EU Regulation No. 2016/679 (hereinafter also GDPR) and Italian Legislative Decree 196/2003, and any
modifications and/or integrations thereto (Italian Personal Data Protection Code), as amended and supplemented
by Legislative Decree 110/2018, lay down rules on the protection of natural persons with regard to the processing
of personal data, and on the free movement of such data. In order to protect the fundamental rights and freedoms
of natural persons, privacy legislation imposes on data controllers the obligation to provide data subjects with
information regarding the processing of personal data collected online and offline through various channels.
The Joint Controllers, as identified below, make available to any person (hereinafter the “Data Subject”) who
browses any of the websites owned by one of the Joint Controllers, this document entitled Privacy Notice on the
Processing of Personal Data pursuant to Articles 13 and 14 of EU Regulation No. 2016/679 (hereinafter the
“Notice”).
Further information may be provided to Data Subjects in different ways and at different times in connection with
specific processing activities.
*****
1) Who are the Joint Controllers?
The companies within the CERETTO group, listed below, process your personal data jointly and independently,
for the purposes set out hereunder:
- CERETTO AZIENDE VITIVINICOLE S.R.L., with registered office at Località San Cassiano n. 34, 12051
Alba (CN), Italy, tax code and VAT no.: 00217070044;
- Relanghe srl, VAT no.: 02343840043, with registered office at Località San Cassiano 34 – Alba (CN), Italy;
- ARCO srl, VAT no. 03013820042, with registered office at Piazza Risorgimento, 4 - Alba (CN), Italy;
hereinafter referred to individually as the Controller or collectively as the Joint Controllers.
The above companies act as independent Controllers with respect to the processing of data for the purposes set
out in points A, B, F, G and H. They may also act, independently or jointly as Joint Controllers, with respect to
the processing of data for the purposes set out in points C, D and E, having jointly determined the purposes and
means of processing by entering into a specific agreement pursuant to Article 26 of the GDPR.
The essential content of the joint controllership agreement shall be made available to the Data Subject upon
request. Any Data Subject wishing to exercise their rights under the Regulation may contact CERETTO
AZIENDE VITIVINICOLE S.R.L. by e-mail at ceretto@ceretto.com or by registered letter to its registered office.
Irrespective of the provisions of the agreement, the Data Subject may exercise their rights under the Regulation
against any of the Controllers.
2) What personal data may we collect?
Each Controller, individually or as a Joint Controller, informs the Data Subject that, pursuant to Article 4 of the
GDPR, personal data means any information relating to the Data Subject that is capable of identifying them
directly and/or indirectly.
The data that may be collected (either mandatory in order to provide the service or optional), depending on the
purposes, are:
● Personal data: first name, surname, date of birth;
● Contact data: address, telephone number, email;
● Purchase data: information relating to purchases you have made, such as the list of events booked,
dates and the amounts of such purchases;
● Demographic data and interests: geographical origin, preferences regarding events offered by the data
controller, etc.
● Data on the use of the Websites, including information collected through cookies;
● Data relating to purchasing preferences.
Please note that any data provided by the user during the booking and payment process (e.g. credit card number,
cardholder name, etc.) are managed directly by the platform, which acts as an independent controller with regard
to such data.
The data Controller will not process special data. Should it become necessary, the data Controller shall process
such data in accordance with applicable legislation.
Your data may be collected through the websites (hereinafter collectively the Websites) owned by each of the
Controllers:
- the website of the Controller CERETTO AZIENDE VITIVINICOLE S.R.L., accessible at
www.ceretto.com
- the website of the Controller Relanghe srl, accessible at www.relanghe.it
- the website of the Controller ARCO srl, accessible at www.piazzaduomoalba.it / www.lapiola-alba.it
Your data may be processed following collection through the Websites in the following ways:
- completion of a booking request;
- request to join the Ceretto Community;
- completion of a contact form to request information;
- purchases via e-commerce (Ceretto srl);
- direct contact (e-mail or telephone) initiated by the Data Subject.
3) Why do we process your data? Purposes and legal basis
Your data, as defined above, will be processed by the data Controller for the following purposes:
A) To fulfil booking requests and perform contractual obligations.
In order to fulfil booking requests submitted through the website, manage payments, ensure due compliance with
legal obligations, respond to information requests and provide assistance, your personal details, contact details
and purchase data shall be processed.
The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject
is a party [Article 6(1)(b), GDPR]. The provision of data is obligatory; failure to provide data will make it
impossible to process your booking.
The data are processed by the individual Controller that collected them from the Data Subject.
The means of processing may include e-mail or telephone (SMS, telephone call), as required.
B) To reply to requests sent to the data Controller.
Contact details may be processed in order to respond to requests sent directly to the data Controller’s contact
details shown on the Websites or indirectly through the completion of any information request forms on the
Websites.
The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject
is a party [Article 6(1)(b), GDPR]. The provision of data is obligatory; failure to provide such data will make it
impossible to respond to your request.
The data are processed by the individual Controller that collected them from the Data Subject.
