In accordance with Regulation (EU) 2016/679 (‘GDPR’), Versalis S.p.A. (‘Company’ or the ‘Data Controller’) provides the following information regarding the processing of your personal data so that you can learn about our privacy policy and understand how your personal information is managed when you use services on the Website www.versalis.eni.com (‘Website’).

1. Identity and contact details of the Data Controller

The Data Controller is Versalis S.p.A., with registered office in San Donato Milanese (MI), Piazza Boldrini 1 (20097), who can be contacted at the following email address info@versalis.eni.com.

2. Contact details of the Data Protection Officer

The Company has appointed a Data Protection Officer, who can be contacted by email at dpo@eni.com.

3. Type of personal data processed

Your personal data processed fall into the category of so-called common personal data and concern data that we receive directly from your device and browser, such as navigation data and other information through the installation of cookies, to enable the operation and maintenance of the Website, to protect its security and to conduct statistical analyses.

Any data you provide by filling in the fields provided for this purpose on other websites to which the links on the Website refer will be processed in accordance with the privacy policy provided for on those websites, which we always recommend that you to consult.

4. Purpose of processing and legal basis for processing

a. Legal purposes – processing necessary for compliance with a legal obligation to which the data controller is subject

Your personal data may be processed, without the need for your consent, in cases where this is necessary to fulfil obligations arising from provisions of the law, as well as standards, codes or procedures approved by Authorities and other competent institutions. The conferment of data is required and if not provided the Data Controller will be unable to fulfil its legal obligations.

b. Contractual purposes – processing necessary to fulfil the User's request, as well as for the execution of the agreement concluded by accepting the Conditions

Your personal data will also be processed for purposes relating to and/or connected with the provision of the services you requested from the Company in connection with your navigation of the Website, specifically in order to ensure normal usability and navigation of the Website, the reading of news and the consultation of articles and sections, even if not registered.

For the above-mentioned purposes, the conferment of data is necessary and without it the Data Controller will not be able to fulfil your requests. For more information on the use of navigation data, please see the Cookie Policy.

c. Defence of a right in a legal proceeding.

In addition, your personal data will be processed whenever necessary in order to establish, exercise or defend a right of the Data Controller or other companies within Eni’s control in court. The legal basis for the processing is legitimate interest in the defence of the Data Controller.

d. Legitimate interest of the Data Controller

The Data Controller may process your personal data without your consent in the following cases:

• in the event of extraordinary operations involving a merger, sale or the transfer of a business unit, in order to allow the operations necessary for the activity of due diligence and preparations for the sale to be carried out. It is understood that data will only be processed for the aforementioned purposes if they are exclusively necessary, in aggregate/anonymous form as far as possible.
• analysis in an anonymous and aggregate form of the use of the services provided, in order to identify User habits and propensities, to improve the services provided and to meet specific User needs, i.e. preparation of initiatives related to the improvement of the services provided.

5. Recipients of personal data

For the pursuit of the purposes indicated in point 4, the Data Controller may communicate your personal data to third parties, such as, for example, those belonging to the following entities or categories of entities:

• police, armed forces and other government agencies, to fulfil obligations pursuant to laws, regulations or European Union legislation. In such cases, under the applicable law on data protection, there is no obligation to obtain the prior consent of the data subject for such communications;
• providers of IT Services who deal with the use of the multimedia and computer services required for Website functionality and the services set out in the Conditions;
• companies involved in market analysis and promotional communications via the web;
• companies, organizations or associations, or parent, subsidiary or associated companies pursuant to Article 2359 of the Civil Code, or between these and companies subject to joint control, and between consortia, business networks and groups and temporary joint ventures and connected entities, limited to communications made for administrative and/or accounting purposes.

With reference to the data communicated to them, the recipients belonging to the above categories may operate, depending on the case, as data processors (and in this case they will receive appropriate instructions from the Data Controller) or as autonomous data controllers. A complete list is available by contacting the Company or the DPO.

Your personal data are also stored on Data Controller databases and will be processed solely by authorised personnel. The latter will be provided with special instructions on the methods and purposes of processing. The data will not be shared.

6. Transfer of personal data outside the European Economic Area ('EEA')

For some of the purposes set out in point 4, your personal data may be transferred outside the EEA, including by means of inclusion in databases shared and managed by third companies, whether or not they are part of Eni's boundary of control. Management of the database and the processing of such data are linked to the purposes for which they were collected and are carried out in strict compliance with the standards of confidentiality and security set out in the applicable data protection laws.
Whenever your personal data is transferred internationally outside the EEA, the Data Controller shall take all appropriate and necessary contractual measures to ensure an adequate level of protection of your personal data in accordance with the provisions of this privacy policy, including, among others, the Standard Contractual Clauses approved by the European Commission.

7. Data retention period

The data will be stored for a period not exceeding that which is necessary for the purposes for which they have been collected or subsequently processed in accordance with the obligations of law. In particular, navigation data and cookies, where not instantaneous/temporary, will be retained in accordance with the timeframe set out in the Cookie Policy.

8. Rights of data subjects

As the data subject, you have the following rights over the personal data collected and processed by the Data Controller for the purposes indicated in point 3: (i) the right of access, in particular by requesting, at any time, confirmation of the existence of your personal data in the Company's archives and the provision of such information in a clear and intelligible manner, as well as the right to know the origin, logic and purpose of the processing with express and specific indication of the persons in charge and those responsible for processing and third parties to whom your data may be communicated; (ii) the right to obtain the updating and rectification of data (except for evaluation data), the deletion of superfluous data or their transformation into anonymous form, as well as the blocking of processing and definitive erasure in the event of unlawful processing; and (iii) if the conditions are met, the restriction of processing and data portability. The law also gives you the right to lodge a complaint with the Data Protection Authority, should you discover a violation of your rights under the applicable legislation concerning data protection.

You can exercise the rights listed above via the contact details in the Contacts section or by writing to the data protection officer dpo@eni.com.