Privacy protection
We invite you to read the following information made available under section 13 of the GDPR (General Data Protection Regulation) n. 679/2016 - EU Privacy Regulation and accompanying National and European legislative provisions; they are intended for those who have completed, are completing or intend to complete a contractual agreement for the provision of services with the Consorzio del Vino Chianti Classico.
1. Personal Data Controller - Indication and contact details
The Data Controller is Consorzio Vino Chianti Classico, with head office at 50028 Florence, Locality of Sambuca, Tavarnelle Valdipesa, at Via Sangallo 41, Italy. E-mail: privacy@chianticlassico.com, Tel. 055 82285, Website: www.chianticlassico.com.
To date, upon appropriate assessment, the Consorzio did not deem it necessary to appoint an Authority Responsible for the Protection of Personal Data (RPD or DPO-Data Protection Officer).
2. Data Processors
Summary:
Parties other than the Data Controller who can process your personal data in our name and on our behalf. The list is available at our head office in Florence, at Tavarnelle Valdipesa, Via Sangallo 41, Italy and may be requested using the contact details indicated herein.
In-depth information:
The list of any Data Processors (that is, subjects that process - in our name and on our behalf - the personal data we control) and of the system administrator/s is available at our head office.
In some cases, the employees of third parties cooperating with the Data Controller may also be authorized to process personal data, if processing operations are carried out under said Controller's direct authority.
For example: tax advisor, IT consultant/s (strictly for data relating to the use of computer systems and equipment), partners collaborating in the development of promotional and descriptive material for the consortium, suppliers of CRM and of any IT platform needed in managing institutional business, even when located in non-EU countries (with full guarantee to comply with the restrictions and rules of data transfer).
3. Legal grounds for data processing/Why we process your personal data
Main Purpose - mandatory provision of data and consent
Summary:
- Delivery of requested services (participation in the Form-specific event and provision of ancillary/additional services);
- Correct quantification of consideration, whenever owed;
- Fulfillment of obligations required by law, regulation and contracts;
- Compliance with requirements towards tax authorities for account-keeping purposes and in accordance with tax and civil law provisions;
- Verification of customer satisfaction.
In-depth information:
Personal data collected directly from the Data Holder in accordance with applicable law may be processed for the following purposes:
- adherence to obligations required by law, regulations and EU measures, or rather to directives issued by the competent authorities duly authorized by law and by supervisory and control bodies. Providing personal data necessary for said purposes is compulsory and refusing to do so leads to the impossibility of fulfilling all the obligations indicated above, thus impeding the creation of a relationship with the Data Holder, or rather affecting the possibility of said relationship being carried out;
- purposes linked and referring to the carrying out of the requested activity. Providing personal data necessary for said purpose is required for the carrying out of the requested activity;
- monitoring of the activity via phone calls and/or contact (using the specific contact details supplied by the Data Holder) in order to measure customer satisfaction; even in this case, providing personal data is deemed necessary as it pertains to services that are ancillary to the main services and does not in any way involve the carrying out of unwanted promotional activity towards the client.
Additional purposes
Promotional activities (marketing and newsletter) - provision of optional data and consent
Summary:
Dispatch of commercial communications, newsletters, direct marketing activity, market analysis, etc. using:
- automated means (i.e. text messages and chats, E-mails, non-operator assisted calls)
- traditional or non-automated means (i.e. paper mail, operator-assisted calls).
In-depth information:
Marketing (optional data provision and consent)
In this case, it involves purposes that are functional to sending you, using automated instruments such as text messages, chat, E-mail etc., as well as non-automated ones (that is, traditional methods such as paper mail, and/or operator-assisted calls), communications aimed at monitoring customer satisfaction with regard to a specific event you took part in, as well as at planning and carrying out analytical, strategic and operational marketing activities, at providing information on promotional activities (such as: verification of event quality satisfaction for event participants, dispatch of promotional material or commercial communications...). Consequently, this particular purpose may be pursued for purposes beyond those strictly linked to gaining access to the event and/or resulting from legal and/or regulatory requirements, should you decide to give your consent; should you decide not to give your (optional) consent for the above said purpose, your participation in the event will in no way be compromised nor altered, but the Data Controller will be unable to interact with the Data Holder upon conclusion of said event for updates regarding services/initiatives/information on the denomination etc... deemed as potentially interesting by the Consorzio del Vino Chianti Classico.