C) For profiling activities.
Subject to your consent, the data described may be used for profiling activities, including the analysis of data to
examine purchasing habits, preferences, experiences purchased, frequency of purchases, geographical area, etc.,
in order to create profiles (individual and/or aggregate) and, where appropriate, to send personalised commercial
communications.
The prerequisite for such processing is the consent of the data subject [Article 6(1)(a), GDPR]. Such consent may
be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of
consent shall be deemed to have been lawfully carried out. Withholding consent for this purpose shall not affect
any contractual relationship between the parties, but shall prevent the Data Subject from receiving personalised
communications.
The data are processed by the individual Controller and jointly by the Joint Controllers.
D) Sending commercial/informational communications – Ceretto Community.
Subject to your consent, your contact details may be used to send commercial communications as a member of
the “Ceretto Community”, which may also contain promotions or invitations to events dedicated to Data Subjects
who have given their consent, by e-mail, SMS, messaging services or traditional means of contact. Commercial
communications may be personalised in relation to any Data Subject who has also authorised profiling activities.
The provision of data for this purpose is optional; the prerequisite for such processing is the consent of the data
subject [Article 6(1)(a), GDPR]. Such consent may be withdrawn at any time as described in section 7. Processing
carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.
Withholding consent for this purpose shall not affect any contractual relationship between the parties, but shall
prevent the Data Subject from participating in the Ceretto Community.
The data are processed by the individual Controller and jointly by the Joint Controllers.
E) For aggregate analysis.
Your data may be used in aggregate form to improve the services of each Controller and of the Joint Controllers
collectively, and for internal statistical purposes.
The prerequisite for such processing is that the data controller pursues a legitimate interest in the improvement of
their services [Article 6(1)(f), GDPR]. For the achievement of such purpose, the provision of further data will not
be required and the data controller shall use the data already collected for other purposes deemed compatible with
this one.
The data are processed by the individual Controller and jointly by the Joint Controllers.
F) To respond to requests from competent authorities, fulfilling legally binding requests.
Your data may be processed to respond to requests from competent authorities and to fulfil legally binding requests.
The legal basis for such processing is the need to fulfil a legal obligation [Article 6(1)(c), GDPR]. The data
controller shall use the data already collected for the pursuit of other purposes if they are deemed compatible with
the present purpose.
G) For the protection of rights.
Your data may be processed to protect your rights or those of the data controller, or to take legal action.
The prerequisite for such processing is that the data controller pursues a legitimate interest in the protection of
their rights [Article 6(1)(f), GDPR]. For the achievement of such purpose, the provision of further data will not
be required and the data controller shall use the data already collected for other purposes deemed compatible with
this one.
H) Soft spam
Your data may also be processed for the purpose of sending commercial information relating to products and/or
services similar to those already purchased by the Data Subject (soft spam).
Pursuant to Article 130(4) of the Privacy Code, “where the Controller uses the e-mail address provided by the
Data Subject in the context of the sale of a product or service for the purpose of direct marketing of its own
products or services, the Data Subject’s consent is not required, provided that the products or services are similar
to those that were the subject of the sale, and the Data Subject, having been duly informed, does not refuse such
use, whether initially or on the occasion of subsequent communications. The Data Subject is informed, at the time
of collection and on the occasion of each communication sent for the purposes of this paragraph, of the right to
object to such processing at any time, easily and free of charge.”
The data are processed by the individual Controller.
4) Who are the Recipients of the data?
Your data shall not be disclosed or made accessible and available to third parties, with the exception of
communications made by the Controller – without requiring your consent – in compliance with legal and
contractual obligations, which shall be carried out within the EU solely for the purposes set out below.
Your data may be shared, for the pursuit of the purposes specified above, with the following categories of
recipients:
A) Internal persons within each Controller, acting as “authorised processors”.
Your personal data shall be processed by the Controller for the purposes described above through internal persons
who have access to your data in order to carry out their work duties. Such persons have been specifically authorised
by means of a letter of appointment.
B) External parties carrying out specific tasks on behalf of the Controllers and ancillary to the above
purposes, acting as “data processors”, including where they serve as system administrators.
Your personal data may be processed, by way of example and without limitation, by parties serving in the
following capacities: (i) system administrators for the management of each Controller’s IT resources, or parties
managing the booking and payment systems; (ii) accountants for the management of tax and accounting matters;
(iii) auditors or other parties tasked with inspections or checks on compliance with applicable legislation; (iv)
external consultants and suppliers, banks and credit institutions, insurance companies, carriers, professional firms;
(v) other companies within the Ceretto group; (vi) public administrations.
Such parties may also process your data as independent controllers.
Under no circumstances shall your data be transferred to third parties. The list of data processors may be requested
from the data controller in the manner provided for in section 7 below.
5) Do we transfer data to third countries?
Your personal data may be transferred to third countries outside the European Union.
In such cases, where those countries do not offer an adequate level of protection and have not been recognised as
such by an adequacy decision of the European Commission (United States of America and India), the Controller,
including through its Data Processors bound by Data Processing Agreements, shall ensure an adequate level of
protection through appropriate measures and safeguards.
