Privacy disclosure for candidates for the position of Director and Statutory Auditor

FOR CANDIDATES FOR THE POSITION OF DIRECTOR AND STATUTORY AUDITOR OF ENI SPA

Privacy disclosure under the terms of Regulation (EU) 2016/679 ("GDPR")

Under the terms of Regulation (EU) 2016/679 ("GDPR"), Eni S.p.A. (the "Company" or the "Data Controller") submits to you below the disclosure regarding the processing by the Company of your personal data ("Personal Data") - provided by you directly or by the shareholders of Eni S.p.A. - in relation to the candidature presented for the position of Director or Statutory Auditor of the Company.

  1. Data Controller
    The Data Controller is Eni S.p.A., with registered office in Rome, Piazzale Enrico Mattei, 1, 00144.
  2. Data protection officer
    The Company has designated a Data Protection Officer, who can be contacted at the following email address: dpo@eni.com.
  3. Data processed
    The Personal Data to be processed are:
    • personal data and contact details (for example name, surname, date and place of birth, tax code, address of residence, telephone, e-mail, identity document);
    • personal data necessary for managing the candidature for the position of member of the Board of Directors and the Board of Statutory Auditors of the Company itself (for example, curriculum vitae).
  4. Purposes and legal basis of the processing
    1. Legal obligations related to the procedure for appointment to the position of Director and Statutory Auditor of Eni S.p.A
      The Personal Data will be processed:
      • to fulfil the legal obligations connected with the appointment procedure (for example, check on reasons for ineligibility, incompatibility and forfeiture provided for in the current legislation);
      • following a request by the competent administrative or judicial authority;
      • in all cases in which such processing is required by other applicable legal provisions.

      The Personal Data processing for the aforesaid purposes is based on (i) the legislation applicable in relation to the appointment procedure; (ii) the requests by the Public Authority; (iii) recommendations of the Corporate Governance Code that the Company has adopted, and codes or procedures approved by Authorities and other competent Institutions.

      This processing is necessary for the purposes of correct participation and execution of the appointment procedure.

    2. Legitimate Interest
      The Personal Data will be processed on the basis of the legitimate interest of the data controller to:
      • identify the candidates;
      • analyse the existence of the necessary requisites for conferment of a position;
      • enable the Company to perform the activities necessary for managing the candidature for the position of member of the Board of Directors and the Board of Statutory Auditors of the Company itself, including publication on the company's website;
      • ascertain, exercise or defend a right of the Data Controller or of other companies within the perimeter of control of the Company in court.
  5. Recipients of the personal data and data processing method
    To pursue the purposes indicated in point 4), the Data Controller may communicate the Personal Data to other subjects, such as those belonging to the following subjects or categories of subjects:
    • police forces, armed forces and other public administrations, to fulfil the obligations provided for by laws, regulations or community legislation. In these cases, on the basis of the legislation applicable on the subject of data protection the obligation to acquire advance consent of the data subject to the said communications is excluded;
    • companies, entities or associations, or parent companies, subsidiaries or associated companies under the terms of article 2359 of the Italian Civil Code, or between these and companies subject to joint control, and between consortia, networks of companies and groups and temporary associations of companies and with the subjects belonging to them, limited to communications made for administrative and/or accounting purposes.

The Data Controller guarantees to take the best care possible so that only the Personal Data necessary to achieve these specific purposes are communicated to the aforesaid parties. With reference to the Personal Data communicated to them, the recipients belonging to the categories indicated above may operate, as the case may be, as data processors (and in this case they will receive appropriate instructions from the Data Controller) or as autonomous data controllers.

The Personal Data will be processed also with electronic instruments exclusively by personnel authorised and instructed on the methods and purposes of the processing.

Finally, we can note that the Personal Data will not be distributed.

