• Right to withdraw consent: the right to withdraw consent to the processing of your data for commercial and/or advertising purposes, as well as the processing of data concerning health in relation to the specific supply Services requested, at any time, which shall not affect the lawfulness of the consent-based processing prior to withdrawal;
• Right to object: the right to object at any moment, on grounds relating to your particular situation, to the processing of personal data that concern you;
• Right to object to automated processing: the right not to be subject to a decision based solely on automated processing, which produces legal effects concerning you or similarly significantly affects you.
• Right to lodge a complaint with the supervisory Authority: at any moment you have the right to put forward requests to exercise your rights. In any case, should you wish to lodge a complaint regarding the methods with which your data have been processed, or regarding the management of a claim made by you, you have the right to submit a request directly to the supervisory Authority.
The aforementioned rights may be exercised towards the companies Quiris Sapa; Autogas Nord Spa; GTS Spa; Verdenergia Srl; Hydra Energia Srl; Essegei srl; GNL Med Srl; Quiris immobiliare Srl; Alpigas Srl; Autogas Riviera Srl; Tirolgas Srl; Ecoclima Srl; Chiurlo Gas Srl; Sinergigas Srl; Gruppo Energia Italia Srl, in their capacity as Controllers, by writing to the e-mail addresses e-mail firstname.lastname@example.org - email@example.com or by contacting them at the telephone numbers given in the “contacts” section of the website www.agnenergia.com.
The exercising of your rights as data subject is free of charge in accordance with article 12 of EU Regulation 2016/679.
The list of external Processors of the personal data concerning you, as well as employees authorised to perform processing, is available from the Controller, which can be contacted at the aforementioned addresses and numbers.
The Data Controller reserves the right to amend and/or implement this policy even if due to legislative amendments made after the pre-contractual or contractual relationships were established with you, or due to recommendations, general authorisations, guidelines, further guarantee measures indicated by the Italian or European Data Protection Authority, but always for the purpose of providing greater protection of your personal data processing. The aforementioned amendments will, however, only occur after you have been informed via a communication on our website. Should the amendments concern processing the legal grounds for which is consent, the Controller shall request you consent again, if necessary.