Privacy protection

Italgas recognises that the correct management of personal data is a fundamentally important value and therefore intends to pay the utmost attention to the protection of the personal data collected and processed within the scope of its business activities.

 

The approach of Italgas Group to personal data protection, in line with the principles of Corporate Social Responsibility, includes the voluntary adoption of virtuous behaviour that goes beyond mere compliance with regulatory provisions.

The commitment to protect privacy

The Code of Ethics contains a specific paragraph on personal data protection (Sec. III, para. 4.2). The Code of Ethics has contractual value for employees and therefore any violations shall lead to the initiation of disciplinary proceedings under the national collective labour agreement.

As regards the supply chain, Italgas has adopted a specific “Code of Ethics of Italgas Suppliers” which includes a paragraph on privacy protection (para. 4.5). Moreover, suppliers are expected to sign an Ethics Agreement and a specific “Personal Data Processing Agreement” which includes instructions on processing, violation of which is subject to the application of contractual remedies.

Data Protection Organisational Model

When Regulation (EU) 2016/679 – GDPR came into effect in May 2018, the Italgas Group reviewed and updated its personal data governance system, defining a Data Protection Organisational Model inspired by the requirements of the Regulation and a data protection Compliance Standard to define the principles applicable to processing and to formalise the roles and responsibilities within the corporate organisational structure, in order to ensure the correct processing of information relating to the data subjects. This Standard, which applies to all Italgas Group companies, can be downloaded from the link at the bottom of this page.

The Data Protection Organisational Model is integrated into the Italgas Group’s risk management

The Data Protection Organisational Model is integrated into the internal control and risk management system of the Italgas Group. It attests to the Italgas Group’s commitment to protect the rights and fundamental freedoms of the data subjects (whether they be employees, suppliers, final customers, potential customers, or others). All components of the internal control and risk management system (e.g. control activities, monitoring, checks, and the penalty and disciplinary system) include data processing activities and therefore help to ensure compliance with the laws and company standards.

All potential risks to the rights and fundamental freedoms of the data subject that may arise from the processing of personal data are assessed objectively in order to determine the risk level that each data processing operation involves and to define appropriate mitigation measures. The Data Protection Officer and the Data Protection Team, which includes people with legal, organisational, ICT and security expertise, support managers throughout the whole risk assessment and compliance management process. Moreover, the Enterprise Risk Management (ERM) department coordinates the risk monitoring process at group level, including specific potential risks linked to compliance with the privacy regulations raised by the risk owners.

With a view to ensuring adequate management of risks linked to personal data processing, as regards both business risks and those concerning the rights and fundamental freedoms of the data subjects, in addition to compliance with the provisions of the European data protection regulation (Regulation (EU) 2016/679 – GDPR) and national legislation (Legislative Decree 196/2003 as subsequently amended), the Italgas Group has defined appropriate measures which it applies and keeps updated to ensure an adequate level of security. These include both organisational and technical measures suitable to prevent the loss, alteration or unavailability of personal data, as well as unauthorised access to or use of it.

Regulatory System and Data Breach Management

The company’s organisational and regulatory system defines the rules and processes and ensures their implementation and traceability in agreement with the principle of accountability. The procedures applicable at Group level incorporate and maintain up-to-date control and risk mitigation measures relating to personal data processing, including those linked to the supply chain, with a view to the continuous improvement of its privacy management system.

All employees receive instructions on personal data processing on the basis of their role and the context in which they operate, and are informed about the tools to use to report any data breaches.

The Italgas Group has a Compliance Standard specifically dedicated to Data Breach management, which can also be downloaded from the link at the bottom of this page.

The Italgas Group has also adopted a “Data Protection Manual”, with the aim of providing clear and precise operational indications, based on the provisions of Regulation (EU) 2016/679 – GDPR and on guidelines defined by the Italian supervisory authority and the European Data Protection Board (EDPB). The content of the document is divided into sections dedicated to the processes of:

  • Privacy by Design and Privacy by Default;
  • Risk Analysis and Impact Assessment;
  • Management of data subjects’ rights.

