INFORMATION FOR CUSTOMERS CONCERNING THE PROCESSING OF PERSONAL DATA
in accordance with articles 13 of EU Regulation UE 2016/679
The Group is especially committed to protecting your personal data. This commitment is reflected in the value and trust with which the Group manages the relationships with its Customers, Employees, Suppliers and commercial Partners.
With this policy statement, we wish to provide a clear, transparent overview of the information we gather and process as part of the contractual relationship with our Customers, in compliance with the General Regulation UE 2016/679 concerning the protection of natural persons with regard to the processing of personal data (hereinafter GDPR or Regulation).
WHO IS your Data Controller?
The Companies Quiris Sapa; Autogas Nord Spa; GTS Spa; Verdenergia Srl; Autogas Riviera Srl; Ecoclima Srl; Chiurlo Gas Srl; Gruppo Energia Italia Srl, Splendorgas Srl, represented by the pro tempore legal representative, with registered office stated in the website www.agnenergia.com, in the “contacts” section, or in that of each company, where present, with which you entered into and/or may enter into a Services contract, is the Data Controller (hereinafter the Controller).
Each company in the Group is an independent Data Controller, but each has adopted the same technical and organisational measures and best practices in matters of personal data protection.
The Controller can be contacted by writing to the e-mail address: email@example.com, firstname.lastname@example.org or by calling the telephone numbers given in the “contacts” section. The Data Protection Officer (DPO) can be contacted at the following e-mail address: email@example.com.
What does personal data mean and WHAT DATA do we process?
“Personal data” means any information that may identify, directly or indirectly, a natural person, in this case you, our Customer (data subject), who uses the Services offered by the Group.
In particular, we gather and process the following personal data, which are required to fulfil the obligations arising from the supply Services offered, including contractual or pre-contractual relationships established with Customers;
- identification data: for example name and surname of the Customer or Customer’s contact person;
- contact data: for example residence address, fixed and mobile phone numbers, fax number and e-mail address;
- data concerning preferences regarding the specific types of Services offered;
- in general, any other information necessary for concluding and performance of the contract (e.g. VAT number, details of the bank account/s, credit card details).
What are the PURPOSES and LEGAL BASES of the processing?
The Controller gathers and processes the personal data (hereinafter also “data”) supplied by its Customers:
- for purposes required for pre-contractual activities, as well as for the management and performance of the contractual relationship established with you (administrative and accounting activities, Customer assistance, handling of claims, credit recovery), and for providing the services strictly connected and instrumental to the same; these data are, in fact, strictly required for implementing the Services requested by you;
- to fulfil any legal obligations (of an administrative, accounting, fiscal nature) requested by Authorities to which the Controller is subject;
- to exercise the Controller’s rights, for example the right to defence before the courts.The conferral of your personal data for the purposes A, B, C is essential for the management and performance of the contractual relationship and does not require prior consent from you. Your refusal to supply the aforementioned data, while legitimate, would make it impossible for the Controller to provide the product supply Services requested by you.
- For sales promotion and marketing purposes. In particular, with a view to continuously improve the Customer Experience and to offer “tailor-made” Services, we will process your data to:
- send you by e-mail, post and/or SMS and/or through telephone contacts, newsletters, commercial communications and/or advertising material concerning the products and/or Services offered by the Controller, or invite you to events at which the Controller participates to promote its Services.
The conferral of your personal data for the purpose D is optional and, therefore, your prior and specific consent is required, given in writing, which may be withdrawn at any moment. Failure to consent to the processing of your personal data for the purposes stated in letter D will not in any way compromise or limit processing for the purposes stated in letters A, B, C.
What are the processing METHODS?
The companies of the Group, as Data Controllers, collect your personal data directly and, in certain cases, from third parties with which the Controller has signed a contract to supply data.
The processing of data for the purposes stated will take place using both automated methods, on electronic or magnetic media, and non-automated methods, on hard copy, in compliance with the rules of confidentiality and security provided by art. 32 of the Regulation, subsequent regulations and internal provisions.
For HOW long and WHERE do we retain your personal data?
We retain your data only for the time necessary to process such data for the aforementioned purposes. The principal lengths of time for using and retaining your personal data based on the purpose of the processing are given in detail below:
- for the purposes required for pre-contractual activities, and for the management and performance of the contractual relationship established with you, we will process your data for the entire duration of the contract, for as long as obligations or requirements connected to performance of the same exist and, however, for no longer than 10 years from the end of the contractual relationship to fulfil legal obligations or defend our rights, without prejudice to longer retention times connected to pending lawsuits.
- to fulfil legal obligations (of an administrative, accounting, fiscal nature) required by the Authorities to which the Controller is subject, your data will be processed and retained for as long as the processing is required to fulfil such legal obligations.
- to exercise the Controller’s rights, for example the right of defence before the courts, the length of time your data are stored shall be the same as in point A.
- for the purposes of sales promotion and marketing and for profiling activities, carried out with your explicit written consent, we will retain your data for a maximum time of 2 years from obtaining your consent; at the end of this period, the data will be automatically deleted or anonymised in a permanent and non-reversible way, without prejudice to you withdrawing your consent expressed previously.
TO WHOM do we communicate your personal data?
We communicate your data only to parties (authorised to perform processing, appointed external Processors or recipients due to legal requirements) used by us to fulfil the aforementioned purposes, to perform the Services requested by you, and for purposes strictly connected and instrumental to managing the pre-contractual relationship, to perform the contractual relationship and for administrative and accounting management purposes following conclusion of the relationship, in particular:
- to companies or other third parties (credit institutions, professional firms, consultants, legal auditing firms, security service providers, etc.) that perform outsourcing activities on behalf of the Controller;
- to public authorities, supervisory bodies or judicial authorities to fulfil legal obligations;
- to subsidiary or associated companies of the Group, whenever necessary to pursue the purposes described above.
WHERE do we transfer your data?
As a rule we do not transfer your data outside the European Union. However, the Controller reserves the right, whenever it is deemed necessary, to transfer your data outside the EU, but, in this case, guarantees henceforth that this will take place in compliance with applicable laws, even by preparing standard contractual clauses as envisaged by the European Commission or by adopting BCRs (binding corporate rules).
What are your RIGHTS as Data Subject?
In relation to the aforementioned processing, you may exercise the rights pursuant to articles 15 to 22 of EU Regulation 2016/679.
In particular, in the cases set out in the Regulation, the data subject has the right to request from the Data Controller access to his/her data, rectification or erasure of the same, the right to object to processing or to request restriction of the processing and to obtain his/her data in a structured, commonly used and machine-readable format. The data subject may also, at any time, withdraw consent given in accordance with art. 7 of the Regulation.
The aforementioned rights may be exercised towards the Controller by writing to the e-mail addresses firstname.lastname@example.org - email@example.com or by contacting the Controller at the telephone numbers given in the “contacts” section. The Data Protection Officer (DPO) may also be contacted at the following e-mail address: firstname.lastname@example.org
In accordance with applicable legislation, the data subject may also make a claim to the Italian Data Protection Authority (Garante) in compliance with art. 77 of the Regulation whenever it is deemed that the processing of their Personal Data is contrary to legislation in force.
The Data Controller reserves the right to amend and/or implement this policy even if due to legislative amendments made after the pre-contractual or contractual relationships were established with you, or due to recommendations, general authorisations, guidelines, further guarantee measures indicated by the Italian or European Data Protection Authority, but always for the purpose of providing greater protection of your personal data processing. The aforementioned amendments will, however, only occur after you have been informed via a communication on our website. The policy is available on the website in an updated version as at the date given below.