Vai al contenuto principale

Customer information

Customer information on the processing of personal data made pursuant to art. 13 reg. 2016/679/EU


Dear Customer,

This is to inform you that your personal data is processed by our company. The processing is carried out in compliance with the criteria established by the European regulation on the protection of personal data, EU Reg. 2016/679, in force since 25 May 2018 ("GDPR"). According to the legislation indicated, the processing must be based on the principles of correctness, lawfulness and transparency and protection of your privacy and your rights.


  1. Ownership: The Data Controller is Società Agricola Tenuta Poggio al Tesoro S.r.l., ("Poggio al Tesoro") with registered office in Via Bolgherese 189/B, Loc. Felciaino - 57022, Bolgheri di Castagneto Carducci (LI) contactable at e-mail address:
  2. Legal basis and purpose: among the personal data processed by the Data Controller there are: Name, Surname, company name, telephone number, VAT number or tax code, email and contact details in general.
    Personal data is collected for the following purposes and according to specific legal bases:
      1. The execution of a contract or pre-contractual measures (art.6 par. 1 letter b) GDPR), specifically:
        • In case of specific interventions requested by the customer, he will be able to indirectly access the data covered by the service.
        • Provision and assistance relating to the subscribed services
      2. Fulfillment of a legal obligation to which the data controller is subject (art. 6, par. 1, letter c), GDPR), specifically:
        • Fulfillment of obligations regarding tax or accounting laws deriving from the existing relationship with you;
        • Fulfillment of obligations established by law, regulation, community legislation or authorities and for the management of commercial relationships to the extent necessary to best carry out the requested service;
        • Communication of your data to the judicial authority if requested.
      3. Sending commercial communications relating to services similar to those covered by previous sales between the parties through the use of Newsletters for which consent is not required, so-called. Soft-spam, (art. 130, paragraph 4, Legislative Decree 196/2003)
      4. Legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) in the case: Protection of company assets, security and company organisation.


For the purposes referred to in points a), b) and d) the provision is mandatory, the data are collected without your express consent, otherwise the Data Controller will not be able to proceed with the execution of the contract or the completion of the pre-contractual negotiations. For the purposes referred to in point c) the provision is optional, in the absence of your explicit consent the Data Controller may proceed with sending communications as long as you do not object to such processing.

However, it is always possible to request the Data Controller to clarify the concrete legal basis of each processing and in particular to specify whether the processing is based on the law, provided for by a contract, legitimate interest or necessary to conclude a contract. The User can obtain further information regarding the legitimate interest pursued by the Owner in the relevant sections of this document or by contacting the Owner at the email address


  1. Method: Personal data are processed, also with the aid of automated tools, by the Data Controller and by the duly appointed Managers for the correct fulfillment of the purposes indicated in point 2) using electronic tools and paper archives, as well as with the use of security measures aimed at guaranteeing the confidentiality of personal data and avoiding undue access by unauthorized parties.
  2. Communication: The Data is processed at the operational offices of the Owner where the parties involved in the processing are located. For further information, contact the Owner. The accounting/tax data may be communicated to duly appointed external parties who carry out activities on behalf of the Data Controller such as, but not limited to: accountants, credit institutions and related external professionals. The data covered by the service will be transferred to IT partners chosen to fulfill the service covered by the contract, which guarantee the same level of technical/organisational/IT/legal protection guaranteed by the data controller. Communication to third countries outside the EU is not foreseen and diffusion (e.g. social networks, websites, etc.) is not foreseen. The Data Controller does not use automated processes, including profiling, to achieve the purposes set out in this information. The personal data relating to the processing in question may be transferred to companies connected to Poggio al Tesoro, for the sole purpose of providing the service and providing sufficient guarantees to implement adequate technical and organizational measures so that the processing meets the requirements of security provided for by this agreement and by the GDPR.
  3. Storage time: In relation to the purposes referred to in point 2 above, the Data Controller will retain personal data:
    1. 10 years from the termination of the commercial or contractual relationship;
    2. for the time indicated by the regulations applied;
    3. until you object to such processing. The interested party may, at any time and free of charge, stop receiving these communications by writing to, without prejudice to the lawfulness of the processing in the period preceding the communication. In case of revocation, the owner will not proceed with any further communication;
    4. For the time strictly necessary for the execution of this purpose.
  4. The interested party has the right to ask the data controller for access to his/her personal data or the rectification or cancellation of the same or the limitation of the processing that concerns him/her, or has the right to object to their processing, in addition to the right to request portability of the same, as provided for by the articles. 15-21 of the GDPR. The request can be made by email or fax or by registered mail using the company form with the subject: "request by the interested party" specifying in the request the right that the interested party wishes to exercise (cancellation, rectification, portability, oblivion), together with to a valid e-mail/PEC address to which the feedback can be delivered. The Data Controller or anyone appointed by the same will proceed to satisfy the request within 30 days from the date of receipt. If the response is complex, the time could be extended to a further 30 days, subject to timely communication to the interested party. If you deem it appropriate to assert your rights, you have the right to lodge a complaint with the competent supervisory authority, corresponding to the Guarantor for the Protection of Personal Data, based in Piazza Venezia 11, Rome