DATA PROTECTION DECLARATION FOR CUSTOMERS AND BUSINESS PARTNERS according to Art 13, 14, 21 and 26 GDPR

This Privacy Policy is addressed to commercial and private customers - in particular also service station customers - as well as other business partners (such as suppliers and current as well as future service station partners) of Eni.
 
In accordance with Regulation (EU) 679/2016 ("GDPR"), the Data Controller sets out below the statement on the processing of your personal data – obtained directly from you and/or obtained from third parties.
 
1. Identity and contact details of the Data Controller
 
Who is responsible for data processing and whom can you contact?
 
Eni Austria GmbH
Eni Marketing Austria GmbH
Eni Mineral Oil Trading GmbH
Handelskai 94 - 96
1200 Vienna
Phone: 01 24070-0
E-mail: info.at@eni.com
 
2. Contact details of the Data Protection Officer
 
You may contact the Data Protection Officer appointed by the Controller by sending an e-mail to the e-mail address datenschutz.at@eni.com (Austria) or DPO@eni.com (Italy).
 
3. Categories of personal data processed
 
We (i.e. the aforementioned companies, hereinafter also referred to as "Eni") process the personal data that we receive from you in the course of the business relationship. In addition, we process data that we receive from credit agencies, debtor lists, other companies and other third parties (e.g. for the execution of orders, for the performance of contracts or on the basis of a consent granted by you), as well as data that we have permissibly received from publicly accessible sources (e.g. register of companies, register of associations, land register, media), insofar as this is covered by the respective justification under Art. 6 GDPR.
This includes your master data (name, address, date of birth, etc.), communication data (telephone number, e-mail address, etc.), legitimation and authentication data (identification data, specimen signature, etc.), criminal records, reference and sanction lists, billing data (invoice details, bank data, etc.), documentation data (e.g. conversation notes and e-mails, etc.), information about your financial status (creditworthiness data, etc.), advertising and sales data, register data, image and sound data, information from your electronic traffic with our company (apps, cookies, etc.), visitor and participant data, self-generated processing results, and data for compliance with statutory and regulatory requirements.
 
4. The purposes of data processing and its legal basis
 
a. Legal obligation and contractual purposes - data processing is required to comply with the Data Controller’s contractual or legal obligations, and to comply with a specific request of the data subject.
 
Your personal data may be processed without your consent, in cases where this is necessary to fulfil the obligations of civil and tax law, and EU legislation, as well as standards, codes or procedures approved by the authorities and other competent institutions.
 
In addition, your personal data may be processed to comply with requests from the competent administrative or judicial authority and, more generally, public entities in compliance with the formalities of law.
 
Your personal data will also be processed for purposes related to the provision of services by the Data Controller, in particular:
− for the fulfilment of obligations arising from the General Conditions, the Regulations and/or the provision of ancillary and/or related services to these contracts. In these cases, we wish to inform you that, in accordance with the applicable legislation on personal data, your consent is not required if the processing is necessary to fulfil contractual obligations or to fulfil your specific requests expressed during negotiations and before the signing of the contract;
 
− in case of participation in a loyalty program and/or rewards plan, including requirements prior to admission to the plan, release of digital cards and/or conversion of analog cards in connection with the respective loyalty program and/or rewards plan, access to all ancillary services available to cardholders, the sending of material relating to the plan, the obtaining and delivery of special prizes and, in general, operational and management requirements related to the participation in or management of the plan;
 
− if there is the possibility of creating your own account on a website, or if there is a specific app, for the provision of services requested by the customer when registering on the website and/or App and the creation of your account and profile including the collection, storage and processing of data for the establishment and subsequent operational, technical and administrative management of the relationship (and the account and profile created by the customer) connected to the provision of services and the sending of messages related to the performance of services;
 
− in the case of direct management of payments, i.e. the processing of financial data of customers for the processing of payments (and the subsequent processing of payment details under the terms of the law, including credit card or prepaid card details) for requested services and any additional charges, in accordance with the General Conditions and/or other specific contractual conditions published on the website or in any other way made available to the client; or the fulfilment of legal, accounting, tax, administrative and contractual obligations related to the provision of the requested services.
 
This data, the provision of which is necessary for implementing the operational, financial and administrative aspects of the service, will be processed using electronic instruments, recorded in special data bases and used strictly and exclusively within the scope of the contract.
 
