PRIVACY POLICY of the website eniscuola.eni.com

Pursuant to Regulation (EU) 2016/679 ("GDPR"), here below Eni S.p.A. ("Company" or the "Controller") provides information regarding the processing of your personal data collected or provided by you when you use services on the website www.eniscuola.eni.com ("Website").

The Data Controller is Eni S.p.A. with registered office in Piazzale Enrico Mattei 1, 00144 Rome, which can be contacted through the contact details indicated in the Contacts section of the Website.

The Company has designated a Data Protection Officer, who can be contacted at the following email address dpo@eni.com.

The personal data being processed belong to the category of common personal data as further explained below. The personal data collected relates to any user browsing the Website and using the available services and/or registered users, as specified below.

a. Browsing data for any user
The computer systems and software procedures used to operate the Website acquire, in the course of their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This data category includes the IP addresses or domain names of the computers used by users connecting to a website, the URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user's operating system and computer environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the website and to check its proper functioning, and is deleted immediately after processing. The data could be used to ascertain liability in case of hypothetical computer crimes against the Website.

b. Data voluntarily provided by the registered user
The personal data being processed are those referring to the registration form for account creation and/or newsletter subscription specifically for registered users: first name, surname, email address, type of teaching, teaching area, school name, school code, city, province.

c. Data voluntarily provided by any user
The personal data being processed are those referring to the subscription to the general newsletter service: email address, first name and surname.

d. Cookies
Cookies are small text files that are saved on the user's device when they visit a website. They are used to identify oneself while browsing. The cookies used on the Website serve to facilitate user browsing (e.g., by storing language choice) and will not be used for any other purpose. If necessary, they can be disabled by modifying your browser options. More information about the types of cookies used by the Website is available by consulting the Cookie Policy.

a. Legal and contractual purposes - processing necessary to fulfil a contractual or legal obligation to which the Data Controller is subject or to execute a specific request from the data subject

Your personal data may be processed, without the need for your consent, in cases where this is necessary to fulfil obligations arising from legal provisions, as well as standards, codes or procedures approved by Authorities and other competent Institutions. The above as long as it is necessary and without it, you would not be able to access the Website and services.

Your personal data will also be processed for purposes related and/or connected to the provision of services by the Company in the context of browsing the Website, and more specifically:

• for the provision of services requested by the user while browsing the Website or through the completion of forms therein, including subscription to the generic newsletter envisaged for any user;
• for the provision of the services requested by the user with registration to the Website and the creation of their account and profile including the collection, storage and processing of data for the purpose of the establishment and subsequent operational, technical and administrative management of the relationship (and the account and profile created by the customer) related to the provision of services and the execution of communications related to the performance of services, including operational and management updates, as well as user support;
• for the operational and technical management of the newsletter subscription dedicated to registered users.
• Such data - the provision of which is necessary for the operational performance of services - will also be processed by electronic means, recorded in special databases, and used strictly and exclusively in the context of browsing the Website. Since the communication of your data for the aforementioned purposes is necessary for the purpose of maintaining and providing the services of the Website, failure to do so will make it impossible to provide the specific services in question to you.

b. Purposes based on a legitimate interest of the Controller

The Controller may process your personal data on the basis of its legitimate interest in improving services and protecting its business in the following cases:

• in the case of extraordinary mergers, sale or transfer of business operations, in order to enable the implementation of operations necessary for due diligence and necessary for the transfer. It is understood that only the necessary data will be processed for the aforementioned purposes, in the most aggregate/anonymous form possible;
• analysis in an anonymous and aggregate form of the use of the services used, to identify habits and propensities of users, to improve the services provided and to meet specific user needs, i.e., preparation of initiatives related to the improvement of the services provided;
• whenever necessary for the purpose of ascertaining, exercising or defending a right of the Controller or other companies within the Company's perimeter of control in court.

In furtherance of the purposes set forth in Section 4, the Data Controller may disclose your personal data to third parties, for example those belonging to the following entities or categories of entities:

• police forces, armed forces and other public administrations, for the fulfilment of legal obligations, regulations or EU legislation;
• companies, entities or associations, or parent, subsidiary or associated companies pursuant to Article 2359 of the Italian Civil Code, or between these and companies subject to common control, as well as between consortia, business networks and temporary business groupings and associations and with their members, limited to communications made for administrative and/or accounting purposes;
• other companies contractually linked to the Controller which perform, by way of example, consulting activities, support for the provision of IT services, Website management services, etc.

The Controller ensures that the communication of your personal data to the aforementioned recipients involves only the data necessary to achieve the specific purposes for which they are intended.
Your personal information is stored in the Controller's databases and will be processed only by authorised personnel. The latter will be given special instructions on the manner and purpose of the processing. Such data will also not be disclosed to third parties, except as established above and, in any case, within the limits stated therein. Finally, we would like to remind you that your personal data will not be disseminated, except in the cases described above and/or established for by law.

For some of the purposes mentioned in Section 4, your personal data may be transferred outside the European Economic Area ("EEA"). The management of the database and processing of such data are bound to the purposes for which they were collected and are carried out in strict compliance with the standards of confidentiality and security set forth in the applicable data protection laws.
Whenever your personal data is subject to international transfer outside the territory of the EEA, the Controller will take all appropriate and necessary contractual measures to ensure an adequate level of protection of your personal data in accordance with the provisions set out within this Privacy Policy, including, among others, the Standard Contractual Clauses approved by the European Commission.

Data will be kept for a period of time no longer than necessary for the purposes for which they were collected or subsequently processed in accordance with legal obligations. Browsing and cookie data will be retained in accordance with the timeframe specified in the Cookie Policy; registration and newsletter subscription data will be retained for one year after the request to cancel the account, unless an additional period is needed to defend a right or interest of the Company or a third party.

As a data subject, you are granted the following rights to the personal data collected and processed by the Controller for the purposes indicated in Section 4: (i) the right of access, in particular by requesting, at any time, confirmation of the existence of your personal data in the Company's archives and the provision of such information in a clear and intelligible manner, as well as the right to know the origin, logic and purpose of the processing with express and specific indication of the persons assigned and responsible for the processing and third parties to whom your data may be communicated (ii) the right to update and rectify data, the deletion of redundant data or transformation into anonymous form, as well as blocking of processing and definitive deletion in case of unlawful processing; (iii) if the conditions are met, restriction of processing and portability of data; and (iv) the right to object, on grounds related to your particular situation, to the processing of your data (including profiling) carried out on the basis of the legitimate interest of the Controller or the necessity of the same processing for the performance of a task of public interest.
The law also recognises your right to lodge a complaint with the Data Protection Authority if you find that your rights under applicable data protection regulations have been violated.

You can exercise the rights listed above by contacting privacy_IDECO@eni.com, or by writing to the Data Protection Officer at dpo@eni.com.