For Public Entities: The collection of data and requests is carried out exclusively for the purpose of assessing potential interactions with representatives of the Public Entity, with a view to initiating public–private partnership procedures or concession arrangements for the provision of services that the Company is able to offer.

PRIVACY NOTICE REGARDING THE PROCESSING OF PERSONAL DATA

Edison Next S.p.A. (“Edison Next”) and the companies belonging to the Edison Next group, acting as independent data controllers, hereby inform you that, pursuant to Article 13 of the EU General Data Protection Regulation No. 2016/679 (“Regulation” or “GDPR”), and to Legislative Decree 196/2003 as amended, the personal data provided by the data subjects indicated below, in relation to the purposes of processing described under Section 4, will be processed in compliance with the applicable provisions of the GDPR and of the Italian Privacy Code.

1. Source of Data

The personal data subject to processing are collected directly from the data subject.

2. Categories of Data Subjects

This Privacy Notice applies to:

• Users of the website
• Prospective customers (during the expression-of-interest phase or the contract negotiation phase)

Hereinafter, the individuals listed above are referred to as the “data subjects”.

3. Categories of Personal Data Processed

The processed data include: Personal data enabling direct identification (e.g., personal details, contact details); browsing data (data provided through website navigation, processed to ensure the proper functioning of the website). For further information, please refer to the cookie policy available on the website.

4. Purposes of Processing, Legal Bases, and Data Retention Period

Personal data will be collected directly from the data subject and processed for the purposes and on the corresponding legal bases indicated below.

1. Processing based on pre-contractual and/or contractual measures

• To manage and respond to requests submitted voluntarily by the data subject through the online contact form.

2. Processing based on the data subject’s explicit consent

• For promotional, commercial, and marketing activities carried out by Edison Next, including: 1) sending advertising, informative, or promotional material regarding new products/services relating to Edison Next’s integrated offering and that of its Business Units and/or subsidiaries; 2) direct selling of products/services by Edison Next and its subsidiaries through different sales channels; 3) assessment of customer satisfaction with the quality of products/services provided, carried out directly or through specialised companies by means of interviews or other survey tools.

3. Processing based on compliance with a legal obligation

1. To fulfil legal obligations imposed on the Controller under laws, regulations, EU legislation, or binding orders/requests issued by competent Authorities or Supervisory Bodies.
2. To carry out any other activity required to comply with sector-specific regulations, including EU regulations and national laws.

4. Processing based on the Controller’s legitimate interests

1. To establish, exercise or defend legal claims in judicial, administrative, or out-of-court proceedings, including those involving the data subject.
2. To conduct audits to ensure corporate compliance and adherence to the applicable legal framework.

Providing consent to the processing of personal data for the purposes set out under Section 4.2 is optional. A refusal to provide consent does not affect the provision of requested products/services. The data subject may withdraw consent or object to such processing at any time by submitting a request to Edison Next.

Data Retention Period

Personal data will be retained as follows:

• Up to 24 months from collection for purposes related to responding to the data subject’s requests.
• Up to 24 months from the acquisition of valid, current, and updated consent for marketing purposes, unless consent is withdrawn earlier by the data subject.
• For the period strictly necessary to conduct audits.
• For the period strictly necessary to establish, exercise or defend legal claims, including for the entire duration of any disputes and until the expiration of the statutory limitation periods.
• For the period strictly necessary to comply with legal obligations imposed on the Controller and/or to respond to requests from authorised Authorities.

5. Methods of Processing

Data processing will be performed using electronic and telecommunication tools, as well as paper-based media, employing appropriate technical and organisational security measures to ensure confidentiality, integrity, availability and protection of personal data, in accordance with the Regulation.

6. Categories of Data Recipients and Transfers Outside the EU

The data subject’s personal data may be accessed by: (i) employees and contractors of Edison Next and of the Edison Next group companies, acting as persons authorised to process data based on their corporate role and appropriately instructed by the Controller; (ii) employees and contractors of companies controlled by, controlling, or affiliated with the Edison Group, also acting as authorised and instructed persons;
(iii) third-party service providers (technical, technological, mailing, and other providers instrumental to the supply of the contracted products/services; call centres; marketing, advertising and market-research companies for activities subject to the data subject’s consent), duly appointed as Data Processors under Article 28 GDPR;
(iv) Public Security Authorities and Judicial Authorities, acting as independent data controllers.

Your personal data will be processed within the European Union (“EU”) and the European Economic Area (“EEA”) and stored on servers located within the EU/EEA.

Should it become necessary to transfer your personal data to countries outside the EU/EEA, such transfers will be carried out in compliance with Chapter V of Regulation (EU) 2016/679, ensuring adequate protection of the data.

7. Data Disclosure

Personal data will not be disseminated or made publicly accessible outside the company perimeter, nor published on the corporate website, unless required by law or with your specific authorisation.

8. Data Controller and Data Processors

The Data Controllers—i.e., the entities that determine the purposes and means of the processing—are Edison Next S.p.A. and the companies of the Edison Next group acting as independent Controllers.
Data Processors—i.e., entities processing personal data on behalf of the Controller—include Group companies and service providers appointed pursuant to Regulation (EU) 2016/679.

9. Data Protection Officer (DPO)

In compliance with the Regulation, a Data Protection Officer (DPO) has been appointed as the common point of reference for Edison Group companies subject to management and coordination or controlled by Edison S.p.A., as well as other Group companies.
Contact details for the DPO are provided in Section 10 below.

10. Exercise of Data Subject Rights

Pursuant to Regulation (EU) 2016/679, the data subject has the right to access their personal data, including the right to obtain confirmation of whether data concerning them are being processed and to receive information regarding the content, origin, and geographical location of the data, as well as to request a copy. The data subject also has the right to verify the accuracy of the data or request their rectification, updating, completion, restriction of processing, erasure, anonymisation, or blocking of data processed unlawfully, as well as to object to the processing at any time.
Furthermore, the data subject has the right to data portability and the right to lodge a complaint with the competent Supervisory Authority.

Rights may be exercised by contacting the Data Protection Officer (DPO) at:

• Standard e-mail: privacy.edisonnext@gruppoedison.it
• Certified email (PEC): privacy.gruppoedison@pec.edison.it
• Fax: +39 02 62229106
• Postal mail: DPO c/o Edison S.p.A., Foro Buonaparte 31, 20121 Milan (MI), Italy