Because the communication of your personal data for the above purposes is necessary to the maintenance and provision of all services related to the contract, failure to do so will result in the specific services in question not being provided.
 
b. Commercial and marketing purposes – consent
 
This data processing will only be carried out if Eni has received a declaration of consent from you in this regard. Your personal data may also be processed, subject to your consent, for the following purposes inherent to the activity of the Data Controller or a third party:
 
− market research, financial analysis and statistics;
 
− the marketing of the services of the Data Controller and/or a third party, the sending of advertising/information/promotional material and that relating to participation in initiatives and offers aimed at rewarding customers of the Data Controller;
 
− interactive commercial communications, also via geolocation services (see following point c);
 
− customer satisfaction surveys on the quality of the services provided.
 
These activities may involve the products and services of the Data Controller, as well as Eni subsidiaries or their commercial partners, and may also be performed through an automated call system without an operator, email, fax, and MMS (Multimedia Message Service) and SMS (Short Message Service) messages.
Consent to the processing of data and its communication to the parties listed below for the above purposes is optional and may be revoked by contacting Customer Service at telephone number 01 24070-0, by sending an e-mail to the e-mail address datenschutz.at@eni.com, a fax message to 01 24070-3017, or by writing to the responsible Eni Austria GmbH/ Eni Marketing Austria GmbH/ Eni Mineralölhandel GmbH, Handelskai 94 - 96, 1200 Vienna.
 
c. Geolocation – consent
 
This data processing will only be carried out if Eni has received a declaration of consent from you in this regard.
To facilitate the provision of the requested services, described in the Terms and Conditions of use, the Company will detect your location using the geolocation service (e.g. for automatic recognition of stations that are part of the service, the location of cars available in the vicinity, etc.) if you have selected the geolocation feature on your device.
Subject to your express consent, your geolocation data will also be used to allow you to receive promotional offers related to the service.
 
d. Profiling – consent
 
This data processing will only be carried out if Eni has received a declaration of consent from you in this regard.
When providing the requested services, the Company will be able to identify and perform an analysis of clients' consumer habits and preferences to improve the services provided and to meet their specific requirements.
Subject to your consent, profiling data will also be used to allow you to receive promotional offers related to the service that are customized according to your expressed preferences or your habits when using the Data Controller's services.
 
e. Security purposes
 
If you provide your signature on a tablet, the Data Controller will be able to process the personal data obtained with an electronic signature for security reasons, only using authorized staff and those specifically allowed to access the data. Thus, it is ensured that in cases where the signature requires verification the processing is performed exclusively in accordance with procedures established by a rigorous corporate process.
 
This data will then be stored using a process that will maintain its integrity, immutability and legibility over time. Once you have completed the subscription process, the documents will be stored on a suitable data carrier.
Data processing will be performed solely using logic organized strictly in accordance with the obligations, duties and purposes described in this statement. In the case of e-signing on tablets, the biometric data obtained will not be used for purposes of identification and authentication.
 
f. Defence of a legal claim
 
In addition, your personal data will be processed whenever it is necessary to ascertain, exercise or defend a legal claim on the part of the Data Controller or another company within Eni's scope of control.
 
 
g. Legitimate interests of the Data Controller
 
In particular, in the following cases, the Data Controller is entitled to process your personal data even without your consent in order to protect our legitimate interests or those of third parties:
 
− to enable due diligence and other pre-sale measures to be carried out in cases of extraordinary mergers, company and business disposals and (other) business transfers. It should be noted that only the data required for the above purposes will be processed, and as a rule only in anonymous and aggregated form.
 
− to analyze the use of the services offered, to identify the consumption habits and preferences of customers in order to improve the services provided and meet their specific needs, or to prepare initiatives regarding the contractual relationship in order to improve the services provided, such as customer surveys;
 
− for building and facility security measures, to ensure housekeeping, to prevent and solve crimes, and to obtain other necessary evidence;
 
− for exchanging data with credit agencies and for determining creditworthiness and default risks;
 
− for internal Group administrative purposes;
 
− with regard to the declaration of companies engaged in geolocation of any kind, to set up a vehicle geolocation system and prepare any measures aimed at protecting the fleet from any unlawful and fraudulent acts by customers.
 
If your personal data is requested, the data controller will inform you separately whether the data request provides for mandatory or voluntary disclosure.
 