Failure to comply with company regulations on personal data protection shall result in the start of disciplinary measures.

Data Protection Officer

Since 2018 Italgas has designated a Data Protection Officer. On 24 February 2021, the Board of Directors of Italgas S.p.A. (Parent Company) appointed Mr Luca Lazzeri as the Data Protection Officer (DPO) for Italgas S.p.A. The Data Protection Officer is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks assigned to him. The contact details of the Data Protection Officer have been communicated to the supervisory Authority.

The DPO, as a point of reference for data subjects and a point of contact for the control authority, can be contacted at the following email address: dpo.gdpr@italgas.it.

The DPO responsibilities of all Group companies are allocated within the Internal Audit function of Italgas S.p.A. This position allows the DPO to fulfil its functions in full independence and in the absence of conflicts of interest, as well as to create synergies and ensure strong supervision on personal data protection issues.

Data Protection Team

The Data Protection Team, which includes experts in legal, IT, organisational and security matters, assists and supports all the people of the Italgas Group involved in processing activities at the time of changes to processes involving data protection, and in particular in activities linked to innovation (e.g. Digital Factory), in order to ensure the development of new applications and new services with a view to data protection by design and by default.

Activities in 2021

The main activities carried out in 2021 were:

  • annual updating of the record of processing activities by the Data Managers with the support of the Data Protection Team;
  • preparation and updating of notices on personal data processing;
  • update of the “Data Protection” Compliance Standard, in order to include the consequences of conduct that does not comply with the regulations on Data Protection;
  • management of requests by data subjects to exercise their rights;
  • with reference to the Covid-19 emergency, in a context characterized by a changing regulatory framework and with the constant involvement of the DPO, the organisational and security measures to ensure the protection of personal data, as well as the personal sphere of those concerned, have been kept up to date through the updating of Covid-19 protocols and the development of dedicated applications;
  • update of the risk analysis related to personal data processing and assessment of the level of risk, with regard to the need to carry out/update the Data Protection Impact Assessments (DPIA);
  • training and information for staff, also through the use of web platforms;
  • performance, in each Internal Audit intervention, of a “GDPR Test” aimed at checking the effectiveness of the risk mitigation measures related to the processing of personal data, as well as compliance with the legislation on personal data protection, as provided for in the “Operational guide to audit activities – section 2”.

With reference to all Italgas Group companies, in the three-year period 2019-21:

  • no data breach reports were received;
  • no substantiated complaints relating to personal data breaches were received;
  • no requests of any kind were received from the supervisory Authority;
  • no penalties for regulatory breaches concerning personal data protection were applied.

In 2021, the process adopted by the Italgas Group for the management of requests for the exercise of rights by data subjects was subject to third-party audits; the audit did not reveal any relevant gaps.

Personal data are not used for purposes other than the primary purpose for which they were collected under any circumstances. In particular, in 2021 customer data were not used for secondary purposes.

Information on personal data processing

The Privacy Policy page contains information on the processing of the data collected while visiting the website www.italgas.it in compliance with articles 13 and 14 of the Regulation (EU) 2016/679 – GDPR and the Cookie Policy. The information is provided only for the domain indicated above and not also for other websites that may have been visited by the user through links to other domains.

Rights of the data subject

Data subjects, including customers, can exercise the rights provided by Regulation (EU) 2016/679 – GDPR (art. 15 et seq.), including:

  • to withdraw their consent, if given, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal (opt-in consent and opt-out option, where processing is based on consent)
  • to request access to their personal data held by the company (right of access)
  • to obtain the correction or deletion of their personal data (right to rectification and right to erasure)
  • to obtain the restriction of processing, as well as to object to processing of personal data concerning them (right to restriction of processing and right to object)
  • to receive a copy of the data concerning them in a structured, commonly used and machine-readable format and to have the personal data transferred directly from one service provider to another, where technically feasible (right to data portability).

To exercise these rights, data subjects can contact the Data Protection Officer (DPO) by sending an e-mail to dpo.gdpr@italgas.it.

The complete information notice on the processing of the users’ personal data for Gas Emergency Services (in Italian) can also be downloaded below.
