Italgas recognises that the correct management of personal data is a fundamental value and therefore intends to pay the utmost attention to the protection of the personal data collected and processed within the scope of its business activities.
The Italgas Group's approach to personal data protection, in line with the principles of Corporate Social Responsibility, includes the voluntary adoption of virtuous behaviours that go beyond mere compliance with regulatory requirements.
The commitment to protect privacy
The Code of Ethics contains a specific paragraph on personal data protection (Sec. III, para. 4.2). The Code of Ethics has contractual value for all employees, and any violation therefore leads to the initiation of disciplinary proceedings as provided for under the national collective labour agreements.
As regards the supply chain, Italgas has adopted a specific “Code of Ethics of Italgas Suppliers” which includes a paragraph on privacy protection (para. 4.5).
The commitment to protect privacy therefore extends to all Group operations, including the Greek companies of the Group and its suppliers.
Data Protection Organisational Model
When Regulation (EU) 2016/679 (GDPR) became applicable in May 2018, the Italgas Group reviewed and updated its personal data governance system. It defined a Data Protection Organisational Model inspired by the requirements of the Regulation, together with a Data Protection Compliance Standard that sets out the principles applicable to processing and formalises roles and responsibilities within the corporate organisational structure, so as to ensure the correct processing of information relating to data subjects.
2.1 Integration of the Organisational Model into the Italgas Group’s risk management
The Data Protection Organisational Model is integrated into the internal control and risk management system of the Italgas Group. It attests to the Italgas Group's commitment to protecting the rights and fundamental freedoms of data subjects (whether employees, suppliers, final customers, potential customers or others). All components of the internal control and risk management system (e.g. control activities, monitoring, checks, and the penalty and disciplinary system) cover personal data processing activities and therefore help to ensure compliance with the law and company standards.
All potential risks to the rights and fundamental freedoms of the data subject that may arise from the processing of personal data are assessed objectively in order to determine the risk level that each data processing operation involves and to define appropriate mitigation measures. The Data Protection Officer and the Data Protection Team, which includes people with legal, organisational, ICT and security expertise, support managers throughout the whole risk assessment and compliance management process. Moreover, the Enterprise Risk Management (ERM) department coordinates the risk monitoring process at group level, including specific potential risks linked to compliance with the privacy regulations raised by the risk owners.
To ensure adequate management of the risks linked to personal data processing, both business risks and risks to the rights and fundamental freedoms of data subjects, and in addition to complying with Regulation (EU) 2016/679 (GDPR) and national legislation, the Italgas Group has defined appropriate measures, which it applies and keeps updated, to ensure an adequate level of security. These include organisational and technical measures designed to prevent the loss, alteration or unavailability of personal data and any unauthorised access to or use of it.
2.2 Organisational and regulatory system
The company's organisational and regulatory system defines the rules and processes and ensures their implementation and traceability in accordance with the principle of accountability. The procedures applicable at Group level incorporate and keep up to date the control and risk mitigation measures relating to personal data processing, including those linked to the supply chain, with a view to the continuous improvement of the privacy management system.
All employees receive instructions on personal data processing on the basis of their role and the context in which they operate, and are informed about the tools to use to report any data breaches.
An essential element of the Italgas Organisational Model is the Data Protection Compliance Standard, most recently updated on 30 June 2021, which describes the key points of the Model, identifies the key figures of the privacy organisation chart, and outlines roles and responsibilities in accordance with the recommendations and best practices of the European Data Protection Board (EDPB) and the provisions of the Italian Data Protection Authority. The Model also sets out the consequences of conduct that does not comply with data protection regulations. The Data Protection Compliance Standard can be downloaded from the link at the bottom of this page.
The Italgas Group has a Compliance Standard specifically dedicated to Data Breach management, which can also be downloaded from the link at the bottom of this page.
The Italgas Group has also adopted a “Data Protection Manual”, with the aim of providing clear and precise operational indications, based on the provisions of Regulation (EU) 2016/679 – GDPR and on guidelines defined by the Italian supervisory authority and the European Data Protection Board (EDPB). The content of the document is divided into sections dedicated to the processes of:
- Privacy by Design and Privacy by Default;
- Risk Analysis and Impact Assessment;
- Management of data subjects’ rights.
