pursuant to Article 13 of EU Regulation 2016/679
This page contains information provided in accordance with Article 13 of the General Data Protection Regulation - EU Reg. 2016/679 (hereinafter referred to as "GDPR") for individuals who interact with the services as data subjects ("Data Subjects") as defined in Article 4, paragraph 1, letter a) of the GDPR.
These services can be accessed online through the following address: www.poggioaltesoro.it ("Website").
Data Controllers and/or Joint Data Controllers
According to Article 26, paragraph 1 of the GDPR, when two or more data controllers jointly determine the purposes and means of processing, they become joint data controllers. In the context of this privacy notice, the Parties collectively make operational decisions and determine the purposes and means of processing the Personal Data of the data subjects. This establishes a joint data controller arrangement under Article 26 of the GDPR.
The following companies, individually or jointly as joint data controllers, process your personal data in accordance with the specific purposes outlined in this privacy notice, as prescribed by the European Regulation 2016/679 (GDPR):
- Villa della Torre S.r.l. (VAT/Tax ID: 03873710234), registered office at Via della Torre 25, 37022 - Fumane (VR), represented by its legal representative pro tempore ("Villa della Torre")
- Società Agricola Tenuta Poggio al Tesoro S.r.l. (VAT/Tax ID: 01397920495), registered office at Via Bolgherese 189B (Loc. Felciaino) 57022 - Bolgheri di Castagneto Carducci (LI), represented by its legal representative pro tempore ("Poggio al Tesoro")
- Az. Agr. Poggio San Polo S.a.a.r.l. (VAT: 00820950525 / CF: 02131170280), registered office at Loc. Podere San Polo di Podernovi 161, 53024 - Montalcino (SI), represented by its legal representative pro tempore ("San Polo").
Individually, they are referred to as Data Controllers, and jointly, they are referred to as Joint Data Controllers.
To facilitate communication with each Data Controller, a single point of contact has been established at firstname.lastname@example.org.
Sources and Types of Processed Data
During the normal operation of the Website, the computer systems and software collect specific data, which is inherently transmitted through Internet communication protocols. While this information is not collected to identify individuals, it could potentially allow user identification when processed and associated with third-party data. This data category includes IP addresses, domain names of accessing computers, URI/URL addresses of requested resources, request timestamps, submission methods, response file sizes, server response codes (e.g., success, error), and other parameters related to the user's operating system and computer environment.
These data are used solely for anonymous statistical analysis of website usage and to ensure its proper functioning. They are stored in accordance with applicable legal requirements and may be utilized to investigate hypothetical computer crimes against the site.
Data Voluntarily Provided by the User
In certain cases, users may be requested to voluntarily provide personal data to access the various services offered by the Website. While the provision of personal data is optional, in some instances, failure to do so may result in the inability to provide the requested service. In this instance, the personal data handled by the aforementioned Data Controllers is obtained directly from clients, employing remote communication techniques such as the website and its associated web services.
The data handled by the Data Controllers may encompass personal information, including but not limited to, name, surname, date of birth, email address, phone number, nationality, province, and other contact details.
Joint Data Controller Processing
- Management of Information Requests and Winery Tour Reservations: This entails utilizing the provided online form on the website, if available, to handle inquiries and booking requests. The legal basis for this processing is derived from pre-contractual and contractual measures as stated in Article 6(1)(b) of the GDPR. Participation in this data processing is voluntary, and the lack of providing such information does not hinder subsequent processing activities.
- Institutional Communications and Promotional Material: Communications of an institutional nature, as well as the dissemination of promotional and informational material pertaining to services akin to those encompassed by the existing business relationship, are facilitated through newsletters and non-consent-requiring communications (referred to as soft-spam) in accordance with Article 130(4) of Legislative Decree 196/2003. While it is optional to provide consent, in its absence, the Data Controllers may continue sending communications until the recipient objects to such processing. The Data Subject holds the right to cease receiving these communications at any time, without charge, by contacting email@example.com. The lawfulness of the processing prior to the withdrawal remains unaffected.
- Direct Marketing and Commercial Communications: This involves the promotion of products and/or winery experiences provided by the parties through automated distance communication methods, including email, SMS, and instant messaging. The legal basis for this processing is based on the freely given and specific consent of the Data Subject in accordance with Article 6(1)(a) of the GDPR. Participation in this processing is optional, and the lack of providing data or expressing consent does not impact the aforementioned processing activities.
Furthermore, the provided personal data may also be processed for pre-contractual purposes, legal obligations, and/or the legitimate interests of the Data Controllers. Data Subjects are encouraged to contact the respective Data Controller indicated above for further information on such processing purposes.In line with the aforementioned purposes, the Joint Data Controllers have collaboratively established the modalities of processing within the specific agreement. They have also defined clear and transparent procedures to ensure timely response to Data Subjects who wish to exercise their rights as outlined in Articles 15, 16, 17, 18, and 21 of the Regulation, as well as in cases involving the portability of personal data as stipulated in Article 20 of the Regulation.
Data Processing Methods
Regarding the aforementioned purposes, the processing of personal data is conducted through the employment of manual, computerized, and telematic tools. These methodologies are intricately aligned with the intended objectives and designed to uphold the utmost security and confidentiality of the data.
Retention of Personal Data
With regard to the aforementioned purposes in section 4, the Data Controllers will retain personal data as follows:
- Until the full completion of the request and/or winery visit.
- Until any objection to such processing is raised by the Customer for treatments that fall under the category of "soft-spam" and do not require explicit consent, as stipulated in Article 130, paragraph 4, of Legislative Decree 196/2003.
- Until the Data Subject revokes their consent, for a maximum period of 24 months from the moment of data provision. It is important to note that the lawfulness of processing during the valid consent period remains unaffected for treatments based on the Data Subject's explicit and voluntary consent, as defined in Article 6, paragraph 1, letter a) of the GDPR.
The Data Controllers may retain certain data even after the termination of the business relationship, in accordance with the time necessary to fulfill specific contractual or legal obligations, as well as for administrative, tax, and/or social security purposes, as mandated by applicable laws and regulations. Furthermore, data may be retained for the duration required to enforce any legal rights. It is emphasized that data processing not only complies with current regulations but also upholds the inherent standards of confidentiality associated with financial activities, which the Data Controllers have consistently adhered to.
Categories of Recipients to Whom Data May Be Disclosed
Rights of the Data Subject
We hereby inform you, in your capacity as the data subject ("Data Subject"), of your entitlement to exercise certain rights with respect to the Data Controller(s) and/or Joint Data Controllers. These rights include the right to access your personal data, to have your data rectified or erased, or to restrict the processing thereof. Additionally, you have the right to object to the processing of your data and the right to data portability.
You may exercise these rights by submitting a request via email or certified email (PEC), clearly indicating the specific right you wish to exercise (e.g., erasure, rectification, portability, oblivion), along with a valid email address/PEC for correspondence. The Data Controller or their authorized representative will diligently address your request within a maximum period of 30 days from the date of receipt. In exceptional cases where the request is particularly complex, this timeframe may be extended by an additional 30 days, with prompt notification to the data subject.
To streamline communication between you and each Data Controller, a centralized point of contact has been established, utilizing the following email address: firstname.lastname@example.org.
Should you deem it necessary to assert your rights, you have the option to lodge a complaint with the competent supervisory authority, namely the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), situated at Piazza Venezia 11, Rome.