PERSONAL DATA PRIVACY POLICY OF ECSA ENERGY SA
Privacy policy
This policy is provided pursuant to Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (so-called “General Data Protection Regulation” or “GDPR”) and the data protection laws of the Swiss Confederation, in particular the Federal Act on Data Protection of 25 September 2020 and the Data Protection Ordinance (DPO) of 31 August 2022. It is provided by the Data Controller, i.e. the person who, individually or jointly with others, determines the purposes and methods for the processing of personal data.
The Data Controller, aware of the importance of guaranteeing the security of personal information, provides the information necessary to make the user (hereinafter “User” or “Data Subject”) aware of the characteristics and methods used to process his/her personal data.
Data Controller
Who determines the purposes and methods used to process data?
ECSA Energy SA, with registered office in CH-6828 Balerna, via Luigi Favre, 16, CHE-143.818.564, in the person of the legal representative pro tempore, in its capacity as Data Controller (hereinafter “Data Controller”).
Subject of the processing
What personal data are processed?
The personal data that may be processed are the User’s data collected when the User browses the website and when he/she uses the functions and services of the website.
In particular, the Data Controller may process:
- personal data whose transmission is connected to the use of Internet communication protocols (navigation data, such as page accesses, amount of data transferred, status message after accesses, session ID numbers, IP addresses, URL addresses, location data, display language, coordinated universal time, etc.);
- ordinary personal data (e.g. registration data, personal data, contact details, e-mail address).
Purposes
What are the purposes of data processing?
The User’s personal data, collected when the User browses the website and when he/she uses the functions and services of the website, may be processed for the following purposes:
- the purpose connected to the provision of web pages, functions and services of the website: the processing of personal data (navigation data whose transmission is linked to the use of Internet communication protocols, such as, for example, page accesses, amount of data transferred, status message after accesses, session ID numbers, IP addresses, URL addresses, display language, coordinated universal time, etc.), is required to allow the provision of web pages, website functions and services, to obtain statistical information on the use of web pages and to check the pages are functioning correctly;
- the purposes related to registration on the website: processing of personal data (registration data, personal data, contact details, e-mail address), to allow registration on the website and the provision of functions and services connected to the registration itself;
- the purpose related to responding to reports, questions or requests made by the User: the processing of the User’s personal data (personal data, contact details, e-mail address), necessary to respond to the reports, questions and/or requests made by the User;
- the purpose connected to the protection of rights and the management of website security: the processing of the User’s personal data necessary for the protection of the Data Controller’s rights, including in legal proceedings, as well as to allow the management of the website’s security;
- the purpose connected to the sending of newsletters: the processing of the User’s personal data (registration data, personal data, contact details, e-mail address), which is needed to send communications of an informative nature to people who specifically request it by subscribing to the newsletter. The User can withdraw and unsubscribe from the newsletter at any time, by notifying the Data Controller;
- the purpose related to the issue of the Fidelity Card and participation in the related loyalty programmes: the processing of the User’s personal data (registration data, personal data, contact details, e-mail address), necessary for the issue of the Fidelity Card for participation in initiatives and loyalty programmes based on the use of the Fidelity Card itself;
- the purpose connected to the sending of commercial communications to customers (soft spam): the processing of the User’s personal data (personal data, contact details, e-mail address), which is needed to e-mail promotions, discounts, etc. related to products or services previously purchased by the User. In any case, if such communications are no longer wanted, the User can object, at any time, by notifying the Data Controller, who will stop sending them. From the moment the User objects, the Data Controller will no longer be able to process the data for this purpose;
- the purpose connected to the sending of commercial communications to existing, prospective or potential customers (direct marketing): subject to the User’s consent, the processing of the User’s personal data (personal data, contact details, e-mail address), necessary for sending, by e-mail or via other automated systems (e.g. WhatsApp), advertising material and promotional communications on the Data Controller’s products or services, also based on the sectors the User has shown an interest in;
- the purpose connected to the transfer of the User’s personal data to the other companies of the ECSA Group: subject to the User’s consent, the processing of the User’s personal data (personal data, contact details, e-mail address), necessary for the communication of the same to the other ECSA Group companies, so that they can contact the User directly by sending to him/her, by e-mail or via other automated systems (e.g. WhatsApp), advertising material and promotional communications on their products or services.
Legal bases
What are the reasons that justify data processing?
