Information on the processing of personal data Art.13 of EU Reg2016/679
- Data Controller and Data Protection Officer
- Purpose and legal basis of the processing
- Categories of processed data
- Recipients or categories of recipients of data
- Rights of the interested parties
5.1 Derogations from the exercise of rights
5.2 How to exercise rights
- Data retention period
- Transfer of data to third countries
- Automated credit scoring techniques or systems
Information on the processing of personal data Art.13 of EU Reg2016/679
- Data Controller and Data Protection Officer
The Data Controller is XL Energia e Gas Srl, via Bruno Buozzi 106 – 06061 – Castiglione del Lago – PG email: contatti@xlenergiaegas.com; P.Iva: 03407520547; tel: 075 953266 – fax: 075 9692086 – in person of the legal representative pro tempore.
- Purpose and legal basis of the processing
The Holder processes personal data of natural persons and / or freelancers (“Interested”) for the following purposes:
- the need to execute a contract for which the interested party is a party or to perform pre-contractual activities upon his request. This need represents the legal basis that legitimizes the resulting treatments. The provision of data necessary for these purposes represents, depending on the case, a contractual obligation or a necessary requirement for the conclusion of the contract; in the absence of these, the owner would be unable to establish the relationship or to implement it;
- the need to comply with legal obligations, instructions issued by the Supervisory Authority, the Magistrates, etc.). This need represents the legal basis that legitimizes the resulting treatments. Providing the data necessary for these purposes is a legal obligation; in the absence of them the owner would be unable to establish relationships and could have the obligation to make reports;
- sale of products and services of the owner and of third-party companies. The legal basis that legitimizes the resulting processing is the consent of the interested party, who is free to give or not and who can, however, revoke at any time. The provision of data necessary for these purposes is not mandatory and the refusal to supply them does not determine any negative consequences, except for the impossibility of receiving commercial communications;
- 3. Categories of processed data
The owner processes personal data collected directly from the interested party, or from third parties, including, but not limited to, personal data (eg name, surname, address, date and place of birth), information on the financial situation (eg financial situation , credit information relating to requests / credit reports), image data (eg photo on identity card) and voice recordings and other data referring to the categories indicated above.
The owner does not ask for and does not process his own personal details (eg data revealing racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, genetic data, data biometrics – designed to uniquely identify a natural person, data relating to a person’s health or sexual life or sexual orientation). However, it is possible that, in order to execute specific requests for services and operations relating to the relationship with the customer (eg payment of membership fees to parties or trade unions, bank transfers to associations, etc.), it should process such data. Since the holder can not intercept or reject these requests, the proposed contract can not be accepted if the interested party has not declared their written consent to the aforementioned treatment. The data in question will be used exclusively to execute the customer’s request.
- Recipients or categories of recipients of data
The data of the Data Subject may be disclosed to the natural and legal persons appointed as Data Processors and to the individuals authorized to process the data necessary for the performance of the duties assigned to them: employees of the Data Controller or other employees, temporary workers, qualified financial consultants to the off-site offer, interns and consultants.
The owner – without the consent of the interested party – can communicate the personal data in his possession:
- to those subjects to whom this communication must be carried out in compliance with an obligation established by law, by a regulation or by community legislation;
- to any companies belonging to the Group, or subsidiaries or associates pursuant to art. 2359 C.C. (also located abroad), when such communication is permitted as a result of a provision of the Privacy Guarantor or a provision of the law;
- in other cases provided for by the regulations in force on data protection, including, in particular, companies on behalf of which the owner carries out brokerage activities for the sale of their products / services.
- Rights of the interested parties
The current legislation on data protection attributes specific rights to the data subject, which, for the financial year
of the same can contact directly and at any time to the Data Controller.
The rights exercisable by the Interested party, described below, are:
- Right of access;
- Right of Rectification;
- Cancellation right;
- Right of limitation;
- Right to portability;
- Opposition law.
Interested parties and legal entities, bodies and associations may at any time modify the optional consent whenever they wish.
Right of access
The right of access provides the possibility for the interested party to know which personal data pertaining to them are processed by the holder and to receive a free copy (in case of further requested copies a contribution based on the costs incurred can be charged). The information provided includes the purposes of the processing, the categories of data processed, the expected retention period or, if not possible, the criteria used to define this period, as well as the guarantees applied in case of transfer of data to third countries. rights exercisable by the Interested party.
Right of rectification
The right of rectification allows the Interested Party to obtain the updating or correction of inaccurate or incomplete data that concern him.
. Cancellation right (e.g. “oblivion”)
The right to cancel, or to be forgotten, allows the interested party to obtain the cancellation of their personal data
in the following special cases:
- personal data are no longer necessary for the purposes for which they were collected and processed;
- the interested party revokes the consent on which the treatment is based, if there is no other legal basis that could otherwise legitimize it;
- the interested party opposes the processing and there is no further legitimate reason to proceed with the processing carried out by the holder for:
o the pursuit of a legitimate own or third party interest and there is no legitimate overriding reason for the holder to proceed with the processing,
or direct marketing purposes, including the related profiling;
- the personal data of the interested party have been unlawfully processed.
