Policy Art. 13 of the EU GDPR

protects the confidentiality of personal data and guarantees the necessary protection against every event which might put such confidentiality at risk of breach.

As required by European Union Regulation no. 679/2016 ("GDPR"), and particularly by art. 13, the user ("Data Subject") is hereby supplied with the information required by law in relation to the processing of their personal data.

SECTION I

Who we are and which data we process (Art. 13, par. 1, lett. a, Art. 15, lett. b GDPR)

Az. Agr. San Polino di Fabbro Luigi soc. agr. s.s, in the person of its legal representative pro tempore, with registered office in Loc. San Polino – 53024 MONTALCINO (SI), acts as Data Controller and can be contacted at the following address vino@sanpolino.it, and collects and/or receives information regarding the Data Subject, such as:


Personal data 
name, surname, physical address, nationality, province and municipality of residence, fixed and/or mobile telephone number, fax, tax code, e-mail address(es)


Bank details 
IBAN and bank/post office account details (excluding credit card number)


Telecommunications data 
Log-in, IP address.

Az. Agr. San Polino di Fabbro Luigi soc. agr. s.s does not ask the Data Subject to supply so-called "special" data, i.e. personal data revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, in accordance with the provisions of the GDPR (Art. 9), as well as genetic data, biometric data for the unambiguous identification of a natural person, data concerning a person's health or sex life, or sexual orientation. In the event that the service requested of Az. Agr. San Polino di Fabbro Luigi soc. agr. s.s. should require the processing of such data, the Data Subject shall be specifically informed in advance and shall be asked to give his/her consent.

The Data Controller has appointed a Data Protection Officer -DPO in the person of Luigi Fabbro, who can be contacted for any information and request:

e-mail: vino@sanpolino.it

SECTION II

The purposes for which we require the data of the interested party (Art. 13, par. 1, GDPR)

The data is used by the Data Controller to process the registration request and the contract for the supply of the Service selected and/or Product purchased, manage and execute the contact requests submitted by the Data Subject, provide assistance, comply with legal and regulatory obligations which the Data Controller is required to fulfil depending on the activity performed. Under no circumstances does Aruba sell the personal data of the Data Subject to third parties or use them for undeclared purposes.

In particular, the data of the Data Subject will be processed for:

·       a - registration and requests for contact and/or informative material

The personal data of the Data Subject is processed to pursue the preliminary activities resulting from the request for registration, the management of requests for information and contact and/or sending of informative material, as well as for the fulfilment of any other subsequent obligation.

The legal basis for such processing is the fulfilment of the services relating to the request for registration, information and contact and/or sending of informative material and compliance with legal obligations.

·       – management of the contractual relationship

The personal data of the Data Subject is processed in pursuit of the activities preliminary to and consequent to the purchase of a Service and/or a Product, the management of the relative order, the provision of the Service itself and/or the production and/or shipment of the Product purchased, the relative invoicing and payment management, the handling of complaints and/or reports to the assistance service and the provision of assistance, the prevention of fraud as well as the fulfilment of any other obligation deriving from the contract.

The legal basis for such processes is the fulfilment of the services inherent in the contractual relationship and compliance with legal obligations.    

·       c - promotional activities on Services/Products similar to those purchased by the Data Subject (Recital 47 GDPR)

The data controller may use the contact data communicated by the Data Subject, even without his/her explicit consent, for the purposes of direct sale of his/her own Services/Products, only in the case of Services/Products similar to those being sold, unless the Data Subject explicitly objects.

·       d - commercial promotion activities on Services/Products other than those purchased by the Data Subject

The personal data of the Data Subject may also be processed for purposes of commercial promotion, investigations and market research with regard to Services/Products that the Data Controller offers only if the Data Subject has authorised the processing and does not object to this.

