EU Regulation No. 2016/679 (hereinafter also GDPR) and Italian Legislative Decree 196/2003, as amended and supplemented (Italian Personal Data Protection Code), lay down rules on the protection of natural persons with regard to the processing of personal data, and on the free movement of such data. In order to protect the fundamental rights and freedoms of natural persons, privacy legislation imposes on data controllers the obligation to provide data subjects with information regarding the processing of personal data collected online and offline through various channels.
*****
The data controller isCERETTO AZIENDE VITIVINICOLE S.R.L., with registered office in Località San Cassiano n. 34, 12051 Alba (Province of Cuneo), Italy, tax code and VAT number: 00217070044.
The data controller hereby informs you that, for the purposes hereof, personal data means any information concerning your person, capable of identifying you directly and/or indirectly, such as:
The data controller will not process special data. Should it become necessary, the data controller shall process such data in accordance with applicable legislation.
Your data will be collected through requests for bookings to events sent via the site, your online purchases, newsletter subscription, and requests for information sent to the data controller's contacts.
Your data, as defined above, will be processed by the data controller for the following purposes:
Your personal, contact, payment and purchase data will be processed in order to process requests sent through the website, handle payments, ensure the proper fulfilment of legal obligations, respond to information requests, provide assistance.
The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject is a party (Article 6, paragraph 1 (b), GDPR). The provision of data is obligatory; failure to provide data will make it impossible to process your booking.
Your contact data may be processed to respond to requests sent to the data controller's contacts on the website www.ceretto.com.
The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject is a party (Article 6, paragraph 1 (b), GDPR). The provision of data is obligatory; failure to provide such data will make it impossible to respond to your request.
Your personal and contact data will be processed for the purpose of examining and replying to job application requests.
The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject is a party (Article 6, paragraph 1 (b), GDPR). The provision of data is obligatory; failure to provide data will make it impossible to examine your application.
The data described in section 2 above may be used - subject to your consent - for profiling activities such as the processing of data to examine your purchasing habits, preferences, experiences purchased, frequency of purchase, geographical area of reference, etc., in order to create profiles (individual and/or aggregate), and possibly propose personalised commercial communications (in the event of consent to the processing of data for the purposes referred to in section e below).
The prerequisite for such processing is the consent of the data subject (Article 6, paragraph 1 (a) GDPR). Such consent may be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.
Failure to give consent for this purpose shall not have any consequences on any contractual relationship.
If consent is given, no further data will be requested for this purpose. The data controller shall use the data already collected for the pursuit of other purposes if they are deemed compatible with the present purpose.
Your contact data may be used - subject to your consent - to send you commercial communications and newsletters (including personalised newsletters, if you have consented to the processing of your data for the purpose referred to in section d) above), via email, text message, messaging tools, or traditional contact methods such as telephone calls and paperbased mail. If consent is not given for profiling, commercial communications may still be sent without making predictions about your preferences and interests.
The provision of data for this purpose is optional, the prerequisite for such processing is the consent of the data subject (Article 6, paragraph 1 (a) GDPR). Such consent may be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out. Failure to give consent for this purpose shall not have any consequences on any contractual relationship between the parties.
Your contact data may be used - subject to your consent - to send you commercial communications and newsletters, via email, text message, messaging tools, or traditional contact methods such as telephone call, paperbased mail, by companies belonging to the Ceretto Group.
The provision of data for this purpose is optional, the prerequisite for such processing is the consent of the data subject (Article 6, paragraph 1 (a) GDPR). Such consent may be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out. Failure to give consent for this purpose shall not have any consequences on any contractual relationship between the parties.
Your data may be used in aggregate form to improve the company's services, for internal statistics.
The prerequisite for such processing is that the data controller pursues a legitimate interest in the improvement of their services (Article 6, paragraph 1, (f), GDPR). For the achievement of such purpose, the provision of further data will not be required and the data controller shall use the data already collected for other purposes deemed compatible with this one.
Your data may be processed to respond to requests from competent authorities, fulfil legally binding requests.
The legal basis for such processing is the need to fulfil a legal obligation (Article 6, paragraph 1 (b), GDPR). The data controller shall use the data already collected for the pursuit of other purposes if they are deemed compatible with the present purpose.
Your data may be processed to protect your rights or those of the data controller, or to take legal action.
The prerequisite for such processing is that the data controller pursues a legitimate interest in the protection of their rights (Article 6, paragraph 1, (f), GDPR). For the achievement of such purpose, the provision of further data will not be required and the data controller shall use the data already collected for other purposes deemed compatible with this one.
Your personal data will be processed by the data controller for the purposes described above, through entities who have access to your data in order to fulfil their work tasks. These subjects have been specifically authorised by a letter of appointment.
In carrying out its activities, the data controller collaborates with external subjects and/or categories of subjects, who process the data as autonomous data controllers or data processors (in the latter case, duly appointed by the data controller). Your personal data may therefore be communicated, by way of example but not limited to: external consultants and suppliers, banks and credit institutions, insurance companies, carriers, professional firms, other Ceretto Group companies, public administrations, police forces.
