POLICY ON PROCESSING CUSTOMERS’ PERSONAL DATA
pursuant to art. 13 of EU regulation 2016/679
WHO IS the Data Controller of your data?
The Data Controller (hereinafter Controller) is AGN ENERGIA Spa, in the person of its pro tempore legal representative, with registered office in 10088 Volpiano (TO), via Amalfi 6, with which you have entered into and/or may enter into a contract. The Company is part of the Quiris Group and has adopted the same technical-organisational measures and best practices regarding protection of personal data as the group. The Data Subject may contact the Controller by writing to the e-mail address: firstname.lastname@example.org or at the telephone number given in the “Contacts” section of the website www.agnenergia.com. They can also contact the Data Protection Officer (RDP or DPO) at the following e-mail address: email@example.com.
What is personal data and WHAT DATA do we process?
“Personal data” means any information suitable to identify, directly or indirectly, a natural person, in this case you, our customer (so called Data Subject) who uses the services offered by the group.
In particular, we collect and process the following personal data needed to carry out the obligations deriving from the supply services offered, including contractual or pre-contractual relationships established with customers:
- identification data: for example the first and last name of the customer or of the customer's contact person;
- contact details: e.g. residence address, landline and mobile phone number, fax number and e-mail address;
- preferences data related to the specific types of service offered;
- in general, any other data and information necessary for the conclusion and execution of the contract (bank details required for payments or proof-of-payment information) and any other data relating to the customer’s solvency and punctuality.
What are the PURPOSES and LEGAL BASES of the processing?
The Data Controller collects and processes personal data (hereinafter also “data”):
A. for purposes necessary for pre-contractual activities and for the management and execution of the contractual relationship established with you (administrative and accounting activities, customer support, claims management, credit recovery)
B. to fulfil the obligations established by law (of an administrative, accounting, tax nature) and requests from the authorities, pursuant to Art. 6.1 c) of the GDPR;
C. for the pursuit of the legitimate interests of the Data Controller, pursuant to Art. 6.1 f) of the GDPR, consisting of:
1. right of defence in court;
2. if you are already our customer, sending newsletters relating to products and/or services similar to those you already use by e-mail;
3. prior to the activation of the contractual relationship, pursuant to that set out by the Privacy Guarantor with Provision No. 9141941 of 09/19/2019, for the purpose of controlling credit risks and for fraud prevention. The aforementioned data is used for the purpose of verifying creditworthiness and payment punctuality and is acquired through access to Credit Information Systems, the computer systems of authorised companies, and from public archives or registers. Moreover, the Controller may use information and data acquired in relation to contractual relationships already in progress or terminated (also combined with the above data).
D. For commercial promotion and marketing purposes. In particular, with a view to continuous improvement of the Customer Experience and in order to offer services "tailored for you", we will process your data to:
- send you newsletters, commercial communications and / or advertising material about the products and / or services offered by the Controller by e-mail, post and/or SMS and/or telephone;
- invite you to participate in events/prize events / initiatives in general, organized by the Controller or in which the Controller will participate in order to promote its services.
The provision of your personal data for purposes A, and B is essential for the management and execution of the contractual relationship and does not require your prior consent. Any refusal to provide the above data would compromise the of the Controller’s ability to provide the Services requested by you.
The provision of your personal data for purpose D is optional, therefore prior and express written consent from you is required. Failure to give consent will in no way compromise or limit processing for other purposes.
What are the PROCESSING METHODS?
The processing of data for the purposes set out above takes place both in automated form, on electronic or magnetic media, and in non-automated form, on paper. It should be noted that the Data Controller does not carry out fully automated decision-making processes.
HOW LONG and WHERE do we keep your personal data?
The main periods of use and storage of your personal data are listed below in relation to the different processing purposes:
A. for purposes necessary both for pre-contractual activities and for the management and execution of the contractual relationship established with you, we will process your data for the entire duration of the relationship, as long as there are obligations or fulfilments connected to the execution thereof and, in any case, no later than 10 years following termination of the contract.
B. to fulfil the obligations established by law (of an administrative, accounting, tax nature) and requests from the Authorities to which the Controller is subject, your data will be processed and stored as long as there is a need for processing to fulfil th
C. For the pursuit of the legitimate interests of the Data Controller, your data will be retained:
- for as long as necessary to allow the defence of our rights, including any pending judgements;
- until such time as you object (opt-out).
D. for commercial promotion and marketing purposes, we will keep your personal data until such time as you object (opt-out).
Under the terms indicated above, the data will be automatically deleted or made anonymous in a permanent and non-reversible manner.
WHO will we communicate your personal data to?
We communicate your data exclusively to the subjects we use to carry out the activities needed to achieve the purposes described above, and who act as independent Controllers or appointed as Data Processors pursuant to Art. 28 of the GDPR, which include, for example, the following subjects:
- companies or other third parties (for example: credit institutions, professional firms, consultants, statutory auditing firms, external companies for the purposes of preventing and controlling the risk of insolvency, fraud control and credit protection, subjects operating in the field of credit recovery, out-of-court and judicial, etc.);
- public authorities, supervisory bodies or judicial authorities for the fulfilment of legal obligations;
- associated or subsidiary companies within the group, if this is necessary for the pursuit of the purposes described above.
WHERE do we transfer your data?
The processing will be carried out by AGN Energia within the European Economic Area (EEA). However, in some cases, your data may be transferred to third countries where the suppliers of SW platforms/services/products used by the group are established. If there are no adequacy decisions or international agreements for these third countries, the transfer is guaranteed by the Standard Contractual Clauses approved by the European Commission and made available by the suppliers.
What are your RIGHTS as a Data Subject?
In relation to the aforementioned processing, you may exercise the rights referred to in articles 15 to 22 of EU Regulation 2016/679.
In particular, in the cases set out in the Regulation, the Data Subject has the right to ask the Data Controller for access to their data (Art. 15 GDPR), rectification (Art. 16 GDPR) or deletion (Art. 17 GDPR). The Data Subject has the right to object to the processing (Art. 17 GDPR) or to request restriction of processing (Art. 18 GDPR) and to obtain their data in a structured, commonly used and machine-readable format (Art. 20 GDPR). You can also revoke the consents given pursuant to Art. 7 of the Regulation (Art. 21 GDPR) at any time.
Pursuant to the applicable legislation, the Data Subject can also lodge a complaint with the Guarantor Authority for the protection of personal data pursuant to Art. 77 of the Regulation if they believe that their personal data has been processed in contravention of current legislation, or can refer to the judicial authority pursuant to Art. 78 GDPR.
Update date: 01/11/2022
The Data Controller
AGN ENERGIA Spa