This can take place automatically, using the following methods:

- e-mail;

- sms;

- telephone contact

and can be carried out:

  1. if the Data Subject has not withdrawn his/her consent to the use of the data;
  1. if, in the event that the processing is carried out through contact with a telephone operator, the Data Subject is not entered in the register of objections pursuant to Presidential Decree no. 178/ 2010.

The legal basis for such processing is the consent given by the Data Subject prior to the processing, which may be withdrawn by the Data Subject freely and at any time.

·       e - cyber security

In line with the provisions of Recital 49 of the GDPR, the Data Controller shall process, also through its suppliers (third parties and/or addressees), the personal data of the Data Subject relating to the traffic in a manner strictly necessary and proportionate to guarantee the security of the networks and information, i.e. the ability of a network or an information system to resist, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of the personal data stored or transmitted.

The Data Controller will promptly inform the Data Subjects if there is a particular risk of breach of their data, without prejudice to the obligations deriving from the provisions of Art. 33 of the GDPR relating to notifications of personal data breaches.

The legal basis for such processing is the observance of legal obligations and the legitimate interest of the Data Controller to carry out processes related to the purposes of protecting the company's assets and system security.

·       – profiling

The personal data of the Data Subject may also be processed for profiling purposes (such as analysis of the data transmitted and the Services/Products selected, proposing advertising messages and/or commercial proposals in line with the choices made by the users) only if the Data Subject has given explicit and informed consent. The legal basis for such processing is the consent given by the Data Subject prior to the processing, which may be withdrawn by the Data Subject freely and at any time.

·       – fraud prevention (Recital 47 and Art. 22 GDPR)

the personal data of the Data Subject, with the exception of special data (Art 9 GDPR) or judicial data (Art 10 GDPR), will be processed to enable controls for the purposes of monitoring and preventing fraudulent payments, by software systems that carry out an automated verification prior to the negotiation of Services/Products.

personal data collected for anti-fraud purposes only, unlike data necessary for the correct performance of the service requested, will be deleted immediately at the end of the check phases.    

·       – protection of minors

The Services/Products offered by the Data Controller are reserved to subjects legally capable, on the basis of the national reference legislation, of entering into contractual obligations.

In order to prevent illegitimate access to its services, the Data Controller implements preventive measures to protect its legitimate interest, such as the control of the tax code and/or other checks, when necessary for specific Services/Products, the correctness of the identification data of the identity documents issued by the competent authorities.    

Disclosure to third parties and categories of addressees (Art. 13 par. 1, GDPR)

The personal data of the Data Subject is disclosed mainly to third parties and/or addressees whose activities are necessary to carry out the activities inherent in the relationship established and to respond to certain legal obligations, such as:

Third-party suppliers
The provision of services (servicing, maintenance, additional services, electronic communications networks and services) related to the provision of the service requested.
Administrative, accounting and contractual obligations.

Digital credit and payment institutions, Banks/Post Offices
Management of collections, payments, reimbursements related to the contractual service

External professionals/consultants and consulting firms
Compliance with legal obligations, exercise of rights, protection of contractual rights, recovery of debts

Financial administration, public bodies, judicial authority, authorities for the supervision of lists and registers kept by public authorities or similar bodies
Fulfilment of legal obligations, defence of rights; in accordance with specific regulations, in relation to contractual performance 

Persons formally delegated or having recognised legal status
Legal representatives, curators, guardians, etc.

The Data Controller requires its Third-Party suppliers and Data Processors to comply with security measures equal to those adopted in relation to the Data Subject, restricting the scope of the Data Processor's action to the processing operations connected with the requested service.

The Data Controller does not transfer your personal data to countries where the GDPR does not apply (countries outside the EU) except in the case of specific indications to the contrary, of which you will be informed in advance and for which, if necessary, your consent will be requested.

 

The legal basis of such processes is the performance of the services inherent in the relationship established, the respect of legal obligations and the legitimate interest of Az. Agr. San Polino di Fabbro Luigi soc. agr. s.s to carry out the processes necessary for these purposes.

