Privacy Policy

Privacy Policy

Information on the processing of personal data

In accordance with Articles 13 and 14 of EU Regulation No. 2016/679 dated 27 April 2016 (hereinafter “Privacy Regulation”), the following information is provided regarding the processing of the personal data of users who access the www.gruppoa2a.it website and its subdomains. The information notice is not provided for any other websites consulted by the user via links.

1. Who holds the personal data?

The Data Controller of the personal data is A2A S.p.A with registered office in Via Lamarmora, 230 – 25124 Brescia and with management and administrative offices in Corso di Porta Vittoria, 4 – 20122 Milan

 

2. Who can be contacted?

For all matters regarding the processing of your personal data and the exercising of your rights, you may contact the Data Protection Officer (DPO), at dpo.privacy@a2a.it

 

3. Why is personal data processedi?

Purposes of data processing Legal basis for processing
Navigation data is used for the sole purpose of obtaining information on the use of the website, to check its correct functioning and to optmize its service.  The legitimate interest of the Controller in ensuring the proper functioning and optimal use of the website for users.
The data you provide through the contact form is processed for the sole purpose of providing the services that are requested (for example: request for information, sending a CV, sending an investor information request, subscribing to the Press Alert service, receiving newsletters, etc...).  To carry out your request (falling under, more in general, the performance of a contract or to take steps prior to a contract the request of the party concerned, in accordance with Article 6 c. 1 lett. b of the Privacy Regulation).
The Controller analyzes the naviagtion data of the person concerned to improve user experience and implement solutions to make the website more user-friendly.

Consent freely given by the person concerned.
Processing may be aimed at responding to requests from competent authorities and bodies, etc.. Compliance with a legal obligation.

 

4. Which personal data is processed?

The following personal data is processed:

  • navigation data collected during use of the site (e.g. IP addresses or domain names of the computers of users logging into the website, time of request, method used to submit request to server, server response status code, screen size, device type, area in the country where the connection is made and language);
  • personal data (e.g. first name, surname) and contact details (e.g. landline and/or mobile numbers, email address) collected in the forms found on the site;
  • other data that falls under the above categories.

5. How is the data processed?

Processing is carried out by authorized personal as part of their work, with or without the use of electronic means, according to the principles of lawfulness and fairness so as to protect the confidentiality and rights of the person concerned at all times.
Navigation data can be analyzed to improve the website only when prior specific consent has been given.

6. Who is the personal data communicated to?

Your personal data may be made available to:

  • companies providing filing services, IT services, marketing services, social media management services that will act as Data Processors;  
  • competent authorities and bodies that will act as Data Controllers.

Your data will not de disseminated (made available to unspecified parties).

 

7. Will your data be transferred to other countries? 

Your data will be processed within the European Economic Area (“EEA”). Notwithstanding this and by way of exception, should a transfer outside the EEA be necessary, such transfer will take place on the basis of an adequacy decision by the European Commission, if applicable, or with the appropriate guarantees required under the Privacy Regulation.

 

8. . For how long will your data be stored?

Your data will be stored for as long as is necessary to achieve the purposes for which it will be processed or to comply with legal obligations, and in particular:

  • in the CAREERS section, for a CV, it will be kept for 3 years from the date of its collection; 
  • in the INVESTOR section, for requests for information and subscriptions to the Press Alert, it will be stored for 1 month after the user has unsubscribed from the service; for the newsletter service for the entire period that you intend to use the service. If you unsubscribe, you will no longer receive our newsletter and your data will be cancelled from our systems within the following 2 months.

with information request forms (e.g. requests for joint conciliation or privacy issues, etc.), the data collected will be retained for the time necessary to respond to the request, unless there is a further contact with the user or for the completion of any administrative obligations (e.g. a request regarding a complaint or report must be retained beyond the period of its handling for up to a maximum of 10 years from its resolution).

The duration of cookies used on the site can be found in the relevant section of this information notice.
In the event of litigation, the aforesaid storage period may be extended by up to 10 years from the date of settlement of the litigation.
 