Failure to comply with the rules on the protection of personal data also constitutes a violation of the Code of Ethics and company regulations and, as required by the Data Protection Compliance Standard, entails the initiation of disciplinary proceedings.
The newly consolidated Greek companies EDA Thess, EDA Attikis and DEDA have also adopted a privacy organisational model, in line with the GDPR accountability principle, as well as an internal procedure for managing personal data breaches.
2.3 Data Protection Officer
Since 2018 Italgas has designated a Data Protection Officer. On 24 February 2021, the Board of Directors of Italgas S.p.A. (Parent Company) appointed Mr Luca Lazzeri as the Data Protection Officer (DPO) for Italgas S.p.A. The Data Protection Officer is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks assigned to him. The contact details of the Data Protection Officer have been communicated to the supervisory Authority.
The DPO, as a point of reference for data subjects and a point of contact for the supervisory authority, can be contacted at the following email address: email@example.com.
The DPO responsibilities for all Italian Group companies are allocated within the Internal Audit function of Italgas S.p.A. This position allows the DPO to fulfil his functions in full independence and in the absence of conflicts of interest, as well as to create synergies and ensure strong supervision of personal data protection issues.
The newly consolidated Greek companies EDA Thess, EDA Attikis and DEDA have their own DPOs, in line with the provisions of the GDPR.
2.4 Data Protection Team
The Data Protection Team, which includes experts in legal, IT, organisational and security matters, assists and supports all the people of the Italgas Group involved in processing activities whenever processes involving personal data change, and in particular in activities linked to innovation (e.g. Digital Factory), in order to ensure that new applications and new services are developed with data protection by design and by default in mind.
2.5 Supply chain
Suppliers shall comply with the Code of Ethics of Italgas Suppliers which includes a paragraph on privacy protection (para. 4.5). Moreover, suppliers are required to sign an Ethics Agreement and a specific “Personal Data Processing Agreement”, compliant with the provisions of the GDPR, which includes instructions on processing, violation of which is subject to the application of contractual remedies.
Under the Data Processing Agreement, the supplier undertakes to fully indemnify, hold harmless and compensate Italgas for any damage suffered by the latter as a result of a breach attributable to it (and/or to its employees, collaborators and subcontractors, where authorised and appointed). Moreover, Italgas has the right to terminate the Contract in the event of a violation of the provisions of the Data Processing Agreement.
Information on personal data processing
Pursuant to Article 4(1) of the GDPR, "personal data" means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
3.1 Content of the information
All Italgas Group companies, as Data Controllers, provide the Data Subjects with information on the processing of personal data through privacy notices, in compliance with articles 13 and 14 of the Regulation (EU) 2016/679 – GDPR. The privacy notices shall include, inter alia:
- type of personal data, purpose and legal basis for the processing (the nature of the information and the purpose for which it is used)
- methods of processing and nature of the provision (whether providing the data is mandatory or optional)
- data retention (how long the information is kept)
- communication, dissemination and transfer of data (disclosure to private and public entities, if any)
- rights of the data subject (the possibility to decide how personal data are collected, used, retained and processed)
- contact details of the Data Controller and of the Data Protection Officer.
3.2 Use of personal data for secondary purposes
Personal data are never used for purposes other than the primary purpose for which they were collected. In particular, in 2022, as in 2021, customer data were not used for secondary purposes.
3.3 Rights of data subjects
Data subjects, including customers, can exercise the rights provided for by Regulation (EU) 2016/679 (GDPR) (Articles 15 to 22 and 77), including:
- to withdraw consent at any time, where given, without prejudice to the lawfulness of the processing based on consent before its withdrawal (opt-in consent and opt-out option, where processing is based on consent)
- to request access to their personal data held by the company (right of access)
- to obtain the correction or deletion of their personal data (right to rectification and right to erasure)
- to obtain the restriction of processing, as well as to object to processing of personal data concerning them (right to restriction of processing and right to object)
- to receive a copy of the data concerning them in a structured, commonly used and machine-readable format and request that such data be transferred to other service providers, where technically feasible (right to data portability).
