Privacy Policy for the processing of personal data of users who visit the Company’s website, pursuant to Article 13 of Regulation (EU) 2016/679.

WHY THIS INFORMATION

In accordance with Regulation (EU) 2016/679 (hereinafter “Regulation”), this page describes the processing methods:

• of personal data of users who consult the website (hereinafter “Website”) of H2Energy (hereinafter “Company”) accessible via the following web address www.h2e.it;
• of personal data entered or collected through the Company’s social media pages.

This information does not concern other websites, pages, or online services accessible through hyperlinks that may be published on the site but refer to resources external to the Company’s domain.

DATA CONTROLLER

DATA CONTROLLER is: H2Energy

Registered office: Via Niga, 73 – 25020, Azzano Mella (BS) PEC: h2energy@pec.it Tax code and VAT number: 04230640981 Email: info@h2e.it

DATA PROTECTION OFFICER

The Company has appointed a Data Protection Officer (DPO) to ensure compliance with Italian and European regulations.

The Data Protection Officer can be contacted at the following address:

Data Protection Officer, Via Niga, 73 – 25020, Azzano Mella (BS) PEC: h2energy@pec.it Tax code and VAT number: 04230640981 Email: info@h2e.it

LEGAL BASIS OF PROCESSING

The Company will process personal data only if it has a legal basis for doing so.

The data protection regulations state that the processing of personal data is lawful only if at least one of the following conditions applies (as per Article 6 of the Regulation):

a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;

c) the processing is necessary for compliance with a legal obligation to which the data controller is subject;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;

f) the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The legal basis for the processing, therefore, will depend on the reasons for which the Company has collected and uses the data.

These reasons consist, in some cases (such as for inquiries received through the contact section), in the need to provide a response to the requests received (in this case, the legal basis is the performance of a contract and/or pre-contractual measures), in other cases, in the duty to comply with legal and/or regulatory obligations, or in other cases, in the possibility of pursuing the legitimate interest of the Company, which will be identified from time to time. Where the data subject’s consent is required, such consent will be requested in accordance with the law.

TYPES OF DATA PROCESSED AND PURPOSES OF THE PROCESSING

Personal data means all information relating to the user, by which the user can be identified. Therefore, personal data includes, for example, the name, surname, contact details, telephone number, email address, IP address, and information concerning the user’s access to the Website.

Following the consultation of the Website, as well as the use of the services made available through it, the Company may collect users’ personal data following telephone communications to the contact details provided on the Website, as well as through the receipt of emails to the addresses provided on the Website, or through the completion of forms in the contact section, or through the use of social media plug-ins used on the Website.

In particular, the types of data processed can be classified as follows:

NAVIGATION DATA

The computer systems and software procedures used to operate the Website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.

This information is not collected to be associated with identified data subjects, but by its nature could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI/URL addresses (Uniform Resource Identifier/Locator) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user’s operating system and computer environment.

This data, necessary for the use of web services, is also processed for the following purposes:

• obtaining statistical information on the use of services (most visited pages, number of visitors per hour or day, geographical areas of origin, etc.);
• checking the correct functioning of the services offered;
• identifying anomalies and/or abuses.

Navigation data is not retained for more than seven days (except in cases where it is necessary for the investigation of crimes by the Judicial Authority).

PERSONAL DATA VOLUNTARILY PROVIDED BY USERS

The optional, explicit, and voluntary sending of messages to the contact addresses of the Company, private messages sent by users to the institutional profiles/pages on social media (where this option is available), as well as the completion and submission of forms on the Company’s website, involves the acquisition of the sender’s contact data, necessary to respond, as well as all personal data included in the communications.

Specific information will be published on the pages of the Website set up for the provision of specific services.

CONSEQUENCES OF FAILURE TO PROVIDE DATA

The failure to provide data necessary to respond to requests may result in the impossibility, for the Company, to provide a comprehensive response or the available services.

If necessary, the Company will inform the user from time to time about the mandatory or optional nature of the provision of personal data (e.g. to make a specific request).

In particular, the mandatory or optional nature of the communication of data will be highlighted through a notice or a specific character on the mandatory information.

DATA RECIPIENTS

The Company’s personnel, acting on the basis of specific instructions provided in relation to the purposes and methods of processing, will be the data recipients.

The data collected following the consultation of the Website will also be shared with subjects designated by the Company, as data processors, pursuant to Article 28 of the Regulation.

In case of use of social media plug-ins present on the Website, the data will be shared with the social media service and, where applicable, with the user’s profile on the social media. In this case, please refer to the Privacy Policy published by the social media.

In any case, the personal data processed will not be disclosed.

Subject to legal provisions, communication or dissemination of data requested by the Police, the Judicial Authority, information and security organizations, or other public entities for the purposes of defense or State security or for the prevention, investigation, or suppression of crimes is reserved.

PROCESSING METHODS AND SECURITY

The data will be processed:

• using manual, computer, and telematic tools, ensuring the availability, integrity, and confidentiality of the data;
• with organizational methods and with logic strictly related to the purposes indicated, in compliance with the principle of minimization;
• by specifically appointed, identified, and authorized subjects, adequately instructed and informed of the constraints imposed by the relevant legislation;
• using technical and organizational security measures aimed at preventing and/or reducing the risks of unauthorized access and destruction or loss of data.

DATA PROCESSING LOCATION

The management and storage of personal data will take place in Italy and, in any case, within the European Union.

Currently, the servers used by the Company are located within the European territory.

The data will not be transferred outside the European Union.

It is understood, however, that, if deemed necessary and/or appropriate, the Company may change the location of the servers in Italy and/or the European Union and/or non-EU countries. In this case, the Company will ensure that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, by concluding, if necessary, agreements guaranteeing an adequate level of protection, and/or by adopting the standard contractual clauses provided by the European Commission, and/or, in any case, by satisfying the conditions provided for by applicable regulations.

STORAGE PERIOD

The data collected from the Website will be used exclusively for the purposes indicated and will be kept for the time strictly necessary to carry out the Company’s activities.

The data will not be kept for a period longer than necessary to achieve the purpose for which they were processed. To determine the appropriate retention period, the Company will take into account the quantity, nature, and sensitivity of the personal data, the purposes for which they are processed, and the possibility of achieving those purposes through other means.

The data collected from the Website will, therefore, be kept for the entire duration necessary to respond to requests and, even after cessation, to manage any contractual, pre-contractual, administrative, or legal obligations connected or resulting from them, or for the time allowed by Italian law for the protection of the Company’s legitimate interests.

DATA SUBJECT RIGHTS

Data subjects have the right to obtain from the Company, in the cases provided for, access to their personal data and the rectification or erasure of such data or the restriction of processing concerning them, to object to processing, and to request data portability (see Articles 15 and onwards of the Regulation).

Data subjects may also, at any time, withdraw the consent given.

The relevant request to the Company should be submitted by contacting the Data Protection Officer at the contact details provided above.

Data subjects who believe that the processing of personal data concerning them through the Website is in violation of the Regulation have the right to lodge a complaint with the Data Protection Authority, as provided for in Article 77 of the Regulation, or to take legal action (Article 79 of the Regulation).

CHANGES AND UPDATES TO THIS PRIVACY POLICY

The Company may modify or simply update, in whole or in part, this information, also in consideration of possible changes to the regulations.

The Company commits not to limit any rights recognized previously without first obtaining the explicit consent of the data subject.

Changes and updates will be made available on the home page of the Website. The most relevant changes will be highlighted through a more conspicuous notice (e.g., if services and collected data allow, through email notification).