Please find below the information on the processing of customers' personal data.
Dear Sir / Madam,
Geoside S.p.A. (hereinafter, for the sake of brevity, the "Data Controller" or "Company"), as the data controller, wishes to inform you, pursuant to art. 13 of the European Regulation 2016/679 concerning the protection of personal data ("Regulation") and national legislation, including the individual provisions of the Supervisory Authority (Guarantor for the protection of personal data), where applicable, that your personal data will be processed in compliance with the legislative and contractual provisions in force for the purposes and in the manner indicated below.
1. Type of personal data, purpose and legal basis for the processing
A) Type of personal data
The Company mainly processes the following categories of personal data:
- identification and contact data (such as, for example, name, surname, date of birth, tax code, postal address, e-mail address, telephone contacts, residence, domicile, cadastral data, building permit);
- energy consumption data and environmental data;
- bank data.
For services that include home automation solutions (e.g. SaveHome, SaveTermo) we also process information collected from equipment installed in the customer’s premises, such as: room temperature, brightness, instantaneous power, humidity, total electrical consumption, total thermal consumption, motion alarms.
B) Purpose of the processing and legal basis of the processing
B.1 Purposes for which no consent is required
Your personal data is collected and processed for the following purposes:
a) for the adoption of pre-contractual measures, the conclusion and execution of:
- the contract for energy efficiency intervention services and the related preliminary activities, such as, for example, intervention on the furnace, interventions on the central heating, installation of photovoltaic panels, thermo-acoustic insulation, handling of any requests for information, complaints and disputes;
- the energy supply contract and the related preliminary and connected activities, such as, by way of example, the activities of connection, switch, activation and termination of the supply, handling of any requests for information, complaints and disputes;
- the contract for the supply and possible installation of equipment at the user’s premises, including home automation, and the processing and transmission of reports on energy consumption and environmental data;
and for the fulfilment of legal obligations arising from the contract, including all administrative and accounting formalities;
b) to handle requests for information related to the provision of services by the Company (e.g. energy upgrading services and works on the property, energy saving services and services for the use of renewable energy, including what is necessary for obtaining tax benefits/contributions, energy supply, home automation services, production of reports on consumption and environmental data, other services provided by the Company);
c) to comply with the legal obligations to which the Company is subject, including laws, regulations pro tempore in force and provisions also issued by Authorities legitimated to this effect, as well as for purposes related to the detection and prosecution of crimes;
d) the pursuit of the legitimate interest by the Data Controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, including, by way of example, audit activities and data analysis for the improvement of processes and services;
e) the provision of the services offered by the Company directly or through third party Companies;
f) for control activities aimed at protecting against credit risk and fraud related to the services provided, including activities aimed at identifying your economic reliability and solvency, before or during the contractual relationship. To activate and keep the services active, some personal data from public archives or registers are used relating to any protests, registrations or transcripts (such as foreclosures, insolvency procedures, seizures, mortgages, judicial claims), as well as data from title search and balance sheet;
g) for credit protection reasons, the Company may use information relating to the status and punctuality in payments relating to products or services provided in the past;
h) for the assignment of credit rights to customers, arising from the provision of products and services provided by the Company; to verify, in accordance with current legislation, the correctness of bank/postal or payment data, in order to activate bank/postal domiciliation and manage payments;
i) to establish, exercise or defend a right in judicial or administrative proceedings or in arbitration or conciliation proceedings.
For these purposes, consent is not required because the processing is necessary for the performance of the contract or pre-contractual measures adopted at your request (letters a, b, e), compliance with a legal obligation to which the Company is subject (letter c) and the pursuit of the legitimate interest of the Data Controller (letters d, f, g, h, i).
B.2 Purposes for which consent is required:
Your personal data is also collected and processed for the following purposes:
- sending advertising material, carrying out market research, direct sales, including by telephone, carrying out commercial promotion activities for the services provided by the Company, directly or through third-party companies, specifically appointed as data processors.
For these purposes, your consent is required, as these activities are optional and not binding on the performance of the contract.
In addition, the Company, pursuant to art. 130, paragraph 4, of Legislative Decree 196/2003 and subsequent amendments, without asking your prior consent, may send you communications for the direct sale of products or services similar to those you have already purchased (so-called soft spam), until you decide to opt out.
2. Methods of processing and nature of the provision
Personal data will be processed by authorized persons of the Company and / or by Processors which the Data Controller may use - as indicated in paragraph 4) of this notice - to store, manage and transmit the data by means of paper, IT and telematic tools according to the principles of law and protecting the privacy of the data subject and his/her rights through the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The provision of your personal data is mandatory for the purposes referred to in point B.1, for the establishment and execution of the contractual relationship, as well as for the related administrative, accounting and tax obligations and for the management of any complaints, and any failure to provide it may affect the provision of the requested services. The provision of your personal data is optional for the purposes referred to in point B.2 and failure to provide the data will make it impossible for the Company to carry out commercial promotion activities.
