This policy explains how we manage the personal data of users who create their own digital identity (so-called "Unique ID") in order to access the App as well as the reserved area of the portals of Enel X Way S.r.l. and of the other Enel Group Companies enabled to the "Unique ID".
1. Data Controller
2 Personal Data Protection Officer (DPO)
Enel X Way has appointed a Data Protection Officer (DPO) who can be contacted at the following e-mail address: firstname.lastname@example.org.
3 Object and Processing Methods
3.1 Enel X Way will process the personal data you provide when creating your digital identity ("Personal Data"). In particular, at the time of creation of the Enel Unique ID, some Personal Data are required, such as name, surname, e-mail address, phone number and tax identification number (the latter only for consumer customers)- so-called "registration data" - necessary to successfully complete the registration, access the App and to use the services offered by the individual companies of the Enel Group participating in the Unique ID. Registration data, as well as any data that may already be available to the Data Controller, having been acquired as part of other contractual relationships with the same, shall in no case be transferred to other Enel Group companies. Only registration data are also processed by the companies of the Enel Group that provide the authentication service, specifically appointed for this purpose as data processors (Enel Global Services S.r.l.).
3.3 We inform you that such Personal Data will be processed manually and/or with the support of computer or telematic means.
4. Purpose and Legal Basis of the Processing
4.1 Enel X Way shall process your Personal Data to enable you to register and access the App through the "Unique ID" in performance of the contract. In order to achieve this specific purpose, the submission of your data is necessary: failure to do so will prevent you from registering and accessing the App.
4.2 First Registration: Personal Registration Data is collected at the time you create your Unique ID on one of the web portals or mobile apps that provide registration functionality. The creation of the Unique ID allows you to access, through a single username and password, the reserved area of the web portals and mobile App of the participating Enel Group companies.
Users who were already registered for the digital services of the Enel Group Companies participating in the Unique ID service before the creation of the Unique ID itself, in order to continue to access the App, must accept the Terms and Conditions for the creation of the Unique ID.
Please note that it is not possible to access the service with access credentials generated before September 9, 2019, the date on which the Unique ID was introduced.
4.3 Access after Registration: Access to the App is possible only through the Enel Unique ID. For authentication purposes, the Unique ID system receives the encrypted credentials entered by the user for their verification and validation. Your Personal Data will therefore be processed for the sole purpose of verifying these credentials and allowing you to access them in a simple manner and without further charges from any country in which an authorized Enel Group company is present. It is understood that such data, for the purposes of access to the App, are not in any case made available to other Enel Group companies authorized to use the Unique ID.
4.4 Access to the services available through Enel X Way app is provided in the following ways:
a) via the App after registering the Unique ID;
b) through the use of credentials chosen for the identity created on a social network (so-called "social login"), in particular the identities created on AppleId, Facebook and Google, when the option is available. Following acceptance of the terms and conditions of the service, a Unique ID will be associated with the user.
Enel X Way will retain the identification code associated with your account with the social network service of reference when you use it to log in to Enel X Way or to share content hosted on the site; this will be retained for as long as necessary to provide the services requested. In any case, Enel X Way will have no knowledge of the credentials you use to access the social network.
5. Recipients of Personal Data
Your Personal Data may be made available, for the purposes mentioned above:
a) the employees and collaborators of Enel X Way, specifically appointed as Persons Authorized to the processing;
b) to the Enel Group companies that provide the authentication service (Enel Global Services S.r.l.) as well as to third party companies or other subjects that carry out these same activities in outsourcing on behalf of Enel X Way, specifically appointed as data processors for this purpose;
c) to institutions, public and private authorities, supervisory and control bodies.
6 Transfer of Personal Data
6.1 Your Personal Data will be processed within the European Union and stored on servers located within the European Union. The same data may be processed in countries outside the European Union, provided that an adequate level of protection is guaranteed, as recognized by a specific adequacy decision of the European Commission.
6.2 Possible transfers of Personal Data to non-EU countries, in the absence of an adequacy decision by the European Commission, will only be possible if adequate contractual or covenant-based guarantees are provided by the Data Controllers and Processors involved, including binding corporate rules and standard contractual data protection clauses.
6.3 The transfer of your Personal Data to third countries outside the European Union, in the absence of an adequacy decision or other appropriate measures as described above, will only be made where you have explicitly consented to it or in the cases provided for in the GDPR and will be processed in your interest. In these cases, we inform you that, although the Enel Group adopts operating instructions common to all the countries in which it operates, the transfer of your Personal Data may be exposed to risks related to the peculiarities of local legislation on the processing of Personal Data.
7 Personal Data Retention Period
7.1 Personal Data will be kept in accordance with the principles of proportionality and necessity, in compliance with any legal obligations and in any case until the purposes of the processing have been pursued.
7.2 If the Unique ID is not used to access the web portals or mobile apps of the participating Enel Group Companies, the registration data shall in any case be deleted 5 years after the date of the last access.
8 Rights of the Data Subjects
8.1 Pursuant to articles 15 - 22 of the GDPR, in relation to the Personal Data communicated, you have the right, where applicable, to:
a) access and request a copy;
b) request any corrections;
c) request cancellation;
d) obtain limitations on the processing;
e) object to the processing;
f) to receive such data in a structured, commonly used and machine-readable format and to transmit them without hindrance to another data controller where technically feasible.
8.2 You also have the right not to be subjected to a decision based solely on automated processing unless the decision is necessary: a) for the conclusion or performance of a contract with the Data Controller; b) is authorized by law or c) is based on explicit consent. In cases a) and c) you have the right to express your opinion, dispute the decision and obtain human intervention by the Data Controller.
8.3 To exercise your rights and to revoke any consent you may have given for marketing and/or profiling activities, you may send a communication to the e-mail address: email@example.com.
8.4 For further information regarding your Personal Data, you may contact the Data Protection Officer, who can be reached at the following e-mail address: firstname.lastname@example.org.
8.5. Finally, we remind you that if you believe that the processing of your data has taken place in a manner that does not comply with European Regulation 679/2016 (GDPR), it is your right to lodge a complaint with the Supervisory Authority for the Protection of Personal Data, by:
a) registered letter A/R addressed to Garante per la Protezione dei Dati Personali, Piazza Venezia, 11, 00187 Rome;
b) e-mail at: email@example.com, or firstname.lastname@example.org;