PRIVACY POLICY

Pursuant to Regulation (EU) 2016/679 (“GDPR”), Eni S.p.A. (“Company” or “Controller”) provides the below information on the processing of personal data in order to allow users (“User” or “Users”) of website energy4business.eni.com (“Website”)to know its policy regarding the protection of personal data and to understand how the personal information of users and/or registered users is collected and managed while browsing the Website and for the use of its services. In the private area of the Website, registered users can access third party platforms that are not managed by the Company but by independent third parties, duly contracted, who will process data in accordance with their privacy policy for the performance of the services provided by their own terms and conditions, which we invite you to read.

1. Identity and contact details of the Controller

The Controller is Eni S.p.A., with registered office in Rome, Piazzale Enrico Mattei, 1, which can be contacted at the “Contact Eni” section of the Website.

2. Contact Data of the Data Protection Officer

The Company has appointed a Data Protection Officer, who can be contacted at the email address dpo@eni.com.

3. Personal data categories and sources

a. The personal data processed pertain to the category of common personal data as detailed below. The personal data collected refer to any user browsing the Website and using the available services and/or registered users, as specified below.

The computer systems and software procedures used to operate the Website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to a website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and IT environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the website and to check that it is functioning correctly, and is deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the Website.

b. Data of the registered user

The personal data processed are data provided by the companies where the registered user works in order to enable pre-registration. It includes personal details and contact data.

c. Data voluntarily provided by any user

The personal data processed are those related to filling in the contact form that the user can fill in to request information, advice and contact.

d. Cookie

Cookies are small text files that are saved on the user's device when they visit a website. They are used to identify you during your navigation path. The cookies used on the Website are used to facilitate the user's navigation (e.g. by storing the language choice) and will not be used for any other purpose. If necessary, they can be disabled by adjusting the options on your browser. More information on the types of cookies used by the Website can be found in the Cookie Policy.

4. Purposes of the processing and legal basis of the processing

a. Legal purposes

The user's personal data may be processed, without the necessity of his or her consent, in cases where this is necessary to fulfil obligations arising from legal provisions, as well as from regulations, codes or procedures approved by Authorities and other competent Institutions. The provision of personal data is therefore necessary, and without it the services requested by the user cannot be activated.

b. purposes necessary for the provision of services – processing is necessary for compliance with a contractual or legal obligation to which the Controller is subject or to execute a specific request of the data subject

In addition, the user's personal data will also be processed for purposes relating to and/or connected with the provision of services by the Company and requested by the user while browsing the Website, including the collection, storage and processing of data for the purposes of the setting up and subsequent operational and technical management.

Specifically, the data will be processed:
- to ensure the normal use and navigation of the Website
- to allow the user who fills in the relevant form to be contacted in order to request information, advice and any other appropriate information;
- to enable pre-registration and the completion of this process for the registered user, in accordance with the terms and conditions of the Website, as well as customer care;
- to allow redirection to third party platforms, outside of the Controller's control, which are managed independently by third party data controllers, in compliance with their own terms and conditions and privacy policy, which we invite you to read.

This data
- the provision of which is necessary for the operational performance of the service
- will also be processed by electronic means, recorded in special databases, and used strictly and exclusively in the context of navigation on the Website.

Since the communication of the User's personal data for the aforesaid purposes is necessary in order to maintain and provide all the services related to browsing the Website, failure to provide such data will make it impossible to provide the specific services in question.

c. Legitimate interest of the Controller

The Controller may process, without the User's consent, the personal data collected in the following cases:
- in the case of extraordinary operations of merger, sale or transfer of a branch of business, in order to allow the carrying out of the operations necessary for the due diligence activity and preparatory to the sale. It is understood that only the strictly necessary data will be processed for the aforesaid purposes, in aggregate/anonymous form as far as possible.
- analysis in an anonymous and aggregate form of the use of the services to identify users' habits and preferences, to improve the services provided and to meet specific users' needs, i.e. preparation of actions related to the improvement of the services provided.
- to ensure the right of defence of the Controller and/or third parties in judicial and/or extrajudicial proceedings.

5. Recipients of the personal data

For the pursuit of the purposes indicated in point 3, the Controller may communicate the personal data of the User to third parties, such as, for example, those pertaining to the following recipients or categories of recipients:
- police forces, armed forces and other public administrations, for the fulfilment of obligations under the law, regulations or EU legislation. In such cases, according to the applicable legislation on data protection, the obligation to acquire the prior consent of the person regarding such communications is excluded;
- companies, bodies or associations, or parent companies, subsidiaries or affiliated companies pursuant to Article 2359 of the Italian Civil Code, or between them and companies subject to joint control, as well as consortia, networks of companies and groupings and temporary associations of companies and entities linked to them, limited to communications made for administrative and/or accounting purposes.

The Controller takes the utmost care to ensure that the communication of the User's personal data to the aforesaid recipients only concerns the data necessary to achieve the specific purposes for which they are intended. The User's personal data are stored in the Data Controller's databases and will only be processed by authorised personnel. The latter will be provided with specific instructions on the methods and purposes of processing. Such data will also not be communicated to third parties, except as provided for above and, in any case, within the limits indicated therein. Finally, please note that the User's personal data will not be disclosed, except in the cases described above and/or provided for by law.

6. Transfer of personal data outside the EU

For some of the purposes set out in point 3, the personal data of the User may be transferred outside the European Union, including through inclusion in shared databases and managed by third parties belonging or not to Eni S.p.A.’s sphere of control. The management of the database and the processing of such data are bound to the purposes for which they were collected and are carried out in full compliance with the privacy and security standards set out in the applicable personal data protection laws.

Whenever the User's personal data are to be transferred internationally outside the territory of the EU, the Controller will take all appropriate contractual measures necessary to guarantee an adequate level of personal data protection in accordance with that stated within the present information document on the processing of personal data, including, among others, the Standard Contractual Clauses approved by the European Commission

7. Data retention period

The data will be stored for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed in accordance with the provisions of the legal obligations. In particular, (pre-)registration data will be retained in accordance with the ordinary statute of limitations established by law, while data relating to the request for contact and advice will be retained for 6 months after the last response to the data subject, unless reasons for the defence of a right or interest of the Controller and/or third parties require a longer period of time.

8. Rights of the data subjects

As data subject, the User is granted the following rights regarding the personal data collected and processed by the Controller for the purposes indicated in point 3: (i) the right of access, in particular requesting, at any time, confirmation of the existence of personal data of the User in the Company’s archives and the provision of such information in a clear and intelligible way, as well as the right to know the origin, logic and purpose of the processing with express and specific indication of the authorized persons and data processors and third parties to whom the User’s personal data may be disclosed; (ii) the right to obtain, update and rectify data (except for evaluation data), deletion of superfluous data or transformation into an unrecognisable form, as well as the blocking of processing and definitive erasure in case of unlawful processing; and (iii) if these prerequisites are not satisfied, the restriction of the processing and the portability of data. The law also recognises the right of the data subjects to lodge a complaint with the competent Supervisory Authority, should the User discern a violation of their rights in accordance with applicable legislation regarding the protection of personal data.

The User may exercise the rights listed above through the Contacts section, or by writing to the data protection officer at dpo@eni.com.

Users can exercise the above rights at the “Contacts” section of the Website, or by contacting the data protection officer at dpo@eni.com.