SECTION III

What happens if the Data Subject does not provide the data identified as necessary for the performance of the service requested? (Art. 13, par. 2, lett. e GDPR)

The collection and processing of personal data is necessary to fulfil the services requested and to provide the Service and/or supply the Product requested. If the Data Subject does not provide the personal data expressly envisaged as necessary on the order form or on the registration form, the Data Controller cannot carry out the processing connected with the management of the services requested and/or the contract and the Services/Products connected to it, nor fulfil the obligations that depend on them.

What happens if the Data Subject does not consent to the processing of personal data for commercial promotion activities on Services/Products other than those purchased?

If the Data Subject does not consent to the processing of his/her personal data for such purposes, said processing shall not take place for such purposes, without this affecting the provision of the services requested, nor for those for which he/she has already given his/her consent, if requested.

If the Data Subject has given his/her consent and should subsequently withdraw it or object to the processing for commercial promotion activities, his/her data will no longer be processed for such activities, without this having consequences or detrimental effects for the Data Subject and for the services requested.

 

How we process the data of the Data Subject (Art. 32 GDPR)

The Data Controller arranges the use of adequate security measures in order to preserve the confidentiality, integrity and availability of the Data Subject's personal data and imposes similar security measures on third-party suppliers and Data Processors.

Where we process the data of the Data Subject

The personal data of the interested party are stored in paper, computer and electronic archives located in countries where the GDPR is applied (EU countries).


How long is the data of the Data Subject kept? (Art. 13, par. 2, lett. a GDPR)

Unless the Data Subject explicitly expresses his/her desire to remove such data, the personal data of the Data Subject will be kept for as long as it is necessary for the legitimate purposes for which it was collected.

In particular, they will be kept for the entire duration of your registration but not beyond a maximum period of 12 (twelve) months of inactivity, or if, within that period, Services and/or Products purchased through the same registry are not associated with them.

In the case of data provided to the Data Controller for the purposes of commercial promotion for services other than those already purchased by the Data Subject, for which consent was initially given, these will be kept for 24 months, unless the consent given is withdrawn.

In the case of data provided to the Data Controller for profiling purposes, these will be kept for 12 months, unless the consent given is withdrawn.

It should also be added that, in the event that a user submits to Az. Agr. San Polino di Fabbro Luigi soc. agr. s.s. personal data which are unsolicited or unnecessary for the purpose of providing the service requested or a service closely related to it, Az. Agr. San Polino di Fabbro Luigi soc. agr. s.s cannot be considered the owner of these data and will delete them as soon as possible.

Regardless of the determination of the Data Subject to remove the data, personal data shall in any case be stored according to the terms provided for by current legislation and/or national regulations, for the sole purpose of guaranteeing the specific obligations of certain Services (by way of non-limiting example, Certified Electronic Mail, Digital Signature, Electronic Storage - see the relevant section).

In addition, personal data will be kept for the fulfilment of obligations (e.g. tax and accounting) that remain even after the termination of the contract (Art. 2220 Civil Code); for these purposes the Data Controller will retain only the data necessary for its continuation.

This is without prejudice to cases in which the rights deriving from the contract and/or from the registration of personal data are asserted in court, in which case the personal data of the Data Subject, solely those necessary for such purposes, will be processed for the time necessary for their pursuit.

What are the Data Subject's rights? (Articles 15 – 20 GDPR)

The Data Subject is entitled to obtain the following from the Data Controller:

a) confirmation as to whether or not the processing of personal data concerning him/ her is taking place and, if this is the case, to obtain access to said personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the addressees or categories of addressees to whom the personal data have been or will be disclosed, particularly if they are addressees in other countries or international organisations;
  4. when possible, the envisaged period of retention of the personal data or, if this is not possible, the criteria used to determine such period;
  5. the existence of the right to ask the data subject to correct or erase personal data or to limit the processing of personal data relating to him or her or to object to their processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the data are not collected from the data subject, all information available on their source;
  8. the existence of an automated decision-making process, including profiling and, at least in such cases, meaningful information on the logic used, as well as the importance and the envisaged consequences of such processing for the data subject.
  9. the adequate guarantees provided by the Third country (non-EU) or an international organisation for the protection of any data transferred

 

(b) the right to obtain a copy of the personal data undergoing processing, provided that this right does not adversely affect the rights and freedoms of others; should the Data Subject request further copies, the Data Controller may charge a reasonable fee based on administrative costs.

