Information on the processing of Personal data

INFORMATION ON THE PROCESSING OF PERSONAL DATA IN THE CONTEXT OF THE IPiù PROGRAM marketed as “DRIV&” pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) (“Privacy Policy”)

This Privacy Policy is provided pursuant to Articles 13 and 14 of EU Regulation 2016/679 (“GDPR”) by Italiana Petroli S.p.A. (hereinafter, “IP” or “Company”) and ESE S.r.l. (hereinafter, “ESE” or “Company”) as joint controllers and is specifically aimed at the processing of your personal data processed as part of the registration and participation in the IPiù loyalty program marketed as “DRIV&” managed by both Companies, to which you can register through the dedicated “DRIV&” app (hereinafter also “the App”) and/or by scanning the Italian Health Insurance Card with magnetic stripe through the POS present at the points of sale participating in the program, under the IP and ESSO brand.

We also inform you that the processing of your personal data will be based on the principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimisation and accuracy, integrity and confidentiality, as well as the principle of accountability pursuant to Article 5 of the GDPR.

“Processing of personal data” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The regulations of the IPiù program marketed as “DRIV&” can be consulted at the following address: Driveloyalty.it

1. JOINT CONTROLLERS

The joint controllers for the processing of your personal data carried out as co-promoters within the IPiù loyalty program marketed as “DRIV&” (hereinafter also referred to as the “Program”) are:

  • Italiana Petroli S.p.A. with registered office in Rome (RM), Via Salaria no. 1322, Post Code 00138;
  • ESE S.r.l. with registered office in Rome (RM), Via Salaria no. 1322, Post Code 00138.

In the remainder of this Privacy Policy, IP and ESE are also individually defined as “Joint Controller” and jointly as “Joint Controllers”, having jointly determined the purposes and means of processing attributable to the Program through the conclusion of a specific agreement pursuant to Article 26 of the GDPR.

As part of this agreement, IP has been designated as the point of contact for all your requests relating to the processing of your personal data and the exercise of your rights deriving from the GDPR; it remains understood that you can exercise your privacy rights pursuant to Article 15 and following of the GDPR in respect of each of the Joint Controllers. The essential content of the agreement is made available to you upon your specific request.

We also inform you that the Joint Controllers have appointed a Data Protection Officer (hereinafter the “Data Protection Officer” or “DPO”) who can be contacted at the following addresses:

  • e-mail, at: dpoitalianapetroli@pec.gruppoapi.com.
  • ordinary mail, to the address of both Joint Controllers, with registered office in Rome (RM), Via Salaria no. 1322, Post Code 00138, for the attention of the Data Protection Officer.

2. PERSONAL DATA SUBJECT TO PROCESSING AND SOURCE FROM WHICH THEY ORIGINATE

The Joint Controllers collect the following categories of personal data concerning you (the term “Personal Data” shall mean all the categories listed below, considered jointly):

  • personal/identification data, such as: name, surname, tax code and date of birth
  • contact details, such as: telephone number and e-mail address;
  • data relating to transactions carried out at IP and ESSO branded points of sale;
  • data relating to consumption preferences and purchasing habits;
  • where necessary for the purpose of providing discounts or rewards, bank or payment details strictly necessary for the execution of the transactions.

With reference to the source from which the aforementioned Personal Data originates, it should be noted that it is collected from you, both as part of the registration to the Program through the App and by scanning the Italian Health Insurance Card in the App and by registering with scanning of the health card through the POS available at the IP and ESSO branded points of sale.

The Joint Controllers specify that by scanning the Italian Health Insurance Card through the POS, only the Personal Data relating to: name, surname and date of birth will be processed, with the exclusion of the personal data relating to the place of birth.

In some cases, the Joint Controllers acquire your Personal Data from subjects who act as independent data controllers. This occurs, for example, if you have already joined the “IPiù” loyalty program promoted by IP. In this case, IP, as part of the Program, shares with the Joint Controllers the information collected as an independent data controller, including that provided by you when you join the “IPiù” program. Similarly, the Joint Controllers may receive your Personal Data from third parties, independent data controllers, following your choice to create the profile by connecting with your pre-existing social network account (Apple, Google or Facebook) using the appropriate social log-in button in the App. These third parties, as independent data controllers, transmit to the Joint Controllers the personal data strictly necessary for your identification and the creation of the profile (Social ID, personal data and contact details).


3. HOW WE COLLECT YOUR PERSONAL DATA

The Joint Controllers collect and process your Personal Data in the following circumstances:

  • upon your registration in the Program, by registering with the App;
  • upon your registration in the program by scanning your Italian Health Insurance Card through the POS available at IP and ESSO branded points of sale;

or

  • if you have already joined the “IPiù” loyalty program, your personal data will be shared by IP, as an independent data controller, with the Joint Controllers.

