Introduction
- This privacy policy ("Policy") describes the processing of personal data of users ("Data") who consult the website www.vinoste.it ("Site").
- This statement remains in accordance with art. 13 and 14 of Regulation (EU) n. 2016/679 (hereinafter GDPR).
- This information is a separate document from the cookie policy of the site in consideration of the specific requirements of the provision of the Data Protection Authority of 10.06.2021; unifying the two documents would result in the creation of a document that is too large and therefore difficult to read for the user.
Terms and definitions
- Personal data: any information relating to an identified or identifiable natural person ("data subject"); a natural person is considered identifiable if they can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of their physical, physiological, genetic, psychological, economic, cultural or social identity.
- Data controller: Subject who establishes the purposes and methods of processing personal data.
- (External) data processor: the natural or legal person, public authority or body processing the data on behalf of the controller.
- RID: Confidentiality, Integrity and Availability, i.e. the three basic requirements of information security. Confidentiality: principle whereby information must be accessible only to those who are authorized to know it, and must be protected both during transmission and in storage. Integrity: principle whereby information must be handled in such a way that it is protected from unauthorized tampering and modification; the property of data being correct and valid. Integrity implies completeness (presence of the whole information), accuracy (error-free information) and validity of the information (information derived from valid and authorised sources). Availability: principle whereby information is reachable and usable when requested by authorized parties, at the times, in the places and in the ways appropriate to operational needs.
- User: Subject who consults the site and uses the services proposed by the same.
- Person in charge of the processing/personnel: subject, employee or collaborator of the Data Controller, who has access to personal data and who, as authorised person, carries out the processing activity on the same according to specific instructions formally given by the Data Controller and on its authority.
- Interested party: Identified or identifiable natural person, to whom the personal data collected/processed by the Company refer. For example, depending on the context, the interested party may be the User who consults a website, the employee, the customer, the supplier, etc. Legal persons are excluded from the definition of a data subject.
- Treatment: Any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.
- The collection consists in the activity of data acquisition.
- Recording is the storage of data on any medium.
- The organization consists in the classification of data according to a pre-chosen method.
- Structuring is the task of distributing data according to precise patterns.
- Storage consists in keeping the information stored on any medium.
- The consultation is the reading of personal data. Even the simple display of data is a treatment that can be part of the consultation operation.
- Processing consists in the activity by which the personal data undergoes a substantial change.
- The modification differs from the processing in that it can concern even a minimal part of the personal data.
- The selection consists in the identification of personal data within groups of data already stored.
- Extraction is the activity of extrapolating data from groups already stored.
- Comparison is an operation of comparison between data, both as a result of processing and selection or consultation.
- Usage is a generic activity that covers any type of data usage.
- Communication consists in giving knowledge of personal data to one or more subjects determined other than the data subject, the owner’s representative in the territory of the State, the person responsible and the persons in charge. In case of communication the data is transferred to third parties.
- Dissemination consists in giving knowledge of the data to indeterminate subjects, in any form, including by making them available or open to consultation. It is, therefore, also dissemination when you publish online, for example, a photograph on a social network. In the absence of consent, this activity must be considered illegal.
- Interconnection consists in the use of multiple databases, and refers to the use of electronic tools.
- The block consists in the temporary storage with suspension of any other treatment operation.
- Deletion consists in the deletion of data through the use of electronic tools.
- Destruction is the ultimate data deletion activity.
Identification details of the Data Controller.
- Ganzerla Andrea Gianpaolo as Data Controller, processes the Data referred to below.
- The Data Controller can be contacted at the following addresses:
- tel.: (+39) 339 4744086
- E-mail: info@vinoste.it
- Postal service: Lungolago Cesare Battisti, 55 - 25015 - Desenzano del Garda (Bs) Italy
Interested parties
- Users who consult the site.
Type of data processed
- The visit and consultation of the Site do not generally involve the collection and processing of Data except for the Data voluntarily provided and Cookies referred to in the cookie policy.
- Data voluntarily provided by the User: Data provided when the User interacts with the Site's functionalities (e.g. by filling in the contact form or asking for a consultation). In this case the following data will be processed: name, surname, address and e-mail of the natural person User or of the legal representative/contact person of the User of the service, and any other information that the User may insert in the contact form or in the request for a consultation. The source of the Data is the User.
- The Data collected by the technical Cookies necessary for the correct functioning of the banner that must appear immediately under the provision of the Guarantor of 10.06.2021, as better specified in the cookie policy.
Any collection of Data other than the categories indicated
- The Data Controller may also be required to request additional Data and submit them to processing operations and to communicate them to the entities indicated in the paragraph entitled "Scope of Data Circulation" for the same reasons specified.