The refusal to give your written consent to the processing of the voluntary data currently or in the future stored by the data controller may lead to your exclusion from the benefits and/or consequences associated with the data processing, without, however, affecting the contractual relationship and the services provided by the data controller.
 
5. Recipients of personal data
 
Within Eni, your data will be received by those offices or employees who need it to perform their contractual, legal and supervisory duties or legitimate interests.
Data will only be transferred to recipients outside Eni if this is permitted or required by law, if you have consented or if we are authorized to provide information.
Under these conditions, recipients of personal data may be:
− police forces and other government security bodies, for the fulfilment of the obligations envisaged by law, regulations or EU legislation. In this case, according to applicable data protection legislation, the prior consent of the data subject is not required;
 
− companies, organizations and associations, parent companies, subsidiaries and affiliates (e.g. in connection with Routex cards), or between them and jointly controlled entities, and between consortia, business networks and groups, temporary joint ventures and related entities, in the context of communications made for administrative and/or accounting purposes;
 
− insurance companies for the settlement of claims;
 
− companies specialized in credit recovery, law firms and tax consultants;
 
− companies specialized in the management of business information or related to credit, or advertising and promotion;
 
− other companies that provide services similar to those supplied by the Company with whom the Data Controller has agreements of various types (e.g., service station operators);
 
− other companies contractually bound to the Controller and providing e.g. consulting, service delivery support, etc. such as advertising and social media agencies, IT service providers, service providers in consulting and advisory, service providers for logistics, service providers for telecommunications, service providers for sales and marketing;
 
− other companies (data processors and joint controllers) that have entered into agreements with Eni pursuant to Art 26 or 28 GDPR;
 
− other entities and persons for whom you have given us your consent to transfer data.
 
The Data Controller guarantees the utmost care to ensure that the communication of your personal data to the above recipients includes only the data required to accomplish the specific purposes intended.
 
Your personal data will be stored in the Data Controller's database and will be processed exclusively by authorized personnel who will be given specific instructions on the methods and purposes of the processing. Your data will not be communicated to third parties, except as provided for above and, in any case, within the limits indicated.
 
Finally, please note that your personal data will not be disclosed, except in the cases described above and/or as provided for by law.
 
6. Transfer of personal data outside the EU
 
In the context of the contractual relations between Eni and its Subsidiaries, and between the Subsidiaries themselves, for some of the purposes indicated in Section 4 above, it is permissible to transfer your personal data outside the EU, including through inclusion in databases shared and managed by third parties both within and outside of Eni's scope of control. The management of the database and the processing of this data are performed only for the purposes for which it was collected and with maximum respect for the privacy and security standards described in applicable personal data protection laws.
 
Whenever your personal data is transferred outside the EU, the Data Controller shall take every suitable and necessary contractual measure to guarantee an adequate level of personal data protection in accordance with this Privacy Statement, including, among other means, the Standard Contractual Clauses approved by the European Commission.
 
7. Data retention period
 
We process your personal data, insofar as necessary, for the duration of the entire business relationship (from the initiation and processing to the termination of a contract) as well as beyond that in accordance with the statutory retention and documentation obligations, which result, among other things, from the Austrian Commercial Code (UGB) or the Federal Fiscal Code (BAO). In addition, the statutory limitation periods, which can be up to 30 years in certain cases (the general limitation period is 3 years) for example according to the General Civil Code (ABGB), must be taken into account for the storage period.
 
8. Information on video recordings / joint controllership according to Art 26 GDPR
 
Video surveillance, especially at service stations (but also at Eni's headquarters and warehouses) takes place using electronic and automated media and is managed by means that ensure the security and confidentiality of the data. Image recordings are permitted under Section 12 of the Data Protection Act if (i) they are necessary in the vital interest of a person, (ii) the data subject has consented to the processing of his or her personal data, (iii) they are permitted by legal provisions or (iv) there are overriding legitimate interests of the data controller (preventive protection of persons or property in publicly accessible places subject to the data controller's domiciliary rights) and proportionality is given.
 
The legal basis is the legitimate interest, e.g. processing of the recorded footage for the protection of property, the right of domicile or for the purpose of preventing, containing and clarifying conduct relevant under civil, administrative and criminal law. The processing shall take place in accordance with the guarantees provided by the applicable legislation on the protection of personal data and may include any necessary procedures or sets of procedures. These include the transfer of data to the following categories of recipients: (i) other Eni subsidiaries or service station operators; (ii) insurance companies and law firms; (iii) competent police, judicial and/or administrative authorities. The data will be processed by authorized personnel of the Responsible Parties and by data processors for the maintenance of surveillance and video surveillance systems.
 