4. PURPOSE AND LEGAL BASIS FOR THE PROCESSING OF YOUR PERSONAL DATA

Your Personal Data, as indicated above, is processed by the Joint Controllers for one or more of the following purposes, on the basis of the legal basis indicated from time to time:

  • a) for the issue, verification of the requirements for participation, use and management of the DRIV& CODE of the Program, both through the App and through the use of the Italian Health Insurance Card as a method of identification; for the management of the collection of points, access to the prizes and discounts referred to in the regulations; to ensure full accessibility, regardless of the access channel, to all the services offered by the Joint Controllers with reference to the Program and the related logic referred to in the regulations; for the sending, also by SMS, e-mail and notifications in the App, of information and service communications concerning the Program (such as changes in the regulations or methods of accrual of points, notification of delivery of prizes and gifts requested by the Customer, etc.); for any other administrative-accounting activity connected to the Program. Legal basis for processing: performance of a contract to which you are a party or execution of pre-contractual measures adopted at your request, pursuant to Article 6, paragraph 1, letter b) of the GDPR. The provision of your personal data for this purpose is mandatory and, in its absence, it will not be possible for you to register and participate in the Joint Controllers’ Program. (Operational management of your registration in the Program and purposes closely related to it)
  • b) for the sending of marketing communications: forwarding by automated telephone calls and similar methods of contact (such as WhatsApp, e-mail, sms, mms, notifications in APP, etc.), as well as traditional (such as paper mail and telephone calls with operator) of commercial and promotional communications, customer satisfaction surveys and market research relating to products, services and offers of the Joint Controllers and their commercial partners, belonging to the following product categories: Food & Beverage, Entertainment, Transport and mobility, Payment services, Insurance, Car rental, Large Organised Distribution, Supply of electricity and gas, Tourism, Hospitality, Catering, Recreational services and Sale of basic necessities/souvenirs, Beauty and Personal Care, Publishing. Legal basis for processing: your express and specific consent, pursuant to Article 6, paragraph 1, letter a), of the GDPR; failure to provide such consent does not preclude or entail consequences regarding your registration in the Program.
    (Direct marketing)

It should be noted that for this direct marketing purpose, the Joint Controllers collect a single consent that includes both the use of automated tools and non-automated tools, pursuant to the General Provision of the Data Protection Authority “Guidelines on promotional activities and combating spam” of 4 July 2013, for which, you will be able to exercise the right to object pursuant to Article 21 of the GDPR or the revocation of the consent given pursuant to Article 7 of the GDPR, even in part, i.e. by objecting to or revoking the consent, for example, only to the sending of communications made with automated tools by writing to the e-mail address: privacy@italianapetroli.it.

  • c) for personalised management and personalised marketing purposes: collection and analysis of your Personal Data (including, by way of example, the types of products and services purchased, the volumes and values of expenditure, as well as the information provided through any surveys or questionnaires completed on your interests, preferences and socio-demographic data) in order to process and propose commercial communications and promotional initiatives personalised according to your consumption habits and propensities, both through automated tools and similar methods of contact (such as WhatsApp, e-mail, SMS, MMS, notifications in APP, etc.), and through traditional ones (such as paper mail and telephone calls with operator). Legal basis for processing: your express and specific consent, pursuant to Article 6, paragraph 1, letter a), of the GDPR; failure to provide such consent does not preclude or entail consequences regarding your registration in the Program. (Profiling)

For the purpose of profiling, you will be able to exercise the right to object pursuant to Article 21 of the GDPR or the revocation of the consent given pursuant to Article 7 of the GDPR, by writing to the e-mail address: privacy@italianapetroli.it

  • d) for the transfer of data to third parties for their promotional purposes: transfer, even temporary, to third parties of the personal data collected so that they can use it directly for their own marketing purposes. The partners of the Joint Controllers to whom, with your consent, your data may be sent for their promotional purposes belong to the following product sectors: banking, financial, insurance, telecommunications, publishing, leisure, automotive, food, childhood, large-scale distribution and energy. Your Personal Data, for the same purpose, may also be communicated to the other companies of the API Group. Legal basis for processing: your express and specific consent, pursuant to Article 6, paragraph 1, letter a), of the GDPR; failure to provide such consent does not preclude or entail consequences regarding your registration in the Program. It should be noted that if you give the aforementioned consent for communication to third parties, they may carry out promotional activities towards you without having to acquire a new consent for the promotional purpose. We remind you that the third parties to whom you authorise us to disclose your data for the purposes described above must be considered independent Controllers of the processing that, after the communication, they will carry out. For this reason, the rights granted to you pursuant to Articles 15 et seq. of the GDPR must, if necessary, be exercised by you directly against them. The third parties in question are always obliged to provide you with information and to communicate the origin of the data, specifying that they have acquired it from the Joint Controllers. 
    The Joint Controllers, operating according to principles of transparency and to provide the highest level of protection to their Customers, offer, without exhausting the obligations of third parties, the possibility of consulting the information of the selected partners to whom, upon release of your consent, your Personal Data may be transferred, on the page Driveloyalty.it (Transfer of data to third parties for marketing purposes).

