Snam considers the privacy protection of employees and all stakeholders to be of fundamental importance in order to operate in a transparent way, consistent with its ethical values. In order to ensure proper management of this issue by the entire Group, Snam has adopted a specific Guideline, which contains the following main points.
On 8 May 2018, the Snam Board of Directors approved the Privacy Guidelines, a document containing the principles governing the proper management of privacy and the internal rules relating to the processing of personal data.
The Guideline specifies the actions to be implemented in accordance with national and EU legislation on the processing and protection of personal data, with the provisions of the Data Protection Authority and with the guidance of the relevant case law and literature, so that personal data are processed in a manner consistent with the rights and fundamental freedoms of natural persons and, in particular, with the right to the protection of personal data.
The Guideline applies to Snam and to its subsidiaries subject to management and coordination activities and is also brought to the attention of other investee companies in order to promote principles and conduct consistent with those expressed by Snam.
The privacy management system in Snam
Snam has drawn up its own Privacy Compliance Programme, in order to: define the obligations to be implemented regarding the protection of personal data at corporate level; instruct all Snam employees to ensure that personal data are processed in compliance with the fundamental rights and freedoms of natural persons and, in particular, the right to protection of personal data; assess, based on regulatory requirements, the roles and related responsibilities at corporate level.
Snam carries out risk assessment activities periodically, or whenever there are organisational changes, in order to identify and manage the most significant risks in relation to the processing of personal data.
In accordance with the principles of privacy by design and by default, a Data Protection Impact Assessment (DPIA) is carried out for each new project or initiative that involves the processing of personal data, in order to assess whether the measures built into the design are consistent with the Privacy Compliance Programme and with the rights of the data subjects.
The data protection management system is kept constantly up-to-date, also through the implementation of organisational and technical measures for the protection of personal data processed, as well as through the adoption and review of corporate documentation relevant to privacy.
The Privacy Compliance Programme is part of the broader model of Integrated Risk Assurance & Compliance, which allows the integration of second-level compliance models in a process of sharing strategies and responses to non-compliance risks, in the broader process of corporate risk management. In this context, risk assessment activities are carried out in relation to corporate processes and monitoring of the correct application of the document "Privacy Guidelines".
Snam's Internal Control and Risk Management System also provides for a third level of control, carried out by the Internal Audit function, which gives independent and objective assurance on the adequacy and effective operation of the first and second levels of control and, more generally, on the overall risk management methods. Privacy controls are taken into account during audits of the various business processes, where relevant to the scope of the audit, as well as in specific audits of the Privacy Compliance Programme on the basis of the annual audit plan approved by the Snam Board of Directors.
The DPO reports periodically - in any event at least annually - on the activity carried out to the Compliance Officer of each company concerned.
Nature of personal data processed
Pursuant to Article 4 of the GDPR, "personal data" means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
In the course of its business, Snam, acting as Data Controller, processes the personal data of various categories of natural persons ("Data Subjects"). For example:
- candidates and employees (including non-permanent staff such as interns, project staff, secondees and management staff);
- owners of land and property over which Snam acquires easements or ownership rights;
- shareholders, directors and auditors.
Personal data are: processed in accordance with the principles of lawfulness, fairness and transparency towards the Data Subjects; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; processed in a manner that ensures appropriate security.
Data Subjects are informed, at the time their data are collected, of at least the following:
- contact details of the Data Controller and of the Data Protection Officer;
- purposes of the processing for which the data are collected and the legal basis of the processing;
- personal data retention period (or, if this is not possible, the criteria used to determine that period);
- existence of the data subject's right to request from the Data Controller access to and rectification or erasure of personal data or restriction of processing concerning him/herself, to object to the processing of personal data, and the right to data portability.
Use and protection of personal data
Personal data are processed in relation to the purposes for which they were collected.
Snam stores personal data in electronic or paper archives, taking various measures to protect them against unauthorised access and cybersecurity threats.
Snam adopts and implements over time both organisational and technical measures to protect the personal data processed, in order to strengthen corporate accountability. Technical measures taken include, for example, encryption of devices and removable storage media, an e-mail sandbox and an Information Rights Management (IRM) solution, the anonymisation of data in non-production environments, and the enforcement of access controls and password policies.
Roles and responsibilities
Within the company organisation, roles and responsibilities regarding the processing of personal data are defined, in line with the provisions of the GDPR.
