Personal-Data Processing Policy
Pursuant to Articles 13 and 14 of EU Regulation 2016/679 of 27 April 2016(1) (hereinafter “Privacy Regulation”), we hereby provide you with the following information regarding the processing(2) of personal data of users accessing the website www.a2a.eu and its sub-domains. The policy does not apply to any linked website..
1.
Who processes personal data?
The Data Controller(3) is A2A S.p.A with registered office in Via Lamarmora, 230 – 25124 Brescia and headquarters and administrative offices in Corso di Porta Vittoria, 4 – 20122 Milan
2.
Who can you contact?
For all matters relating to the processing of personal data and exercising your rights, you may contact the Data Protection Officer (DPO) at dpo.privacy@a2a.eu.
3.
Why are personal data processed?
| Processing purposes | Legal basis of processing |
|---|---|
| Browsing data are used only to acquire anonymous statistical information on website usage and to monitor its proper functioning. Users are not identified. | The legitimate interest of the Controller in managing the website. |
| The data voluntarily provided by you through the contact forms are processed for the sole purpose of providing the service requested (for example: sending a curriculum vitae, sending a request for information for investors, subscribing to the Press Alert service to receive notices of publication of press releases, sending proposals, advice and suggestions for the services provided and the company's initiatives in the field of sustainability and innovation, etc.). |
The conclusion, performance of a contract or the response to your pre-contractual requests. |
| To comply with legal obligations (e.g. provisions issued by authorities or the judiciary, etc.). | Compliance with the law. |
4.
Which personal data are processed?
The following categories of data are processed:
- Browsing data (e.g. IP addresses or the domain names of computers used by users connecting to the site, the time of the request, the method used to submit the request to the server, the numeric code denoting the server response, and other parameters relating to the operating system or the browser used by the user);
- Personal details (e.g. name, surname;
- Contact information (e.g. telephone numbers - landline and/or mobile - email address);
- Other data falling under the aforementioned categories
5.
How is the data processed?
Processing is carried out by authorised persons in performing their assigned tasks, with or without the aid of electronic tools, according to the principles of lawfulness and integrity, in order to protect the data-subject's rights and privacy at all times.
6.
To whom is the personal data communicated?
Your personal data may be disclosed to:
- companies that provide storage, IT, marketing and social media management services, and other A2A Group companies which will act as Data Controllers or Data Processors, as appropriate;
- Research bodies and Universities, which will act as Data Controllers;
- Public Administrations and Police Authorities in the fulfilment of legal obligations, which will act as Data Controllers.
Your data will never be disseminated (made available to indeterminate parties).
7.
Are the data transferred to third countries?
Your personal data may be transferred to a third country (outside the EU) based on adequacy decisions of the European Commission or based on adequate guarantees provided for by current legislation.
8.
For how long are the data retained?
I suoi dati saranno conservati per il tempo necessario al conseguimento delle finalità per le quali sono trattati o per adempiere ad obblighi di legge ed in particolare:
Your data will be retained for the time necessary to achieve the purposes for which they are processed or to comply with legal obligations and, in particular:
- In the CAREERS section for sending a curriculum vitae, they will be retained for 3 years from its acquisition;
- in the INVESTORS section for information requests and subscription to the Press Alert service, they will be retained for 1 month from the user's unsubscription from the service;
- in the INNOVATION and SUSTAINABILITY sections for sending proposals, advice and suggestions for the services provided and the company's initiatives in the area of innovation and sustainability, they will be retained for 18 months.
For the duration of any cookies used on the site, please view the “Cookies” section of the instant policy.
In the event of a dispute, the aforementioned retention periods may be extended up to ten (10) years from the settlement of the same.
9.
What rights can you exercise?
You have the right to ask the Data Controller to:
- Confirm whether any processing is being conducted on your personal data, and in such cases, to access the same (access rights);
- Correct any inaccurate personal data, or to supplement incomplete personal data (correction rights);
- Delete the data themselves if one of the reasons contemplated under the GDPR applies (right to be forgotten);
- Limit processing when one of the situations contemplated under the GDPR applies (limitation rights);
- Receive the personal data you supplied to the Data Controller in a structured, commonly used, and machine-readable format, and to transmit such data to another Data Controller (portability rights);
- Object at any time to processing carried out to pursue a Data Controller legitimate interest, and for marketing- and profiling-related purposes (right of objection);
- Revoke consent, if provided, on the processing of your data, at any time, without thereby prejudicing the lawfulness of any processing predicated on your consent prior to such revocation.
To exercise your rights, you may send a written request to Data Controller or to the Data Protection Officer, identifying the A2A Group company to which your request is directed.