  6. Transfer of the Personal Data out of the EU
    If it is instrumental to pursuance of the purposes indicated in point 4, the Personal Data may be transferred abroad to companies with headquarters outside of the European Economic Space ("EES"), also through entry in shared databases managed by third parties that do not come within the Company's perimeter of control. The management of the database and the processing of such data are tied to the purposes for which they were collected and occur with maximum observance of the confidentiality and security standards pursuant to the applicable laws on personal data protection.
    Every time that your Personal Data is transferred out of the territory of the EES and, in particular, to States that do not benefit from an adequacy decision of the European Commission, the transfer will be made exclusively (i) after you have signed the standard contractual clauses adopted by the European Commission and after the adoption of all further technical and organisational measures capable of guaranteeing an adequate level of Personal Data protection and, in any case, one at least equivalent to that guaranteed within the EES, or (ii) in the presence of one of the conditions pursuant to art. 49 GDPR.
  7. Data storage time
    The Personal Data will not be maintained for any more time than is necessary for the purposes for which they were collected or subsequently processed, in line with what is set forth by legal obligations.
  8. Rights of the data subject
    As a Data Subject, you have the following rights over the Personal Data collected and processed by the Data Controller for the purposes indicated in point 4.
    1. Right to access

This consists of the right to obtain from the Data Controller confirmation as to whether or not Personal Data are being processed, and, where that is the case, access to the Personal Data and to the following information: (i) the purposes of the processing; (ii) the categories of Personal Data in question; (iii) the recipients or the categories of recipients to whom or which the Personal Data have been or will be communicated, in particular if recipients of third countries or international organisations; (iv) when possible, the period of storage of the Personal Data provided for or, if not possible, the criteria used to determine this period; (v) the right to lodge a complaint with a supervisory authority; (vi) if the Data have not been collected from you, all the information available on their origin; (vii) the existence of an automated decision-making process, including profiling, and information on the logic used and the expected consequences of this processing.

    2. Right to rectification

This consists of the right to obtain the rectification of inexact Personal Data and, taking into account the purposes of the processing, the right to obtain additions to incomplete Personal Data, also providing a supplementary declaration.

    3. Right to erasure

This consists of the right to obtain the erasure of the Personal Data if one of the following reasons exists: (i) the Personal Data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; (ii) the Personal Data are being processed illicitly; (iii) you have withdrawn your consent, if provided for, on the basis of which the Data Controller had the right to process your Data and there is no other legal foundation that enables the Data Controller to perform the processing activity; (iv) you have objected to the processing activity and there is no prevailing legitimate reason; (v) the Personal Data must be erased to fulfil a legal obligation. The Company has however the right to deny the exercise of the aforesaid rights to erasure if this is necessary to fulfil a prevailing legal obligation or to defend a right it has in court.

    4. Right to data portability

This consists of the right to receive in a structured format, in common use and legible, the Personal Data provided to the Company and processed by it, if necessary on the basis of the consent or of a contract with you, and the right to transmit these Data to another data controller without impediments.

    5. Right to restriction of processing

This consists of the right to obtain from the Company the restriction of processing where one of the following applies: (i) if you have challenged the correctness of the Personal Data for the period necessary for the Data Controller to check the correctness of these Personal Data; (ii) in the case of illicit processing of the Personal Data, if you object to their erasure; (iii) also if the Personal Data are not necessary for the purposes of the processing, if there is a need for them to be processed for the ascertainment, exercise or defence of a right in court; (iv) for the period necessary to check any prevalence of legitimate reasons of the Data Controller with respect to your request objecting to the processing.

    6. Right to object

This consists of the right to object, for reasons connected with your particular situation, to the processing of the Personal Data carried out on the basis of the legitimate interest of the Data Controller.

You can exercise the rights listed above by writing to the data protection officer at the e-mail address dpo@eni.com. Without prejudice to any other administrative or judicial application, you are also guaranteed the right to lodge a complaint with the competent supervisory authority (for Italy: the Italian Data Protection Authority) if you believe that there has been a breach of your rights on the subject of Personal Data protection. Further information is available on the website http://www.garanteprivacy.it.

Eni SpA

Registered office in Rome, Piazzale Enrico Mattei, 1

Share capital: euro 4.005.358.876 fully paid up

Rome Companies Register, tax code 00484960588

VAT number 00905811006

Branch offices:

San Donato Milanese (MI) - Via Emilia, 1

San Donato Milanese (MI) - Piazza Ezio Vanoni, 1


Disclaimer

Eni S.p.A. published this content on 12 April 2023 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 April 2023 16:19:05 UTC.