Should you decide to provide said consent, it will be regarded as applicable and valid for contacts made using both traditional and automated instruments (such as E-mail, text messages, mms, telefax, automated calls, etc.)
However, after having given your consent, you retain the right to object, at any time and at no cost, to the processing of your personal data for this specific purpose; should you wish to exercise said right to object at any moment, you may do so in any way you prefer, using one of the contact methods.
Mailing list or newsletter
By subscribing to the mailing list or to the newsletter, the client's E-mail address is automatically included in a contact list and therefore used for E-mail communication regarding all types of information, including promotional, pertaining to our services and/or initiatives. The participant's E-mail may also be added to this list as a result of his or her registration to the web application (websites that can be traced back to the Consorzio del Vino Chianti Classico) or after having expressly requested it at a subsequent time.
4. Processed personal data
Summary:
- Personal details, Phone and/or mobile phone number, E-mail address/es, year of birth, etc...
- Tax details
In-depth information:
Purely by way of a non-limiting example, we process personal and tax details, as well as any data needed to supply the requested services and in accordance with applicable sector-specific laws and regulations currently in force.
5. Methods of personal data processing
Summary:
Hard copy and electronically
In-depth information:
The processing of a Data Holder's personal data is performed using manual and automated instruments, with methods that are closely related to the above mentioned purposes, yet always in ways that guarantee the safety and confidentiality of your personal data.
In all instances, data processing operations are performed ensuring the fullest respect for the current legal framework relating to protection of confidentiality; purely by way of a non-limiting example, the Consorzio contemplates: constant staff training, clear and common policies on privacy, implementation of appropriate behavioral practices adhering to legally binding provisions, hard copy and electronic storage practices to minimize the risk of loss, even accidental, and/or of unauthorized access etc...
Should you wish to receive more information on the matter, please take note of your rights guaranteed as specified hereunder.
6. When are you required to provide your data?
Summary:
Main purpose: requirement
Other purposes (marketing/promotional/profiling): option
In-depth information:
With regard to the data we are required to possess, in order to comply with contractual obligations established by law, by regulations and by EU measures, or rather by directives issued by the competent authorities duly authorized by law and by supervisory and control bodies, failure to supply said data on your part shall determine the impossibility of creating or carrying out the relationship insomuch as those data are required for the fulfillment of said relationship.
With regard to data we are not required to possess, failure to communicate them to us will in no way compromise or limit our compliance with contractual obligations, nor with those arising from legislative and regulatory requirements.
7. Categories of personal data recipients
Summary:
- Employees and similar workers of the Data Controller qualified as "authorized to process personal data" (administrative, commercial, marketing personnel; system administrators, etc. ...), all of whom duly trained and monitored by said Controller;
- External subjects (i.e. legal and administrative consultants; technical service suppliers; hosting providers, IT service companies, communication agencies, commercial partners whenever needed to perform specific obligations, etc. ...)
- Control and/or Supervisory authorities.
In-depth information:
Your data may be communicated to:
- those subjects who are required by law to receive said communication in compliance with an obligation established by law, by regulation and by EU measures, or rather with directives issued by the competent authorities duly authorized by law and by supervisory and control bodies;
- consultants, professional firms, companies providing technical assistance for IT services, provided they have been specifically engaged and are duly classified in one of the categories set out by GDPR n. 679/2016; all of the above shall be carried out in accordance with the law currently in force.
The updated list of the above said recipients may be obtained by simple request made to Consorzio del Vino Chianti Classico using the contact details specified in the last paragraph of this privacy notice.
NB: data will not be shared with third parties for their marketing purposes.
