This Privacy Policy, issued according to article 13 of the General European Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”), aims to describe how the personal data of web site users are processed and to inform the data subject about cookies.

EPS Elvi Energy S.r.l. (hereinafter “EPS”), subject to the direction and coordination of ENGIE EPS S.A., with registered office in Milan, Via Privata Anton Francesco Grazzini, 14 – 20158, is the Data Controller of the users' personal data gathered during browsing activity on the site www.engie-eps.com.

The protection of personal data is very important for EPS. You can contact the Ethics & Compliance Office by writing to the following email address: “privacy@engie-eps.com”.

PERSONAL DATA PROCESSED

a) Personal Data voluntarily provided by the user
If the user prefers to receive news about the company, EPS has to process the identification and contact details (e-mail) of the data subject.

b) Cookie
This web site uses cookies sent by the web server (in this case, by this web site) to the user's browser, where the cookie is automatically stored on the personal computer, tablet, smartphone, etc., and automatically re-sent to the server each time the same website is visited again.

c) Browsing Data
The information systems and software procedures used to operate this web site process, during the connection, some data involved in the internet communication protocol.

PURPOSES OF THE DATA PROCESSING

a) Personal Data voluntarily provided by the user
The personal data provided by the user (in the investors sections) are processed to meet the needs of the user (being kept updated on EPS news or products, services).

b) Cookie
Through some cookies (see the dedicated cookie section below) the user's personal data could be processed for advertising and profiling purposes. With the user's consent, the personal data could be processed for marketing, sales activities, study and marketing research, including marketing and teleselling, sending of advertising material, statistical analysis for marketing purposes, and surveys about customer satisfaction.

c) Browsing data
These personal data are not collected in order to link the information to the user. This information is processed in order to gather statistical and anonymous information about web site navigation and to check that the site operates correctly.

THE PROVISION AND REFUSAL OF PERSONAL DATA

The provision of personal data by the user is a merely voluntary action and, depending on the situation (such as the investor form), is a necessary condition to use some services related to the web site.

Each refusal to provide personal data could not cause the lack of use of web site services.
Opting out of marketing and profiling cookies does not produce any effect on the use of the web site.

HOW TO PROCESS THE PERSONAL DATA

The data processing is carried out with information systems and with organizational and logical methods strictly related to the indicated purposes, and all technical and procedural security measures are implemented to ensure the confidentiality, integrity, availability and resilience of data processing, in compliance with article 32 of the GDPR.

The personal data could be transferred abroad, including outside the EU, in compliance with the applicable law.

COMMUNICATION OF PERSONAL DATA

The Data Controller could authorize internal or external parties to perform the data processing. The internal parties are “people in charge of data processing” involved in the business organization, such as administrative, commercial and marketing staff, legal department, system administrators, etc., while external parties act as “data processors” and must be appointed as such by the Data Controller. The Data Processor could be transferred the personal data to:

- technical service suppliers
- postal carriers
- hosting providers
- information technology companies
- communication agencies
- ……

DATA SUBJECTS RIGHTS

The Data Controller shall enable data subjects to exercise the following privacy rights:

- confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data, as required by article 15 of the GDPR (Right of access);
- rectification of inaccurate personal data concerning him or her, or completion of his or her incomplete personal data (Right to rectification);
- erasure of personal data concerning him or her, in accordance with the reasons described in article 17 of the GDPR (Right to be forgotten);
- restriction of processing, when one or more of the cases provided by article 18 of the GDPR apply (Right to restriction);
- receipt of the personal data concerning him or her in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller (Right to data portability).

Moreover, the user has the right to opt out of consent to data processing at any time, without prejudice to the lawfulness of the processing based on the consent given before the opt-out.
To exercise your rights, you can send an email with the subject “PRIVACY” to “privacy@engie-eps.com”.

The data subject can lodge a complaint with the Privacy Authority when he or she believes the data processing is carried out in violation of the Regulation. Further information is available on the website www.garanteprivacy.it.

COOKIE

Cookies are small text strings sent by the web server to the user's browser, where the cookie is automatically stored and automatically re-sent to the server each time the same website is visited again.
The cookies can be first-party cookies provided by EPS or third-party cookies. Cookies make it possible to recognise the user's device and browse the web, recording the user's preferences and improving the user experience. The cookies aim to send customized advertising to the user.

COOKIE TYPOLOGY

Technical Cookies
Technical cookies are strictly necessary for service provisioning and are set automatically once the website is visited:

- Cookies allow the web to be browsed correctly. For example, the user can stay connected, so that the web site does not have to connect several times to access the next pages;
- Cookies allow the user's preferences to be recorded during browsing; for example, they allow the language to be set;
- Cookies help to understand, through the anonymous and aggregate data gathered, how the user browses the web site, providing information about visited sections, time spent on the web site or any malfunctions.

Analytical Cookie
Analytical cookies are used to collect information about website usage. The website will use this information for anonymous statistical analysis in order to improve the use of the website and make its content more interesting and relevant. This type of cookie gathers anonymous information about user activities and how the user arrived on the website.

Third party cookies
Third party cookies are used in order to gather anonymous information about the user's use of the website, such as pages visited, time spent, traffic source, geographical location, age, gender and interests.

Cookies to integrate products and functions of third-party software

This type of cookie incorporates features developed by third parties within the pages of the site, such as icons or preferences expressed on social networks in order to share web site content or to use third party software services (e.g. map generating software and software offering other services). These cookies are sent by third party domains and partner sites that offer their functionality within the pages of the site.

Profiling cookies
Profiling cookies are used to create a user profile in order to send the user advertising messages customized to the needs the user has shown while using the web site.

UPDATED JULY 2019