Management Systems

The trend in the competition situation on the markets where the Acea Group operates requires growing attention to the matter of compliance with antitrust law and the regulations concerning consumer protection.

Acea believes that competition and consumer protection is a core value for company business activities and pursues its objectives in obersvance of the rules regulating the market. Consistent with the principles set out in the Code of Ethics, the Group specifically abstains from collusive and abusive practices and, more generally speaking, from any practice that might impede the correct functioning of market mechanisms and imply detriment to consumers.
Acea has, therefore, adopted a specific "Antitrust Compliance Programme", with a view to both enhancing internal controls intended to ensure compliance with market and consumer protection legislation and to promoting the development of a corporate culture, oriented towards respect for free market values and fair competition.
In this connection, on 13 December 2018 the Acea Spa Board of Directors approved:

• the "Manual of Compliance with Antitrust and Consumer Protection Legislation, setting out the main points of the legislation and providing a series of behavioural rules, with which all Acea staff are obliged to comply when carrying out their work;
  
• the "Organisational Regulation on Antitrust Compliance and Unlawful Commercial Practices" which defines the corporate organisation for the purpose of effectively implementing the Compliance Programme.
  

The Compliance Programme, implemented in every Group company under the responsibility of the Company Antitrust Liaison Officer, provides for a series of activities, including:

• mapping and identification of the areas of activity, structures and corporate processes potentially exposed to Antitrust risks
  
• risk identification and assessment
  
• definition of the process management systems at greatest antitrust risk
  
• staff training and refresher sessions
  
• constant monitoring and periodic updating of the programme.
  

Each Company’s Antitrust Contact Person receives specific training and support from the Holding Company Contact Person.

Following the entry into force of European personal data protection Regulation 679/2016 ("GDPR") on 25 May 2018 and the Italian transposition legislation (Legislative Decree no.101/2018 amending Legislative Decree no.196/03) subsequently introduced only in September 2018, Acea launched an adjustment programme to identify - giving priority to core processes -  the activities to be undertaken to achieve the highest possible level of compliance and, for the same purpose, to give the company a Privacy Governance Model, that is consistent, integrable with and functional to the existing internal control system.

A Data Protection Officer (DPO) was appointed at Group level, supported by an ad hoc structure (DPO Office), contactable at the following address: privacy@aceapsa.it. Some "privacy control units" were also identified to act as internal reference and liaison points with the DPO Office.

The adjustment programme launched, and currently being improved on, integrated numerous initiatives and activities, including:  

• the mapping of corporate processes
  
• drafting of the Register of processing operations
• definition of an analysis and assessment model for risks connected with the processing operations mapped in the register, as basis for the methodology and implementation of DPIAs (Data Protection Impact Assessments) as regards processing operations that pose a high risk for the rights and freedom of individuals
• the dissemination of instructions for the processing of managed personal data to the Process Owners and authorised persons
  
• the implementation of standardised procedures for handling data subjects' requests
  
• identification of the responsibilities and issuing of the operational procedures/instructions for the management of Data Breaches, if any
  
• the definition of tools and procedures for the correct handling of relations with third parties and the related roles, formalities and responsibilities
• the definition, at central level, of an extensive library of applicable Technical and Organisational Safety Measures – in various combinations – for all personal data handling procedures carried out within the Company and the group
• guidance and support activities for the full implementation of principles of data protection by design and by default
• staff awareness and training activities
• the revision and updating of legal and information documentation to data protection standards, handling of personal data processing consents
• the approval of a guidance (Guidelines /policies) and operating (instructions) procedural corpus to be available for use by the entire company

In 2020, the Model was tested, reviewed and enhanced with methodological analysis and risk assessment tools and its roll out in the subsidiaries accompanied. The processes considered potentially high risk for the rights and freedom of individuals were subjected to Data Protection Impact Assessment. Moreover, the procedure in terms of analysis, definition and monitoring of the conditions for entrusting to third parties activities which also involve personal data processing is increasingly thorough.

For the sustainability of its operations, Acea acknowledges the fundamental nature of the following values:

• the promotion of a quality culture
  
• respect for the environment and safeguarding of ecosystems
  
• the valorisation of people
  
• safety in the workplace
  
• infection control and prevention
• efficient resource management
  
• risk assessment
  
• responsible management of its economic, social and environmental impacts
  
• dialogue with the parties involved
  
• promotion of sustainability in the value chain.
  

For this reason, in November 2020 Acea senior management approved the new Management Systems and Sustainability Policy, which sets out the principles, values and commitments undertaken by the company, including them as part of the framework for the pursuance of sustainable development. This policy is an integral part of the Management Systems compliant with ISO 9001, ISO 14001, ISO 45001 and ISO 50001 standards. In October 2020, the Chief Executive Officer approved the new infection control and prevention policy following the decision to obtain certification for the infection prevention management system (Biosafety Trust Certification).

In order to ensure that the management systems always reflect changes in the internal and external context, Acea analyses the situation and expectations of its stakeholders.

Management of quality, environment, safety and energy are central aspects of our corporate policies, as shown by the number of Group companies that have implemented certified integrated management systems.