(c) the right to obtain from the Data Controller the correction of personal data relating to him or her that are inaccurate, without undue delay

(d) the right to obtain from the Data Controller the removal of his or her personal data, without undue delay, where there are grounds under Article 17 of the GDPR for doing so, including, for example, where they are no longer necessary for the purposes of the processing or where the processing is unlawful, and where the conditions laid down by law are met; and, in any event, where the processing is not justified by another equally legitimate reason;

e) the right to obtain from the Data Controller the limitation of the processing, in the cases envisaged by Art. 18 of the GDPR, for example where you have contested its accuracy, for the period necessary for the Data Controller to verify its accuracy. The Data Subject must be informed, within a reasonable time, also of when the period of suspension has been completed or the cause of the limitation of the processing has ceased to exist, and therefore the limitation itself has been lifted;

(f) the right to obtain communication from the Data Controller of the addressees to whom requests for correction, cancellation or limitation of the processing operation have been forwarded, unless this proves impossible or involves a disproportionate effort.

g) the right to receive personal data concerning him/her in a structured, commonly used and machine-readable format, and the right to transmit such data to another data controller without hindrance by the Data controller to whom he/she has supplied the data, in the cases envisaged by Art. 20 of the GDPR, and the right to obtain direct transmission of personal data from one data controller to another, where technically feasible.

For all further information and to send your request, please contact the Data Controller at the following address  vino@sanpolino.it, In order to ensure that the above rights are exercised by the Data Subject and not by unauthorised third parties, the Data Controller may request the Data Subject to provide any further information necessary for the purpose. 

How and when can the Data Subject oppose the processing of his/her personal data? (Art. 21 GDPR)

For reasons relating to the particular situation of the Data Subject, the latter may object at any time to the processing of his/her personal data if it is based on legitimate interest or if it is carried out for commercial promotion purposes, sending the request to the Data Controller at the following address: privacy@staff.aruba.it.

The Data Subject has the right to the cancellation of his or her personal data if the Data Controller has no legitimate reason that prevails over that which gave rise to the request, and if the Data Subject has opposed the processing for commercial promotion activities.

To whom can the Data Subject complain? (Art. 15 GDPR)

Without prejudice to any other administrative or judicial action, the Data Subject may submit a complaint to the supervisory authority competent on the Italian territory (Autorità Garante per la protezione dei dati personali /Italian Data Protection Authority) or to the authority that performs its tasks and exercises its powers in the Member State where the breach of the GDPR occurred. 

Every update of this Policy will be communicated promptly and using appropriate means and will also be communicated if the Data Controller processes the data for purposes other than those referred to in this Policy before proceeding and following the expression of the consent of the interested party if necessary.    

SECTION IV

COOKIES

General information, deactivation and management of cookies

Cookies are data sent from the website and stored by the internet browser on the user's computer or other device (e.g. tablet or mobile phone). Technical cookies and third-party cookies may be installed by our website or its subdomains.

In any case, the user can manage or request the general deactivation or cancellation of cookies, changing the settings of their internet browser. However, such deactivation may slow down or prevent access to certain parts of the site.

The settings for managing or disabling cookies may vary depending on the internet browser used; for more information on how to perform these

operations, we suggest consultation of the user manual of the device or the "Help" function of the internet browser.