9. What are your rights?

You have the right to ask the Data Controller to:

  • confirm as to whether or not your personal data is being processed and, if so, to obtain access (right to access);
  • rectify any inaccurate personal data or to integrated any incomplete personal data (right to rectification);
  • delete the data on one of the grounds provided for in the Privacy Regulation (right to be forgotten);
  • restrict the processing on one of the grounds provided for in the Privacy Regulation (right to restriction);
  • receive the data you have provided to the Controller in a structured, commonly used and machine-readable format and to transmit such data to another Data Controller (right to data portability).

Right to object. When processing is carried out to pursue a legitimate interest of the Controller, we hereby inform you that you may object to such processing at any time. In this case, the Controller will refrain from further processing your personal data, unless there are compelling legitimate grounds for processing, or for the establishment, exercise or defense of rights in legal proceedings.
You can exercise you rights by sending an email to the DPO (dpo.privacy@a2a.eu) with the company name of the Data Controller, or by writing to the Data Controller.  
Without prejudice to any other administrative or jurisdictional recourse, you may lodge a complaint with the Data Protection Authority, if you consider that the processing that concerns you violates the Privacy Regulation.

 

10. Where is personal data obtained from?

The navigation data necessary for the functioning of the website is generated by the user during navigation and is acquired by the computer systems and software procedures that are used to operate it.
The personal data collected through the contact form is provided by you and any refusal to provide it prevents us from processing your requests.

 

11. Is the data subject to automated decisions?

The data will not be subject to decisions based solely on automated processing, including profiling, that produce legal effects on your person or significantly affect your  person.

12. Cookie

The website uses cookies and tracking tools to collect user browsing data, such as the IP address.
These are usually short strings of text that are placed and stored by the website manager (or by the manger of a third party website,  the so-called “third parties”) inside the user’s device (e.g. a computer, tablet, smartphone, etc.).
The following tools are used in the website.

  • Cookies and technical tools that are strictly necessary to ensure the proper and optimal functioning of the website or to provide the service requested by the user concerned. This category includes some tools (e.g. Google Maps, Sketchfab, Spotify) which, when in operation, carry out limited processing of personal data (this is basically limited to the IP address only) solely to provide the services requested by the user such as displaying maps on the website, displaying and using interactive graphics, displaying 3D images of our facilities, listening to podcasts directly on the website. User consent is not required here.
  • Third party cookies and analytical tools solely for processing aggregated and anonymous statistics. User consent is not required here.
  • Tools aimed at “improving the browsing experience” that allow the user to interact with contents from external platforms and networks (e.g. YouTube Widget Player). The operation of these tools is subject to the user's prior consent, which the user is free to give in the cookie banner and subsequently at any time by accessing the "Change Cookie Preferences" section link in the website footer. Measuring tools (e.g. Hotjar) that track user behavior and “measure” how the website is used. 
    This allows the Data Controller to verify, by means of the aggregated visual maps or the recording of navigation sessions created by these tools, the parts of the website that are most and least visited overall and to examine and take measures aimed at constantly improving the browsing experience. 
    Some of these tools may collect user IP addresses for tracking purposes.
    The operation of these tools is subject to the user's prior consent, which the user is free to give in the cookie banner and subsequently at any time by accessing the "Change Cookie Preferences" section link in the website footer.


For more information on the individual cookies and tracking tools used in the site, please refer to the cookie policy at the following link.  
Further information is available on the website page of the Garante per la Protezione dei Dati Personali 

(1) Regolamento generale sulla protezione dei dati (GDPR).
(2) Trattamento: qualsiasi operazione o insieme di operazioni, compiute con, o senza, l’ausilio di processi automatizzati e applicate a dati personali, o a insiemi di dati personali, come la raccolta, la registrazione, l’organizzazione, la strutturazione, la conservazione, l’adattamento o la modifica, l’estrazione, la consultazione, l’uso, la comunicazione mediante trasmissione, diffusione o qualsiasi altra forma di messa a disposizione, il raffronto o l’interconnessione, la limitazione, la cancellazione o la distruzione.
(3) Titolare del trattamento: la persona fisica o giuridica, l'autorità pubblica, che determina le finalità e i mezzi del trattamento di dati personali.
 

  • Under the terms of articles 13 and 14 of EU Regulation 2016/679 of 26 April 2016 (hereafter referred to as the ‘Privacy Regulation’), we provide the following information relative to the processing of the personal data.