For the purpose of transferring your Personal Data to third parties, you may exercise the right to object pursuant to Article 21 of the GDPR or the withdrawal of consent pursuant to Article 7 of the GDPR, by writing to the e-mail address: privacy@italianapetroli.it

Furthermore, the Joint Controllers inform you that, in addition to the methods indicated above for the withdrawal of consent, you may withdraw, modify or confer, if not previously done, your consent to the processing of your personal data for the purposes referred to in letters b), c) and d) of this Privacy Policy through the APP, by accessing the “My Profile” section with your credentials and modifying the consents indicated separately therein.

Once provided, your Personal Data may also be processed for the following purposes:

  • e) to fulfil legal obligations with which the Joint Controllers are required to comply. Legal basis for processing: the fulfilment of legal obligations to which the Joint Controllers of the processing are subject, pursuant to Article 6, paragraph 1, letter c) of the GDPR. (Purposes related to the obligations established by laws, regulations or European legislation, by provisions/requests from Authorities legitimated by law and/or by supervisory and control bodies)
  • f) to meet any legal defence purposes of the Joint Controllers both in the judicial field and in the phases preceding the litigation; for the prevention of fraud and improper use of the DRIV& CODE and the management of any reports, complaints or disputes that may arise from your participation in the Program. Legal basis for processing: the pursuit of a legitimate interest of the Joint Controllers of the processing to protect their rights, pursuant to Article 6, paragraph 1, letter f) of the GDPR. (Defence of rights in the course of judicial, administrative or extrajudicial proceedings, and in the context of disputes arising in relation to the Program and related services)

5. MANDATORY OR OPTIONAL NATURE OF DATA PROVISION AND CONSEQUENCES OF ANY REFUSAL TO PROVIDE DATA

The provision of Personal Data for the purposes referred to in paragraph 4, letter a) of this Privacy Policy is mandatory as it is necessary to allow you to register for the Program.

The provision of consent for the purposes referred to in paragraph 4, letters b) and c) and d) of this Privacy Policy is optional and failure to provide it does not preclude or entail consequences regarding your registration in the Program.

For the purposes referred to in paragraph 4, letters e) and f) of this Privacy Policy, you are not required to provide a new and specific provision, since the Joint Controllers will pursue these further purposes, where necessary, by processing the Personal Data collected for the purposes referred to above, considered compatible with this (also due to the context in which the Personal Data were collected, the relationship between you and the Joint Controllers, the nature of the Personal Data themselves and the adequate guarantees for their processing).

6. HOW WE KEEP YOUR PERSONAL DATA SECURE

The Joint Controllers take appropriate security measures to protect and maintain the security, integrity and accessibility of your Personal Data.

All your Personal Data is stored on secure servers (or secure paper copies) of the Joint Controllers or their respective suppliers located in the territory of the European Union, and is accessible and usable according to their security standards and policies (or equivalent standards for our suppliers).

Where the Joint Controllers have provided you with (or you have chosen) a password that allows you to access your personal area in the App, you will be responsible for keeping this password confidential and for complying with any other security procedures that the Joint Controllers may indicate to you.

7. HOW LONG WE KEEP YOUR PERSONAL DATA

The Joint Controllers will keep your Personal Data only for the time necessary for the purposes for which they are collected, in compliance with the principles of minimisation and limitation of the purpose referred to in Article 5, paragraph 1, letters c) and e) of the GDPR.