Without prejudice to any other administrative or legal remedy, you have the right to lodge a complaint with the Personal Data Protection Authority, should you believe your processing has violated the Privacy Regulation.
10.
What is the source of the personal data?
Browsing data needed for the digital management of the website are acquired by IT systems and by the software systems tasked with running the same.
Personal data collected through contact forms are those submitted by you; any refusal to provide them shall make it impossible to respond to your requests.
11.
Are the data subject to automated decisions?
The data will not be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or which significantly affect you.
12.
Cookie
When you access or otherwise interact with this site and its functions (such as digital services, apps, tools, and messaging systems, if any), the Data Controller may use cookies, web beacons, and similar technologies in order to ensure the functioning of any services offered, to improve site performance, to offer additional functionality, and to send advertising which is targeted to your interests.
WHAT ARE COOKIES?
Cookies are text files containing small quantities of information which are stored (during a user’s visit, or for subsequent visits as well) on the computer or mobile device used by a user to visit a website. On subsequent site visits by the user, any cookies previously stored on the device are sent back to the site which had installed them. This allows the site to recognise a specific device for technical reasons (such as to store any user-defined site-browsing settings and other preferences), and/or analytical and/or profiling when the user has expressly consented to the same. Cookies installed on user devices do not acquire user emails, pull data from the hard drive, or transmit viruses.
Cookies may be divided into two major categories:
- Proprietary cookies: cookies installed by the website manager of the site the user is visiting.
- Third-party cookies: cookies installed by the website manager of a different site, through the site a user is visiting.
TYPES OF COOKIES INSTALLED ON THIS WEBSITE
Please find below a list of the cookie types and characteristics sent to the user's terminal over the course of the user's browsing on the instant site.
- Technical cookies: these are used to communicate with the IT system, for the sole purpose of ensuring proper website function, in order to allow the user to have unimpeded access to the site.
These are strictly necessary to ensure normal site functioning and use. Data-subject consent is not required to install or use technical cookies.
Such cookies may be broken down into:- browsing and session cookies, which ensure normal, correct website browsing and usage; such cookies differ based on the time stored on user's device. Whilst session cookies are deleted automatically at the end of each browsing session, browsing cookies are stored for a longer period (although never longer than one year from data collection).
- analytical cookies, similar to technical cookies when used to collect information, in an aggregate form, on the number of site users and how they visit the website; the storage period for such cookies is provided in the table appearing below. Functional cookies allow the user to browse based on a series of selected criteria (such as the language setting) in order to improve quality of service. These cookies are stored for less than one year from data collection.
- Third-party analytical cookies (Google analytics provided by Google) used by Data Controller solely for purposes of collecting aggregated data such as the number of site users, the most popular pages on the site, etc. These cookies are not used for profiling purposes. Tools which reduce the ability of cookies to identify users have been implemented; the third party does not cross-reference collected information with other data in such third-party's possession..
LIST OF ANALYTICAL COOKIES AND PROFILING COOKIES PRESENT ON THIS SITE, AND HOW TO DISABLE THEM
With respect to the third-parties cookies installed on this website and mentioned above, and subject to the data subject’s option to disable them by changing his/her browser settings as described infra, please find below links to policies and consent forms made available by the third parties in question:
| COOKIE NAME | DURATION |
DESCRIPTION |
DOMAIN | POLICY LINK | OPT-OUT LINK |
|---|---|---|---|---|---|
| _ga | 2 years | Cookies used by Google Analytics to analyse browsing data | .a2a.eu | https://policies.google.com/technologies/partner-sites?hl=it | These cookies may be disabled by clicking on the following link |
| _gat | 1 minute | ||||
| _gid |
24 hours |
To wit, the user may block, delete, or disable individual cookies by changing the user’s browser settings. Most browsers, indeed, allow users to change settings to enable or disable all or a portion of cookies sent out.
Instructions to disable cookies on the most popular browsers are available through the following links:
The data controller wishes to remind you, however, that should you disable cookies, your overall browsing experience may suffer.
For more information, please visit the Data Protection Authority website.
(1)General Data Protection Regulation (GDPR).
(2)Processing: Any operation or set of operations carried out with or without the assistance of automated processes and applied to personal data, or to a set of personal data, such as collection, recording, organisation, structuring, retention, adaptation, modification, extraction, consultation, use, disclosure by transmission, dissemination, or any other method of making the data available, comparison, or interconnection, limitation, deletion, or destruction.
(3)Data Controller: the natural or legal person or public authority which determines the purposes and means of processing of personal data.
