1. Processing of Personal Information
1.3 Additional information for individuals located in the European Union is set out in section 11 below.
2. Privacy Officer
2.1 The Controllers have appointed a Data Protection Officer (“DPO”) and a contact for privacy matters in Australia and New Zealand, respectively, who can be contacted at the following e-mail addresses: firstname.lastname@example.org, email@example.com.
3. The kinds of personal information the Controllers collect and hold
3.1 The kinds of personal information the Controllers collect and hold about you will depend on the nature of your dealings with the Controllers and the circumstances of collection. If you deal with the Controllers as a customer, supplier or contractor or you contact them through their website www.enelx.com.au they may collect your name, telephone number, email address and location. If you deal with the Controllers in some other capacity, they may collect your name and contact details and any other information you choose to provide to them. The Controllers may also collect details of the interactions they have with you.
3.2 The Controllers do not generally collect sensitive information (such as health information), and will only collect sensitive information about you with your consent (unless they are otherwise required or authorised by or under law to do so).
4. How the Controllers collect and hold personal information
4.1 The Controllers generally collect personal information about you directly from you, such as when you visit them or interact with them in writing, electronically or by telephone, or when you communicate with them through their website’s contact information field, and such information is stored electronically in a safe and secure manner.
4.2 Sometimes, the Controllers may collect your personal information from third parties. For example, the Controllers may collect personal information about job applicants from third party recruiters.
4.3 The Controllers generally hold personal information in computer systems, including computer systems operated for them by service providers. They take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, use, modification or disclosure. This includes taking appropriate security measures to protect electronic materials, and requiring their service providers to do so.
4.4 The Controllers take reasonable steps to ensure the personal information they collect, use and disclose is accurate, complete, up to date and relevant. You can help by letting them know about any changes to your personal information, such as changes to your address and phone number.
5. The purposes for which the Controllers collect, hold, use and disclose personal information
5.1 The Controllers collect, hold, use and disclose personal information for a range of purposes, including:
§ to respond to inquiries about the products and services they offer
§ to supply their products and services
§ to manage their relationships with their customers, contractors and suppliers
§ for their administrative purposes and internal record keeping
§ to provide customer service or technical support, and deal with any complaints or feedback
§ to perform research and analysis
5.2 The Controllers may use or disclose your information for other purposes required or authorised by or under law (including purposes for which you have provided your consent).
5.3 The Controllers may use your personal information to contact you with news and information about their products and services. You can let them know at any time if you no longer wish to receive these communications from them, by contacting firstname.lastname@example.org using the opt-out/unsubscribe facility in their communications. Your consent will be deemed if you do not opt out when they offer you the opportunity to do so, and will remain current until you advise them otherwise.
5.4 If the Controllers are unable to collect personal information from or about you, they may not be able to respond to your requests or enquiries or engage in other dealings with you.
6. Disclosure of personal information to third parties
6.1 In conducting their businesses, the Controllers may for the purposes outlined above share personal information with each other or disclose personal information to other third parties. These include, where appropriate:
§ other related companies of the Controllers
§ energy industry regulators
§ Transpower, the System Operator
§ Electricity Authority
§ the Controllers' contracted service providers, including:
o information technology service providers
o marketing and communications agencies
o external business and financial advisors (such as auditors and lawyers).
7. Disclosure of personal information outside Australia and/or New Zealand
7.1 If the Controllers share personal information with each other, that information may be transferred between Australian and New Zealand. Personal information may also be disclosed to other related companies of the Controllers located in other countries, including the US, Canada, India, the UK, Ireland, Poland and Italy.
7.2 The Controllers may also use service providers located overseas to store or process data which includes personal information.
8. Accessing and correcting your personal information
8.1 If you would like to access or correct the personal information the Controllers hold about you, please contact the Data Protection Officer (using the contact details in section 2 above). The Controllers will generally provide you with access to your personal information (subject to some exceptions permitted by law), but may charge an access fee to cover the cost of retrieving the information and supplying it to you.
9.1 Please contact the Controllers (using the contact details in section 2 above) if you have any concerns or complaints about the manner in which the Controllers have collected or handled your personal information. The Controllers will inquire into your complaint and respond to you in writing within 20 working days. We remind you that it is your right to lodge a complaint before the Competent Data Protection Authority. In Australia, this is the Office of the Australian Information Commissioner (www.oaic.gov.au). In New Zealand, this is the Office of the Privacy Commissioner (https://www.privacy.org.nz/).
10. Additional information
10.1 For further information regarding the management of your Personal Information, please contact the Controllers (using the contact details in section 2 above).
11. Additional information for individuals located in the European Union
11.1 This section 11 applies if either Controller processes your personal data through their website www.enelx.com.au. and you are located in the European Union.
11.2 The Controller, as Data Controller, will process your personal data in accordance with the provisions of the applicable legislation on privacy and the protection of personal data and this section 11.
11.3 When registering for various services or accessing them, the names of any other data controllers and managers will be communicated.
11.4 The Controller has appointed a Data Protection Officer (“DPO”) who can be contacted at the following e-mail addresses: email@example.com.
12. Processing Subject and Methods
12.1 The Controller will process the personal data you have communicated or it has legitimately obtained ("Personal Data"). In particular, the following Personal Data is processed:
§ Contact data: name, surname, e-mail address, telephone number and the content of the message you have sent, and other Personal Data that may have been provided to us during communications. We will process this Personal Data if you ask us questions, request information or send us communications of various kinds.
