Privacy protection

The Code of Ethics contains a specific paragraph on personal data protection (Sec. III, para. 4.2). Furthermore, the Code of Ethics emphasizes the importance of employee training and awareness (Sec. II, para. 6.2) and of protecting against and responding to security incidents (Sec. II, para. 6.4). The Code of Ethics has contractual value for all employees and therefore any violations must lead to the initiation of disciplinary proceedings as set under the national collective labour agreements.

All Italgas Group companies in Italy and Greece have adopted the Code of Ethics.

As regards the supply chain, Italgas has adopted a specific “Code of Ethics of Italgas Suppliers” which includes a paragraph on privacy protection (para. 4.5).

The commitment to protect privacy hence applies to all operations, including the Greek companies of the group and suppliers.

The Italgas Group has defined its own personal data governance system, adopting a Data Protection Organisational Model, structured in three areas (Governance, Implementation & Management, Monitoring), inspired by the requirements of Regulation (EU) 2016/679 and a data protection Compliance Standard. The latter is aimed at setting out the principles applicable to processing and at formalising the roles and responsibilities within the corporate organisational structure, in order to ensure the correct processing of information relating to the data subjects.

The Data Protection Organisational Model embodies Italgas’ commitment to ethical data governance.

2.1 Integration of the Organisational Model into the Italgas Group’s risk management

The Data Protection Organisational Model is integrated into the internal control and risk management system of the Italgas Group. It attests to the Italgas Group’s commitment to protect the rights and fundamental freedoms of the data subjects (whether they be employees, suppliers, final customers, potential customers, or others). All components of the internal control and risk management system (e.g. control activities, monitoring, reporting, and the penalty and disciplinary system) include data processing activities and therefore help to ensure compliance with the laws and company standards.

All potential risks to the rights and fundamental freedoms of the data subject that may arise from the processing of personal data are assessed objectively in order to determine the risk level that each data processing operation involves and to define appropriate mitigation measures. The Data Protection Officer and the Data Protection Team, which includes people with legal, organisational, ICT and security expertise, support managers throughout the whole risk assessment and compliance management process. Moreover, the Enterprise Risk Management (ERM) department coordinates the risk monitoring process at group level, including specific potential risks linked to compliance with the privacy regulations raised by the risk owners.

With a view to ensuring adequate management of risks linked to personal data processing, as regards both business risks and those concerning the rights and fundamental freedoms of the data subjects, in addition to compliance with the provisions of the European data protection regulation (Regulation (EU) 2016/679 – GDPR) and national legislation (in Italy D.Lgs. 196/2003, in Greece Law nr. 4624/2019), the Italgas Group has defined appropriate measures which it applies and keeps updated to ensure an adequate level of security. These include both organisational and technical measures suitable to prevent the loss, alteration, unavailability, access and unauthorised use of personal data.

2.2 Organisational and regulatory System

The company’s organisational and regulatory system defines the rules and processes and ensures their implementation and traceability in agreement with the principle of accountability. The procedures applicable at Group level incorporate and maintain up-to-date control and risk mitigation measures relating to personal data processing, including those linked to the supply chain, with a view to the continuous improvement of its privacy management system.

All employees receive instructions on personal data processing on the basis of their role and the context in which they operate, and are trained to recognise any data breaches and on the methods and tools to report them.

An essential element of the Italgas’ Organisational Model is the Data Protection compliance standard, most recently updated on 30 June 2021, which describes the key points of the Model, identifies the key figures of the privacy organisation chart, outlines roles and responsibilities in accordance with the recommendations and best practices of the European Data Protection Committee and the provisions of the Italian Data Protection Authority. Moreover, the Model provides for the consequences of conduct not complying with Data Protection regulations. The Data Protection compliance standard can be downloaded from the link at the bottom of this page.

The Italgas Group has a Compliance Standard specifically dedicated to Data Breach management, updated in March 2024, which can also be downloaded from the link at the bottom of this page.

The Italgas Group has also adopted a “Data Protection Manual”, with the aim of providing clear and precise operational indications, based on the provisions of Regulation (EU) 2016/679 – GDPR and on guidelines defined by the Italian supervisory authority and the European Data Protection Board (EDPB). The content of the document is divided into sections dedicated to the processes of:

• Privacy by Design and Privacy by Default;
• Risk Analysis and Impact Assessment;
• Management of data subjects’ rights;
• Management of persons authorised to process data

Failure to comply with the rules on the protection of personal data also constitutes a violation of the Code of Ethics and company regulations and, as required by the Data protection standard, involves the opening of a disciplinary measure.

