The data subject’s rights, as laid down by arts. 15 to 22 of the GDPR, are also listed.
Information pursuant to art. 13, par. 1
A) Data Controller and contacts
The Controller of the processing performed is CERETTO AZIENDE VITIVINICOLE S.R.L., with headquarters located in San Cassiano 34 – Alba (CN) – 12051, Italy – VAT no. 00217070044 - Ph.: +390173282582
The Data Controller informs you that your personal data will be processed:
- pursuant to arts. 12 and 13 of the Regulation (EU) no. 679/2016 (General Data Protection Regulation, hereinafter, for brevity, the “GDPR”), by specifically authorised parties, and only for the purposes and using the methods that will be specified below with reference to the functionalities of the web portal: www.wineclub.ceretto.com
Please also note that the Data Controller will make use of data processors to perform its own activities in a way that is compliant with the provisions of the GDPR 679/2016.
The list of processors can be requested from the data controller with a special request, which can also be sent via email.
B) Subject matter, purposes of the processing
The Data Controller would like to inform you that when you use our services, you accept that your personal data will be processed.
The term “personal data” refers to any data that may be correlated to your natural person, such as:
- Name and surname
- Telephone number (if you should provide this so that we can fulfil your request for more information)
Your data, as described above, will be processed in the ways and forms prescribed by the GDPR. The processing of data provided in the sections relating to contact between controller and final user will be performed to respond to your questions or information requests, or for registration on the site or to receive newsletters. Please refer to the special Cookies Policy for further information.
Legal basis for processing
Apart from what is specified in the Cookies Policy regarding navigation data, the prerequisite for the lawfulness of processing the personal data described above, which you communicate to the Data Controller, is the legitimate interest of the controller, as long as this does not conflict with the rights and freedoms of the data subject and the fulfilment of contractual and/or pre-contractual obligations assumed with you, and your consent to the processing of data for marketing purposes.
C) The processing performed on users’ personal data is based on art. 6 of the Regulation (EU) 679/2016, points: A, B, C, F
D) Recipients and categories of recipients of the data collected
In relation to the purposes indicated above, the data could be communicated to the following parties and/or categories of parties indicated below, or they could be communicated to companies and/or people, who offer services, including external parties, on behalf of the Data Controller. For greater clarity and merely by way of non-limiting example, we identify the following of these: parties - internal or external to the company - who provide IT and telematic services for managing the IT system used by the Controller and the telecommunication networks, parties who the Controller reserves the right to name, if the need arises, as processors; financial administration authorities and other companies or public bodies in fulfilment of regulatory obligations; competent authorities and/or monitoring bodies to satisfy legal obligations.
In no case do we give or sell personal data to third parties.
Information pursuant to art. 13, par. 2
A) Data storage period
We’d like to inform you that, pursuant to art. 5 of the GDPR, in compliance with the principles of lawfulness, purpose limitation, and data storage and minimisation, your data will be stored according to law and for the time necessary to perform the activities referred to here for the purposes included above in compliance with the terms of the law: for the period corresponding to the fiscal, accounting, and administrative necessities, and to document our activity, and also to respond to your needs to recover data, as well as for the time necessary to ensure defence in legal proceedings.
B) Rights of the data subject
- Right to Access and Rectification
Pursuant to art. 15 of the GDPR, in your capacity as data subject, you have the right to obtain from the Controller confirmation of the existence, or lack thereof, of personal data processing concerning you, to obtain access to the same and to all information referred to in the same art. 15, para. 1, points (a) to (h), via the release of a copy of the data subject to processing in a structured, commonly used, machine-readable and interoperable format.
Pursuant to art. 16 of the GDPR, in your capacity as data subject, you have the right to obtain from the Controller the rectification and/or supplementation of data subject to processing if these are not up-to-date and/or inaccurate and/or incomplete.
- Right to Erasure and Right to Restriction
Pursuant to art. 17 of the GDPR, in your capacity as data subject, you have the right to obtain, without unjustified delay, from the Controller, and only in the cases referred to in art. 17, para. 1, points (a) to (f), of the GDPR, the erasure of the data that concerns you - with the exception of the cases specifically laid down in art. 17, para. 3.
