Policy for the protection of personal data

Hera’s goal is to be the best multi-utility in Italy for its customers, workforce and shareholders. It aims to achieve this through further development of an original corporate model capable of innovation and of forging strong links with the areas in which it operates, while respecting the local environment.

HERA'S VALUES ARE:

- Integrity: we are proud to be a group of honest, loyal people.
- Transparency: we are sincere and clear in all our dealings with others.
- Personal responsibility: we are all committed to the welfare of the company.
- Consistency: we are dedicated to practising what we preach.

The group's current policy, in line with its mission and corporate values, is based on a set of values and principles which are at the heart of all its strategies and objectives:

- Commitment to protect the personal data of each individual (Protection);
- Guarantee of the privacy of the personal sphere and private life of each individual (Privacy);
- Respect for identity and personality, and for the dignity of each human being (Individuality and Dignity);
- Respect for the fundamental freedoms guaranteed by the Italian constitution (Safeguarding).

According to Hera, the fundamental principles of privacy, including the guarantee of compliance with legislation, are as follows:

- personal data are collected and processed only for predefined, explicit and legitimate purposes (Purpose of the data collection);
- the use of personal data is always kept to the minimum required to achieve the declared purposes (Necessity, Non-excessiveness and Indispensability);
- personal data are collected and processed only if useful for achieving the declared purposes (Relevance);
- personal data are processed using methods and tools proportional to the purposes to be achieved (Proportionality);
- personal data collected and processed are always duly checked to make sure that they are correct and reliable (Accuracy and Completeness);
- personal data collected and processed are always updated periodically (Updating);
- personal data collected are always stored for a period of time that is limited to the achievement of the declared purposes (Storage);
- personal data are always collected and processed following the adoption of suitable security measures (Security);
- personal data may not be processed for purposes other than those declared at the collection stage or which infringe the regulations on personal data protection (Prohibition of Unlawful Processing).

OBJECTIVES SET

Continuous improvement of personal data protection through:

- The adoption of an adequate document system integrated into the group system (guidelines, procedures, operating instructions, standard document templates);
- The definition of specific indicators for measuring achievable objectives and goals;
- The identification of aspects relating to risks arising from the processing of personal data during the definition/planning/review of corporate processes;
- The identification of delegates with adequate qualifications and powers to guarantee the correct functioning of the privacy management system;
- The definition of an adequate organisational model to oversee the processing of personal data pertaining to each corporate process;
- The adoption of declarations of compliance with regulations in the integration, amendment and/or revision of corporate processes which involve the processing of personal data;
- The adoption of suitable security measures to prevent or minimise risks relating to personal data processing;
- The adoption of the best available economically sustainable techniques to limit the damage in case of accidents or negative events with regard to personal data processing;
- The adoption of suitable criteria and methods of restoring data in the event of damage and accidental loss.

Involvement of stakeholders and protection of personal data with measures intended to:

- Raise awareness among employees, suppliers, customers, shareholders and the public about objectives, goals and commitments undertaken with regard to personal data protection;
- Engage and motivate staff with a view to achieving predefined objectives and developing a sense of responsibility at every level towards personal data protection and information security;
- Train and inform on the subject of lawful and correct personal data processing and information security;
- Promote dialogue and discussion with all stakeholders (public administration, authorities, local residents, associations, customers, workers etc.), taking into account their needs, with regard to personal data processing, in line with the methods of participation and communication adopted by the group.

The Board of Directors has identified the development of a management system for the protection of personal data integrated and shared at group level as a strategic choice. The Chief Executive Officer is involved in the respect for and the implementation of these commitments by way of regular checks and verifications that the policy has been documented, put into action, kept active, periodically reviewed, distributed to all staff and made available to the public.

Bologna, 8 July 2009

The Chairman: Tomaso Tommasi di Vignano
The Chief Executive Officer: Maurizio Chiarini