This right can be exercised even after the withdrawal of consent.
Right of limitation
The right of limitation can be exercised by the interested party in case:
- violation of the conditions of lawfulness of the processing, as an alternative to the deletion of data;
- request for rectification of data (pending adjustment) or opposition to their processing (pending the decision of the holder).
Without prejudice to the conservation, any other processing of the data whose limitation is requested is prohibited.
Right to portability
The right to portability allows the Data Subject to use their data held by the owner for other purposes. Each interested party may request to receive the personal data referred to him or request the transfer to another holder, in a structured format, commonly used and legible (Right to portability).
In particular, the data that can be object of portability are the personal data (eg name, surname, address, date and place of birth, residence), as well as a set of data generated by the transactional activity that the holder has defined for each macro -category of products / services (eg existing or extinct relationships, handling). This right does not apply to non-automated treatments (eg archives or paper records).
Opposition right
The right of opposition allows the interested party to oppose at any time, for reasons related exclusively to his situation, the processing of personal data concerning him
5.1 Derogations from the exercise of rights
Data protection legislation recognizes specific exceptions to the rights granted to the data subject. The holder must however continue to process the personal data of the interested party upon the occurrence of one or more of the following applicable conditions:
- execution of a legal obligation applicable to the holder;
- resolution of pre-litigation and / or litigation (own or third parties);
- internal and / or external investigations / inspections;
- requests by the Italian and / or foreign public authorities;
- reasons of significant public interest;
- execution of an existing contract between the holder and a third party;
- any other technical conditions / blocking status identified by the owner.
5.2 Method of exercising rights
Each interested party to exercise his rights may contact the owner at the e-mail address contatti@xlenergiaegas.com or submit a written request to XL ENERGIA SRL at the registered office in via Bruno Buozzi 106 – 06061 – Castiglione del Lago – PG.
The deadline for the reply is 15 (fifteen) days.
The exercise of rights is, in principle, free; the owner, considering the complexity of the processing of the request and, in the event of manifestly unfounded or excessive (even repetitive) requests, reserves the right to request a contribution.
The holder has the right to request additional information necessary for the identification purposes of the applicant.
- Period of data retention
The owner treats and keeps the personal data of the interested party for the entire duration of the contractual relationship, for the execution of the related and consequent obligations, for the respect of the applicable legal and regulatory obligations, as well as for own or third party defensive purposes , until the expiry of the data retention period. In particular, the retention period of the personal data of the interested party runs:
- from termination or withdrawal of the service supply contract;
- from the closing date of the User;
There is the obligation for the holder to inform of the cancellation request other holders who process the personal data of which the interested party has requested the cancellation. At the end of the applicable retention period, personal data relating to data subjects will be deleted or stored in a form that does not allow identification of the interested party, unless their further processing is necessary for one or more of the following purposes:
- resolution of pre-litigation and / or litigation initiated before the expiry of the retention period;
- to follow up investigations / inspections by internal control functions and / or external authorities initiated before the expiry of the retention period;
- resolution of pre-litigation and / or litigation initiated before the expiry of the retention period;
- Transfer of data to third countries
Personal data may also be transferred to countries outside the European Union or to the European Economic Area (so-called “Third Countries”) recognized by the European Commission having an adequate level of personal data protection or, if not, only if it is contractually guaranteed by all the suppliers of the holder located in the Third Country a level of personal data protection appropriate to that of the European Union (eg through the signing of the standard contractual clauses provided by the European Commission) and that the exercise is always guaranteed of the rights of the interested parties.
- Automated credit scoring techniques or systems
In order to assess the reliability of payments of the interested party, the holder uses some data concerning him, directly supplied by him or obtained by consulting some databases, also through the use of techniques or automated systems for the assessment of merit. credit score (credit scoring) ensuring compliance with the following principles:
- automated credit scoring techniques or systems are used only for the preparation of a credit application or for the management of established credit relations;
- the statistical analysis models or factors, as well as the algorithms for calculating judgments, indicators or scores, are periodically checked at least annually and updated according to the results of these checks. In view of the consultation of personal data relating to negative credit information in one or more databases, the request for credit may not be accepted.
The provision of personal data necessary for these purposes is mandatory and the related processing can not be object of opposition by the interested party, as deriving from a legal obligation.
COMPLAINTS OR REPORTING TO THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
If the interested party considers that he has suffered a violation of his rights, he can lodge a complaint or make a report to the Guarantor for the Protection of Personal Data or appeal to the Judicial Authority. The contacts of the Guarantor for the Protection of Personal Data are available on the website www.garanteprivacy.it