Dear Sir/Madam,
Geoside S.p.A. (hereinafter, for brevity, the "Data Controller" or "Company"), as data controller, wishes to inform you, pursuant to Article 13 of the European Regulation 2016/679 on the protection of personal data (the "Regulation") and national legislation, including individual provisions of the Supervisory Authority (Italian Data Protection Authority), where applicable, that your personal data will be processed in compliance with current legislative and contractual provisions for the purposes and in the manner indicated below.
This privacy policy is provided to customers and customer representatives, including their employees, collaborators and agents; it is specified that the data of customer representatives are processed in order to interact, through them, with customers.
A) Types of personal data
The Company mainly processes the following categories of personal data, concerning the customer (if a natural person) or the customer representative:
With reference to the customer (if a natural person), the Company also processes:
B) Purposes of processing
Your personal data are collected and processed for the following purposes:
a) the presentation of offers, negotiation, conclusion and execution of:
b) the provision of services offered by the Company directly or through third-party companies;
c) the fulfillment of all administrative and accounting formalities;
d) managing requests for information, complaints and disputes relating to the provision of services by the Company (e.g. services and works for energy requalification of the property, energy saving services and for the use of renewable energy, including what is necessary to obtain tax benefits/contributions, energy supply, home automation services, production of reports relating to consumption and environmental data, other services provided by the Company);
e) audit activities and data analysis for the improvement of processes and services;
f) to allow you, after registration on the MyGeoside internet portal and verification of your identity, to consult information relating to the services provided by the Company and the active user account on the portal; for the request of services, the management of all activities inherent and/or consequent to it and the provision of services in digital mode;
g) sending SMS (Short Message Service) to confirm appointments or services, or to access digital service delivery methods;
h) control activities aimed at protecting against credit risk and fraud related to the services provided, including activities aimed at identifying the customer's economic reliability and solvency, before or during the contractual relationship. To activate and keep services active, some personal data from public archives or registers relating to any protests, registrations or prejudicial transcriptions (such as seizures, insolvency proceedings, attachments, mortgages, judicial claims) and survey and financial statement data are used;
i) for the protection of credit interests, the Company may use information relating to the status and timeliness of payments relating to products or services also provided in the past;
j) the assignment of credit rights towards customers, arising from the supply of products and services provided by the Company;
k) to ascertain, exercise or defend a right in judicial or administrative proceedings or in the context of arbitration or conciliation procedures;
l) for the recording of emergency intervention request calls;
m) sending advertising material, conducting market research, direct sales, including by telephone, carrying out commercial promotion activities for the services provided by the Company, directly or through third-party companies, specifically appointed as data processors;
n) sending communications via email for the purpose of direct sales of products or services similar to those you have already purchased (so-called soft spam), subject to any objection you may exercise at any time, according to the methods indicated in each communication or in point 5 of this privacy policy.
C) Legal basis for processing
The processing of personal data is necessary:
Personal data will be processed by authorized persons of the Company and/or by Processors that the Data Controller may use, as indicated in paragraph 4) of this privacy policy, to store, manage and transmit the data by paper, electronic and telematic means, in accordance with the principles of law and protecting the confidentiality of the data subject and their rights through the adoption of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The provision of your personal data is mandatory for the purposes referred to in point 1) B, letters a) to l) for the establishment and execution of the contractual relationship, as well as for related administrative, accounting and tax obligations and for the management of any complaints, and any failure to provide data may prejudice the provision of the requested services. The provision of your personal data is optional for the purpose referred to in point 1) B letter m) and failure to provide data means that the Company will be unable to carry out commercial promotion activities. We remind you that consent may be revoked at any time and the revocation does not affect the lawfulness of processing based on consent before the revocation.
Your data will be retained for the period necessary to comply with legal obligations in accordance with the principles of proportionality and necessity.
The data retention period depends on the purposes for which they are processed and therefore may vary. The criteria used to determine the applicable retention period are as follows: the retention of personal data subject to this privacy policy will be for the time necessary (i) to manage the contractual relationship; (ii) to manage complaints or specific requests; (iii) to assert rights in court; (iv) for the time provided by applicable legal provisions; and (v) for the time you remain a representative of the Company's customer company (unless one of the cases referred to in the previous points applies).
Personal data and energy consumption data will in any case be automatically deleted 10 years after the termination of the contractual relationship, within the terms for exercising contractual actions under the civil code, and in any case for the time necessary to exercise rights.
Data collected in the context of home automation services and consumption reports will be deleted within 6 months following the termination of the contractual relationship.
For the purposes referred to in point 1) B letter m) of this privacy policy, the retention period for your personal data will be 24 months, unless your consent is revoked before the expiry of this period. At the end of this period, your personal data will be deleted.
Your data may be communicated to:
a) companies of the Italgas Group, or parent, subsidiary and affiliated companies of the Company, for administrative-accounting purposes of management and control and for the provision of IT services and the management of the Company's technological infrastructure;
b) parties contractually linked to the Company, such as banks and credit institutions, insurance companies and intermediaries, legal consultants, tax consultants and accountants, debt collection companies, companies that detect financial risks and carry out fraud prevention activities; parties that perform technical/operational or organizational tasks on behalf of the Company; that provide data acquisition, data entry, archiving and processing services necessary for the use of services offered to customers; that provide services for the management of the Company's technological infrastructure; that carry out transmission, enveloping, transport and sorting of communications to the customer; that carry out customer assistance activities; that carry out control, audit and certification of activities performed by the Company, also in the interest of its customers; banks and credit card companies; other operators in the energy sector for the management of related relationships; firms and companies in the context of assistance and consultancy relationships, including legal;
c) public bodies for the fulfillment of obligations required by law;
d) public authorities and supervisory and control bodies, when this is necessary for the granting of subsidies, contributions, grants and benefits of any kind, connected with the supply of products and/or provision of services, or when required by specific regulatory and authorization provisions;
e) external companies, including foreign ones, operating in the sector of granting financing, including payment deferrals, when permitted by current legislation, for the purpose of preventing and controlling insolvency risk and credit protection;
f) external companies, including foreign ones, operating in the sector of providing services for the analysis and processing of consumption data, environmental data and digital consumption monitoring services.
The parties belonging to the categories listed above will process the data as independent data controllers or data processors or authorized persons for processing, specifically designated by the Company, to whom the Company will provide adequate operational instructions, aimed at adopting adequate security measures, in order to guarantee the confidentiality, security and integrity of the data.
The data provided will not be transferred to third parties and will not be disclosed in any way. The data may be cross-referenced, for updating and analysis purposes, with other data lawfully held by the Company.
The data will be processed within the European Union and stored on servers located within the European Union.
Within the limits provided by the Regulation and Article 2-undecies of the Privacy Code, the data subject (i.e., the customer, if a natural person, or the representative of the customer company) may exercise, in relation to the processing of personal data described herein, the rights provided by the Regulation (Articles 15-21 and 77), including:
To exercise these rights, you may contact the Data Protection Officer (hereinafter the "Data Protection Officer" or, briefly, "DPO") by sending an email to DPO.GDPR@italgas.it.
The Data Controller for personal data is Geoside S.p.A., with registered office in Casalecchio di Reno (BO), via Ettore Cristoni 88.
The updated list of any data processors is available at the Data Controller's headquarters.
The Italgas Group has appointed a Data Protection Officer who can be contacted at the email address indicated in point 5, or by regular mail at the Company's headquarters.
Date of last update of this privacy policy: January 2026