
Privacy protection
Italgas recognises that the correct management of personal data within the scope of its business activities is a fundamental value. Therefore, Italgas intends to operate with the utmost attention to their protection and transparently towards the data subject.
The approach of the Italgas Group to personal data protection, in line with the principles of Corporate Social Responsibility, provides for the voluntary adoption of virtuous behaviours that go beyond mere compliance with regulatory provisions, both by employees and by the supply chain, in line with the management policies of the entire corporate information assets.
The Code of Ethics contains a specific paragraph on personal data protection (Sec. III, para. 4.2). Furthermore, the Code of Ethics emphasizes the importance of employee training and awareness (Sec. II, para. 6.2) and of protection and response to security incidents (Sec. II, para. 6.4). The Code of Ethics has contractual value for all employees and therefore any violations must lead to the initiation of disciplinary proceedings as set out under the national collective labour agreements.
All Italgas Group companies in Italy and Greece have adopted the Code of Ethics.
As regards the supply chain, Italgas has adopted a specific “Code of Ethics of Italgas Suppliers” which includes a paragraph dedicated to privacy protection and information security (para. 4.5).
The commitment to protect privacy hence applies to all operations, including those of the Greek companies of the group and suppliers.
The Italgas Group has defined its own personal data governance system, adopting a Data Protection Organisational Model, articulated in three areas (Governance, Implementation & Management, Monitoring), inspired by the requirements of Regulation (EU) 2016/679 and a data protection Compliance Standard. The latter is aimed at setting out the principles applicable to processing and at formalising tasks and functions within the corporate organisational structure, in order to ensure the correct processing of information relating to the data subjects.
The Data Protection Organisational Model embodies Italgas’ commitment to ethical data governance.
2.1 Integration of the Organisational Model into the Italgas Group’s risk management
The Data Protection Organisational Model is integrated into the internal control and risk management system of the Italgas Group. It attests to the Italgas Group’s commitment to protect the rights and freedoms of the data subjects (whether they be employees, suppliers, end customers, potential customers, or others). All components of the internal control and risk management system (e.g. control activities, monitoring, reporting, and the penalty and disciplinary system) include data processing activities and therefore help to ensure compliance with the laws and company standards.
All potential risks to the fundamental rights and freedoms of the data subject that may arise from the processing of personal data are assessed objectively in order to determine the risk level that each data processing operation involves and to define appropriate mitigation measures. The Data Protection Officer and the Data Protection Team, which includes people with legal, organisational, ICT and security expertise, support managers throughout the whole risk assessment and compliance management process. Moreover, the Enterprise Risk Management (ERM) department coordinates the risk monitoring process at group level, including specific potential risks linked to compliance with the privacy regulations identified by the risk owners.
Furthermore, since 2024 Italgas has implemented its compliance management system, which allows the company to adopt a structured and integrated approach to the management of risks of non-conformity and non-compliance, in relation to all areas of compliance identified, including the protection of personal data. Italgas achieved certification of its Compliance Management System pursuant to technical standard UNI ISO 37301 in December 2024.
In order to ensure adequate management of risks related to personal data processing, both with regard to business risks and those concerning the fundamental rights and freedoms of the data subjects, as well as compliance with the provisions of the European data protection regulation (Regulation (EU) 2016/679 – GDPR) and national legislation (in Italy D.Lgs. 196/2003, in Greece Law nr. 4624/2019), the Italgas Group has defined appropriate measures which it applies and keeps updated to ensure an adequate level of security. These include both organisational and technical measures appropriate to prevent the loss, alteration, unavailability, unauthorised access and use of personal data.
2.2 Organisational and regulatory System
The company’s organisational and regulatory system defines the rules and processes and ensures their implementation and traceability in accordance with the principle of accountability. The procedures applicable at Group level incorporate and maintain up-to-date control and risk mitigation measures related to personal data processing, including those linked to the supply chain, with a view to the continuous improvement of its privacy management system.
All employees receive instructions on personal data processing on the basis of their role and the context in which they operate, and are trained to recognise potential data breaches and on the methods and tools to report them.
An essential element of Italgas’ Organisational Model is the Data Protection compliance standard, most recently updated on 21 January 2025, which describes the key points of the Model, identifies the key figures of the privacy organisation chart, and outlines tasks and functions in accordance with the Guidelines, recommendations and best practices of the European Data Protection Committee and the provisions of the Italian Data Protection supervisory Authority. Furthermore, the Model provides for the consequences of conduct not complying with Data Protection regulations. The Data Protection compliance standard can be downloaded from the link at the bottom of this page.
The Italgas Group has a Compliance Standard specifically dedicated to Data Breach management, updated in March 2024, which can also be downloaded from the link at the bottom of this page.