Records are as a rule retained only for the maximum period of 72 hours, after which they are permanently deleted if they are no longer needed for the purpose for which they were obtained and there are no other retention obligations provided for by law. In particular, if there is a corresponding request from judicial authorities or a delegated body in connection with ongoing investigations, the retention period may be longer.
 
The provision of personal data collected by video surveillance systems is necessary for the aforementioned purposes and occurs automatically when the data subject enters the area of the cameras belonging to the video surveillance system. Please note in this regard the video surveillance pictograms on site, on which the (joint) controllers are suitably identified.
 
For any video recordings in the store area of service stations, the respective service station operator is the sole controller as defined by the GDPR; only if the video recordings are also made for purposes related to the protection of Eni (video surveillance of the petrol pumps, the car wash, etc.), the service station operator and Eni are joint controllers within the meaning of Art 26 GDPR.
 
Moreover, the essential content of the agreement concluded between the Service Station Operator and Eni as joint controllers is as follows:
 
− The service station operator shall ensure that access to image recordings and subsequent modification by unauthorized persons is excluded and shall log every processing operation and delete recorded personal data if they are no longer required for the purpose for which they were collected and no other legal retention obligation exists (retention for longer than 72 hours must be proportionate and must be logged and justified separately) and appropriately mark the image recordings.
 
− Eni warrants that the cameras and equipment provided are state of the art.
 
− The central point of contact for the exercise of data subject rights (see paragraph 9.), in particular the right to information, is Eni.
 
9. Rights of data subjects
 
As the data subject, you have the following rights concerning the personal data collected and processed by the Data Controller for the purposes listed at Section 4 above.
 
a. Right of access
 
You have the right to ask the Data Controller for confirmation that your personal data is being processed and obtain access to your personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular if the recipients are in third countries or international organizations; (iv) if possible, the intended retention period of the personal data or, if this is not possible, the criteria used to determine this period; (v) the existence of a right to rectification or erasure, to restriction of processing or a right to object; (vi) the right to lodge a complaint with a supervisory authority:
 
Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
 
Phone: +43 1 52 152-0
 
b. Right of rectification and cancellation
 
You have the right to rectify any inaccurate personal data, as well as, taking into account the purposes of the processing, complete any incomplete personal data, including by providing a supplementary statement.
 
You also have the right to obtain cancellation of your personal data for any of the following reasons: (i) your personal data is no longer required for the purposes for which it was collected or otherwise processed; (ii) the data was processed unlawfully; (iii) you have revoked your consent on the basis of which the Data Controller had the right to process your data and there is no other legal basis allowing the Data Controller to process it; (iv) you did not agree to the processing and there is no overriding legitimate reason to perform it; (v) your personal data must be deleted to comply with a legal obligation.
 
The above data erasure rights do not apply insofar as the processing is necessary (i) for the exercise of the right to freedom of expression and information, (ii) for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, (iii) for the establishment, exercise or defense of legal claims.
 
c. Right to data portability
 
You have the right to receive the personal data provided to the Company and processed by it on the basis of consent, or other legal basis, in a structured, customary and readable format, as well as the right to transmit this data to another Data Controller without hindrance.
 
d. The right to restrict processing
 
You have the right to ask the Company to restrict processing as follows: (i) for the period required by the Data Controller to verify your personal data when you have disputed its accuracy; (ii) if your personal data has been processed unlawfully; (iii) even if your personal data is not required for the purposes of processing but you need it to be processed for the determination, exercise or defence of a legal claim; (iv) for the period required to check on the possible prevalence of the Data Controller's legitimate reasons with respect to your opposition to the processing.
 
e. Right of objection
 
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art 6(1)(e) GDPR (data processing in the public interest) and Art 6(1)(f) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on these provisions. The objection can be made without any formalities.
 
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or for the assertion, exercise or defense of legal claims.
 
In individual cases, we process your personal data to conduct direct marketing. You have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
 
You can exercise the above mentioned rights by contacting the data protection officer by e-mail datenschutz.at@eni.com or DPO@eni.com.
 
In the event of unlawful processing of your data, you are also entitled to contact the competent data protection authority.