STANDARD OF CUSTOMER PRIVACY POLICY

In accordance with Regulation (EU) 679/2016 ("GDPR"), the "Data Controller" sets out below the statement on the processing of your personal data – obtained directly from you and/or obtained from third parties.

1. Identity and contact details of the Data Controller
The Data Controller can be contacted at the following address.
Eni Austria GmbH
Eni Marketing Austria GmbH
Eni Mineralölhandel GmbH
Handelskai 94 – 96
1200 Wien
Telefon: 01 24070-0
E-Mail: info.at@eni.com

2. Contact details of the Data Protection Officer
The Company has appointed a Data Protection Officer who can be contacted at the following email address DPO@eni.com or datenschutz.at@eni.com.

3. The purposes of data processing and its legal basis
a. Necessary legal and contractual purposes - data processing is required to comply with the Data Controller’s contractual or legal obligations, or to comply with a specific request of the data subject.
Your personal data may be processed without your consent, in cases where this is necessary to fulfil the obligations of civil and tax law, and EU legislation, as well as standards, codes or procedures approved by the Authorities and other competent Institutions.

In addition, your personal data may be processed to comply with requests from the competent administrative or judicial authority and, more generally, public entities in compliance with the formalities of law.
Your personal data will also be processed for purposes related and/or associated with the provision of services by the Company, in particular:

− for the fulfilment of obligations arising from the General Conditions, the internal Regulations and/or the provision of ancillary and/or related services to these contracts. In these cases, we wish to inform you that, in accordance with the applicable legislation on personal data, your consent is not required if the processing is necessary to fulfil contractual obligations or if the processing is necessary to fulfil your specific requests during negotiations and before the contract is signed;

− in the case of a loyalty and/or rewards plan for participation in the plan, including, but not limited to, requirements prior to admission to the plan, release of digital cards and/or conversion of analogue cards, access to all ancillary services available to cardholders, the sending of material relating to the plan, the obtaining and delivery of special prizes and, in general, operational and management requirements related to the participation in and management of the plan;

− if there is the possibility to create your own account on a website, or if there is a specific app for the provision of services requested by the customer when registering on the website and/or App and the creation of your account and profile including the collection, storage and processing of data for the establishment and subsequent operational, technical and administrative management of the relationship (and the account and profile created by the customer) connected to the provision of services and the sending of communications related to the performance of services;

− in the case of the direct management of payments and, therefore, the processing of the financial data of clients for the processing of payments (and the subsequent processing - under the terms of the law - of payment details, including credit card or prepaid card details) for requested services and any additional charges, in accordance with the General Conditions and/or other specific contractual conditions published on the website or in any other way made available to the client; or the fulfilment of legal, accounting, tax, administrative and contractual obligations related to the provision of the requested services;

This data, the provision of which is necessary for implementing the operational, financial and administrative aspects of the service – will be processed using electronic instruments, recorded in special data bases and used strictly and exclusively within the scope of the contract.

Because the communication of your personal data for the above purposes is necessary to the maintenance and provision of all services related to the contract, failure to do so will result in the specific services in question not being provided.
b. Commercial and marketing purposes – consent
Your personal data may also be processed, subject to your consent, for the following purposes inherent to the activity of the Data Controller or a third party:

− market research, financial analysis and statistics;

− the marketing of the services of the Data Controller and/or a third party, the sending of advertising/information/promotional material and that relating to participation in initiatives and offers aimed at rewarding customers of the Data Controller;

− interactive commercial communications, also via geolocation services (see point c of Chap. 3);

− customer satisfaction surveys on the quality of the services provided.

These activities may involve the products and services of the Data Controller, as well as Eni subsidiaries or their commercial partners, and may also be performed through an automated call system without an operator, email, fax, and MMS (Multimedia Message Service) and SMS (Short Message Service) messages.

Consent to the processing of data and its communication to the parties shown below for the above purposes is optional and may be revoked by contacting Customer Service at this number 01 24070-0 , or by sending an email to the email address datenschutz.at@eni.com, or a fax to 01 24070-3017 , or by writing to the Data Controller Eni Austria GmbH/ Eni Marketing Austria GmbH/ Eni Mineralölhandel GmbH, Handelskai 94 – 96, 1200 Wien.

c. Geolocation – consent
To facilitate the provision of the requested services – described in the Terms and Conditions of use –, the Company will detect your location using the geolocation service for automatic recognition of stations that are part of the service, the location of cars available in the vicinity, etc., if you have selected the geolocation feature on your device.

Subject to your express consent, your geolocation data will also be used to allow you to receive promotional offers related to the service.

d. Profiling – consent
When providing the requested services, the Company will be able to identify and perform an analysis of clients' consumer habits and preferences to improve the services provided and to meet their specific requirements.
Subject to your consent, profiling data will also be used to allow you to receive promotional offers related to the service that are customized according to your expressed preferences or your habits when using the Data Controller's services.

e. Security purposes
In the case of providing your signature on a tablet, the Data Controller will be able to process the personal data obtained with an electronic signature for security reasons - only using authorized operators and those specifically allowed to access the data – ensuring that the processing is performed exclusively in accordance with procedures established by a rigorous corporate process, in cases where the signature requires verification.
This data will then be stored using a process that will maintain its integrity, immutability and legibility over time and, once you have completed the subscription process, the documents will be stored on a suitable data carrier.
Data processing will be performed solely with logics and it will be organized strictly in accordance with the obligations, duties and purposes described in this statement and, in the case of e-signing on tablets, the biometric data obtained will not be used for purposes of identification and authentication.

f. Defence of a legal claim
In addition, your personal data will be processed whenever it is necessary to ascertain, exercise or defend a legal claim on the part of the Data Controller or another company within Eni's scope of control.

g. Legitimate interests of the Data Controller
The Data Controller may process your personal data without your consent in the following cases:
− in the case of extraordinary business branch mergers, sales or transfers to allow the performance of due diligence and other operations prior to the sale. It is understood that only the data required for the above purposes will be processed in the most aggregated/anonymous form.

