Pursuant to Articles 13 and 14 of EU Regulation 2016/679 of 27 April 2016 (hereinafter referred to as the "GDPR"), we provide you with the following information regarding the processing of your personal data.
1. Who processes personal data?
The data controller is the company belonging to the A2A group (hereinafter, the "Data Controller" or "Company") that obtains personal data in the context of establishing and executing partnerships or agreements with counterparties.
2. Who is the Data Protection Officer?
The Data Controller has appointed a Data Protection Officer (DPO) who can be contacted by email at the following address: dpo.privacy@a2a.it .
3. Who are the data subjects?
The individuals whose personal data is processed are the legal representatives, directors, employees, collaborators and, more broadly, company representatives of counterparties involved in the agreements and/or partnerships.
Hereinafter, these individuals are referred to as "data subjects".
4. Why is personal data processed?
| Purpose of processing | Legal basis for processing |
|---|---|
| The data will be processed to: - manage the contract and fulfil the related obligations; - allow access to the A2A group's IT systems through the creation and management of personal user accounts, if applicable; - carry out administrative and accounting activities (of organisational, administrative, financial and accounting nature). | The performance of a contract to which the data subject is or will be a party or the implementation of pre-contractual measures taken at the request of the data subject. |
| Preventing fraud. | The legitimate interest of the Data Controller to prevent fraud. |
5. What personal data is processed when obtained from third parties?
The Data Controller may lawfully obtain the following categories of personal data from the contractual counterparty in its capacity as your employer or client:
- personal identification data;
- contact data;
- image.
6. To whom is your personal data communicated?
Your personal data may be made available to:
- third parties responsible for performing activities connected with and instrumental to the processing carried out by the Data Controller, including, for example, companies that provide IT services, companies that provide storage services, consulting firms and other companies within the A2A group;
- Competent authorities and institutions (where required).
These parties will act as data controllers or data processors, as applicable.
Furthermore, if the Data Controller is a company subject to the management and coordination of A2A S.p.A., your data may be made available to A2A S.p.A. itself, as the parent company, appointed as data processor, for the purpose of providing contracted intra-group services.
Your data will not be disclosed (made available to unspecified parties).
7. Is data transferred to third countries?
Your personal data will be processed within the European Economic Area ("EEA"). If, in exceptional circumstances, it becomes necessary to transfer your personal data outside the EEA, this transfer will take place on the basis of an adequacy decision by the European Commission, if applicable, or in the presence of the appropriate safeguards required by the GDPR.
8. How long is the data retained?
Your data will be stored for the time necessary to achieve the purposes for which it is processed or to comply with legal obligations; in particular, the following retention periods will apply:
| Purpose of Processing | Retention Period |
|---|---|
| - manage the contract and fulfil the related obligations; - allow access to the A2A group's IT systems through the creation and management of personal user accounts, if applicable; - carrying out administrative and accounting activities (of organisational, administrative, financial and accounting nature). | 10 years from the termination/last fulfilment related to the contract or from the moment of interruption of the statute of limitations |
| Preventing fraud. | 5 years from the performance of the verification activity. |
In the event of litigation or pre-litigation, all the above retention periods may be extended up to 10 years from the settlement of the dispute.
9. What rights can you exercise?
You have the right to request the Data Controller, in the cases provided for by law, to:
- confirm as to whether or not your personal data is being processed and, if so, obtain access to it (right of access);
- rectify inaccurate personal data or integrate incomplete personal data (right to rectification);
- erase the data if one of the conditions set forth in the GDPR applies (right to erasure) ;
- restrict the processing when one of the cases provided for in the GDPR applies (right to restriction);
- receive the personal data you have provided to the Data Controller in a structured, commonly used and machine-readable format and to transmit that data to another Data Controller (right to portability).
Right to object. Should processing be carried out based on the legitimate interest of the Data Controller, we hereby inform you that you may object to such processing at any time. In this case, the Data Controller will refrain from further processing your personal data, unless there are compelling legitimate grounds for the processing or for the establishment, exercise or defence of legal claims.
To exercise your rights, you can send a message to the email address compliance.privacy@a2a.it or a written communication addressed to the Data Controller. Where it is not possible to respond to your requests directly through the channel you used to contact us (such as if your email address is deactivated/unreachable), we reserve the right to use other channels relating to you, if they are already available in our systems.
We inform you that you can receive further information regarding processing based on legitimate interest (specifically, the assessment carried out to balance the interests of the Data Controller and the rights and freedoms of the data subject) or the transfer of data outside the EEA by writing to the contact channels provided in this Notice.
In any case, the data subject retains the right to lodge a complaint with the Data Protection Authority and/or to initiate legal proceedings to protect their rights pursuant to Articles 77 and 79 of the GDPR. For further information: https://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-tuoi-dati-personali.
10. What are the consequences of not providing data?
Failure to provide the data necessary for the conclusion of the contract or the performance of any consequential and ancillary services, including those carried out on the basis of regulatory and statutory obligations or requirements, will prevent the contractual relationship from being established.
Useful resources
Services
A2A S.p.A. - P.I. 11957540153