In accordance with Regulation (EU) 2016/679 ("GDPR"), Eni S.p.A. ("Company" or the "Owner") is providing the following information regarding the processing of personal data collected or provided by the User when using the services of the website www.eniwaysafe.eni.com (“Sito Web”).

1. Identity and contact details of the Processing Owner

The Processing Owner is Eni S.p.A., with registered office in Rome, Piazzale Enrico Mattei, 1 and offices in San Donato Milanese (Milan), 20097, Via Emilia, 1.

2. Contact details of the Data Protection Officer

The Company has appointed a Data Protection Officer, who can be contacted at the following email address: dpo@eni.com.

3. Purposes of the processing and legal basis of the processing
a. Legal and contractual purposes - processing required to fulfil a contractual or legal obligation to which the Processing Owner is subject or to execute a specific request from the party involved

The User's personal data may be processed, without the need for his consent, in cases where this is necessary to fulfil obligations deriving from legal provisions, as well as rules, codes or procedures approved by Authorities and other competent Institutions.

The User's personal data will also be processed for the purposes related to and/or associated with the provision of services by the Company in the context of browsing the Website, such as:

• for the provision of the Services requested by the User while browsing the Website or by filling the forms contained therein, including the collection, storage and processing of data for the purpose of establishing the subsequent operational and technical management.
• for the provision of the Services requested by the user with the registration on the Website and the creation of his own account and profile including the collection, storage and processing of data for the purpose of establishing the subsequent operational, technical and administrative management of the relationship (and of the account and profile created by the User) related to the provision of the Services and to the implementation of communications relating to the performance of the Services;
• for the management of relations with third-party authorities and public bodies for purposes related to particular requests, fulfilment of legal obligations or special procedures.

These data - whose provision is necessary for the operational execution of the Services - will also be processed with electronic tools, registered in special databases, and used strictly and exclusively in the context of browsing the Website. Since the communication of personal data of the User for the aforementioned purposes is necessary for the maintenance and provision of the Services, failure to communicate will make it impossible to provide to the User the specific Services in question.

b. Purposes based on the legitimate interest of the Owner

The Owner may process the User's personal data based on his own legitimate interest in order to improve the Services and protect his business, in the following cases:

• in the case of extraordinary operations of merger, assignment or transfer of a business unit, in order to allow the performance of the operations necessary for the due diligence and preparatory activity relating to the transfer. It is understood that only the data strictly necessary for the aforementioned purposes will be processed in the most aggregate/anonymous form possible.
• anonymous and aggregated analysis of the use of the services used, in order to identify Users’ habits and inclinations, to improve the services provided and to meet specific User needs, or to set up initiatives connected to the improvement of the services provided.
• whenever it is necessary for the purpose of ascertaining, exercising or defending a right of the Owner or other companies falling within the Company's control perimeter in court

4. Recipients of the personal data

For the pursuit of the purposes indicated in point 3, the Owner may communicate the personal data of the User to third parties, such as, for example, those pertaining to the following individuals or categories of individuals:

• police forces, armed forces and other public administrations, for the fulfilment of law obligations, regulations or community legislation
• companies, institutions or associations, or parent companies, subsidiaries or affiliated companies pursuant to Article 2359 of the Italian Civil Code, or between them and companies subject to joint control, as well as consortia, networks of companies and groupings and temporary associations of companies and entities linked to them, limited to communications made for administrative and/or accounting purposes;
• companies specialized in debt collection;
• companies specialized in the management of commercial or credit information, or advertising promotion;
• other companies contractually linked to the Owner which carry out, for example, consultancy activities, support for the provision of services etc.

The Owner guarantees the utmost care to ensure that the communication of the User’s personal data to the aforementioned recipients only concerns the data necessary to achieve the specific purposes for which they are intended. The User's personal data is stored in the Owner’s databases and will be processed exclusively by authorised personnel. The latter will be provided with specific instructions on the methods and purposes of the processing. Furthermore, these data will not be disclosed to third parties, except as provided above and, in any case, within the limits indicated therein. Finally, we remind you that the User’s personal data will not be disseminated, except in the cases described above and/or required by law.

5. Transfer of personal data outside the European Economic Area

For some of the purposes set out in point 3, the personal data of the User may be transferred outside the European Economic Area (“EEA”). The management of the database and the processing of such data are bound to the purposes for which they were collected and are carried out in full compliance with the privacy and security standards set out in the applicable personal data protection laws. Whenever the User's personal data are to be transferred internationally outside the territory of the EEA, the Owner will take all appropriate contractual measures necessary to guarantee an adequate level of personal data protection in accordance with that stated within the present information document on the processing of personal data, including, among others, the Standard Contractual Clauses approved by the European Commission.

6. Data-retention period

The data will be stored for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed in accordance with the provisions of the legal obligations.

7. Rights of the interested parties

As an interested party, the User is granted the following rights to the personal data collected and processed by the Owner for the purposes indicated in point 3: (i) the right to access, in particular requesting, at any time, confirmation of the existence of personal data of the User in the Company’s archives and the provision of such information in a clear and intelligible way, as well as the right to know the origin, logic and purpose of the processing with express and specific indication of the persons in charge and responsible for the processing and third parties to whom the User’s personal data may be disclosed; (ii) the right to obtain, update and rectify data, the deletion of superfluous data or the transformation into anonymous form, as well as the obstruction of processing and definitive cancellation in case of unlawful processing; (iii) if these prerequisites are not satisfied, the restriction of the processing and the portability of data; and (iv) the right to object, for reasons related to a particular situation, to the processing of data (including profiling) carried out on the basis of the legitimate interest of the Owner or the need for the same processing for the execution of a public interest task .

The law also recognises the right of the User to make a complaint to the Data Protection Authority, should the User discern a violation of his rights in accordance with applicable legislation regarding the protection of personal data. The User may exercise the rights listed above by writing to the data protection Officer at: dpo@eni.com.