Under no circumstances shall your data be transferred to third parties. The list of data processors may be requested from the data controller in the manner provided for in section 7 below.
In processing the data collected for the purposes described above, the data controller shall not transfer data to third countries.
It should be noted that, pursuant to Article 5 of the GDPR, in compliance with the principles of lawfulness, purpose limitation and data retention and minimisation, the data collected for the purposes set out in sections a), b), c), g), h), i) shall be processed in accordance with the law and for the time necessary to carry out the activities referred to in the above-mentioned purposes, and subsequently retained for the time required by legal obligations. For the purposes referred to in section d), the data shall be processed after obtaining your consent, and will be kept for a maximum period of 12 months. For the purposes referred to in section e) and f), the data shall be processed after obtaining your consent, and will be kept for a maximum period of 24 months. Consent may be withdrawn at any time and processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.
The data subject may exercise the following rights against the data controller with regard to the processing of their data:
- Right of Access and to Rectification
Pursuant to Article 15 of the GDPR, in your capacity as data subject, you have the right to obtain the following from the data controller: confirmation as to whether or not personal data relating to you are being processed, access to such data and to all the information referred to in Article 15(1)(a) to (h), by means of the issue of a copy of the data being processed in a structured, commonly used, machine-readable and interoperable format.
Pursuant to Article 16 of the GDPR, in your capacity as data subject, you have the right to obtain the rectification and/or integration of the processed data if they are not updated and/or inaccurate and/or incomplete, from the data controller.
- Right to Erasure and Right to Restriction
Pursuant to Article 17 of the GDPR, in your capacity as data subject, you have the right to obtain the erasure of data relating to you - with the exception of the cases specifically provided for in Article 17 paragraph 3 - exclusively in the cases referred to in Article 17 paragraph 1 (a) to (f) of the GDPR, from the data controller, without undue delay.
Pursuant to Article 18 paragraph 1, points (a) to (d), of the GDPR, in your capacity as a data subject you have the right to request and obtain from the data controller, the restriction of the processing of your personal data, namely that such data shall not be subject to further processing and may no longer be modified. The data controller shall ensure that the restriction of processing is implemented by means of appropriate technical devices that guarantee inaccessibility and the impossibility to modify them.
- Right to Portability
Pursuant to Article 20 of the GDPR, in your capacity as data subject, you have the right to receive the personal data concerning you from the data controller, the processing of which is carried out by automated means, in a structured, commonly used and machine-readable format, and you also have the right to transmit such data to another data controller, or to obtain from the data controller, when technically feasible, the direct transmission of such data to another specifically identified data controller.
- Right to Object
Pursuant to Article 21 of the GDPR, in your capacity as data subject you have the right to object at any time to the processing of personal data concerning you, on grounds relating to your particular situation, in cases where the processing of your data is necessary (1) for the performance of a task carried out in the public interest and/or in connection with the exercise of official authority vested in the data controller; (2) for the pursuit of a legitimate interest of the data controller or a third party; (3) for profiling activities, if carried out by the data controller, on the basis of the preceding sections. You also have the right to object to the processing of your personal data on grounds relating to your particular situation where the data is processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89 paragraph 1 of the GDPR, except where the processing is necessary for the performance of a task carried out in the public interest.
- Withdrawal of consent
If the data processing is based on the consent of the data subject, they may withdraw it at any time. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.
- Right to complain
Pursuant to Article 77 of the GDPR, in your capacity as data subject, you have the right to lodge a complaint with a supervisory authority in the manner indicated in the same article.
You may exercise the rights listed above by sending a request to the address of the registered office or by writing to ceretto@ceretto.com.
We will acknowledge receipt of your request and provide you with the relevant information within 1 (one) month of receiving your request. If necessary, and taking into account the complexity and number of requests, such time period may be extended by 2 (two) months, subject to a motivated communication to be sent within 1 (one) month of receipt of the request.
Any rectification, erasure, restriction or opposition shall be communicated to all recipients, as identified in Article 4 paragraph 1 (9) of the GDPR, to whom such data have been transmitted, unless this proves impossible and/or involves a disproportionate effort.
Following the sending of your request for rectification, erasure, restriction or opposition, if the data controller has reasonable doubts about your identity, they will request further information to confirm it. Such communications will be sent by email.
In the event that the data controller does not comply with your request within 1 (one) month from receipt of the request, the data controller shall inform you of the reasons for non-compliance, informing you as of now of your right to lodge a complaint with the Supervisory Authority (Italian Garante per la protezione dei dati personali), as specified pursuant to Article 13 paragraph 2 (d) and covered by Articles 77 et seq. of the GDPR.
The data controller informs you that, for the purpose of processing your personal data, they do not use automated decision-making processes, namely processes aimed at making decisions based solely on technological means according to predetermined criteria (i.e. without human involvement).