The Italgas Group has also adopted a “Data Protection Manual”, last updated on January 21, 2025, with the aim of providing clear and precise operational indications, based on the provisions of Regulation (EU) 2016/679 – GDPR and on guidelines defined by the Italian supervisory authority and the European Data Protection Board (EDPB). The content of the document is divided into sections dedicated to the processes of:
- risk assessment and management (Privacy by Design and Privacy by Default, risk analysis, preliminary impact assessment and impact assessment);
- data retention management;
- data subjects’ rights management;
- management of persons authorised to process personal data and of line reference persons;
- consent management.
Failure to comply with the rules on the protection of personal data also constitutes a violation of the Code of Ethics and company regulations and, as required by the Data protection standard, involves the opening of a disciplinary measure.
The Greek companies enaon and enaon EDA have also adopted a Data Protection Organizational Model consistent with the principles that inspired Italgas’ Data Protection Model, albeit designed around their specific needs and organizational structure, including the Data Protection compliance standard, as well as a procedure on data breach management and a Data protection Manual. They have also adopted procedures relating to privacy by design and privacy by default, risk analysis, impact assessment, consent management, updating of privacy notices, management of data subjects’ requests to exercise rights, as well as for managing requests and communications by the supervisory authority.
2.3 Data Protection Officer
Each company of the Italgas Group, by resolution of the Board of Directors, has appointed the Data Protection Officer (DPO). The Data Protection Officer is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks assigned to him/her. The contact details of the Data Protection Officer have been communicated to the supervisory Authority.
The DPO, as a reference point for data subjects and a contact point for the supervisory authority, can be contacted at the following email address: dpo.gdpr@italgas.it for Italian companies and dpo.gdpr@ena-on.gr for the Group’s Greek companies.
Employees, customers and all interested parties can contact the DPO for any privacy issue.
The DPO responsibilities of all Italian Group companies are allocated within the Internal Audit function of Italgas S.p.A. This position allows the DPO to fulfill his/her functions in full independence and in the absence of conflicts of interest, as well as to create synergies and ensure strong supervision on personal data protection issues.
The Greek companies enaon and enaon EDA have also designated a DPO, in accordance with the provisions of Regulation (EU) 2016/679 – GDPR. In addition, in accordance with Greek law, they have designated a Chief Information Security Officer (CISO).
2.4 Articulation of tasks and functions with regard to the processing of personal data
In accordance with the Data Protection Organisational Model, tasks and functions relating to the processing of personal data are identified within the organisational structure of each company of the Italgas Group, and in particular:
- Privacy Compliance Officer: has the task of ensuring that the personal data processing is carried out in compliance with Regulation (EU) 2016/679 – GDPR and with the current legislation on the protection of personal data. To this end, he/she attributes specific tasks and functions related to the processing of personal data within the company’s organisational structure.
- Data Managers: persons in charge of managing the company’s organizational structures involved in personal data processing operations. They are responsible for directing and supervising processing operations in order to ensure compliance with data processing regulations and company policies.
Furthermore, a Data Protection Team has been established, which includes legal, IT, organisational and security experts. It assists and supports all the people of the Italgas Group involved in processing activities at the time of changes to processes involving data protection, in particular during changes in data protection processes and in innovation-related activities (e.g. Digital Factory), to ensure the development of new solutions and new services with a view to data protection by design and by default.
2.5 Supply chain
Suppliers shall comply with the Code of Ethics of Italgas Suppliers which includes a paragraph on privacy protection (para. 4.5). In addition, suppliers are required to sign an Ethics Agreement and, if required to process personal data on behalf of Italgas, a specific “Personal Data Processing Agreement” (DPA), compliant with the provisions of the GDPR. This agreement designates them as data processors and includes instructions on processing, breach of which will result in the application of contractual remedies.
Each DPA outlines the specific obligations of the processors in handling personal data, ensuring that they:
- process data exclusively for the agreed purposes and in accordance with the company instructions and the contract
- implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- ensure that personnel accessing the data are subject to confidentiality obligations
- assist the company in fulfilling its obligations to respond to requests for exercise of the data subjects’ rights
- assist the company in ensuring compliance with its obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments
- submit to audits and inspections
- upon the termination of the DPA, delete or return all personal data to the company, unless otherwise required by law.
According to the Data Processing Agreement, the supplier undertakes to fully indemnify, hold harmless and compensate Italgas for any damage suffered by the latter as a result of a breach attributable to itself (and/or its employees, collaborators, subcontractors if any). Moreover, Italgas shall have the right to terminate the Contract with the supplier in the event of violation of the provisions of the Data Processing Agreement.
Pursuant to Article 4 of the GDPR, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.
In compliance with the principles of lawfulness, fairness and transparency, before processing the personal data of a data subject, it is necessary to inform him/her about the main characteristics of the processing.