The reasons that justify the processing of the User’s personal data, collected when the User browses the website and when he/she uses the functions and services of the website, are:
- the purpose connected to the provision of the web pages, functions and services of the website: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (the User’s decision to use the functions and services of the website);
- purposes related to registration on the website: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (the User’s decision to register on the website);
- the purpose related to responding to reports, questions and/or requests made by the User: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (the User’s decision to send reports, questions and/or requests to the Data Controller);
- the purpose related to the protection of rights and the management of website security: the pursuit of the legitimate interest of the Data Controller (protection of rights and management of website security);
- the purpose connected to the sending of newsletters: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (User’s decision to subscribe to the newsletter);
- the purpose related to the issue of the Fidelity Card and participation in the related loyalty programmes: the execution of a contract the User is party to or the execution of pre-contractual measures adopted at his/her request (the User’s decision to own a Fidelity Card and join the loyalty programmes);
- the purpose connected to the sending of commercial communications to customers (soft spam): the pursuit of the legitimate interest of the Data Controller (sending of commercial communications to Users who are already customers);
- the purpose connected to the sending of commercial communications to existing, prospective or potential customers (direct marketing): the express consent of the User. Consent can always be withdrawn; from the moment consent is withdrawn, the Data Controller will no longer be able to process the data for this purpose;
- the purpose connected to the transfer of the User’s personal data to the other companies of the ECSA Group: the express consent of the User. Consent can always be withdrawn; from the moment consent is withdrawn, the Data Controller will no longer be able to process the data for this purpose.
Provision of the personal data
What is the nature of the provision of data?
The provision of the personal data that are processed is:
- for the purpose connected to the provision of the web pages, of the functions and services of the website: it is necessary to allow the provision of the web pages and the website functions and services. Personal data are acquired automatically while the User browses the web, through the computer systems and software procedures used to operate the website;
- for purposes related to registration on the website: necessary to allow registration on the website and the provision of functions and services connected to the registration itself; failure to provide data, therefore, makes it impossible for the User to register on the website and use the features and services connected to the registration itself;
- for the purpose related to responding to reports, questions and/or requests made by the User: necessary to allow a response to reports, questions and/or requests from the User; failure to provide data, therefore, makes it impossible for the User to receive answers to reports, questions and/or requests sent to the Data Controller;
- for the purpose related to the protection of rights and the management of website security: due to the exercise of the Data Controller’s legitimate interest to protect their rights, including during legal proceedings, as well as to be able to manage the security of the website;
- for the purpose connected to the sending of newsletters: necessary to allow the sending of communications of an informative nature to subjects who expressly request them by subscribing to the newsletter; failure to provide data, therefore, makes it impossible for the User to subscribe to the newsletter. The User can withdraw and unsubscribe from the newsletter at any time by notifying the Data Controller, who will interrupt the activity;
- for the purpose related to the issue of the Fidelity Card and participation in the related loyalty programmes: necessary for the issue of the Fidelity Card and to allow participation in the related loyalty programmes; failure to provide the data, therefore, makes it impossible for the User to own the Fidelity Card itself and to participate in the related loyalty programmes;
- for the purpose connected to the sending of commercial communications to customers (soft spam): due to the exercise of a legitimate interest of the Data Controller to be able to send commercial communications to Users who are existing customers. In any case, Users who no longer wish to receive such communications can object, at any time, by notifying the Data Controller, who will interrupt the activity;
- for the purpose connected to the sending of commercial communications to existing, prospective or potential customers (direct marketing): optional; failure to provide data will make it impossible for the Data Controller to send, via e-mail or other automated systems, advertising material and promotional communications on the Data Controller’s products or services, also based on the sectors the User has shown an interest in;
- for the purpose connected to the transfer of the User’s personal data to the other companies of the ECSA Group: optional; failure to provide (or withdrawal of previously given consent) will make it impossible for the Data Controller to communicate the data to the ECSA Group companies. Without the data, these companies therefore will not be able to contact the User directly and will be unable to send, via e-mail or other automated systems (e.g. WhatsApp), advertising material and promotional communications on their products or services.
Storage period
How long are the data kept for?
