Privacy policy

Pursuant to Regulation (EU) 2016/679 (“GDPR“), Eni S.p.A. (the “Company” or the “Controller“) provides the following information to enable users (“Users“) of the website www.realestate.eni.com (“Website“) to understand how their personal information is collected and processed in connection with their navigation of the Website and use of the services accessible from the Website (“Services“).

1. Identity and contact information of the Data Controller

The data controller is Eni S.p.A., VAT no. 00905811006, with registered office in Piazzale Enrico Mattei, 1, 00144 Rome, Italy.

2. Contact information of the Data Protection Officer

For any information concerning the processing of personal data, you may contact the Data Protection Officer (hereinafter, ‘DPO‘) designated by the Company, by writing to the following e-mail address dpo@eni.com.

3. Categories of personal data processed

The subject of the processing is the following personal data of Users (“Personal Data” or “Data“):

  • personal and contact data required for the use of the Services (e.g. registration for the reserved area of the Website or subscription to the newsletter);
  • information related to the use of the Website, navigation data; technical data for the operation of the Website, including IP addresses, domain names of the computers and terminals used by Users, the URI/URL addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server, other parameters relating to the User’s operating system and computer environment (hereinafter, collectively “Navigation Data“);
  • geolocation data, only in the case of activation of the function referred to in par. 4, lett. c below.

4. Purposes of the processing and legal basis of the processing

a. Compliance with legal requirements and/or provisions issued by relevant Authorities (art. 6, par. 1, lett. c GDPR)

The User’s Personal Data may be processed in cases where this is necessary to fulfil obligations arising from provisions of the law, as well as to comply with requests from public authorities.

b. Execution of contractual measures upon request by the interested party (art. 6, par. 1, lett. b GDPR)

The User’s Data will also be processed for purposes related to and/or connected with the provision of the Services within the context of browsing the Website, specifically:

  • registration in the reserved area;
  • subscription to the newsletter and Mail Alert service, by filling in the appropriate forms on the Website;
  • fulfilment of any requests made by the User, also by e-mail, such as, for example, activation of access to additional documentation relating to specific properties.

c. Legitimate interest of the Controller (Art. 6, par. 1, lett. f GDPR)

  • During User navigation, utilising its computer systems and software procedures, the Website collects certain Navigation Data, the transmission of which is implicit in the use of Internet communication protocols. This Data, necessary for the use of web services, is also processed for the purpose of obtaining statistical information in aggregate and anonymous form with respect to the use of the Services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.), as well as to check the proper functioning of the services offered. These processing activities are based on the legitimate interest of the Company in continuously improving the efficiency and security of its Services.
  • In addition, the User’s Personal Data shall be processed whenever necessary in order to ascertain, exercise or defend a right of the Controller and/or third parties in court, based on the legitimate interest of the Controller and/or third parties in protecting their rights.

d. Consent (Art. 6, par. 1, lett. a GDPR)

Subject to the express consent of the User by means of a pop-up, which can be revoked at any time through the User’s browser settings, the Company may proceed to geolocalize the device used by the User for the sole purpose of activating the function offered by Google Maps, which consists of identifying the User’s position with respect to a property selected by the User.

5. Methods of processing personal data

The Data may also be processed by electronic or automated means, and managed using instruments that guarantee security and confidentiality; this will include any operation or set of operations necessary for the processing itself.

The User’s Personal Data is stored in the Data Controller’s databases and will be processed exclusively by authorised personnel, who will receive special instructions on how to process it.

6. Recipients of personal data

For the pursuit of the above-mentioned purposes, the Data Controller may communicate Users’ personal data to third parties belonging to the following entities or categories of entities:

  • police forces, armed forces and other public administrations, to fulfil the obligations provided for by laws, regulations or community legislation;
  • other companies controlled by Eni S.p.A.;
  • IT service providers.

The Data Controller guarantees to provide the best care possible so that only that Personal Data necessary to achieve these specific purposes is communicated to the aforesaid parties.

