Privacy Policy
Introduction
This Privacy Policy is provided pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter also referred to as the “Regulation” or “GDPR”), in order to inform users who interact with the Home – Driv& Loyalty App website of Italiana Petroli S.p.A. and ESE S.r.l. (hereinafter the “Website”) about how personal data is processed when browsing, consulting and interacting with the Website.
This Privacy Policy is provided exclusively for the Website indicated above and not for other websites or sections/pages/spaces owned by third parties that can be consulted by the user through specific links, for which reference is made to the respective privacy policies
1. Joint Controllers and DPO
The joint controllers for the processing of your personal data within the IPiù loyalty program marketed as “DRIV&” and its Website (hereinafter also referred to as the “Program“) are:
- Italiana Petroli S.p.A. with registered office in Rome (RM), Via Salaria no. 1322, postcode 00138
and
- ESE S.r.l. with registered office in Rome (RM), Via Salaria no. 1322, Post Code 00138;
In the remainder of this Privacy Policy, IP and ESE are also referred to individually as “Joint Controller” and jointly as “Joint Controllers“, having jointly determined the purposes and means of processing related to the Program and its ancillary services through the conclusion of a specific agreement pursuant to Article 26 of the GDPR.
As part of this agreement, IP has been designated as the point of contact for all your requests relating to the processing of your personal data and the exercise of your rights deriving from the GDPR; it remains understood that you can exercise your privacy rights pursuant to Article 15 and following of the GDPR in respect of each Joint Controllers.
We also inform you that the Joint Controllers have appointed a Data Protection Officer (hereinafter the “Data Protection Officer” or “DPO“) who can be contacted at the following addresses:
- e-mail, at: dpoitalianapetroli@pec.gruppoapi.com
- ordinary mail, to the address of both Joint Controllers, with registered office in Rome (RM), Via Salaria no. 1322, Post Code 00138, for the attention of the Data Protection Officer.
2. Personal data subject to processing
We inform you that, by using the Website, the Joint Controllers may collect and process information and personal data relating to you. The personal data processed belong to the category of “ordinary” data (hereinafter also referred to as “Personal Data”) and, in particular, consist of:
a. Browsing data
The Joint Controllers will process the Personal Data collected as part of your browsing on the Website. In particular, the computer systems and software procedures used to operate the Website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This data is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This data category includes IP addresses or the domain names of computers used by users to connect to the Website, URI (Uniform Resource Identifier) addresses of the requested resources, time of the request, method used to submit the request to the server, size of the file obtained in response, numerical code indicating the server response status (successful, error etc.) and other parameters pertaining to the user’s operating system and IT environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website, to check its correct functioning and to identify anomalies and/or abuse; the data is usually deleted after processing, unless it is necessary to identify those responsible in the event of hypothetical computer crimes against the Website or third parties.
b. Cookies
The Joint Controllers will process the Personal Data collected through cookies and other tracking tools. For more information on Personal Data processed through cookies and other tracking tools, please consult the relevant Cookie Policy.
c. Data processed due to the services rendered through the Website
This Privacy Policy is intended to be provided, in addition to the processing resulting from the consultation of the Website, for which the Personal Data described in letters a) and b) of this paragraph are processed, also for the processing of the data provided by you for the purpose of using the services rendered through the “Assistance” section of the Website. In this context, the Joint Controllers inform you that the assistance services present in the homonymous section of the Website, consisting of the telephone assistance service (“CALL NOW”) and the assistance service by filling out an ad hoc form (“WRITE US ON IP”) are governed by two separate information notices on the processing of personal data, which can be consulted at the following links:
- “Driv& Customer Service” policy
- “write us on IP” policy
3. Purposes of processing and legal bases
Your data will be processed for the following purposes:
a. To allow browsing of the Website, including the management of its security
The Joint Controllers will process, pursuant to Article 6.1, letter b) of the Regulation (legal basis: […] perform of a contract of which the data subject is a party or the execution of pre-contractual measures adopted at the request of the same), the Personal Data referred to in paragraph 2 to allow access and navigation of the Website, as well as to guarantee its correct functioning.
b. Provide the Assistance Service
The Joint Controllers will process, pursuant to Article 6.1, letter b) of the Regulation (legal basis: […] perform of a contract of which the data subject is a party or the execution of pre-contractual measures adopted at the request of the same), the Personal Data referred to in paragraph 2 to allow you to use the assistance services on the Website.
The provision of Personal Data for the purposes referred to in letters a) and b) above is optional, but failure to provide it would prevent the Joint Controllers from providing the requested services.
Once provided, your Personal Data may also be processed for the following purposes:
c. To fulfil the obligations provided for by EU laws, regulations or legislation, or to comply requests from the competent authorities
The Joint Controllers will process, pursuant to Article 6.1, letter c) of the Regulation (legal basis: legal obligation), the Personal Data referred to in paragraph 2 to comply with the regulatory obligations in force.
d. To meet any legal defence purposes, including the identification, prevention, mitigation and detection of fraudulent or illegal activities in relation to the services offered on the Website
The Joint Controllers will process, pursuant to Articles 6.1, letter f) and 9.2, letter a) of the Regulation (legal basis: legitimate interest), the Personal Data referred to in paragraph 2 to protect their rights and/or legitimate interests in judicial and extrajudicial proceedings.
4. Recipients of personal data
Your Personal Data may be shared with the parties indicated below (also referred to as “Recipients”):
- persons authorised by the Joint Controllers to process personal data pursuant to Articles 29 of the GDPR and 2-quaterdecies of the Privacy Code (e.g. the internal staff of the Joint Controllers, etc.);
- entities or authorities to which your Personal Data must be disclosed by virtue of legal provisions provided for by European Union law or by that of the Member State to which the Joint Controllers are subject;
- third parties such as the police and public authorities to protect the rights of the Joint Controllers, or to follow up on a request validly made by them;
- subjects who, in the provision of services, typically act as data processors pursuant to Article 28 of the GDPR (by way of example, suppliers/contractors of goods or services related to the provision of the benefits obtainable through the loyalty points accumulated by the Customer, or to the technical management of the Program).