The Greek companies enaon and enaon EDA also have adopted a Data Protection Organizational Model consistent with the principles that inspired Italgas’ Data Protection Model, albeit designed on their specific needs and organizational structure, including the Data Protection compliance standard, as well as a procedure on data breach management. Procedures relating to privacy by design and privacy by default, risk analysis and impact assessment, and the management of data subjects’ rights are also being adopted.

2.3 Data Protection Officer

Each company of the Italgas Group, by resolution of the Board of Directors, has appointed the Data Protection Officer (DPO). The Data Protection Officer is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks assigned to him/her. The contact details of the Data Protection Officer have been communicated to the Supervisory Authority.

The DPO, as a point of reference for data subjects and a point of contact for the supervisory authority, can be contacted at the following email address: dpo.gdpr@italgas.it for Italian companies and dpo.gdpr@ena-on.gr for Greek companies of the Italgas Group. Employees, customers and data subjects can contact the DPO for any privacy issue.

The DPO responsibilities of all Italian Group companies are allocated within the Internal Audit function of Italgas S.p.A. This position allows the DPO to fulfill its functions in full independence and in the absence of conflicts of interest, as well as to create synergies and ensure strong supervision on personal data protection issues.

The Greek companies enaon and enaon EDA have also designated the DPO, in accordance with the provisions of Regulation (EU) 2016/679 – GDPR. In addition, in accordance with Greek law, they have designated a Chief Information Security Officer (CISO).

2.4 Articulation of tasks and functions in the field of data protection 

In accordance with the Data Protection Organisational Model, roles and responsibilities with regard to the processing of personal data are identified within the organisational structure of each company of the Italgas Group, and in particular:

– Privacy Compliance Officer: has the task of ensuring that the processing is carried out in compliance with Regulation (EU) 2016/679 – GDPR and with the current legislation on the protection of personal data, as well as identifying company figures to whom it assigns specific powers in this regard.

– Data Managers: persons in charge of managing the company’s organizational structures involved in the processing operations. They are responsible for supervising the performance of processing operations.

Moreover, the Data Protection Team is established, which includes experts in legal, IT, organisational and security matters, assists and supports all the people of the Italgas Group involved in processing activities at the time of changes to processes involving data protection, and in particular in activities linked to innovation (e.g. Digital Factory), in order to ensure the development of new applications and new services with a view to data protection by design and by default.

2.5 Supply chain

Suppliers shall comply with the Code of Ethics of Italgas Suppliers which includes a paragraph on privacy protection (para. 4.5). Moreover, suppliers are required to sign an Ethics Agreement and a specific “Personal Data Processing Agreement” (DPA), compliant with the provisions of the GDPR, which provides for their designation as data processors and includes instructions on processing, violation of which is subject to the application of contractual remedies.

Each DPA outlines the specific obligations of the processors in handling personal data, ensuring that they:

• process data solely for the agreed purposes and in accordance with the company’s instructions and the contract
• implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
• ensure that personnel accessing the data are subject to confidentiality obligations
• assist the company in fulfilling its obligations to respond to requests for exercising the data subjects’ rights
• assist the company in ensuring compliance with its obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments
• submit to audits and inspections
• upon the termination of the DPA, delete or return all personal data to the company, unless otherwise required by law.

According to the Data Processing Agreement, the supplier undertakes to fully indemnify, hold harmless and compensate Italgas for any damage suffered by the latter as a result of a breach attributable to itself (and/or its employees, collaborators, subcontractors if authorized and appointed). Moreover, Italgas shall have the right to terminate the Contract in the event of violation of the provisions of the Data Processing Agreement.

Pursuant to Article 4 of the GDPR, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.

In compliance with the principles of lawfulness, fairness and transparency, before processing the personal data of a data subject, it is necessary to inform him/her about the main characteristics of the processing.

3.1 Content of the information

All Italgas Group companies, as Data Controllers, provide the Data Subjects with information on the processing of personal data through privacy notices, in compliance with articles 13 and 14 of the Regulation (EU) 2016/679 – GDPR. The privacy notices shall include, inter alia:

• type of personal data, purpose and legal basis for the processing (includes nature of information and purpose for its use)
• methods of processing and nature of the provision
• data retention (how long the information is kept)
• communication, dissemination and transfer of data (disclosure vs. private and public entities, if any, as well as about the possible transfer to third countries, if applicable)
• rights of the data subject (possibility to decide how personal data is collected, used, retained and processed, as well as the right to lodge a complaint with the supervisory authority)
• contact details of the Data Controller and of the Data Protection Officer
• date of last update of the privacy notice.

3.2 Use of personal data for secondary purposes

Personal data are not used for purposes other than the primary purpose for which they were collected under any circumstances. In particular, in 2023, as well as in the previous two years, customer data were not used for secondary purposes.

