This page describes how to manage the website with reference to the processing of the personal data of users who consult it. This is an information that is also provided pursuant to art. 13 of Regulation 2016/679 / EU (General Data Protection Regulation – hereinafter also “GDPR”) to those who interact with web services, accessible on this website. The information is provided only for this website and not for other websites that may be consulted by the user through the links on the pages of the website itself.


I. Purpose of this deed

The purpose of this deed is to define the conditions under which the Company Neogy s.r.l., as a supplier pursuant to the contract to which this deed is attached, is appointed as external data processing manager and as such undertakes to perform for account of Cogeser Energia s.r.l. hereinafter the Data Controller, the personal data processing operations defined below.

As part of their contractual relations, the parties undertake to respect the confidentiality of the data indicated below as well as the regulations in force applicable to the processing of personal data provided for by Legislative Decree 30 June 2003, n. 196 “Code regarding the protection of personal data” and subsequent amendments and additions. and by Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 applicable from 25 May 2018 (hereinafter: GDPR).

II. Description of the treatment granted to the supplier ex. Art. 28 of the GDPR

The supplier is authorized to process, on behalf of the Data Controller, the personal data necessary to provide the services underlying the contract to which this is attached. With regard to the identification of the purpose, the category of data, as well as the categories of persons concerned, please refer to the provisions in the table below:

Personal data Customers

III. Duration of the contract

Please refer to the contract to which this deed is attached.

 IV. Obligations of the supplier towards the Data Controller

The supplier undertakes to comply with what is indicated below in the processing of data.

  1. Purpose of the treatment

The Supplier undertakes to process the data only for the purposes that are the subject of the contract of which this deed is an attachment. If the Supplier processes the acquired data for different purposes, it is considered an independent Owner and as such is liable for any violations.

  1. Data processing

The Supplier undertakes to process the data in accordance with the instructions made available by the Data Controller attached to this document.

If the Provider considers that an instruction constitutes a violation of the European Data Protection Regulation or any other provision of Union law or the legislation of the Member States relating to data protection, it shall immediately inform the Data Controller.

Furthermore, if the Supplier is required to transfer data to a third country or to an international organization pursuant to Union law or the legislation of the Member State to which it is subject, it is required to inform the Data Controller before processing, to unless the relevant law provides otherwise, as in the case of important reasons of public interest.

  1. Training of authorized personnel

The Supplier ensures that the persons authorized to process the personal data provided for in the contract:

  • undertake to comply with the legal obligations regarding the confidentiality of personal data;
  • receive adequate training on the protection of personal data.
  1. Documentation that the Supplier makes available to the Owner

The Supplier undertakes to demonstrate compliance with all its obligations under art. 28 of the GDPR and allows the performance of reviews, including inspections, carried out by the Owner or appointed third party and undertakes to contribute to the related audits. The Supplier undertakes to assist the Data Controller in assessing the risks relating to the protection of personal data processed, provided for in accordance with legislation. The Data Controller notifies the Manager in writing, with at least 14 (fourteen) days notice, of the date and the name of the persons who, on his behalf, will carry out the inspection and revision operations.

  1. Privacy by design and by default

The Supplier undertakes to take into consideration, in relation to its tools, products, applications or services, the principles of data protection from the design stage and by default

  1. Appointment of subcontractor by the Supplier

The Supplier may request another supplier (hereinafter referred to as “subcontractor”) to carry out specific data processing activities.

The Supplier informs the Owner in advance, in writing, of any changes relating to the addition or replacement of other subcontractors. This information must clearly indicate the subcontracted processing activities, the identity and contact information of the Supplier and the dates of the subcontracting. The Data Controller has a minimum term of 3 days from the date of receipt of such information to present his objections. Subcontracting can only be carried out if the Owner has not contested within the agreed term, with the Owner’s obligation to justify his opposition.