The complete list of Recipients is available from the Joint Controllers or the DPO at the addresses indicated in paragraph 11 of this Privacy Policy, to which the updated list of Data Processors may also be requested.
5. Transfers of personal data
The Joint Controllers do not normally transfer your data outside the European Union. In certain circumstances (e.g. for purposes related to the electronic storage and management of data) some of your data may be provided to recipients who transfer them to third countries. In this case, the Joint Controllers ensure that any processing of personal data by recipients located in Third Countries outside the European Economic Area (EEA) or international organisations will take place in compliance with the law or in one of the ways permitted by law pursuant to Articles 44-49 of the GDPR, such as the consent of the data subject, the adoption of Standard Clauses approved by the European Commission, the selection of subjects adhering to international programs for the free circulation of data, in compliance with recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board.
You can request more information on the data transfers made and the guarantees adopted for this purpose by writing to the Joint Controllers or the DPO at the addresses indicated in paragraph 11 of this Privacy Policy.
6. Data processing methods
Personal Data will be processed using IT, manual and/or telematic tools and media, with logic strictly related to the purposes of the processing and in any case ensuring the confidentiality and security of the data and in compliance with the applicable Regulations and Provisions of the Data Protection Authority.
More information is available from the Joint Controllers or the DPO who can be contacted at the addresses indicated in paragraph 11 of this Privacy Policy.
7. Retention of personal data
Personal Data processed for the purposes indicated in paragraph 3, letters a) and b) of this Privacy Policy will be kept for the time strictly necessary to achieve these purposes, in accordance with the principles of minimisation and limitation of storage provided for by Article 5, paragraph 1, letters c) and d) of the Regulation.
Personal Data processed for the purposes referred to in paragraph 3, letter c) of this Privacy Policy will be kept up to the time required by the specific obligation or applicable law.
The Joint Controllers also reserve the right to keep the Personal Data for as long as necessary to ascertain and exercise their right and/or satisfy any legal defence purposes in court as well as in the out-of-court context and in the stages preceding the litigation.
More information regarding the data retention period and the criteria used to determine this period can be requested by writing to the Joint Controllers or the DPO at the addresses indicated in paragraph 11 of this Privacy Policy.
8. Rights of the Data Subject
You, as a data subject, may, at any time, exercise the following rights:
- Right to withdraw any consent given (Article 7 of the GDPR) – You have the right to withdraw any consent given at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal;
- Right of access (Article 15 of the GDPR) – You have the right to obtain confirmation as to whether or not your personal data is being processed, as well as the right to receive any information relating to such processing;
- Right of rectification (Article 16 of the GDPR) – You have the right to obtain the rectification of your personal data, if they are incomplete or inaccurate;
- Right to erasure (Article 17 of the GDPR) – in certain circumstances, you have the right to obtain the erasure of your personal data from our archives;
- Right to restriction of processing (Article 18 of the GDPR) – upon the occurrence of certain conditions, you have the right to obtain the restriction of the processing of your personal data;
- Right to portability (Article 20 of the GDPR) – You have the right to obtain the transfer of your personal data to a different data controller as well as the right to obtain the data concerning you in a structured format, commonly used and readable by an automatic device;
- Right to object (Article 21 of the GDPR) – You have the right to object to the processing of your personal data in which you give evidence of the reasons justifying the objection; the Joint Controllers reserve the right to evaluate this request, which may not be accepted if there are compelling legitimate reasons to proceed with the processing that prevail over your interests, rights and freedoms.
- Right to lodge a complaint with the Supervisory Authority (Article 77 of the GDPR) – in the manner indicated in the following paragraph, if you believe that the processing of your personal data violates the legislation on the protection of personal data, you can lodge a complaint with the Supervisory Authority of the Member State in which you usually reside, work or the place where the alleged violation occurred;
- Right to appeal to the appropriate courts (Article 79 of the GDPR).
To exercise the aforementioned rights with regard to the Joint Controllers, you may proceed in writing by contacting the following e-mail address: privacy@italianapetroli.it. The exercise of these rights is subject to certain exceptions aimed at safeguarding the public interest (e.g. the prevention or identification of crimes) and the interests of the Joint Controllers (e.g. the maintenance of professional secrecy). In the event that you exercise any of the aforementioned rights, it will be the responsibility of the Joint Controllers to verify that you are entitled to exercise it and to respond to your request, as a rule, within one month.
9. Complaints
If you believe that the processing of your Personal Data is in violation of the provisions of the GDPR and the legislation on the protection of personal data, you have the right to lodge a complaint with the Data Protection Authority, using the references available on the website www.garanteprivacy.it or to take legal action.
10. Amendments
The Joint Controllers reserve the right to modify or simply update the content of this Privacy Policy, in part or completely, also due to changes in the applicable legislation. The Joint Controllers therefore invite you to visit this section regularly to become aware of the most recent and updated version of the Privacy Policy in order to be always updated on the data collected and the related processing by the Joint Controllers.
11. Contacts of the Joint Controllers and the relevant Data Protection Officer (DPO)
You may at any time contact the Joint Controllers at the following e-mail address, identified as the single point of contact for the exercise of your rights: privacy@italianapetroli.it, or at the following e-mail addresses:
- for Italiana Petroli S.p.A.: dpoitalianapetroli@pec.gruppoapi.com.
- for ESE S.r.l.: dpoese@pec.gruppoapi.com.