The User’s personal data will be stored:
- for the purpose connected to the provision of the functions and services of the website: the User’s personal data will be stored, in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are kept for a few days (unless specific requests from the public authority require data to be stored for longer);
- for purposes related to registration on the website: the User’s personal data will be stored, in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are kept for as long as the User is a registered user of the website;
- for the purpose related to responding to reports, questions and/or requests made by the User: the User’s personal data will be kept, in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are stored, depending on the subject and type of messages, for the time necessary to respond to reports, questions and/or requests made by the User and in any case no more than 10 years from the time of collection;
- for purposes related to the protection of rights and the management of website security: in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are stored for no more than 10 years from the time of collection;
- for the purpose connected to the sending of newsletters: in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are kept for as long as the User is subscribed to the newsletter;
- for the purposes related to the issue of the Fidelity Card and participation in the related loyalty programmes: in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose. As a rule, personal data are kept for as long as the User holds the Fidelity Card and participates in the related loyalty programmes;
- for the purpose connected to the sending of commercial communications to customers (soft spam): in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose and in any case no longer than 24 months from the time of collection;
- for the purpose connected to the sending of commercial communications to existing, prospective or potential customers (direct marketing): until consent is withdrawn or in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose and in any case no longer than 24 months from the time of collection;
- for the purpose connected to the transfer of the User’s personal data to the other companies of the ECSA Group: until consent is withdrawn or in compliance with the provisions of the law, for a period not exceeding that necessary for the pursuit of this purpose and in any case no longer than 24 months from the time of collection.
Methods of data processing
How are the data processed?
The processing of personal data will be carried out with the use of electronic tools.
The processing of personal data will be based on the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and will be carried out with computerised procedures (and residually through manual or paper tools), suitable for guaranteeing data security and confidentiality, also through the use of suitable procedures that avoid the risk of destruction, loss, modification, unauthorised disclosure, unauthorised access to transmitted, stored or, in any case, processed personal data.
Access, communication and dissemination
Who can access and process the data?
Personal data may be made accessible to workers or collaborators, who have been expressly trained and authorised to process data and who work for or under the direct authority of the Data Controller.
Personal data may also be processed by third parties that, on behalf of the Data Controller, carry out outsourced activities and have proven they have adopted technical and organisational measures that can guarantee data security.
These third parties, expressly designated as processors of personal data, will be provided with adequate operating instructions.
These subjects are essentially included in the following categories:
- companies that offer management and maintenance services for IT systems and websites;
- companies that offer support for market studies;
- companies that perform management and maintenance services for the database of the Joint Controllers;
- companies that offer e-mailing services;
- companies that offer services for the management of the marketing automation platform;
- companies that provide organisational support and event reception services.
The processed personal data cannot be communicated to other specific subjects, with the exception of the cases provided for by current legislation, such as, for example, communication to the Authorities and control and supervisory bodies and, in general, communication to third parties, including private individuals, who can legitimately request and receive data, or to Public Authorities who expressly request data from the Data Controller for administrative or institutional purposes.
Furthermore, personal data may be communicated to other specific subjects if the User explicitly consents to transmission.
The processed data cannot be disclosed to indeterminate subjects.
Transfer of data
Where are personal data stored?
Personal data will be stored within the Swiss Confederation and the European Economic Area (EEA).
Any transfer to third countries that do not belong to the European Economic Area can only take place if those countries guarantee an adequate level of protection of personal data, using methods that comply with European and Swiss legislation on the protection of personal data.
Rights of the data subjects
What are the rights of the data subject?
The User has the right to:
- obtain confirmation from the Data Controller as to whether or not personal data concerning him/her are being processed and, in this case, have access to personal data and other related information, also receiving a copy (right of access);
- obtain from the Data Controller the rectification of inaccurate personal data and/or the integration of incomplete personal data concerning him/her (right to rectification);
- in the foreseen cases, obtain the cancellation of personal data from the Data Controller (right to erasure);
- in the foreseen cases, obtain from the Data Controller the restriction of the processing of all or part of the personal data processed by the Data Controller (right to the restriction of processing);
- in the event that the processing is based on consent or on the execution of a contract the User is party to and is carried out in an automated way, request and receive from the Data Controller, in a commonly used electronic format, the personal data that concern him/her, as well as, if technically feasible, the transmission to another Data Controller (right to data portability);
- withdraw, at any time, any consent given in relation to the processing of personal data (right to withdraw consent);
- in the foreseen cases, object, in whole or in part, to the processing of personal data (right to object);
- in the foreseen cases, not to be subjected to a decision based solely on automated processing.
If the User believes that the data processing is in violation of European and Swiss legislation on the protection of personal data, he/she has the right to lodge a complaint with the competent Supervisory Authority or, in the cases provided for, to appeal to the appropriate judicial offices.
Exercise of rights
How can the data subject exercise his/her rights?
The User may exercise his/her rights at any time by contacting the Controller:
ECSA Energy SA,
via Luigi Favre, 16
CH-6828 Balerna (Switzerland)
e-mail: privacy@ecsa.ch
Data Protection Officer
How can the Data Protection Consultant be contacted?
The User may exercise his/her rights at any time by contacting the Data Protection Consultant or the Data Protection Officer (DPO) by writing to this e-mail address: studiobarbieri@mywaysec.com