     

    1. Who holds the personal data?

    The holder of the personal data is A2A S.p.A. with registered office in Via Lamarmora 230, 25124 Brescia, Italy, and head office in Corso di Porta Vittoria 4, 20122, Milan, Italy.

     

    2. Who can be contacted?

    For all queries related to the processing of personal data and the exercising of rights, contact the Data Protection Officer (RPD - Responsabile della Protezione dei Dati personali) at the following e-mail address: dpo.privacy@a2a.it.

     

    3. Why is personal data processed? 

    Your data is processed so that it is possible to check who accesses the premises of A2A Group companies. In particular, the processing enables the identification of people entering company premises and immediately knowing who is present there each day, also for reasons of personal safety. 
    We wish to inform you that, on these premises, for reasons of security and the protection of corporate assets, a closed-circuit videosurveillance system is in operation.

    The legal grounds for this are as follows:

    • the pursuit of a legitimate interest on the part of the data controller (eg. protection of corporate assets, safety of people present on the premises, defence of a right in a judicial proceeding); 

    the fulfilment of a legal obligation to which the data controller is subjected (eg. communication of data to public authorities and official agencies).

     

    4. Which personal data is processed? 

    The following categories of data are processed:

    • personal and identifying information (eg. name, surname, tax identification code, address, date and place of birth);
    • data related to the image (eg. identity card photograph and images recorded by the videosurveillance equipment);
    • other data relative to the categories inidcated above

     

    5. How is the data processed? 

    The processing is carried out by the personnel authorized to do so in the performance of their duties, with or without the support of electronic equipment, in accordance with the principles of lawfulness and correctness so as to safeguard at all times the confidentiality and the rights of the party involved.

    6.  Who is the personal data communicated to? 

    Your personal data can be made available to:

    • companies that provide IT, surveillance and security services and other companies of Group A2A that may act as data controller; 
    • public bodies and official agencies (when required) in the execution of their legal duties, which will act as data controller.

    Your data will not be divulged (made available to unspecified parties).

     

    7.  Is the data sent to other countries? 

    Your personal data will be processed within the European Economic Area (EEA). Should it be necessary, in exceptional circumstances, to transfer your personal data outside the EEA, this will take place on the basis of a decision of acceptability by the European Commission, if applicable, or in the presence of adequate guarantees requested by the Privacy Authority.

    8. For how long is the data kept?

    Your data will be stored for the time necessary to achieve the purposes for which it is being processed or to ensure compliance with the law and no longer than:

    • 7 days from the recording of images carried out for reasons of security and protection of corporate assets, with the exception of requests from judicial authorities or from the police;
    • 10 years from the verification of identity of those entering company premises.

    In the event of disputes, the length of time for which data can be held can be extended to 10 years from the definition of the dispute.

    9. Which rights can be exercised?

    You have the right to ask the Data Controller:

    • for confirmation that processing of your personal data is or is not under way and, if under way, that you can have access (right of access);
    • for correction of personal data that is incorrect or the completion of incomplete personal data (right of rectification);
    • for the deletion of the data if there is motivation as foreseen in the Privacy Regulation (right to erasure);
    • for limitation of the processing when one of the cases foreseen by the Privacy Regulation exists (right to restrict processing);
    • to receive the information provided to the data controller in a structured format, for normal use and readable using an automatic device, and to transmit such data to another data controller (right to data portability);
    • to object at any moment to the processing of your data for a legitimate interest on the part of the data controller and for marketing and profiling purposes (right to object); 

    To exercise your rights, you can make a written request to the Data Controller or Data Protection Officer, indicating the A2A Group company to which the request is addressed.
    Except in the case of other administrative or legal complaints or appeals, you have the right to ask the Privacy Authority to ensure protection of your personal data should you deem that its processing violates the privacy Regulation. 

     

    10.  From which source does the personal data originate and what are the consequences if the data is not given?

    All of the data gathered in the sphere of this processing is strictly functional to the stated purposes and to compliance with laws, including those relative to personal safety. The communication of personal data is discretionary but refusal to provide such data impedes access to A2A Group premises given the essential need to identify those entering the property.

     

    11.  Is the data subjected to automated decision making?

    The data will not be subjected to decisions based solely on automated processing, including profiling, which may have legal effects that concern or significantly affect your person.