3.1 Content of the information
All Italgas Group companies, as Data Controllers, provide the Data Subjects with information on the processing of personal data through privacy notices, in compliance with articles 13 and 14 of the Regulation (EU) 2016/679 – GDPR. The privacy notices shall include, inter alia:
- type of personal data, purpose and legal basis for the processing (includes nature of information and purpose of its use)
- methods of processing and nature of the provision
- data retention (how long the information is kept)
- communication, dissemination and transfer of data (disclosure to private and public entities, if any, as well as the possible transfer to third countries, if applicable)
- rights of the data subject (possibility to decide how personal data is collected, used, retained and processed, as well as the right to lodge a complaint with the supervisory authority)
- contact details of the Data Controller and of the Data Protection Officer
- date of last update of the privacy notice.
3.2 Use of personal data for secondary purposes
Personal data are not used for purposes other than the primary purpose for which they were collected under any circumstances. In particular, in 2024, as well as in the previous two years, customer data were not used for secondary purposes.
3.3 Rights of data subjects
Data subjects, including customers, can exercise the rights provided by Regulation (EU) 2016/679 – GDPR (art. 15-22 and 77), including:
- to request access to their personal data held by the company (right of access)
- to obtain the correction or deletion of their personal data (right to rectification and right to erasure)
- to obtain the restriction of processing, as well as to object to processing of personal data concerning them (right to restriction of processing and right to object)
- to receive a copy of the data concerning them in a structured, commonly used and machine-readable format and request that such data be transferred to other service providers, where technically feasible (right to data portability).
Data subjects also have the right to withdraw consent at any time, where given, without prejudice to the lawfulness of the processing based on consent before its withdrawal (opt-in consent and opt-out option, where processing is based on consent).
To exercise these rights, data subjects may contact the Data Protection Officer (DPO) by sending an e-mail to dpo.gdpr@italgas.it (for Italy) or dpo.gdpr@ena-on.gr (for Greece). The contact details of the DPO can be found in all privacy notices.
Moreover, data subjects have the right to lodge a complaint with the supervisory authority if they consider that the processing of personal data relating to them infringes Regulation (EU) 2016/679 – GDPR.
Italgas conducts both internal and external audits on compliance with privacy legislation, as well as with its privacy policy, and verifies the degree of adequacy of its Data Protection Organisational Model.
This activity is carried out through:
- third-party audits, commissioned from an external audit firm specialised in this field (in 2024, EY Advisory S.p.A.)
- Internal Audit activities
- other surveillance activities, promoted directly by the DPO
Furthermore, Italgas undergoes third-party audits for the purpose of certifying its compliance management system; Italgas obtained certification pursuant to the UNI ISO 37301 standard for the first time in December 2024.
Each Internal Audit report includes a “GDPR focus”, dedicated to verifying the effectiveness of risk mitigation measures related to the processing of personal data, as well as compliance with personal data protection regulations. As part of Internal Audit activities, sample checks are also carried out on suppliers that process personal data on behalf of Italgas (data processors). The DPO is always involved in carrying out the GDPR focus.
Information on the results of the audit activities carried out in 2024 is set out in paragraph “Activities in 2024”.
5.1 Main activities carried out during the year
- introduction of a new section of the Data Protection Manual, dedicated to the management of persons authorised to process personal data, containing operating procedures for their identification and instruction;
- annual updating of the record of processing activities by the Data Managers with the support of the DPO and the Data Protection Team;
- preparation and updating of privacy notices on personal data processing;
- management of requests by data subjects to exercise their rights within the terms provided for by the legislation;
- formalization of a document containing indications for the correct application of the Guidelines on cookies of June 2021 of the Italian Supervisory Authority;
- update of the risk analysis related to personal data processing and assessment of the level of risk of each processing activity, also with regard to the need to carry out/update the Data Protection Impact Assessments (DPIA);
- updating of all Data Protection Impact Assessments related to processing activities that involve a high risk. The DPO supervised the process and issued its opinion on each of them.
- training and information for staff, also through the use of web platforms. In 2023, a new e-learning course was designed and launched, specifically dedicated to persons authorised to carry out processing operations.
- analysis of potential technological solutions with a data protection impact, in particular with reference to AI applications to improve safety at work and to increase productivity.
- activities aimed at the adoption, by the Greek companies enaon and enaon EDA, of a Data Protection Organizational Model consistent with the principles that inspired Italgas’ model, albeit designed around their specific needs and organizational structure.
In 2023, the Data Protection Team met on 44 occasions.
5.2 Audit and surveillance activities
Also in 2023, the Group underwent a third-party audit, conducted by EY Advisory S.p.A. and relating to the process adopted by the Group Companies for the stipulation of contracts with suppliers, with regard to the protection of personal data. The audit was extended to all Italian companies of the Group and did not reveal any significant gaps.
