Vai al contenuto principale

Privacy Policy

pursuant to Article 13 of EU Regulation 2016/679

This page contains information provided in accordance with Article 13 of the General Data Protection Regulation - EU Reg. 2016/679 (hereinafter referred to as "GDPR") for individuals who interact with the services as data subjects ("Data Subjects") as defined in Article 4, paragraph 1, letter a) of the GDPR.
These services can be accessed online through the following address: ("Website").

Please note that this privacy policy is specifically applicable to the Website and does not cover other websites that may be accessed by the user through links on


Data Controllers and/or Joint Data Controllers

According to Article 26, paragraph 1 of the GDPR, when two or more data controllers jointly determine the purposes and means of processing, they become joint data controllers. In the context of this privacy notice, the Parties collectively make operational decisions and determine the purposes and means of processing the Personal Data of the data subjects. This establishes a joint data controller arrangement under Article 26 of the GDPR.

The following companies, individually or jointly as joint data controllers, process your personal data in accordance with the specific purposes outlined in this privacy notice, as prescribed by the European Regulation 2016/679 (GDPR):

  • Villa della Torre S.r.l. (VAT/Tax ID: 03873710234), registered office at Via della Torre 25, 37022 - Fumane (VR), represented by its legal representative pro tempore ("Villa della Torre")
  • Società Agricola Tenuta Poggio al Tesoro S.r.l. (VAT/Tax ID: 01397920495), registered office at Via Bolgherese 189B (Loc. Felciaino) 57022 - Bolgheri di Castagneto Carducci (LI), represented by its legal representative pro tempore ("Poggio al Tesoro")
  • Az. Agr. Poggio San Polo S.a.a.r.l. (VAT: 00820950525 / CF: 02131170280), registered office at Loc. Podere San Polo di Podernovi 161, 53024 - Montalcino (SI), represented by its legal representative pro tempore ("San Polo").

Individually, they are referred to as Data Controllers, and jointly, they are referred to as Joint Data Controllers.
To facilitate communication with each Data Controller, a single point of contact has been established at

Sources and Types of Processed Data

Browsing Data

During the normal operation of the Website, the computer systems and software collect specific data, which is inherently transmitted through Internet communication protocols. While this information is not collected to identify individuals, it could potentially allow user identification when processed and associated with third-party data. This data category includes IP addresses, domain names of accessing computers, URI/URL addresses of requested resources, request timestamps, submission methods, response file sizes, server response codes (e.g., success, error), and other parameters related to the user's operating system and computer environment.
These data are used solely for anonymous statistical analysis of website usage and to ensure its proper functioning. They are stored in accordance with applicable legal requirements and may be utilized to investigate hypothetical computer crimes against the site.

Data Voluntarily Provided by the User

In certain cases, users may be requested to voluntarily provide personal data to access the various services offered by the Website. While the provision of personal data is optional, in some instances, failure to do so may result in the inability to provide the requested service. In this instance, the personal data handled by the aforementioned Data Controllers is obtained directly from clients, employing remote communication techniques such as the website and its associated web services.
The data handled by the Data Controllers may encompass personal information, including but not limited to, name, surname, date of birth, email address, phone number, nationality, province, and other contact details.


For comprehensive information regarding the use of cookies on the Website, please refer to the dedicated Cookie Policy.

Joint Data Controller Processing

As identified in section 1 of this Privacy Policy, the Data Controllers have entered into a Joint Data Controller Agreement in compliance with Article 26 of the Regulation. Through this agreement, the Data Controllers collectively process the data collected during their operations for the following purposes:

  1. Management of Information Requests and Winery Tour Reservations: This entails utilizing the provided online form on the website, if available, to handle inquiries and booking requests. The legal basis for this processing is derived from pre-contractual and contractual measures as stated in Article 6(1)(b) of the GDPR. Participation in this data processing is voluntary, and the lack of providing such information does not hinder subsequent processing activities.
  2. Institutional Communications and Promotional Material: Communications of an institutional nature, as well as the dissemination of promotional and informational material pertaining to services akin to those encompassed by the existing business relationship, are facilitated through newsletters and non-consent-requiring communications (referred to as soft-spam) in accordance with Article 130(4) of Legislative Decree 196/2003. While it is optional to provide consent, in its absence, the Data Controllers may continue sending communications until the recipient objects to such processing. The Data Subject holds the right to cease receiving these communications at any time, without charge, by contacting The lawfulness of the processing prior to the withdrawal remains unaffected.
  3. Direct Marketing and Commercial Communications: This involves the promotion of products and/or winery experiences provided by the parties through automated distance communication methods, including email, SMS, and instant messaging. The legal basis for this processing is based on the freely given and specific consent of the Data Subject in accordance with Article 6(1)(a) of the GDPR. Participation in this processing is optional, and the lack of providing data or expressing consent does not impact the aforementioned processing activities.