Pursuant to art. 18, para. 1, points (a) to (d), of the GDPR, in your capacity as data subject, you have the right to request and obtain, from the Controller, the restriction of the processing of your personal data, or that such data are not subjected to additional processing and cannot be altered. The Controller ensures that the restriction of the processing is carried out by means of suitable technical devices that guarantee that the data cannot be accessed or altered.
- Right to Data Portability
Pursuant to art. 20 of the GDPR, in your capacity as data subject, you have the right to receive from the Controller the personal data that concern you, the processing of which is performed using automated means, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, or to obtain from the Controller, where technically feasible, the direct transmission of such data to another Data Controller specifically identified.
- Right to object
Pursuant to art. 21 of the GDPR, in your capacity as data subject, you have the right to object at any time to the processing of personal data concerning you, on grounds relating to your particular situation, in cases where the processing of your personal data is necessary (1) to perform a task in the public interest and/or connected to the exercise of public powers that the Controller holds; (2) to pursue a legitimate interest of the Controller or of a third party; (3) for profiling activities, if performed by the Controller, based on the previous points. You have, in addition, the right to object to the processing of your personal data on grounds relating to your particular situation if these data are processed for the purposes of scientific, historical, or statistical research pursuant to art. 89, para. 1, of the GDPR, except in the case where the processing is necessary to perform a task in the public interest.
How to exercise the above-mentioned rights
You may exercise the rights listed above by means of a request to be sent to the registered address or by contacting the controller at the number listed above.
We will confirm having received your request, and provide you with the information relating to the communication we receive, within 1 (one) month from receipt of the request itself. If necessary, and taking into account the complexity and number of requests, this term may be extended to 2 (two) months, by prior, justified notice to be sent within 1 (one) month from receipt of the request.
We will communicate any rectification, erasure, restriction, or objection to all the recipients, as identified in art. 4, para. 1, no. 9 of the GDPR, to which such data have been transmitted, unless this proves to be impossible and/or it requires a disproportionate effort.
Following the sending of your request for rectification, erasure, restriction, or objection, if the Controller has any reasonable doubts regarding your identity, it will request further information from you in order to confirm it. These communications will be sent via email.
Should the Controller fail to fulfil your request within the term of 1 (one) month from receipt of your request, it will inform you of the reasons for this failure, informing you of your right to lodge a complaint with the supervisory authority (the Italian Data Protection Authority), as specified pursuant to art. 13, para. 2, point (d) and governed by arts. 77 and ff. of the GDPR.
C) Right to lodge a complaint
Pursuant to art. 77 of the GDPR, in your capacity as data subject, you have the power to lodge a complaint with a supervisory authority according to the methods indicated in the same article.
The relevant authority is the Italian Data Protection Authority:
D) Automated decision process and profiling
The Controller would like to inform you that, for the purposes of the processing of your personal data, we do not make use of automated decision-making processes, or those directed at making decisions based only on technological means based on predetermined criteria (i.e. without human involvement), nor do we directly perform profiling activities, or those directed at using your personal data to analyse or predict aspects regarding your professional earnings, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements etc.
Processing methods - how do we ensure your data is protected?
The processing of personal data that you communicate is performed by means of the operations identified in art. 4, no. 2) of the GDPR, and, precisely: “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
The personal data that you communicate are subjected to processing for the time strictly necessary to achieve the purposes for which they were collected, with technical and organisational, manual and automated methods, adopted to prevent the loss of data, illegal or incorrect uses thereof, and unauthorised accesses thereto, and such, therefore, as to ensure a level of security appropriate to the risk pursuant to art. 32 of the GDPR, by parties specially authorised, in fulfilment of what is laid down in art. 29 of the GDPR, i.e. employees and/or collaborators of the Controller in their capacity as authorised subjects and/or system administrators, who will be able to perform consultation, use, processing, and comparison operations, and any other appropriate operation in compliance with the legal provisions necessary for ensuring, among other things, the confidentiality and the safety of the data, as well as the accuracy, updating, and relevancy of the data in compliance with the declared purposes and methods.