3.3 Rights of data subjects

Data subjects, including customers, can exercise the rights provided by Regulation (EU) 2016/679 – GDPR (art. 15-22 et 77), including:

• to withdraw consent at any time, where given, without prejudice to the lawfulness of the processing based on consent before its withdrawal (opt-in consent and opt-out option, where processing is based on consent)
• to request access to their personal data held by the company (right of access)
• to obtain the correction or deletion of their personal data (right to rectification and right to erasure)
• to obtain the restriction of processing, as well as to object to processing of personal data concerning them (right to restriction of processing and right to object)
• to receive a copy of the data concerning them in a structured, commonly used and machine-readable format and request that such data be transferred to other service providers, where technically feasible (right to data portability).

To exercise these rights, data subjects may contact the Data Protection Officer (DPO) by sending an e-mail to dpo.gdpr@italgas.it (for Italy) or dpo.gdpr@ena-on.gr (for Greece). The contact details of the DPO can be found in all privacy notices.

Moreover, data subjects have the right to lodge a complaint with the supervisory authority if they consider that the processing of personal data relating to them infringes Regulation (EU) 2016/679 – GDPR.

Italgas carries out internal audits and undergoes third-party audits to review the degree of adequacy of its Data Protection Organisational Model in terms of compliance with applicable regulations.

This activity is carried out through:

1. third-party audits, commissioned to an external audit firm specialised in this field (in 2023, to EY Advisory S.p.A.)
2. Internal Audit activities
3. other surveillance activities, promoted directly by the DPO

In each Internal Audit report a “GDPR focus” is included, dedicated to verifying the effectiveness of risk mitigation measures related to the processing of personal data, as well as compliance with the legislation on the protection of personal data. As part of Internal Audit activities, sample checks are also carried out on suppliers that process personal data on behalf of Italgas (data processors). The DPO is always involved in carrying out the GDPR focus.

Information on the results of the audit activities carried out in 2023 is set out in paragraph “Activities in 2023”.

5.1 Main activities carried out during the year

• introduction of a new section of the Data Protection Manual, dedicated to the management of persons authorised to process personal data, containing operating procedures for their identification and instruction;
• annual updating of the record of processing activities by the Data Managers with the support of the DPO and the Data Protection Team;
• preparation and updating of privacy notices on personal data processing;
• management of requests by data subjects to exercise their rights within the terms provided for by the legislation;
• formalization of a document containing indications for the correct application of the Guidelines on cookies of June 2021 of the Italian Supervisory Authority;
• update of the risk analysis related to personal data processing and assessment of the level of risk of each processing activity, also with regard to the need to carry out/update the Data Protection Impact Assessments (DPIA);
• Updating all Data Protection Impact Assessments related to processing activities that involve in a high risk. The DPO supervised the process and issued its opinion on each of them.
• training and information for staff, also through the use of web platforms. In 2023, a new e-learning course was designed and launched, specifically dedicated to persons authorised to carry out processing operations.
• analysis of potential technological solutions with a data protection impact, in particular with reference to AI applications to improve safety at work and to increase productivity.
• activities aimed at the adoption, by the Greek companies enaon and enaon EDA, of a Data Protection Organizational Model consistent with the principles that inspired Italgas’ model, albeit designed on its specific needs and organizational structure.

In 2023, the Data Protection Team met on 44 occasions.

5.2 Audit and surveillance activities 

Also in 2023, the Group underwent a third-party audit, conducted by EY Advisory S.p.A. and relating to the process adopted by the Group Companies for the stipulation of contracts with suppliers, with regard to the protection of personal data. The audit was extended to all Italian companies of the Group and did not reveal any significant gaps.

In order to verify the implementation and effectiveness of the Data Protection Organizational Model and the policies adopted in the field of privacy, also in 2023 the Italgas Group, as part of its Internal Audit activities, devoted a specific focus on privacy issues. In each Internal Audit intervention, a “GDPR Test” was carried out, to verify the effectiveness of the risk mitigation measures related to the processing of personal data, as well as compliance with the legislation on personal data protection. The results are included in the Internal audit reports.

In addition, the DPO carried out its surveillance activities with reference to processes and methodologies to guarantee data protection compliance, lawfulness of processing, updating of risk analysis and application of related security measures, verification of the correct management of cookies on the Group’s websites and portals, as well as the performance of Data protection Impact Assessments.

5.3 Communications and sanctions

With reference to all Italgas Group companies, in the three-year period 2021-2023:

• no data breach reports were received
• no substantiated complaints relating to personal data breaches were received
• no requests of any kind have been received from the supervisory Authority
• no penalties for regulatory breaches concerning personal data protection were applied.

In 2023, the Supervisory Authority informed Italgas Reti S.p.A. that it had opened a proceeding following a complaint, and that it had archived it following an independent analysis of the documents and documentation received.