Current legislation in force regarding the processing1 of personal data as defined in accordance with the provisions of EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data (General Regulations on Data Protection, hereinafter referred to as “EU Privacy Regulations”) includes provisions to ensure that the processing of personal complies with rights and fundamental freedoms of natural persons, with particular regard to the right to the protection of personal data.
Purpose of the processing and legal basis of the processing
In fulfilment of the obligations provided for by the legislation in force, we hereby inform you that the Data Controller (hereinafter also referred to as the “Controller), performs the processing of your personal data for the purpose of controlling access to the premises of the companies of A2A Group. This processing serves, in particular, to verify the identity of persons accessing corporate areas and to have immediate information on who is on company premises daily, including for reasons of safety. We also wish to inform you that, for reasons of safety and protection of company assets, a video surveillance system with closed-circuit television cameras is in operation on company premises. The images taken are processed by authorized personnel only.
Processing of data may have as its legal basis the pursuit of a legitimate interest by the Data Controller (e.g. protection of corporate assets or defending a right in court) or the eventual fulfilment of an legal obligation (e.g. data communications to the authorities) to which the Data Controller is subject.
Processing methods and data retention period
Processing will be performed with or without the aid of electronic tools, according to the principles of fairness, lawfulness and transparency, in order to protect at all times the confidentiality and rights of the person concerned in compliance with the provisions of the legislation in force.
Personal data will not be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or that in a similar way affect you significantly.
Your data will be retained, in accordance with the regulations in force, for no longer than is necessary to fulfil the purposes for which it is processed.
The retention period of the images taken by the video surveillance systems is a maximum of seven days except for any requests by the police or judicial authorities.
Nature of the provision and possible consequences of refusal
All the data collected within the scope of this processing is used for the declared purposes and for the fulfilment of legal requirements, including those on personal safety. The provision of the personal data required is optional, but the refusal to provide such data precludes access to the premises of the companies of A2A Group, given the urgent need to identify anyone who enters company areas.
Persons authorised to process personal data - Disclosure and dissemination of data
The personal data and images collected are processed by authorized personnel who need to have knowledge of such data in order to perform their duties and by external parties who may act as joint controllers or data processors, as required.
Your personal data may be disclosed to third parties who are responsible for the execution of related activities that are instrumental to this processing, to national authorities, public administrations, other companies of the A2A Group and third parties, in fulfilment of legal obligations.
Your data will not be disseminated.
Data Controller and Processor and Data Protection Officer
The Data Controller is A2A S.p.A., with registered office in Via Lamarmora 230 - Brescia. The role of Data Processor has be assigned to certain companies that provide the Controller with specific processing services or perform activities related to, instrumental. Any queries may be sent in writing to the Data Protection Officer at the following address dpo.privacy@a2a.eu, indicating the Company of the A2A Group (Data controller) intended to receive the request.
Rights of the interested party
According to the EU Privacy Regulations, you have the right to obtain from the Data Controller:
- confirmation as to whether or not your personal data is being processed, and, where that is the case, access to the personal data (right of access).
- rectification of inaccurate personal data, or to have incomplete personal data completed (right of rectification).
- the cancellation of personal data, where one of the grounds provided for by Regulations applies (right of cancellation).
- the restriction of processing where one of the grounds provided for by the Regulations applies (right of restriction).
- to receive your personal data, which you provided to the Controller, in a structured, commonly used and machine-readable format and the right to transmit it to another data controller (right to portability).
- to oppose at any time the processing performed in the pursuit of a legitimate interest of the Controller (right of opposition).
To exercise these rights, you can send an email to securitycontrolroom@a2a.eu or written communication to the Controller.
Without prejudice to any other administrative appeal or judicial review, you have the right to lodge a complaint with a Supervisory Authority if you believe that the processing of your data violates the EU Privacy Regulations.
1) Processing: any operation or set of operations, performed with or without the use of automated processes and applied to personal data or sets of personal data, such as the collection, recording, organization, structuring, retention, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, deletion or destruction.
The current applicable data-processing regulations (1) defined in accordance with the provisions of EU Regulation no. 2016/679 of 27 April 2016 regarding the protection of natural persons with respect to personal-data processing, as well as the free circulation of such data (General Regulation on Data Protection or “GDPR”), contain provisions aimed ensuring personal-data processing takes place in a manner respecting the rights and fundamental liberties of natural persons, with specific reference to the protection of personal data.
- Data Controller
The Data Controller is A2A Security S.c.p.A. with registered office in Milan at Corso di Porta Vittoria 4.
- Data Protection Officer
Data Controller has appointed a Data Protection Officer (DPO) who may be reached via email at dpo.privacy@a2a.eu, for any privacy-related questions or concerns, or to exercise data-subject rights (note the A2A Group company to whom to request is directed).