Whether in the case of general or specific authorization, the subcontractor is required to comply with the same obligations of this contract governed in a specific other way on behalf and according to the instructions of the Owner. The Supplier ensures that the subcontractor presents sufficient guarantees regarding the implementation of adequate technical and organizational measures so that the treatment meets the requirements of the law, assuming the relative responsibility.

It follows that if the Subcontractor does not comply with its data protection obligations, the Supplier remains fully responsible towards the Owner for the execution of the subcontractor’s obligations – however, without prejudice to the possibility for the Owner to take direct action against the Sub-managers, in which case the Owner keeps Neogy exempt from any liability that may derive from it.

  1. Obligation to inform the interested parties

The Data Controller is responsible for providing the information required for data protection to the persons affected by the processing activities at the time of data collection and for making the updated list of external data processing managers available to the interested parties.

  1. Exercise of people’s rights

Whenever possible, the Supplier assists the Data Controller in compliance with the obligation to fulfill the requests to exercise the rights of the interested parties.

The Supplier undertakes to communicate promptly and within 5 working days to the Data Controller the requests of the interested parties concerning the treatments governed by this deed and to collaborate with the same in the management.

  1. Notification of Personal Data Breaches

The Supplier notifies the Data Controller of any incident and violation of personal data without undue delay and within 48 hours of becoming aware of the violation by email to the address

This notification is accompanied by all relevant documentation so that the Data Controller, if necessary, informs the competent Supervisory Authority.

The notification must contain at least:

  • a description of the nature of the personal data breach including, if possible, the categories and approximate number of individuals affected by the breach and the categories and approximate number of personal data records in question;
  • the name of the data protection officer or other contact point from which further information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken by the Data Controller or the measures it intends to take to remedy the violation of personal data, including, where appropriate, measures designed to mitigate any possible negative consequences.

If, and to the extent that it is not possible to provide all this information simultaneously, the information may be disclosed at a later time, without undue delay.

It will be the responsibility of the Data Controller to immediately inform the interested party of the violation of personal data, if the violation could create a high risk for the rights and freedoms of a natural person, through a press release or other suitable instrument.

  1. Assistance of the Supplier in compliance with the obligations of the Data Controller

The Supplier assists the Data Controller in carrying out the impact assessments on data protection and, if necessary, in carrying out the prior consultation of the supervisory authority.

  1. Security measures

The Supplier undertakes to implement the technical and organizational measures appropriate to the service covered by the contract pursuant to the GDPR art. 32.

  1. Data processing measures after the termination of services

As per instructions, the Supplier undertakes to destroy all personal data processed or transfer them to the Data Controller within 45 days, except when the Supplier is required to keep the information collected in compliance with legal obligations. The return must be accompanied by the destruction of all copies in the information systems of the Supplier. In the case of the data are stored, the Supplier can indicate the reasons and criteria for data retention.

  1. Responsible for data protection

The Supplier communicates to the Data Controller the name and contact of the person appointed as data protection officer, if applicable, pursuant to Article 37 of the European Data Protection Regulation.

  1. Keeping the register of processing activities

Where applicable, the Supplier declares to keep in writing the register of data processing activities in accordance with the provisions of the law.

V. Obligations of the Owner towards the Supplier

The Data Controller undertakes to:

  1. document in writing all the instructions relating to the processing of data to be provided to the Supplier;
  2. supervise the processing of data, including the conduct of audits and inspections of the Supplier.

VI. Responsibility of the Supplier

According to the provisions of the law, if the Data Controllers and the Supplier are involved in the same treatment and are considered responsible for any damage caused to the interested parties, each party is jointly and severally liable for the entire amount of the damage, in order to guarantee the effective compensation of the interested party. If the Data Controller or the Data Processing Provider has paid the full compensation for the damage, this Data Controller or Data Processor has the right of recourse against the other party involved in the treatment for the compensation of the portion corresponding to its liability for damage, in accordance with the conditions laid down by law.

Should the Supplier carry out further processing of personal data than what is agreed in the service contract of which this deed forms part, the parties undertake to define in advance the roles pursuant to the GDPR and to eventually stipulate an additional appointment for such processing.