  • In particular, without prejudice, upon expiry of the Program, to participation in a new loyalty campaign, your Personal Data processed for the purposes referred to in paragraph 4, letter a) of this Privacy Policy will be kept for the entire duration of the Program, including any extensions, and, even thereafter, for the time strictly necessary to fulfil the obligations related to the initiative.
  • Personal Data, in particular personal and contact data, processed for the purposes referred to in paragraph 4, letter b) of this Policy will be processed until the withdrawal of the consent you have given pursuant to Article 7 of the GDPR and/or until you object to the processing pursuant to Article 21 of the GDPR; it should also be noted that Personal Data relating to the details of the products purchased and the services used will be kept for this purpose for a period of time equal to 24 (twenty-four) months from their registration, without prejudice to the possible withdrawal of consent, if prior to the expiry of this term. It will be the responsibility of the Joint Controllers to periodically request your consent for this purpose, so as to respect your choices.
  • Personal Data, in particular personal and contact data, processed for the purposes referred to in paragraph 4, letter c) of this Policy will be processed until the withdrawal of the consent you have expressed pursuant to Article 7 of the GDPR and/or until you object to the processing pursuant to Article 21 of the GDPR; please note that the Personal Data relating to the details of the products purchased and the services used and the data relating to your purchasing habits and propensities will be processed and stored for this purpose for a period of 12 (twelve) months from collection, without prejudice to any withdrawal of consent or objection to the processing if prior to the expiry of this term. It will be the responsibility of the Joint Controllers to periodically request your consent for this purpose, so as to respect your choices.
  • Personal Data, in particular personal and contact data, processed for the purposes referred to in paragraph 4, letter d) of this Policy will be processed until the revocation of the consent you have expressed pursuant to Article 7 of the GDPR and/or until you object to the processing pursuant to Article 21 of the GDPR. It will be the responsibility of the Joint Controllers to periodically request your consent for this purpose, so as to respect your choices.

The Joint Controllers inform you that the Personal Data stored for the purposes referred to in letters b), c) and d) of this Privacy Policy will, at the end of the periods indicated above (24 and 12 months), be irreversibly anonymised and processed for statistical purposes only.

  • Personal Data processed for the purposes referred to in paragraph 4, letter e) of this Policy will be kept for the time required by the specific obligation or applicable law.
  • The Joint Controllers also reserve the right, for the purposes referred to in paragraph 4, letter f) to keep the Personal Data also for as long as necessary to ascertain and exercise their right and/or satisfy any legal defence purposes in court as well as in the out-of-court context and in the stages preceding the litigation.

In the event of revocation of membership of the Program and/or your requests for cancellation, a retention period of no more than one quarter has been identified for your Personal Data, for administrative purposes only (and not also for profiling or marketing), without prejudice to any specific legal obligations on the retention of accounting records or for the protection in court of the rights of the Joint Controllers or by express order of Public Authorities. After this period, your personal data will be deleted.

The Joint Controllers inform you that membership of the Program will remain valid even if they exercise the right to reset the points you have accumulated due to your inactivity, i.e. for failure to use the points accumulated within the terms established by the regulations.

For more information, you can contact the Joint Controllers and/or the DPO at the contacts referred to in paragraph 12 of this Privacy Policy.

8. WHO WE MAY SHARE YOUR PERSONAL DATA WITH

Your Personal Data may be shared with the subjects indicated below (also referred to as “Recipients”):

  • persons authorised by the Joint Controllers to process personal data pursuant to Article 29 of the GDPR and Article 2-quaterdecies of the Privacy Code (e.g. the internal staff of the Joint Controllers responsible for managing information systems, etc.);
  • entities or authorities to which your Personal Data must be disclosed by virtue of legal provisions provided for by European Union law or by that of the Member State to which the Joint Controllers are subject;
  • third parties such as law firms and public authorities to which the Joint Controllers turn in order to comply with or apply the Program regulations or to safeguard any other legitimate interest;
  • third parties such as the police and public authorities to protect the rights of the Joint Controllers, or following a request validly made by them;
  • third parties, belonging to the product sectors referred to in paragraph 4, letter d) of this Privacy Policy, for which you have given your consent to receive promotional marketing messages;
  • subjects who, in the provision of services, typically act as data processors pursuant to Article 28 of the GDPR (by way of example, suppliers/contractors of goods or services related to the provision of the benefits obtainable through the loyalty points accumulated by the Customer, or to the technical management of the Program).

The complete list of Recipients is present in the Program regulations (always available on the Driveloyalty.it page) and, in any case, available, in its most up-to-date version, upon your request, at the headquarters of the Joint Controllers and at the addresses indicated in paragraph 12 of this Privacy Policy, to which the updated list of Data Processors may also be requested.

9. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

In order to carry out some of the processing activities of your Personal Data, the Joint Controllers will communicate the same to external parties located in countries that do not belong to the European Union (EU) or the European Economic Area (EEA) (hereinafter, the “Third Countries”) and that could guarantee a lower level of protection of your Personal Data than that guaranteed within the European Union.

