AB Energy S.p.A. and its affiliates (hereinafter referred to as “AB”), as the data controller, wishes to inform you, according to EU Regulation 2016/679 (hereinafter referred to as the “GDPR”) and to applicable national legislation, that the personal data you have provided or collected from public sources, including content made public at social media websites, shall be processed in compliance with applicable laws and contractual provisions in force for the purposes and in the manner set out below.
Type of personal data, purpose and legal basis of the data processing
|Description of the reasons for which AB processes personal data (purpose of the data processing)||Type of persona data1||Legal Basis2|
|1||Management of the contract, if any||Common Data||A e B|
|2||Management of the CRM (Customer Relationship Management) database and consequent marketing activities linked to the management of the commercial relationship (promotion of the AB Group’s products and services, commercial offers, newsletters, information and communication activities on cogeneration, etc.).||Common Data||C|
|3||Management of an information request through the “Contacts” section.||Common Data||C|
|4||Management of personnel selection by AB or by an AB subsidiary or associate company.||Common Data||C|
1.Types of personal data:
(a) Common data: identification and contact details, job position data, images, publicly available information, pre-contractual information, etc.
2.Legal bases of the data processing or the fundamentals of the lawfulness of the processing of personal data: A. Execution of the contract signed between the data subject and AB and/or of any precontractual measures; B. Compliance with a legal obligation; C. AB’s legitimate interests in ensuring that it is able to conduct and improve its business (unless the data subject objects to such treatment, as described below in the “Rights of the data subject” section).
Data processing method
Personal data shall be processed by means of the following operations: collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of the data. The processing of such data may take place with or without the aid of electronic or automated means and in particular, automated processing shall be carried out by AB according to logic strictly related to the purposes described in Article I.
Mandatory or optional provision of personal data
With reference to purposes 1, 2 and 3 described in the previous Article I, the failure to provide personal data shall make it impossible to execute a successful qualification process, consider your offer and/or establish and manage the related relationship in question.
Retention of data
For the period of time necessary and in any case until a relationship with the data subject is ongoing and/or until it is necessary for AB to comply with its legal and contractual obligations at a global level.
Disclosure, dissemination and transfer of personal data
Notwithstanding the communication of data carried out to fulfil legal obligations and obligations relating to the eventual contract, in accordance with the principles of correctness, loyalty and transparency and data minimisation, the following subjects may become aware of all personal data collected and subsequently process such data:
- data processors internal to AB, as well as authorised AB personnel, trained and bound by a duty of confidentiality;
- external data processors appointed by AB under a data processing agreement, in accordance with Article 28 of the GDPR, for the provision of certain supervision services, management services and maintenance of IT systems;
- public bodies and other subjects that operate as an independent data controller, insurance companies, credit and financial institutions, police forces or judicial authorities or subjects to whom disclosure is required by law, consultants and freelancers, including in associate form (lawyers, accountants or tax advisors);
- other subsidiaries, parent companies and affiliates of the AB Energy S.p.A. company, where necessary for internal administrative and coordination purposes relating to the Group, in compliance with the company procedure named “Data Protection Management System_PR038”, which they have adopted in order to guarantee the same level of protection to the data subject provided for by applicable regulations in force and the exercise of the data subject’s rights in accordance with the same;
- customers and suppliers of AB, as well as customers and suppliers of subsidiaries, parent companies and affiliates of the AB Energy S.p.A. company, where required for the execution and participation in tenders or work on security or social security and welfare issues.
Personal data shall not be disseminated.
Rights of the data subject
The data subject may exercise, with regard to the processing of the personal data described here, the rights provided for by Articles 15 to 21 of the GDPR and in particular:
(a) right of access: the right to be informed and to request access to personal data processed;
(b) right to rectification: the right to request the modification or updating of personal data in case of inaccuracy or incompleteness thereof; (c) right to erasure: the right to request the deletion of personal data where provided for by the GDPR;
(d) right to restriction of processing: the right to temporarily or permanently discontinue the processing of all or some of the user’s personal data where provided for by the GDPR;
(e) right to object: the right to object, at any time, to the processing of personal data where provided for by the GDPR (i.e. for reasons connected with the data subject’s specific situation);
(f) right to data portability: the right to request a copy of the user’s personal data in electronic format and that such data is transmitted to another data controller;
(g) right to withdraw consent (where the processing of the data is based on consent), at any time, without prejudice to the lawfulness of the data processing based on consent provided prior to the withdrawal thereof;
(h) right to lodge a complaint with the supervisory authority in case of violation of the GDPR and of applicable national legislation on the processing of personal data. In order to exercise these rights, the data subject may contact the data controller by sending an email to firstname.lastname@example.org or sending a registered letter to the address specified in Article VII of this Privacy Notice.
Regarding marketing communications:
The data subject can exercise his right to prevent marketing communications to himself by checking certain boxes on the forms AB use to collect his personal data, or by utilizing opt-out mechanisms in e-mails sent to him. He can also exercise the right to discontinue marketing communications to himself, or to have his personal data removed from AB’s CRM databases at any time by contacting email@example.com. In such cases, AB will retain minimum personal data to manage the eventual contract, to note that the data subject opted out in order to avoid contacting him again.
The Data Controller is AB Energy S.p.A., with registered office in Orzinuovi (BS), Italy in Via Caduti del Lavoro no. 13 – email: firstname.lastname@example.org, in the person of its Legal Representative.