In order to verify the implementation and effectiveness of the Data Protection Organizational Model and the policies adopted in the field of privacy, also in 2023 the Italgas Group, as part of its Internal Audit activities, devoted a specific focus to privacy issues. In each Internal Audit intervention, a “GDPR Test” was carried out, to verify the effectiveness of the risk mitigation measures related to the processing of personal data, as well as compliance with the legislation on personal data protection. The results are included in the Internal audit reports.
In addition, the DPO carried out its surveillance activities with reference to processes and methodologies to guarantee data protection compliance, lawfulness of processing, updating of risk analysis and application of related security measures, verification of the correct management of cookies on the Group’s websites and portals, as well as the performance of Data protection Impact Assessments.
5.3 Communications and sanctions
With reference to all Italgas Group companies, in the three-year period 2021-2023:
- no data breach reports were received
- no substantiated complaints relating to personal data breaches were received
- no requests of any kind have been received from the supervisory Authority
- no penalties for regulatory breaches concerning personal data protection were applied.
In 2023, the Supervisory Authority informed Italgas Reti S.p.A. that it had opened a proceeding following a complaint, and that it had archived it following an independent analysis of the documents and documentation received.
5.1 Main activities carried out during the year
- preparation of the proposal for updating the Data Protection Organisational Model, which also includes the “Data Protection” standard, which is an essential part of it. The updated Model, which includes additional accountability elements and strengthened information flows, was approved by the Board of Directors of Italgas S.p.A. on January 21, 2025.
- approval, on March 27, 2024, of the updated “Data Breach Management” Compliance standard. Updated with reference to the Guidelines adopted by the European Data Protection Board (EDPB) on December 14, 2021, the updated Compliance standard incorporates organisational changes and changes to the flow of activities and was revised, in general, with an aim of improving accountability.
- development of a proposal for updating the “Data Protection Manual” to improve the description of risk management methods and incorporate data retention and consent management. The updated Manual was approved by the Privacy Compliance Manager on January 21, 2025;
- annual updating of the record of processing activities (RPA) by the Data Managers with the support of the DPO and the Data Protection Team. In the record it is indicated if the processing can present a high risk and if it must therefore be subject to impact assessment;
- preparation and updating of privacy notices on personal data processing;
- management of requests by data subjects to exercise their rights within the terms established by the GDPR;
- update of the risk analysis related to personal data processing and assessment of the level of risk of each processing activity, also with regard to the need to carry out/update Data Protection Impact Assessments (DPIAs);
- update of Data Protection Impact Assessments related to processing activities that are likely to result in a high risk. The DPO monitored their performance and provided advice on each of the updated DPIAs.
- training and information activities for staff, also through the use of web platforms. In 2024 a training refresh program was started, with the release of the first e-learning “pills” dedicated to HR, operations, and commercial staff.
- analysis of potential technological solutions with a data protection impact, in particular with reference to AI applications to improve safety at work and to increase productivity (e.g., pilot project for the implementation of Copilot).
- adoption, by the Greek companies enaon and enaon EDA, of the Data Protection Organizational Model and data protection policies and procedures, in line with those of Italgas.
In 2024, the Data Protection Team met on 37 occasions.
5.2 Audit and surveillance activities
In 2024, the Group underwent a third-party audit, conducted by EY Advisory S.p.A. and regarding its whistleblowing management process, focusing on personal data protection aspects. The audit was extended to all Italian companies of the Group and did not reveal any significant gaps. Furthermore, in 2024 Italgas underwent third-party audits for the purpose of achieving certification of its compliance management system pursuant to the UNI ISO 37301 standard; the certification was obtained in December 2024 and the findings of the certification body were managed through the definition and implementation of appropriate corrective actions.
In order to verify the implementation and effectiveness of the Data Protection Organizational Model and the policies adopted in the field of privacy, also in 2024 the Italgas Group, as part of its Internal Audit activities, devoted specific attention to privacy issues. Each Internal Audit intervention included a “GDPR focus” dedicated to verifying the effectiveness of the risk mitigation measures related to the processing of personal data, as well as compliance with personal data protection regulations. The findings are included in the Internal audit reports.
In addition, the DPO has deployed its surveillance activities with reference to processes and methodologies to ensure data protection compliance, lawfulness of processing, updating of risk analysis and application of related security measures, monitoring participation in training courses on data protection issues, as well as the performance of Data protection Impact Assessments.
5.3 Communications and sanctions
With reference to all Italgas Group companies, in the three-year period 2022-2024:
- no data breaches were reported to the supervisory Authority
- no substantiated complaints relating to personal data breaches were received
- no requests of any kind have been received from the supervisory Authority
- no penalties for regulatory breaches concerning personal data protection were applied.