Italgas recognises that the correct management of personal data is a fundamentally important value and therefore intends to pay the utmost attention to the protection of the personal data collected and processed within the scope of its business activities.
The approach of Italgas Group to personal data protection, in line with the principles of Corporate Social Responsibility, includes the voluntary adoption of virtuous behaviour that goes beyond mere compliance with regulatory provisions.
The commitment to protect privacy
The Code of Ethics contains a specific paragraph on personal data protection (Sec. III, para. 4.2). The Code of Ethics has contractual value for employees and therefore any violations shall result in the start of disciplinary proceedings under the national collective labour agreement.
As regards the supply chain, Italgas has adopted a specific “Code of Ethics of Italgas Suppliers” which includes a paragraph on privacy protection (para. 4.5); moreover, suppliers are expected to sign an Ethics Agreement and a specific “Personal Data Processing Agreement” which includes instructions on processing, violation of which is subject to the application of contractual remedies.
Data Protection Organisational Model
When Regulation (EU) 2016/679 – GDPR came into effect in May 2018, the Italgas Group reviewed and updated its personal data governance system, defining a Data Protection Organisational Model inspired by the requirements of the Regulation and a data protection Compliance Standard to define the principles applicable to processing and to formalise the roles and responsibilities within the corporate organisational structure, in order to ensure the correct processing of information relating to the data subjects. This Standard, which applies to all Italgas Group companies, can be downloaded from the link at the bottom of this page.
The Data Protection Organisational Model is integrated into the Italgas Group’s risk management
The Data Protection Organisational Model is integrated into the internal control and risk management system of the Italgas Group. It attests to the Italgas Group’s commitment to protect the rights and fundamental freedoms of the data subjects (whether they be employees, suppliers, final customers, potential customers, or others). All components of the internal control and risk management system (e.g. control activities, monitoring, checks, and the penalty and disciplinary system) include data processing activities and therefore help to ensure compliance with the laws and company standards.
All the potential risks for the rights and fundamental freedoms of the data subject that may derive from the processing of personal data are assessed objectively in order to determine the risk level that each data processing operation involves and to define appropriate mitigation measures. The DPO and the Data Protection Team, which includes people with legal, organisational, ICT and security expertise, support managers throughout the whole risk assessment and compliance management process. Moreover, the Enterprise Risk Management (ERM) department coordinates the risk monitoring process at group level, including specific potential risks linked to compliance with the privacy regulations raised by the risk owners.
With a view to ensuring adequate management of the risks linked to personal data processing, as regards both business risks and those concerning the rights and fundamental freedoms of the data subjects, in addition to compliance with the provisions of the European data protection regulation (Regulation (EU) 2016/679 – GDPR) and national legislation (Legislative Decree 196/2003 as subsequently amended), the Italgas Group has defined appropriate measures, which it applies and keeps updated to ensure an adequate level of security. These include both organisational and technical measures suitable to prevent the loss, alteration or unavailability of personal data, and unauthorised access to or use of it.
Regulatory System and Data Breach Management
The company’s organisational and regulatory system defines the rules and processes and ensures their implementation and traceability in agreement with the principle of accountability. The procedures applicable at Group level incorporate and maintain up-to-date control and risk mitigation measures relating to personal data processing, including those linked to the supply chain, with a view to the continuous improvement of its privacy management system.
All employees receive instructions on personal data processing on the basis of their role and the context in which they operate, and are informed about the tools to use to report any data breaches.
The Italgas Group has a Compliance Standard specifically dedicated to Data Breach management, which can also be downloaded from the link at the bottom of this page.
Failure to comply with company regulations on personal data protection shall result in the start of disciplinary measures.
Data Protection Officer
Italgas has had a designated Data Protection Officer since 2018. On 24 February 2021, the Board of Directors of Italgas S.p.A. (Parent Company) appointed Mr Luca Lazzeri as the Data Protection Officer (DPO) for Italgas S.p.A.
The DPO, as a point of reference for data subjects and a point of contact for the control authority, can be contacted at the following email address: firstname.lastname@example.org.
Data Protection Team
The Data Protection Team, which includes experts in legal, IT, organisational and security matters, assists and supports all the people of the Italgas Group involved in processing activities at the time of changes to processes involving data protection, and in particular in activities linked to innovation (e.g. Digital Factory), in order to ensure the development of new applications and new services with a view to data protection by design and by default.
Activities in 2020
The main activities carried out in 2020 were:
- Annual updating of the record of processing activities by the Data Managers with the support of the Data Protection Team.
- Preparation and updating of information on personal data processing.
- Management of requests by data subjects to exercise their rights.
- With reference to the Covid-19 emergency, appropriate organisational and security measures have been taken to ensure the protection of personal data, as well as of the personal sphere of people, through the adoption of specific protocols.
- Updating of the contractual formats on data protection, already adopted in 2018, to be included in the contracts with suppliers, designated as data processors.
- Preparation and updating of the Data Protection Impact Assessment (DPIA).
- Training and information for staff, also through the use of web platforms.
- Raising awareness of phishing by sending emails to all employees, simulating a phishing attack.
- Updating of the “Operating Guide to Audit Activities – Section 2” approved in December 2020 and in force since 1 January 2021, envisaging that each audit shall include a “GDPR Test” to check the effectiveness of the risk mitigation measures associated with personal data processing, as well as compliance with the regulations on personal data protection.
Personal data protection monitoring was also significantly strengthened through the creation on 1 November 2020, within the Internal Audit department of Italgas S.p.A., of the DPO – Data Protection Officer unit, which will be assigned the DPO responsibilities of all the Group companies.
With reference to all Italgas Group companies, in 2020:
- No data breach reports were received.
- No substantiated complaints relating to personal data breaches were received.
- No requests of any kind have been received from the supervisory Authority.
- No penalties for regulatory breaches concerning personal data protection were applied.
In 2020 the data of customers / final customers were used for purposes other than the main one for which they were collected only to present offers for the supply of services to some customers of Gaxa SpA. At the Group level, the percentage of customer / final customer data used for purposes other than the main one for which they were collected was less than 0.1%.
Information on personal data processing