− analysis of the use of services, to identify clients consumer habits and preferences, to improve the services provided and to meet their specific requirements, or the preparation of initiatives related to the contractual relationship to improve the services provided, such as client feedback surveys;

− preparation of a vehicle geolocation system and any measures to protect the vehicle fleet against any act by clients that is illegal or fraudulent.

4. Recipients of personal data
For the purposes indicated in point 3, the Data Controller may disclose your personal data to third parties, such as, for example, those belonging to the following categories:

− police forces, the armed forces and other government bodies, for the fulfilment of the obligations envisaged by law, regulations or EU legislation. In this case, according to applicable data protection legislation, the prior consent of the data subject is not required;

− companies, organizations or associations, or parent, subsidiary or associated, or between these and companies subject to joint control, and between consortia, business networks and groups, and temporary joint ventures and connected entities, limited to communications made for administrative and/or accounting purposes;

− insurance companies responsible for the settlement of claims;

− companies specialized in credit recovery;

− companies specialized in the management of business information or related to credit, or advertising and promotion;

− other companies that provide [services similar to those supplied by the Company] with whom the Data Controller has agreements of various types;

− other companies contractually bound to the Data Controller that provide [consultancy, service delivery support, etc.]

− You may rest assured that the Data Controller will take the utmost care to ensure that the communication of your personal data to the above recipients involves only the data required to accomplish the specific purposes for which it is intended.
Your personal data is stored in the Data Controller's database and will be processed exclusively by authorized personnel who will be given specific instructions on the methods and purposes of the processing. Your data will not be communicated to third parties, except as provided for above and, in any case, within the limits indicated.
Finally, please note that your personal data will not be disclosed, except in the cases described above and/or as provided for by law.

5. Transfer of personal data outside the EU
In the context of the contractual relations between Eni and its Subsidiaries, and between the Subsidiaries themselves, for some of the purposes indicated in Section 3 above, your personal data may be transferred outside the EU, including through inclusion in databases shared and managed by third parties both within and outside of Eni's scope of control. The management of the database and the processing of this data are performed only for the purposes for which it was collected and with maximum respect for the privacy and security standards described in applicable personal data protection laws.
Whenever your personal data is transferred outside the EU, the Data Controller shall take every suitable and necessary contractual measure to guarantee an adequate level of personal data protection in accordance with this Privacy Statement, including, among other means, the Standard Contractual Clauses approved by the European Commission.

6. Data retention period
The data will be kept for no longer than required for the purposes for which it has been collected or processed, in accordance with the applicable legislation.

In particular, the processing of your personal data for the purposes of profiling will stop one year after the end of the contractual relationship with you. Likewise, your personal data will stop being processed for marketing purposes two years after the termination of your contractual relationship.

Your data will be kept for ten years from the termination of the contractual relationship in order to allow the Company to defend itself against possible claims in relation to the contract. At the end of this period, all data will be deleted or otherwise irreversibly de-identified, unless the continued retention of some or all of the data is required by law.

7. Rights of data subjects
7.1 As the data subject, you have the following rights concerning the personal data collected and processed by the Data Controller for the purposes listed at Section 3 above.

a. Right of access
You have the right to ask the Data Controller for confirmation that your personal data is being processed and obtain access to your personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular if the recipients are in third countries or international organizations; (iv) when possible, the intended retention period of the personal data or, if this is not possible, the criteria used to determine this period; (v) the right to lodge a complaint with a supervisory authority:
Österreichische Datenschutzbehörde
Wickenburggasse 8
1080 Wien
Telefon: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at

b. Right of rectification and cancellation
You have the right to rectify any inaccurate personal data, as well as, taking into account the purposes of the processing, complete any incomplete personal data, including by providing a supplementary statement.
You also have the right to obtain cancellation of your personal data for any of the following reasons: (i) your personal data is no longer required for the purposes for which it was collected or otherwise processed; (ii) the data was processed unlawfully; (iii) you have revoked your consent on the basis of which the Data Controller had the right to process your data and there is no other legal basis allowing the Data Controller to process it; (iv) you did not agree to the processing and there is no overriding legitimate reason to do it; (v) your personal data must be deleted to comply with a legal obligation.
The Company has the right, nevertheless, to waive these rights of cancellation if the right to freedom of expression and information prevails, or to exercise a legal obligation or defend a legal claim.
You also have the following rights:

c) The right to data portability
You have the right to receive the personal data provided to the Company and processed by it on the basis of consent, or other legal basis, in a structured, customary and readable format, as well as the right to transmit this data to another Data Controller without hindrance.

d) The right to restrict processing
You have the right to ask the Company to restrict processing as follows: (i) for the period required by the Data Controller to verify your personal data when you have disputed its accuracy; (ii) if your personal data has been processed unlawfully; (iii) even if your personal data is not required for the purposes of processing but you need it to be processed for the determination, exercise or defence of a legal claim; (iv) for the period required to check on the possible prevalence of the Data Controller's legitimate reasons with respect to your opposition to the processing.

You can exercise the above mentioned rights by sending an email to DPO@eni.com or datenschutz.at@eni.com.
You also have recourse to the competent data protection authority if your data has been processed unlawfully.