With regard to the Data disclosed to them, these recipients may either operate as data controllers (in which case they will contractually receive appropriate instructions from the Controller), or as independent data processors.

Finally, note that Users’ personal data will not be disseminated.

7. Transfer of personal data outside the European Economic Area

Where this is instrumental to the pursuit of the purposes set out in paragraph 4, the Data may also be transferred abroad to companies based outside the European Economic Area (“EEA“). Certain non-EEA jurisdictions may not provide the same level of data protection as within the EEA. In this case, the Data Controller undertakes that the Data will be treated with the utmost confidentiality by adopting the standard contractual clauses provided for by the European Commission and any other necessary measures pursuant to Article 46 GDPR where it is not possible to resort to one of the exceptions referred to in Article 49 GDPR.

8. Period of Data Retention

Data will be kept for a period of time not exceeding that necessary for the purposes for which it was collected. In addition, Personal Data may be retained for a later period in the event of disputes, requests by competent authorities or under applicable law.

9. Rights of the data subjects

Where applicable and within the limits of the GDPR, as a data subject, the User is granted the following rights over the Personal Data collected and processed by the Controller for the purposes indicated in point 4:

  • pursuant to Article 15 GDPR, to obtain from the Controller confirmation as to whether or not Personal Data is being processed and, if so, to obtain access to the following information: (i) the purposes of the processing; (ii) the categories of Personal Data in question; (iii) the recipients or the categories of recipients to whom or which the Personal Data has been or will be communicated, in particular if recipients located in third countries or international organisations; (iv) when possible, the period of storage of the Personal Data provided for or, if not possible, the criteria used to determine this period; (v) the right to lodge a complaint with a supervisory authority; (vi) if the data has not been collected from the User, all the information available on their origin; (vii) the existence of an automated decision-making process, including profiling, and information on the logic used and the expected consequences of this processing;
  • pursuant to Article 16 GDPR, obtain the rectification of inaccurate Data concerning the User or, taking into account the purposes of the processing, the integration of incomplete Personal Data;
  • pursuant to Article 17 GDPR, obtain the deletion of Personal Data, if one of the following reasons exists: (i) the Personal Data is no longer necessary with respect to the purposes for which it was collected or otherwise processed; (ii) the Personal Data is being processed illicitly; (iii) the User has withdrawn the consent on the basis of which the Data Controller had the right to process the Data and there is no other legal foundation that enables the Data Controller to perform the processing activity; (iv) the User has objected to the processing activity and there is no prevailing legitimate reason; (v) the Personal Data must be deleted to fulfil a legal obligation. However, the Company is entitled to disregard the request to exercise the aforementioned deletion rights if this is necessary to (a) carry out a legal obligation or the perform a task carried out in the public interest; or (b) to defend its own rights in court;
  • Pursuant to Article 18 GDPR, obtain limitations on the processing of Personal Data when one of the following cases occurs: (i) in the case the User has disputed the accuracy of Personal Data concerning them, for the period necessary for the Controller to verify the accuracy of such Personal Data; (ii) in case of unlawful processing of Personal Data, if the User objects to their deletion (iii) in case it is necessary for the establishment, exercise or defence of legal claims in court; (iv) for the period necessary to verify whether the legitimate reasons of the Controller prevail over the User’s request to object to the processing;
  • pursuant to Article 20 GDPR, receive in a structured, commonly used and readable format the Personal Data provided to the Company and processed by it based on the consent or contract with the user, as well as the right to transmit such data to another data controller without hindrance;
  • pursuant to Article 21 GDPR, object, on grounds relating to the User’s particular situation, to the processing of Data carried out on the basis of the legitimate interest of the Data Controller;
  • withdraw consent for the processing of personal data where consent is the legal basis.

Without prejudice to any other administrative or jurisdictional recourse, the law recognises the possibility for data subjects to lodge a complaint with the Garante per la protezione dei dati personali (Italian Data Protection Authority), should the User perceive a violation of their personal data protection rights.

The User may exercise the rights listed above by writing to the DPO at the following e-mail address dpo@eni.com.