Privacy Disclaimer Eni

Pursuant to Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘GDPR‘), Eni S.p.A. (‘Company‘ or ‘Data Controller‘ provides you with the following information on the processing of your personal data in connection with the handling of requests for information (“Information Requests”) submitted by you (“Data Subject”) through the contact section on the website https://www.eni.com/ravenna-ccs/it-IT/home.html (‘Website‘).

The Data Controller is Eni S.p.A., P. IVA 00905811006 with registered office in Rome, Piazzale Enrico Mattei 1, 00144, Italy;

For any information concerning the processing of personal data, you may contact the Data Protection Officer (‘DPO’) appointed by the Company, by sending an email to the following address: dpo@eni.com.

The subject matter of the processing is the personal and contact data provided directly by the Data Subject as well as the content of Information Requests (‘Personal Data’ or ‘Data’).

Personal Data is processed for:

• fulfilling legal obligations and complying with requests from public authorities;
• providing feedback to the Data Subjects' Information Requests;
• establishing, exercising or defending a right of the Data Controller or a third party in court.

The processing of Personal Data for the purposes referred to in paragraph 4, let. a), pursuant to Art. 6, paragraph 1, let. C) of the GDPR, is based on the provisions of applicable law or a request by public authorities.

The processing of Personal Data for the purposes of paragraph 4, let. b), pursuant to Art. 6, paragraph 1, let. B) of the GDPR, is based on the need to comply with a request of the Data Subjects.

The processing of Personal Data for the purposes referred to in paragraph 4, let. c), pursuant to Art. 6, paragraph 1, let. F) of the GDPR, is based on the legitimate interest of the Company or a third party to protect its rights.

Data may be processed using electronic or automated means, managed by suitable tools that guarantee data security and confidentiality, and will include any operation or series of operations needed for the processing itself.

Personal Data will be processed exclusively by personnel appointed by the Data Controller for the pursuit of the purposes indicated in paragraph 4, as authorised Data Processors.

Personal Data may be communicated by the Data Controller, in addition to public authorities, where required or mandatory by law, to the following categories of recipients, exclusively for the purposes indicated in paragraph 4 above:

• other companies controlled by Eni S.p.A.;
• Snam S.p.A.;
• companies providing IT services;

Personal Data will not be disseminated, however, unless required by law.

With regard to the Personal Data communicated to them, the recipients belonging to the above categories may operate, depending on the case, either as data controllers (and in this case they will receive appropriate instructions from the Data Controller) or as autonomous data controllers.

The Data Controller guarantees utmost care in ensuring that the disclosure of Personal Data to said recipients only regards the information necessary to achieve the specific purposes for which it is intended.

Where this is necessary for the purposes set out in paragraph 4, Personal Data may also be transferred abroad to companies established outside the European Economic Area (‘EEA’). Some jurisdictions outside the EEA may not provide the same level of protection for Personal Data as within the EEA. In this case, the Data Controller undertakes to regulate the transfer and subsequent processing of Personal Data by means of the Standard Contractual Clauses provided by the European Commission as well as by adopting any other necessary measures pursuant to Art. 46 of the GDPR if one of the exceptions set out in Art. 49 of the GDPR cannot be used.

The Data shall be retained in the Data Controller's IT archives and protected by appropriate security measures for the time necessary to process the Data Subject's Information Requests. In any event, Personal Data will be deleted after 1 (one) year from receipt by the Data Controller of the Information Request.

Personal Data may be retained for a later period in the event of possible disputes, requests by competent authorities, as well as in the event of any further retention requirements under applicable law.

Where applicable and within the limits of the GDPR, Data Subjects have the right to:

• obtain confirmation from the Data Controller as to whether or not their Personal Data is being processed and, in this case, to obtain access to the information referred to in Art. 15 of the GDPR;
• obtain the rectification of inaccurate Personal Data concerning them, or, taking into account the purposes of the processing, supplement any incomplete Personal Data pursuant to Art. 16 of the GDPR;
• obtain the erasure of their Personal Data, in the event of one of the reasons referred to in Art. 17 of the GDPR;
• obtain a restriction on the processing of their Personal Data in the cases provided for in Art. 18 of the GDPR;
• receive in a structured, commonly used and machine-readable format the Personal Data provided to the Data Controller concerning them, so that the latter may transmit them to another data controller without hindrance pursuant to Art. 20 of the GDPR;
• object to the processing of their Personal Data on particular grounds unless there are compelling legitimate grounds for processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of a legal claim under Art. 21 of the GDPR.

These rights may be exercised by writing to the DPO at the email address dpo@eni.com.

Without prejudice to any other administrative or judicial recourse, Data Subjects also have the right to lodge a complaint with the competent supervisory authority (in Italy: the Italian Data Protection Authority) where they consider that there has been a violation of their rights regarding the protection of Personal Data.