Furthermore, the provided personal data may also be processed for pre-contractual purposes, legal obligations, and/or the legitimate interests of the Data Controllers. Data Subjects are encouraged to contact the respective Data Controller indicated above for further information on such processing purposes.In line with the aforementioned purposes, the Joint Data Controllers have collaboratively established the modalities of processing within the specific agreement. They have also defined clear and transparent procedures to ensure timely response to Data Subjects who wish to exercise their rights as outlined in Articles 15, 16, 17, 18, and 21 of the Regulation, as well as in cases involving the portability of personal data as stipulated in Article 20 of the Regulation.

Data Processing Methods

Regarding the aforementioned purposes, the processing of personal data is conducted through the employment of manual, computerized, and telematic tools. These methodologies are intricately aligned with the intended objectives and designed to uphold the utmost security and confidentiality of the data.

Retention of Personal Data

With regard to the aforementioned purposes in section 4, the Data Controllers will retain personal data as follows:

  • Until the full completion of the request and/or winery visit.
  • Until any objection to such processing is raised by the Customer for treatments that fall under the category of "soft-spam" and do not require explicit consent, as stipulated in Article 130, paragraph 4, of Legislative Decree 196/2003.
  • Until the Data Subject revokes their consent, for a maximum period of 24 months from the moment of data provision. It is important to note that the lawfulness of processing during the valid consent period remains unaffected for treatments based on the Data Subject's explicit and voluntary consent, as defined in Article 6, paragraph 1, letter a) of the GDPR.

The Data Controllers may retain certain data even after the termination of the business relationship, in accordance with the time necessary to fulfill specific contractual or legal obligations, as well as for administrative, tax, and/or social security purposes, as mandated by applicable laws and regulations. Furthermore, data may be retained for the duration required to enforce any legal rights. It is emphasized that data processing not only complies with current regulations but also upholds the inherent standards of confidentiality associated with financial activities, which the Data Controllers have consistently adhered to.

Categories of Recipients to Whom Data May Be Disclosed

The Data Controllers may disclose your personal data to third parties, who may be appointed as external Data Processors if necessary, for the purposes specified in section 3, without requiring your explicit consent. Additionally, your data may be shared with third parties to fulfill legal obligations. The data relevant to the service may be transferred to carefully chosen technical and/or IT partners to ensure the seamless provision of the service, while maintaining an equivalent level of technical, organizational, IT, and legal safeguards as upheld by the Data Controllers. There are no intentions to disclose data to third countries outside the European Union, nor are there any plans to disseminate data through social networks, websites, or other means. The Data Controllers do not employ automated processes or profiling techniques to achieve the objectives outlined in this Privacy Policy. Personal data pertaining to the aforementioned processing activities may be transferred to affiliated legal entities of the Data Controllers solely for the purpose of service delivery, with the implementation of suitable technical and organizational measures to ensure that the processing adheres to the security requirements outlined in this Privacy Policy and the GDPR.

Rights of the Data Subject

We hereby inform you, in your capacity as the data subject ("Data Subject"), of your entitlement to exercise certain rights with respect to the Data Controller(s) and/or Joint Data Controllers. These rights include the right to access your personal data, to have your data rectified or erased, or to restrict the processing thereof. Additionally, you have the right to object to the processing of your data and the right to data portability.

You may exercise these rights by submitting a request via email or certified email (PEC), clearly indicating the specific right you wish to exercise (e.g., erasure, rectification, portability, oblivion), along with a valid email address/PEC for correspondence. The Data Controller or their authorized representative will diligently address your request within a maximum period of 30 days from the date of receipt. In exceptional cases where the request is particularly complex, this timeframe may be extended by an additional 30 days, with prompt notification to the data subject.

To streamline communication between you and each Data Controller, a centralized point of contact has been established, utilizing the following email address:

Should you deem it necessary to assert your rights, you have the option to lodge a complaint with the competent supervisory authority, namely the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), situated at Piazza Venezia 11, Rome.