1. Personal Data controller and processor
1.1. Enel Cuore Onlus with registered office in Viale Regina Margherita no. 137, 00198, Rome, and VAT Code 97317010581 (hereafter, "Enel Cuore" or the "Data Controller"), as Data Controller, will process your personal data provided via the website www.enelcuore.it (hereinafter, the "Website") in accordance with the provisions of the applicable privacy and personal data protection legislation and of this policy.
1.2. When subscribing to or accessing any of the various services, the names of any additional data controllers or processors shall be provided.
2. Data Protection Officer (DPO)
2.1. The Data Controller has appointed a Data Protection Officer (DPO) who can be contacted at the following email address firstname.lastname@example.org.
3. Purpose and method of processing
3.1. Enel Cuore shall process any personal data that you have provided or that has been legitimately obtained by the Data Controller ("Personal Data"). In particular, the following Personal Data is processed:
3.1.1. Contact details: name, surname, email address, telephone number, the content of the message you sent and any other Personal Data you may have provided to us during your communications. We shall process such Personal Data, should you submit any enquiries, request information or send us communications of any type.
You sent us this Personal Data when you contacted us. This Personal Data needs to be processed to enable us to provide a response to your enquiries or requests. The provision of any further Personal Data by you should be considered completely optional.
3.1.2. Browsing data: in the course of their normal operation the IT and telecommunications systems, as well as the software processes put in place to ensure the proper functioning of the Website, will collect certain data (e.g. access date and time, pages visited, name of the Internet Service Provider and Internet Protocol (IP) address used to access the internet, the internet address from which you connect to our Website, etc.), the transmission of which is implicit in the use of web communications protocols or is pertinent for improving the management or for optimising the data or email sending system.
3.2. In the context of this policy, Personal Data processing refers to any operation or set of operations which is performed on Personal Data using automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3.3. We hereby inform you that this Personal Data will be processed manually and/or using IT and telecommunications tools.
4. Purposes and legal bases of processing
4.1. Enel Cuore shall process your Personal Data for specific purposes and only where there is a specific legal basis for doing so as laid down by the applicable personal data privacy and protection legislation. Specifically, Enel Cuore shall process your Personal Data only when one or more of the following legal bases apply:
- you have freely given your specific, informed, clear and unambiguous consent to the processing of such data;
- the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
- Enel Cuore has a legitimate interest in processing such data;
- Enel Cuore is legally obliged to process the Personal Data.
4.2. The following table sets out the purposes for which the Data Controller processes your Personal Data and the legal bases for doing so.
Purpose of processing
To enable users to utilise all the Website’s functions
Performance of a contract
To check the correct functioning of the Website
Performance of a contract
To ascertain responsibility in the event of computer crimes detrimental to the Website; detection, prevention, mitigation or verification of fraudulent or illegal activities in connection with the services provided by the Website; implementation of security controls required by law
To respond to a query or request submitted by the data subject
Take steps at the request of the data subject prior to entering into a contract
4.3. The provision of your Personal Data is necessary in all cases where the data processing is a legal requirement or when it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. Any refusal on your part may make it impossible for Enel Cuore to fulfil the purpose for which your Personal Data is collected.
4.4. However, the provision of your Personal Data is voluntary when required for any other purposes and the absence of your consent in such cases shall have no impact on the completion of the contract. The obligatory or optional nature of the data provision shall be indicated at the time of its collection.
5. Personal Data recipients
5.1. In the context of the afore-mentioned purposes, your Personal Data may be made available to:
a) the Data Controller's employees and consultants who are responsible for data processing, or to Enel Group companies within the European Union for the purposes of performing organisational, administrative, financial and accounting activities;
b) third party companies or other entities which, in their role as external data processors, provide outsourced services to the Data Controller to enable the Website to function.
6. Transfer of Personal Data
6.1. Your Personal Data shall be processed within the European Union and stored on servers located within the European Union. Such data may be processed in countries outside the European Union, provided that an adequate level of protection is guaranteed, as recognised by a specific decision of adequacy taken by the European Commission.
Any transfer of Personal Data to non-EU countries for which a decision of adequacy has not been taken by the European Commission, shall only be possible if the Controllers and Processors involved provide adequate contractual or legal guarantees, including binding corporate rules and standard data protection contractual clauses.
The transfer of your Personal Data to third countries outside the European Union, in the absence of a decision of adequacy or other adequate measures as described above, shall occur only if you have explicitly provided your consent or in the cases laid down by the GDPR and shall only be processed for purposes that are in your interest. Please be informed that, in such cases, although the Enel Group adopts a common set of operating instructions across all the countries in which it operates, the transfer of your Personal Data may be exposed to risks associated with the peculiarities of the local Personal Data processing legislation.
7. Personal Data storage period
7.1. Any Personal Data processed for the afore-mentioned purposes shall be stored in accordance with the principles of proportionality and necessity and, in any case, until the purposes of the data processing have been completed.
8. Rights of data subjects
8.1. With respect to the Personal Data provided, in accordance with articles 15 – 21 of EU Regulation 2016/679 (GDPR), you have the following rights:
a) to access the data and request a copy;
b) to rectification;
c) to erasure;
d) to restriction of processing;
e) to object to the processing;
f) to receive the Personal Data in a structured, commonly used and machine-readable format and to transmit such data to another controller without hindrance, where technically feasible.
8.2. Please be informed that you have the right, at any time, to object to the processing of your Personal Data, when it has been gathered for the purpose of pursuing Enel Cuore’s legitimate interests.
8.3. Should you object to the processing of your Personal Data as per article 8.2, the Data Controller shall suspend the further processing of such data, except where legitimate mandatory reasons for continuing with the processing are demonstrated or where it is necessary for the establishment, exercising or defence of a right in a court of law.
8.4. You can exercise your rights and withdraw your consent by writing an e-mail to email@example.com.
8.5. For further information regarding your Personal Data please contact Enel’s DPO at firstname.lastname@example.org. When doing so it is essential to write the word "Privacy" in the subject line of the e-mail.
8.6. Please be aware that it is your right to submit a complaint to the competent Personal Data protection authority.
8.7. If you do wish to make a complaint to the Personal Data protection authority, you may do so in one of the following ways:
a) registered letter with return receipt to Garante per la Protezione dei Dati Personali (The Italian Data Protection Authority), Piazza Venezia 11, 00187 Roma, Italy;
b) e-mail to: email@example.com, or firstname.lastname@example.org;
c) fax to: +39 06 69677 3785.