In accordance with art. 12 et seq. of Regulation (EU) No 2016/679 (“GDPR” or the “Regulation”), this notice relates to the personal data conferred by the data subject by completing the contractual proposals and/or to sign up to services also offered online through the website by completing the relevant forms or, in any case, legitimately collected by the Controller.
The data controller (“Data Controller” or “Controller”) is Dolomiti Energia Holding S.p.A., with registered office in Rovereto, at via Manzoni 24, Tax Code and VAT no. 01614640223, tel. +39 0464 456111 certified e-mail address:

Pursuant to art. 37 of the Regulation, the Data Controller has appointed a Data Protection Officer (DPO) who may be contacted for any requirements pertaining to the protection of personal data, including the exercising of the rights indicated in point 9 below, at the e-mail address, by telephone on 0461 362222, or at Via Fersina 23, Trento.

The personal data may be processed for the following purposes: processing a request or report submitted by the data subject and, therefore, for ends strictly connected to the management of relations, including those of a contractual nature, with the data subject, including administrative and accounting formalities and requirements; service communications, surveys, hydrotours, visits to the facilities, access to and use of all the site's online services, such as, for example, requests for information, complaints, chats; this also includes satisfaction of regulatory requirements (both national and EU) and the provisions issued by authorities authorised by law and by supervisory and control bodies, including the adoption of measures for the prevention and containment of COVID-19.

The following categories of data may be subject to processing: personal details; tax code and/or VAT no.; contact details; payment data, solvency, IP address.

As regards the purposes referred to in paragraph 3, there is no obligation to confer data, but failure to do so will make it impossible to satisfy the request.
The authorisation for the processing of data for the purposes described and the legal basis therefore derive from the fact that it is needed to follow up on activities resulting from the data subject's request and to satisfy any associated obligations or, during the pre-contractual phase, to implement measures and activities connected with the contracting process. The adoption of measures to combat and contain the dissemination of the COVID-19 virus satisfies the general obligation of protecting health through implementation of the anti-infection protocols.

The data are collected from the data subject, i.e. they are provided by said subject, result from the use of the product or service or, in any case, have been legitimately acquired by the Controller.
The processing will be conducted:
- through the use of manual and automated systems;
- by parties or categories of parties authorised to carry out the relevant duties;
- through the use of measures adequate to guarantee the confidentiality of the data and prevent unauthorised third parties from accessing them.
As regards the purposes to in point 3 above, without prejudice to any regulatory obligation to archive documentation, the data subject's data will be retained for the time needed to carry out the activities connected with and resulting from specific processing activities.
There are no automated decision-making processes.

The data collected and processed may be communicated, exclusively for the purposes specified above, to:
a) all parties whose right to access said data is recognised by virtue of regulatory measures;
b) employees, agents, suppliers or partners of the Controller, as part of the relevant duties and/or contractual obligations relating to the execution of the  request; the Controller's suppliers may indicate, for example, other companies from within the same group (which may be viewed at that provide activities through inter-company service agreements, banks and credit institutions, trade associations, insurance firms, legal advisors, lawyers, tax consultants and accountants, debt collection companies, businesses that detect financial risks and carry out fraud prevention activities, parties that carry out activities on behalf of Dolomiti Energia Holding S.p.A. based on collaboration agreements, etc.;
c) public administrations and supervisory and control authorities.

The activity will be carried out within the European Union and there is no intention to transfer the data outside the European Union or to an International Organisation. Personal data may be transferred to countries located outside the European Economic Area by virtue of an adequacy decision on the country from the European Commission, signing up to specific agreements or following adequate guarantees of a contractual nature including binding corporate rules and typical data protection contractual clauses.

The GDPR grants the data subject the right to exercise the following rights with reference to the personal data that concern him/her (this brief description is indicative - for a complete illustration of these rights, including the limits on them, see the Regulation, especially articles 15-22):
- access to personal data (the right to obtain, free of charge, information on the personal data held by the Controller and the associated processing, as well as to obtain a copy thereof in an accessible form);
- rectification of data (correction or completion of data – not an expression of evaluation criteria – that are incorrect or inaccurate, including if they become so through a failure to update them);
- withdrawal of consent (if the processing is conducted by virtue of consent expressed by the data subject, s/he may withdraw it at any time, without prejudice to the lawfulness of the processing conducted prior to the withdrawal)
- erasure of data (right to be forgotten) (e.g. the data are no longer necessary for the purposes for which they were collected or processed; they were processed illegally; they must be deleted to satisfy a legal obligation; in the event of withdrawal or objection to processing);
- restriction of processing (in specific cases – contesting of the accuracy of the data, within the time necessary for verification; contesting of the legality of the processing and objection to erasure; the need to use the data for the data subject's rights of defence, whereas they are no longer useful for the purposes of the processing; if there is any objection to the processing, the data will be retained while the necessary verifications are conducted, using methods that will allow them to be restored, but in the mean time, they may not be consulted by the Controller except in relation to the validity of the restriction request submitted by the data subject);
- objection to all or part of the processing (in specific circumstances, and in any case when the personal data are processed for direct marketing purposes, the data subject will be entitled to object to the processing at any time, including profiling to the extent that it is connected with such direct marketing);
- data portability (where the processing is based on consent or a contract and is carried out using automated means, the data subject may, on request, receive the personal data concerning him/her in a structured, commonly used and machine-readable format and may transmit them to another party, without hindrance from the Data Controller to which they were provided and, where technically feasible, may ensure that the transmission is carried out directly by the latter);
- lodging a complaint with the supervisory authorities (Personal data protection watchdog– Privacy Guarantor).

DEH-Ver. 02/08/21