3. Data retention
Your data will be kept for the period necessary to comply with contractual and legal obligations in compliance with the principles of proportionality and necessity. The retention period of the data depends on the purposes for which they are processed and therefore may vary. The criteria used to determine the applicable retention period are as follows: the retention of personal data covered by this notice will take place for the time necessary (i) to manage your contractual relationship, (ii) to manage complaints or specific claims you have requested, (iii) to assert rights in court and (iv) for the time provided by applicable law.
Personal data and energy consumption data, in any case, will be automatically deleted after 10 years from the termination of the contractual relationship, within the terms of exercise of the contractual actions referred to in the Civil Code, and in any case for the time necessary for the exercise of the rights.
The data collected as part of home automation services and the reports relating to energy consumption will be deleted within 6 months after the termination of the contractual relationship.
For the purposes referred to in point B.2 of this notice, the retention time of your personal data will be 24 months, unless your consent is revoked before the expiry of this period. At the end of this period your personal data will be deleted.
4. Communication, dissemination and transfer of data
Your personal data may be disclosed to:
a) companies of the Italgas Group, or parent companies, subsidiaries and associates of the Company, for administrative-accounting management and control purposes and for the supply of IT services and the management of the Company's technological infrastructure;
b) subjects contractually linked to the Company, such as banking and credit institutions, insurance companies and intermediaries, legal advisors, tax advisors and accountants, debt collection companies, companies that detect financial risks and that carry out fraud prevention activities; entities that carry out on behalf of the Company technical/operational or organizational tasks; that carry out data acquisition services, data entry, storage and processing of data necessary for the use of the services offered to customers; that provide services for the management of the Company’s technological infrastructure; that carry out transmission, enveloping, transport and sorting of communications to the customer; that carry out customer assistance activities; that carry out checks, audits and certification of the activities carried out by the Company, also in the interest of its customers; banks and credit card issuers; other operators of the energy sector for the management of related relationships; assistance and consultancy firms, including legal ones;
c) Public entities for the fulfillment of legal obligations;
d) public authorities and supervisory and control bodies, when this is necessary for the granting of grants, contributions, subsidies and facilities of any kind related to the provision of services, or when required by specific legislative, regulatory and authorization provisions;
e) external companies, including foreign companies, which operate in the sector of granting loans, including payment extensions, when permitted by current legislation, for the purpose of preventing and controlling the risk of insolvency and credit protection;
f) external companies, including foreign companies, operating in the field of the provision of analysis and processing of consumption and environmental data and digital consumption monitoring services.
The subjects belonging to the above categories will process the data as autonomous Data Controllers or as Data Processors or Authorized Persons for the processing, specifically designated by the Company, to whom the Company will issue adequate operating instructions, aimed at adopting adequate security measures, in order to guarantee the confidentiality, security and integrity of the data.
The data provided will not be disclosed to third parties and will not be disseminated in any way. The data may be cross-referenced, for updating and analysis purposes, with other data in legitimate possession of the Company.
The data will be processed within the European Union and stored on servers located within the European Union.
5. Rights of the data subjects
The data subjects may exercise, in relation to the data processing described herein, the rights provided for by the Regulation (articles 15-22), including:
- to obtain confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to their personal data, as well as further information on the processing in progress on them (right of access);
- to rectify, modify and/or have incomplete personal data completed (right to rectification);
- to request the erasure or the restriction of processing of personal data processed in violation of the law, including those that are no longer necessary in relation to the purposes for which they were collected or otherwise processed (right to be forgotten and right to restriction);
- to object to processing of personal data concerning them (right to object);
- to withdraw their consent, if given, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
- to lodge a complaint with the supervisory authority in the event of a violation of data protection law;
- to receive a copy of the personal data concerning them in a structured, commonly used and machine-readable format and to have such data transmitted directly from one controller to another, where technically feasible (right to data portability).
To exercise these rights, you can contact the Data Protection Officer (hereinafter, in short, "DPO") by sending an email to firstname.lastname@example.org.
6. Identity and contact details of the Data Controller, of the Data Processors and contact details of the Data Protection Officer
The Data Controller of personal data is Geoside S.p.A., with registered office in Casalecchio di Reno (BO), via Ettore Cristoni 88.
The updated list of data processors is available at the headquarters of the Data Controller.
The Italgas Group has appointed a Data Protection Officer who can be contacted at the e-mail address indicated in point 5, or by ordinary mail at the Company’s headquarters.