The transfer of your Personal Data by the Joint Controllers to subjects located in Third Countries will in any case take place in compliance with the provisions of the applicable legislation on the protection of personal data and on the basis of one of the adequate guarantees provided for by Article 44 et seq. of the GDPR, such as, for example, the adoption of Standard Clauses approved by the European Commission, the selection of subjects adhering to international programs for the free circulation of data or operating in countries considered safe by the European Commission, in compliance with the recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board.

In this regard, the Joint Controllers inform you that they have contracted the exclusivity of certain activities to third-party service providers operating in the United States of America. The level of data protection is fully adequate as these companies are certified under the “EU-U.S. Data Privacy Framework” managed by the US Department of Commerce.

You can write to the Joint Controllers at any time, using the contact details referred to in paragraph 12 of this Privacy Policy, asking who the subjects to whom the Personal Data are communicated are, as well as to receive a copy of the guarantees adopted for the transfer.

10. POSSIBLE AUTOMATED DECISION-MAKING PROCESSES

The Joint Controllers do not use automated decision-making processes, including profiling, without your consent.

11. YOUR RIGHTS REGARDING DATA PROTECTION AND YOUR RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY

Under the conditions provided for by the GDPR, you have the right to ask each Joint Controller at any time:

  • access to your Personal Data, as required by Article 15 of the GDPR,
  • the rectification and integration of your Personal Data held by the Joint Controllers that you consider inaccurate, as provided for by Article 16 of the GDPR,
  • the deletion of your Personal Data for which there is no longer any legal basis for their processing, as provided for by Article 17 of the GDPR,
  • the limitation of the way in which your Personal Data is processed, if one of the hypotheses provided for in Article 18 of the GDPR occurs,
  • copy of the Personal Data that you have provided to us, in a structured format, commonly used and readable by an automatic device for processing based on the contractual relationship (so-called portability), as required by Article 20 of the GDPR,
  • not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects that concern you, if you have not expressed your prior consent, as required by Article 22 of the GDPR,
  • the withdrawal of your consent at any time, in the event that the processing is based on consent. It should be noted that any withdrawal of consent will only have effect with reference to subsequent processing, without prejudice to the lawfulness of the processing carried out prior to such withdrawal.

Right to object: in addition to the rights listed above, you always have the right to object at any time to the processing of your Personal Data carried out for the pursuit of the legitimate interest of the Joint Controllers and for the processing carried out for marketing purposes, including profiling to the extent that it is connected to such marketing.

To exercise the aforementioned rights with regard to the Joint Controllers, you may proceed in the following ways:

  1. in real time via the App, by accessing the “My profile” section and making the desired changes;
  2. for residual problems and for the management of rights that cannot be exercised independently in the manner indicated in point 1, in particular for the deletion of the data provided, by writing to the e-mail address privacy@italianapetroli.it;

The exercise of these rights is subject to certain exceptions aimed at safeguarding the public interest (e.g. the prevention or identification of crimes) and the interests of the Joint Controllers (e.g. the maintenance of professional secrecy). In the event that you exercise any of the aforementioned rights, it will be the responsibility of the Joint Controllers to verify that you are entitled to exercise it and to respond to your request, as a rule, within one month.

If you believe that the processing of your Personal Data is in violation of the provisions of the GDPR and the legislation on the protection of personal data, you have the right to lodge a complaint with the Data Protection Authority, using the references available on the website www.garanteprivacy.it or to take legal action.

12. CONTACTS OF THE JOINT CONTROLLERS AND THE RELEVANT DATA PROTECTION OFFICER (“DPO”)

You may contact the Joint Controllers at any time at the following e-mail address, identified as the single point of contact for the exercise of your rights: privacy@italianapetroli.it, or at the following e-mail addresses:

In this regard, the Joint Controllers inform you that you may in any case exercise your rights towards and/or against each Joint Controller, by contacting the certified e-mail addresses indicated above or by sending your request/report through the dedicated form, in the “Write us” section of the following website: Privacy – Write us – Contacts and assistance Gruppo api.

13. JOINT CONTROL AGREEMENT

The essential content of the joint control agreement signed between IP and ESE – which deals with transparently determining the respective responsibilities regarding compliance with the obligations deriving from the GDPR, with particular regard to the exercise of your rights and the respective communication functions of this Privacy Policy – is available on request at the following address: dpoitalianapetroli@pec.gruppoapi.com / privacy@italianapetroli.it.

14. AMENDMENTS

The Joint Controllers reserve the right to modify or simply update, in whole or in part, the content of this Policy, also due to changes in the applicable legislation. You will be informed of these changes as soon as they are introduced.