Pursuant to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Eni S.p.A. (“Company” or “Data Controller”) sets out below the privacy notice relating to the processing of Your (“Data Subject”) personal data, transmitted to the Company in the context of the procedure for assessing Your application as a candidate for Your participation in the Safi Jiko Acceleration Programme project (“Project”).
1.Data Controller
The Data Controller is Eni S.p.A., VAT no. 00905811006, with registered office at Piazzale Enrico Mattei, 1, 00144, Rome.
2.Data Protection Officer
The Company appointed a Data Protection Officer (“DPO”), that you can reach out at the following email address: dpo@eni.com.
3.Categories of personal data processed and source
Personal Data processed (“Personal Data” or “Data”) includes Your Data collected via the form provided by E4Impact Foundation (“E4Impact”) for submitting your application to the Project and transmitted by E4Impact to the Data Controller, if you have passed the shortlisting stage. In particular, the Company processes:
- Your Personal Data (first name and surname, phone number and email address, place of residence, age group, marital status, level of education, data concerning your community, data on eventual precedent attendance of training, programs and workshop);
- Data relating to Your business (name and eventual formal registration, information on its duration and activities carried out, Your role, categories and number of customers addressed, average monthly revenue, eventual employees, other information strictly linked to the Project objectives).
4.Purposes and lawful basis for the processing
Personal Data are processed:
- to comply with legal obligations and to respond to requests from public authorities, on the basis that the processing is necessary for compliance with a legal obligation to which the Data Controller is subject or for compliance with a request from a public authority, pursuant to Art. 6(1)(c) GDPR;
- to assess your application submitted for participation in the Project, on the basis that the processing is necessary in order to take steps at your request prior to entering into a contract, pursuant to Art. 6(1)(b) GDPR;
- in the context of extraordinary corporate transactions, including mergers, acquisitions, disposals or transfers of business units, for the purpose of carrying out the activities required for due diligence processes, on the basis of the Company's legitimate interest in ensuring the continuity and development of its business activities, pursuant to Art. 6(1)(f) GDPR;
- to ascertain, exercise or defend a right of the Data Controller or of a third party before the courts or out of the courts, on the basis of the Company's legitimate interest in protecting its rights, pursuant to Art. 6(1)(f) GDPR.
5.Recipients of Personal Data
Personal Data are processed by personnel duly authorised by the Data Controller for the purposes set out in paragraph 4 above. In addition to public authorities, where required or permitted by applicable law, the Data Controller may disclose Personal Data to the following categories of recipients solely for the purposes described in paragraph 4 above:
- companies controlled by Eni S.p.A.;
- law firms and professional advisors engaged in the ordinary management of the Company's activities and in the handling of disputes and litigation;
- providers of IT and technological services.
With regard to the Personal Data disclosed to them, the recipients belonging to the above categories may act, as applicable, either as data processors (in which case they will receive appropriate instructions from the Data Controller) or as independent data controllers.
Personal Data will not be disclosed to the public, except where required by law.
The Company takes the utmost care to ensure that any disclosure of Personal Data to the above recipients is limited to the information strictly necessary for the achievement of the specific purposes for which such data are processed.
6.Transfer of Personal Data Outside the European Economic Area
Where necessary for the purposes set out in paragraph 4 above, Personal Data may be transferred outside the European Economic Area (“EEA”), including through their inclusion in databases shared with and/or managed by third parties, whether or not belonging to the corporate group of the Data Controller.
Whenever Personal Data are transferred internationally outside the EEA and, in particular, to countries that are not subject to an adequacy decision adopted by the European Commission, such transfer shall take place only:
- (i) subject to the execution of the Standard Contractual Clauses adopted by the European Commission pursuant to Article 46 GDPR; or
- (ii) where one of the derogations set out in Article 49 GDPR applies.
7.Means of the processing and storage of Personal Data
Personal Data shall be retained for no longer than is necessary to achieve the purposes for which they were collected, in any case for a maximum period of 12 months, and, thereafter, shall be deleted or otherwise securely disposed of.
In any event, Personal Data may be retained for a longer period where necessary for the establishment, exercise or defence of the Data Controller's rights, in response to requests from competent authorities, or where retention is required by applicable law.
8.Data Subject rights
At any time and to the extent applicable under the GDPR, you have the right to:
- obtain confirmation from the Data Controller as to whether or not your Personal Data are being processed and, where that is the case, access to the information referred to in Article 15 GDPR;
- obtain the rectification of inaccurate Personal Data and, taking into account the purposes of the processing, have incomplete Personal Data completed, pursuant to Article 16 GDPR;
- obtain the erasure of Personal Data where one of the grounds set out in Article 17 GDPR applies;
- obtain the restriction of processing pursuant to Article 18 GDPR;
- receive the Personal Data provided to the Data Controller in a structured, commonly used and machine-readable format and, where technically feasible, have such data transmitted to another data controller without hindrance, pursuant to Article 20 GDPR;
- object, on grounds relating to your particular situation, to the processing of Personal Data based on the Data Controller's legitimate interests, unless compelling legitimate grounds for the processing override your interests, rights and freedoms, pursuant to Article 21 GDPR.
These rights may be exercised by sending an email to the Data Protection Officer at: dpo@eni.com.
Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with the competent supervisory authority (in Italy, the Italian Data Protection Authority – Garante per la Protezione dei Dati Personali) if you believe that the processing of your Personal Data infringes applicable data protection laws.
Further information is available on the Authority's website: www.garanteprivacy.it.