- Processing Purposes and the Legal Bases therefor
In accordance with the duties contemplated under applicable law, we would like to inform you that the Data Controller (hereinafter “Data Controller” shall process your information to:
- Manage complaints, reports, suggestions, and informational enquiries;
- Carry out all activities necessary or convenient to continually improve service delivery (including but not limited to the analysis and monitoring of customer-service quality, and to conduct customer-satisfaction assessments).
Data Controller would likewise inform you that this call may be recorded solely for the purpose of quality monitoring and assessments on all processes and customer-service efforts.
The data processing may have, as a legal basis:
- Fielding a complaint or information request;
- The pursuit of a Data-Controller interest (disclosure of personal data within the business group for internal administrative purposes, marketing activities falling under the category of soft spam, analysis of customer-service efforts);
- Discharge of a legal duty incumbent on Data Controller (e.g. disclosure of data to the authorities);
- Specific consent expressed voluntarily by you.
-
Categories of Personal Data
Personal data processed by Data Controller shall include but not be limited to:
- Biographical data and other identifiers (e.g. name, surname, Tax ID number, address, place and date of birth);
- Contact information (e.g. telephone numbers - landline and mobile - email address);
- Data relating to the supply agreement (e.g. supply type, POD);
- Voice recordings
- Other data falling under the aforementioned categories
Data Controller may request the processing of its own customers’ data to carry out specific requests
-
Recipients of Personal Data
Your personal data shall be processed by authorised staff who need to access the data in the performance of their job duties, and by third parties taking action as independent Data Controllers and Data Supervisors.
Your personal data may be disclosed to:
- Parties charged with carrying out of operations connected and relating to processing (archival-services companies, IT service providers, social-media-management firms, marketing firms, credit-collection companies, professional firms, default-services operators, brokerages, insurance companies);
- Other companies in the A2A Group, to the authorities, to research institutions or universities;
- Entities of the public administration, and other parties in the discharge of statutory duties;
- Other parties holding a legitimate interest.
Your data shall not be disseminated. -
Data Transfer to Non-EU Countries
Data Controller shall reserve the right to transfer your personal data to any country based on adequacy decisions of the European Commission, pursuant to those adequacy guarantees contemplated by applicable law.
-
Personal-Data Retention Period
Your data shall be retained in accordance with the provisions of applicable privacy regulations for no longer than strictly necessary to pursue those purposes for which they were processed, or as statutory / regulatory duties demand.
Data from recorded calls shall be retained for thirty (30) days.
Should any request be made by the relevant authorities, the aforementioned retention periods shall be extended, whereas in instances of any dispute, the personal data shall be retained until the dispute has been resolved.
-
Processing Method
The processing shall be carried out with or without the assistance of electronic tools, according to the tenets of ethics, lawfulness, transparency, in order to protect the data-subject's rights and privacy at all times in accordance with applicable law.
-
Rights of the Data Subject
The GDPR grants you the ability to exercise certain rights, including the right to ask the Data Controller to:
- Confirm whether any processing is being conducted on your personal data, and in such cases, to access the same (access rights);
- Correct any inaccurate personal data, or to supplement incomplete personal data (correction rights);
- Delete the data themselves if one of the reasons contemplated under the GDPR applies (right to be forgotten);
- Limit processing when one of the situations contemplated under the GDPR applies (limitation rights);
- Receive the personal data you supplied to the Data Controller in a structured, commonly used, and machine-readable format, and to transmit such data to another Data Controller (portability rights);
- Object at any time to processing carried out to pursue a Data Controller legitimate interest, and for marketing- and profiling-related purposes (right of objection);
- Revoke consent, if provided, on the processing of your data, at any time, without thereby prejudicing the lawfulness of any processing predicated on your consent prior to such revocation.
To exercise your rights, you may send a written request to Data Controller or Data Protection Officer.
Without prejudice to any administrative or legal petition or appeal, you have the right to lodge a complaint to any authority, should you believe your processing to have violated the GDPR.
-
Source of the Personal Data
All personal data supplied by you, observed by the Data Controller, or lawfully collected through any third party (e.g. companies providing lists), shall be strictly functional to the purposes described above.
-
Automated Decision-Making Processes
Your data shall not be subject to decisions based solely on automated processing, including profiling, which produce legal effects on the data subject, or which in any other way significantly impact your person.
(1) Processing: Any operation or set of operations carried out with or without the assistance of automated processes and applied to personal data, or to a set of personal data, such as collection, recording, organisation, structuring, retention, adaptation, modification, extraction, consultation, use, disclosure by transmission, dissemination, or any other method of making the data available, comparison, or interconnection, limitation, deletion, or destruction.