To exercise these rights, data subjects in Italy can contact the Data Protection Officer (DPO) by sending an e-mail to firstname.lastname@example.org. Data subjects in Greece can contact the DPO by writing to the email address indicated in the privacy notices.
Italgas carries out audits to assess how adequately its Data Protection Organisational Model complies with the applicable regulations.
This activity is carried out through:
- third-party audits, commissioned to an external audit firm specialised in this field (in 2022, to EY Advisory S.p.A.)
- Internal Audit activities
- other surveillance activities, promoted directly by the DPO
In each Internal Audit report a “GDPR focus” is included, dedicated to verifying the effectiveness of risk mitigation measures related to the processing of personal data, as well as compliance with the legislation on the protection of personal data. As part of Internal Audit activities, sample checks are also carried out on suppliers that process personal data on behalf of Italgas (data processors). The DPO is always involved in carrying out the GDPR focus.
Information on the results of the audit activities carried out in 2022 is set out in paragraph 5.
Activities in 2022
5.1 Main activities carried out during the year
- annual updating of the record of processing activities by the Data Managers with the support of the Data Protection Team;
- preparation and updating of privacy notices on personal data processing;
- start of the activities to update the “Data Breach Management” Compliance Standard, in order to implement the indications of the European Data Protection Board (EDPB) of 14 December 2021, organizational changes and, in general, with a view to improving accountability;
- management of requests by data subjects to exercise their rights within the terms provided for by the legislation;
- review of the privacy notices for visitors and users of the websites and portals of Italian Italgas Group companies, in order to ensure compliance with the Guidelines on cookies of June 2021 of the Italian Supervisory Authority;
- mapping of the life cycle of personal data of end customers, promoted and coordinated by the DPO and carried out with the involvement of the Sales Department of Italgas Reti S.p.A. and Bludigit S.p.A. An analysis of the processes for the end-to-end management of the end customer was carried out, to arrive at an overall representation of the personal data managed by the gas distribution companies across the various technological components and related data flows;
- update of the risk analysis related to personal data processing and assessment of the level of risk, with regard to the need to carry out/update the Data Protection Impact Assessments (DPIA);
- training and information for staff, also through the use of web platforms;
- assessment of the compliance of the newly acquired Greek companies EDA Thess, EDA Attikis and DEDA, which found them to be substantially compliant.
In 2022, the Data Protection Team met on 41 occasions.
It should also be noted that the Covid-19 green certifications of employees, acquired in compliance with and for the purposes dictated by the Italian national regulatory requirements applicable until 30 April 2022, have since been erased.
5.2 Audit and surveillance activities in 2022
Also in 2022, the Group underwent a third-party audit, conducted by EY Advisory S.p.A. and relating to the verification and analysis of the information provided to data subjects pursuant to articles 13 and 14 of the GDPR. The audit was extended to all Italian companies of the Group and did not reveal any significant gaps.
In order to verify the implementation and effectiveness of the Data Protection Organizational Model and the policies adopted in the field of privacy, also in 2022 the Italgas Group, as part of its Internal Audit activities, developed a specific focus on privacy issues. In each Internal Audit intervention, a “GDPR Test” was carried out, to verify the effectiveness of the risk mitigation measures related to the processing of personal data, as well as compliance with the legislation on personal data protection. The results are included in the Internal audit reports.
In addition, the DPO carried out his surveillance activities with reference to the processes and methodologies that guarantee data protection compliance, the lawfulness of processing, the updating of the risk analysis and the application of the related security measures, the correct management of cookies on the Group's websites and portals, and the performance of Data Protection Impact Assessments.
5.3 Communications and sanctions
With reference to all Italgas Group companies, in 2022:
- no data breach reports were received
- no substantiated complaints relating to personal data breaches were received
- no requests of any kind were received from the supervisory Authority
- no penalties for regulatory breaches concerning personal data protection were applied.
The “Data Protection” and “Data Breach Management” Compliance Standards can be downloaded below.