Here are some links explaining how to manage or disable cookies for the most popular Internet browsers:

Internet Explorer: http://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies

Google Chrome: https://support.google.com/chrome/answer/95647

Mozilla Firefox: http://support.mozilla.org/it/kb/Gestione%20dei%20cookie

Opera: http://help.opera.com/Windows/10.00/it/cookies.html

Safari: https://support.apple.com/kb/PH19255

·       Technical cookies

The use of technical cookies, i.e. cookies necessary for the transmission of communications over an electronic communications network or cookies strictly necessary for the provider to supply the service requested by the customer, allows the safe and efficient use of our site.

Session cookies may be installed in order to allow you to access and use the restricted area of the portal as an authenticated user.

Technical cookies are essential to the proper functioning of our website and allow users to navigate normally and to take advantage of the advanced services available on our website. The technical cookies used are divided into session cookies, which are stored exclusively for the duration of navigation until the browser is closed, and persistent cookies, which are stored in the memory of the user's device until their expiry or cancellation by the user. Our website uses the following technical cookies:

  •    navigation or session cookies, used to manage normal navigation and user authentication;
  •    functional cookies, used to store customisations chosen by the user, such as the language;
  •    analytics cookies, used to learn how users use our website in order to assess and improve its operation.      

·       Third-party cookies

Third-party cookies can be installed: these are analytics and profiling cookies of Google Analytics, Google Doubleclick, Criteo, Rocket Fuel, Youtube, Yahoo, Bing and Facebook. These cookies are sent by the websites of these third parties outside our site.

Third-party analytics cookies are used to collect information about user behaviour on the website. This is done anonymously in order to monitor performance and improve the usability of the site. Third-party profiling cookies are used to create user profiles, in order to offer advertising messages in line with the choices made by said users.

The use of these cookies is governed by the rules prepared by the third parties themselves, so we invite Users to read the privacy policies and the instructions on how to manage or disable cookies published on the following web pages:

For Google Analytics cookies:

-  privacy policy: https://www.google.com/intl/it/policies/privacy

- instructions on how to manage or disable cookies: https://support.google.com/accounts/answer/61416?hl=it

For Google Doubleclick cookies:

-  privacy policy: https://www.google.com/intl/it/policies/privacy/

- instructions on how to manage or disable cookies: https://www.google.com/settings/ads/plugin

For Criteo cookies:

-  privacy policy: http://www.criteo.com/it/privacy/ 

- instructions on how to manage or disable cookies: http://www.criteo.com/it/privacy/

For Facebook cookies:

-  privacy policy: https://www.facebook.com/privacy/explanation

- instructions on how to manage or disable cookies: https://www.facebook.com/help/cookies/

For CrazyEgg cookies:

-  privacy policy: https://www.crazyegg.com/privacy/ 

- instructions on how to manage or disable cookies: https://www.crazyegg.com/cookies/ 

For Rocket Fuel cookies:

-  privacy policy: http://rocketfuel.com/it/privacy/ 

- instructions on how to manage or disable cookies: http://rocketfuel.com/it/cookie-policy/

For YouTube cookies:

-  privacy policy: https://www.youtube.com/intl/it/yt/about/policies/#community-guidelines 

- instructions on how to manage or disable cookies: https://support.google.com/accounts/answer/61416?hl=it

For Yahoo cookies:

- privacy policy and instructions on how to manage or disable cookies:

https://policies.yahoo.com/ie/it/yahoo/privacy/euoathnoticefaq/

For Bing cookies:

-privacy policy and instructions on how to manage or disable cookies: https://privacy.microsoft.com/it-it/privacystatement

·       Profiling cookies

The Data Controller(s) may use so-called web analytics software to install profiling cookies, which are used to prepare detailed analysis reports in real time relating to information on: visitors to a website, search engines of origin, keywords used, language used, most visited pages. 

They may collect information and data such as IP address, nationality, city, date/time, device, browser, operating system, screen resolution, navigation source, pages visited and number of pages, duration of the visit, number of visits.