6) How long do we retain the data?
Please note that, pursuant to Article 5 of the GDPR and in compliance with the principles of lawfulness, purpose
limitation, storage limitation and data minimisation:
- data collected for the purposes referred to in points a), b), e), f) and g) shall be processed in accordance
with the law and for the time necessary to carry out the activities related to the above purposes, and shall
subsequently be retained for the period required by legal obligations and/or in any event within the
ordinary limitation periods (10 years), taking into account any time limits arising from the initiation of
legal proceedings;
- data collected for the purposes referred to in points c) and d) shall be processed subject to your consent
and shall be retained until such consent is withdrawn. Consent may be withdrawn at any time; any
processing carried out prior to withdrawal shall be deemed lawful;
- in the absence of consent (points c and d), data collected for the purpose referred to in point h) shall be
retained for a maximum of 3 years from the last purchase.
7) What are the rights of the Data Subject?
The data subject may exercise the following rights against the data controller with regard to the processing of their
data:
- Right of Access and to Rectification
Pursuant to Article 15 of the GDPR, in your capacity as data subject, you have the right to obtain the following
from the data controller: confirmation as to whether or not personal data relating to you are being processed,
access to such data and to all the information referred to in Article 15(1)(a) to (h), by means of the issue of a copy
of the data being processed in a structured, commonly used, machine-readable and interoperable format.
Pursuant to Article 16 of the GDPR, as a Data Subject you have the right to obtain from the Controller the
rectification and/or supplementation of data being processed where such data are out of date and/or inaccurate
and/or incomplete.
- Right to Erasure and Right to Restriction
Pursuant to Article 17 of the GDPR, in your capacity as data subject, you have the right to obtain the erasure of
data relating to you - with the exception of the cases specifically provided for in Article 17(3) - exclusively in the
cases referred to in Article 17(1)(a) to (f) of the GDPR, from the data controller, without undue delay.
Pursuant to Article 18(1), points (a) to (d), of the GDPR, as a Data Subject you have the right to request and obtain
from the Controller the restriction of the processing of your personal data, i.e. that such data shall not be subject
to further processing and may no longer be modified. The Controller shall ensure that the restriction of processing
is implemented by means of appropriate technical measures that guarantee inaccessibility and immutability.
- Right to Portability
Pursuant to Article 20 of the GDPR, in your capacity as data subject, you have the right to receive the personal
data concerning you from the data controller, the processing of which is carried out by automated means, in a
structured, commonly used and machine-readable format, and you also have the right to transmit such data to
another data controller, or to obtain from the data controller, when technically feasible, the direct transmission of
such data to another specifically identified data controller.
- Right to Object
Pursuant to Article 21 of the GDPR, in your capacity as data subject you have the right to object at any time to
the processing of personal data concerning you, on grounds relating to your particular situation, in cases where
the processing of your data is necessary (1) for the performance of a task carried out in the public interest and/or
in connection with the exercise of official authority vested in the data controller; (2) for the pursuit of a legitimate
interest of the data controller or a third party; (3) for profiling activities, if carried out by the data controller, on
the basis of the preceding sections. You also have the right to object to the processing of your personal data on
grounds relating to your particular situation where the data is processed for scientific or historical research
purposes or for statistical purposes pursuant to Article 89 paragraph 1 of the GDPR, except where the processing
is necessary for the performance of a task carried out in the public interest.
- Withdrawal of consent
If the data processing is based on the consent of the data subject, they may withdraw it at any time. Processing
carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.
- Right to lodge a complaint
Pursuant to Article 77 of the GDPR, in your capacity as data subject, you have the right to lodge a complaint with
a supervisory authority in the manner indicated in the same article.
Receipt of your request shall be acknowledged and the relevant information shall be provided to you within one
(1) month of receipt of the request. If necessary, taking into account the complexity and number of requests, this
period may be extended by a further two (2) months, subject to a reasoned communication to be sent within one
(1) month of receipt of the request.
Any rectification, erasure, restriction or objection shall be communicated to all recipients, as identified in Article
4(1)(9) of the GDPR, to whom the data have been transmitted, unless this proves impossible or involves
disproportionate effort.
Following the submission of your request for rectification, erasure, restriction or objection, should the Controller
have reasonable doubts as to your identity, it shall request further information to confirm it. Such communications
will be sent by email.
In the event that the data controller does not comply with your request within 1 (one) month from receipt of the
request, the data controller shall inform you of the reasons for non-compliance, informing you as of now of your
right to lodge a complaint with the Supervisory Authority (Italian Garante per la protezione dei dati personali),
as specified pursuant to Article 13(2)(d) and covered by Articles 77 et seq. of the GDPR.
8) Do we use automated decision-making processes?
The data controller informs you that, for the purpose of processing your personal data, they do not use automated
decision-making processes, namely processes aimed at making decisions based solely on technological means
according to predetermined criteria (i.e. without human involvement).
Last update: 20 March 2026