- Compliance Officer: in Snam, this is the natural person who, following a Board resolution, is responsible for independently fulfilling the obligations laid down for the processing of personal data and for exercising the rights and powers that the GDPR confers on the Data Controller; the Compliance Officer also has the power to identify, within the company organisation, the persons to whom specific delegated powers are to be given.
- (Internal) processing officer: ensures and guarantees the maintenance of the control measures put in place to protect the rights of data subjects and implements, within the scope of the processes for which he/she is responsible, all appropriate technical and organisational measures for processing personal data.
- Authorised person (referred to as "data processor" in the Snam role model): each employee who processes personal data and who must be given instructions before carrying out the task. Under the GDPR this is a person acting under the authority of the Controller (Article 29), not a "processor" in the sense of Article 28.
- System administrator: this figure carries out activities of a technical nature (e.g. management of storage media, hardware maintenance, management of authentication and authorisation systems).
- Data Protection Officer: carries out the tasks provided for in Article 39 of the GDPR. Data subjects may contact the DPO for all matters relating to the processing of their personal data and the exercise of their rights under the GDPR.
- (External) processor: a person external to the company organisation who processes personal data on behalf of the Controller and on its documented instructions (Article 28 of the GDPR).
Privacy training is ensured by means of specific training courses which must be attended by employees appointed as Internal Processing Officers, System Administrators or persons authorised to process personal data.
Data retention period
Snam retains the personal data collected for a period not exceeding that which is strictly necessary for the purposes for which they were collected. This means that for each individual process, the specific factors that affect retention times are evaluated on a case-by-case basis, in accordance with the GDPR.
Register of processing activities
As required by Article 30 of the GDPR, Snam has adopted and periodically updates its Register of Processing Activities (the "Processing Register").
This tool allows more effective management of data protection within the company organisation, as it makes it possible to keep track of the processing operations carried out, to list in an orderly manner the elements relevant to the proper management of personal data, and to help assess the inherent risk associated with each processing operation.
Specifically, the Processing Register contains the following information:
- name and contact details of the Data Controller and of the DPO;
- purposes of the processing;
- description of the categories of data subjects and of the categories of personal data;
- categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country or an international organisation, together with the documentation of the appropriate safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
Data breach
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (e.g. data theft).
Snam has adopted a specific procedure to manage the eventuality of a data breach, identifying roles and responsibilities in order to guarantee compliance with the legal obligations within the timeframes set by the GDPR: where required, notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and communication to the data subjects where the breach is likely to result in a high risk to their rights and freedoms.
Following a data breach, the Compliance Officer takes all necessary corrective actions in line with the security measures in place, assessing, with the support of the relevant functions, whether the security measures need to, or should, be strengthened in order to raise the general standard of data protection.
To date, there have been no cases of data breach.
Data subjects rights
In accordance with the applicable regulations on the processing of personal data, Snam guarantees and provides tools and measures to ensure appropriate and timely feedback to the data subjects who exercise their rights under the GDPR:
- Right of access: Snam shall promptly reply to a data subject who has requested confirmation as to whether or not personal data concerning him/herself are being processed and, if so, shall grant access to such data, providing information on the processing of the data subject's personal data.
- Right of rectification: the Data Subject has the right to obtain the rectification of inaccurate personal data concerning him/herself without undue delay. Snam shall rectify inaccurate personal data or supplement incomplete personal data, including by means of a supplementary declaration provided by the data subject.
- Right to erasure (so-called right to be forgotten): Snam erases the personal data relating to the data subject in the cases provided for by applicable law (for example, where the data are no longer necessary for the purposes for which they were collected, or where the data subject withdraws the consent on which the processing was based).
- Right to restriction of processing: Snam proceeds to restrict the processing of personal data if the data subject requests it and the legal requirements are met.
- Right to data portability: Snam, in compliance with the provisions and regulations of Article 20 of the GDPR, guarantees, following an express request by the data subject: (a) the receipt by the Data Subject of personal data concerning him/herself in a structured, commonly used and machine-readable format; (b) the transmission of such data to another data controller when their processing is based on the consent of the data subject or on a contract entered into with the data subject.
Requests from Data Subjects are handled by Snam's Data Protection Officer.
20 May 2021 - 15:19 CEST