8. Retention period for personal data
Summary:
10 years, tacitly renewed at every expiration date, unless revoked at each deadline or in the event other rights are exercised by the Data Holder
In-depth information:
Beyond the limit of 10 years (mandatory) required for storage of contractual data, accounting data etc... your personal data will be stored in our archives for the additional purposes and only subsequent to your authorization for the amount of time that is deemed appropriate, or rather for a maximum of 10 years that shall be renewed at every expiration date, unless otherwise notified by the Data Holder.
Said term may be limited and/or increased (following communication to the Data Holders) in the event, for example, of instructions received by Control Institutions and/or Authorities.
This is, however, without prejudice to the possibility, at any time, of revoking one's consent, which shall not affect the lawfulness of data processing based on consent given before its withdrawal.
9. Transfer of personal data to non-EU countries
Summary:
The Data Controller may transfer your data to non-EU countries in order to benefit from specific services, such as storage or mailing list creation; obviously, in said event, the Data Controller undertakes to establish and ensure that adequate safeguards required by law have been put in place.
In-depth information:
The transfer of personal data to non-EU countries may involve greater risks and therefore must be monitored appropriately. Should the Data Controller make use of said option, then it undertakes to gather all relevant documentation and make it available to the involved parties, ensuring the same terms and procedures for the exercise of their rights.
10. Lodging a complaint with the Supervisory Authority
The available procedures for your safeguard and protection are (besides exercising your rights against us):
- Accessing www.garanteprivacy.it in the specific section dedicated to complaints should the Italian Authority have jurisdiction;
or
- Following the terms and procedures laid down to petition the Control Authority of the Member State (if different from Italy) in which the Data Holder habitually resides, works, or rather where the alleged violation took place.
11. Your rights
Summary:
Access - Restriction - Rectification - Objection - Withdrawal of Consent - Erasure (Right to be Forgotten) - Portability
In-depth information:
Right to access: you may receive a copy of the personal data being processed at any moment.
Right of restriction: it may be exercised not only if the lawfulness of the processing of personal data has been violated, but also when data are asked to be rectified, or the Data Holder objects to the processing; the Data Controller agrees to flag the data in question for the entire time it needs to decide on the appropriate action to take, implementing any suitable measure for that purpose.
Right of rectification: you may obtain the prompt rectification of any inaccurate personal data that concern you and you are also entitled to ask that your incomplete personal data be integrated, also by providing a supplemented statement.
Right to object: you are entitled to object at any time, on grounds relating to your specific situation, to the processing of personal data that concern you, even if used for direct marketing and/or profiling (if performed).
Right to withdraw consent, when given, for example, for marketing and similar purposes.
Right to Erasure (Right to be Forgotten): it is possible to request that all personal data be erased in a strengthened manner, for example, even after the Data Holder has withdrawn consent to the processing of his or her personal data.
Right of Portability: this does not apply to non-automated processing, therefore to hard copy archives and/or registers; furthermore, only the data supplied by the Data Holder to the Data Controller and processed with the Data Controller's consent, or on grounds of an agreement reached with the Data Holder, can be regarded as portable.
12. Contacts for the exercise of your rights
Consorzio Vino Chianti Classico, with head office in 50028 Firenze, Locality of Sambuca, Tavarnelle Valdipesa, at Via Sangallo 41, Italy. E-mail: privacy@chianticlassico.com, Tel. 055 82285, Website: www.chianticlassico.com
13. Term and form of reply from the Data Controller to whomever exercises a right concerning his or her personal data
Summary:
n. 1 (one) month extendable to n. 3 (three) months in more complex cases, in writing
In-depth information:
Should you exercise your rights, the Data Controller must provide a written reply, also using electronic means to make it more accessible (a verbal reply shall be provided only upon express request by the Data Holder), within and no later than 1 (one) month, which may be extended to 3 (three) months in more complex cases, notwithstanding the obligation to provide a reply within one month from the request, even in case of a rejection.
The Data Controller, upon assessment of the complexity of the request formulated by the Data Holder, shall determine the amount of a possible contribution it may request from said petitioning party, but only if the Controller ascertains that the request is manifestly excessive or ungrounded.