§ Browsing data: the IT and telematic systems and software procedures used to operate the Site acquire, during their normal operation, certain data (e.g. the date and time of access, the pages visited, the name of the Internet Service Provider and the Internet Protocol (IP) address through which you access the Internet, the Internet address from which you connected to our Site, etc.), whose transmission is implicit in the use of web communication protocols or is useful for the better management and optimisation of the data transmission and e-mail system.
12.3 We inform you that this Personal Data will be processed manually and/or with the aid of computerised and/or telematic means.
13. Purpose and legal basis of the processing
13.1 The Controller will process your Personal Data for the achievement of specific purposes and only in the presence of a specific legal basis provided for by the applicable law on privacy and protection of personal data. Specifically, the Controller will process your Personal Data only when one or more of the following legal bases occurs:
- you have given your free, specific, informed, unequivocal and express consent to the processing;
- the processing is necessary for the execution of a contract of which you are a party or for the execution of pre-contractual measures adopted at your request;
- in the presence of a legitimate interest of the Controller;
- the Controller is bound by a legal obligation to process Personal Data.
13.2 The following table lists the purposes for which your Personal Data is processed by the Data Controller and the legal basis of such processing.
Purpose of data processing
It allows the use of all the functions of the Site.
Performance of a contract
Check the Site for proper operation.
Performance of a contract
In order to ascertain responsibility in the event of computer crimes damaging the Site; detection, prevention, mitigation and assessment of fraudulent or illegal activities in relation to the services provided on the Site; execution of the security checks required by law.
Provide an answer to a question or request made by the data subject
Implement pre-contractual measures taken at the request of the data subject
The performance by the Controller, Enel X Group companies, parent companies, subsidiaries or affiliates or by the Controller's commercial partners to carry out market research, direct sales, including telephone calls, for the placement of products or services, for commercial communications or marketing activities. These activities can be carried out by sending advertising, informative or promotional material or invitations using traditional methods (e.g. paper mail) or automated contact systems (e.g. SMS, e-mail)
Consent of the data subject
Analysis of the usage trends for the products and services offered by the Controller, Enel X Group companies, parent companies, subsidiaries, affiliates or the controller's commercial partners, the definition of individual and group profiles, the proposition of individual offers also prepared through the use of instruments and applications designed to record the total consumption of energy as well as its hourly distribution, or related to individual user devices.
Consent of the data subject
13.3 The provision of your Personal Data is necessary in all cases where processing is carried out on the basis of a legal obligation or to execute a contract of which you are a party or due to the implementation of pre-contractual measures taken at your request. Your eventual refusal could entail the Controller's impossibility to proceed with the purpose for which the Personal Data is collected.
13.4 The provision of your Personal Data is voluntary for the pursuit of additional purposes and the failure to provide your consent in relation to them will have no consequences on the conclusion of the contract. The mandatory or optional nature of the provision will be specified at the time of collection.
14. Recipients of Personal Data
14.1 Your Personal Data may be made accessible for the purposes mentioned above:
a. to the employees and collaborators of the Controller, appointed for this purpose, or to the companies of the Enel X Group present in the European Union for the performance of organizational, administrative, financial and accounting activities;
b. to third-party companies or other entities that carry out outsourced activities on behalf of the Controller to enable the Site to operate, as external data processor.
15. Transfer of Personal Data
15.1 Your Personal Data will be processed within the European Union and stored on servers located within the European Union.
15.2 The same data may be processed in countries outside the European Union, provided that an adequate level of protection is guaranteed, recognized by a specific suitability decision of the European Commission.
15.3 The transfer of your Personal Data to third countries outside the European Union, in the absence of a suitability decision or other appropriate measures as described above, will be carried out only if you have explicitly consented to the same, or in the cases provided for by the GDPR, and will be processed in your interest. In these cases, we inform you that despite the fact that the Enel X Group adopts operational instructions that are common to all the countries in which it operates, the transfer of your Personal Data could be exposed to risks related to the peculiarities of local laws regarding the processing of Personal Data.
16. Personal Data retention period
16.1 The Personal Data processed for the purposes set out above will be kept in compliance with the principles of proportionality and necessity, and in any case until the purposes of the processing have been pursued.
17. Rights of Data Subjects
17.1 In accordance with articles 15 - 21 of EU Regulation 2016/679 (GDPR), in relation to the Personal Data communicated, you have the right to:
a. access and request a copy;
b. request its correction;
c. request its deletion;
d. obtain a restriction of processing;
e. object to the processing;
f. receive data in a structured format, commonly used and readable by an automatic device and transmit them to another data controller, where technically feasible, without any impediment.
17.2 We inform you that you have the right to object to the processing of Personal Data concerning you at any time, on the basis of the legitimate interest of the Controller.
17.3 If you object to the processing of your Personal Data as indicated in article 11.9.2, the Controller will refrain from any further processing of your Personal Data, unless it demonstrates the existence of binding legitimate reasons to proceed with the processing, or for the for the establishment, exercise or defense of a right in court.
17.4 To exercise your rights and withdraw your consent, you can send a communication to the e-mail address firstname.lastname@example.org.
17.5 For further information regarding your Personal Data, you can contact the Data Protection Officer of Enel, who can be reached at the following e-mail address: email@example.com.
17.6 We remind you that it is your right to lodge a complaint before the Competent Data Protection Authority.