- This will occur in circumstances where the provision of Data:
- is imposed by laws, regulations or authority decisions;
- is necessary and instrumental to the management and execution of the service requested by the User;
- is necessary to pursue the legitimate interest of the Data Controller as specified in art. 7 of this information.
- For this last category of cases, only the Data essential to the indicated purpose will be requested or collected and transmitted to the subjects specified above.
Purpose of use of Data and basis of legitimacy
- The Data are processed for the legitimate purposes set out below with the related grounds:
- Exercise of the right of defence ex art. 9 par. 2 lett. e-f) GDPR for the particular data that the User will consider to enter in the forms for the contact or to ask for a consultation;
- Performance of the contract or pre-contractual measures taken at the request of the data subject for other data provided voluntarily:
- in order to assess the possibility of establishing a contractual relationship,
- Strictly related purposes;
- Legitimate interest of the Data Controller for all data:
- The defense in court also in administrative or arbitration procedures and conciliation in the cases provided for by law, by Community law, by regulations.
- Legal obligations of the Data Controller for all data:
- The fulfilment and performance of specific tasks deriving from laws, Community legislation, regulations in particular for the establishment, management and termination of the relationship.
- In addition, the Data are used to carry out all the activities instrumental and ancillary to these and in any case necessary for the pursuit of the said purposes (registration, storage of Data, consultation etc.).
Nature of the provision
- The processing of Data provided is entirely instrumental to the purposes mentioned above.
- The provision of Data pursuant to art. 5,a,i) by the Users is optional since the User could only indicate the contact request.
- Personal data will not be used for automated decision-making processes, including profiling.
Period of storage of personal data
- The data provided under art. 5,a,i) will be retained for 3 months from their insertion after which they will be erased and possibly processed by force of professional post, after this period, is not supposed to be conferred.
- The Data collected for purposes related to the legitimate interest of the Data Controller will be retained until the satisfaction of said interest and then for a period of 5 years.
- At the end of the retention period the Data will be deleted and therefore, upon expiry of this period, the right of access, cancellation, rectification and the right to portability of the Data cannot be exercised.
How to use the Data
- The processing of Data is carried out mainly through computer procedures or in any case automated means, and marginally with paper media, by the Data Controller or by any persons duly instructed and committed to confidentiality.
- The Data is protected by adequate organizational and security measures and arranged to prevent unauthorized access, loss or destruction, and in particular:
- Limited access to the Holder for
- IT structures,
- the premises where any documents received or printed with the Data provided spontaneously by the User and the devices where the data received electronically are stored,
- Data is saved on
- Devices protected by updated firewalls and antivirus and password that is changed every 3 months,
- Password protected offline external hard drive that is changed every 3 months,
- Cloud provided by Google,
- back up daily on cloud and external hard drive,
- Preparation of an MOP,
- Continuing education of the Data Controller, given the function of privacy advisor held by the same.
- In compliance with the provisions of art. 5 of the GDPR, the Data are:
- collected and registered for specific, explicit and legitimate purposes, and subsequently processed in terms compatible with those purposes;
- appropriate, relevant and limited to what is necessary for the purposes for which they are processed;
- exact and, if necessary, updated;
- treated to ensure an adequate level of security;
- stored in a form that allows the identification of the Data Subject for a period of time not exceeding the achievement of the purposes for which they are processed.
Data Circulation Scope
- The Data Controller collects the Data and processes it in this capacity.
- Data at the date of writing of this information are not made accessible to data processors but only to the Data Controller.
- Scope attributable to external parties
- In addition, always for the purposes strictly instrumental to the provision of data, the Data Controller transmits some, not the particular ones, according to a strict criterion of relevance, to the following categories of subjects:
- external consultants and service companies (including IT) entrusted with specific management related to the site and the use of the services proposed in it;
- public security authorities or judicial authorities where requested by them.
- Subjects and/or public and private entities to whom the Data will be disclosed in order to comply with or to require the fulfilment of specific obligations under the contract, laws, regulations, EU legislation.
- These entities will act as separate "Controllers" of the respective processing operations. In some cases they will act as duly appointed Data Processors.
Non-disclosure of Data
- The Data will not be disseminated to indeterminate subjects.
Location and Data Transfer Abroad
- The Data are stored on servers located within the EEA; cloud services are also used, for which the service providers have servers within the EEA and provide adequate guarantees, as required by art. 46 GDPR.
- It remains in any case understood that the Data Controller, if necessary, will be able to move servers outside the EU. In this case, the Data Controller ensures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, after stipulating the standard contractual clauses provided by the European Commission.
Personal data breach
- The Data Controller is obliged to:
- notify any security breach which accidentally or unlawfully leads to the destruction, loss, modification, unauthorised disclosure or access to the personal data transmitted, stored or otherwise processed to the Guarantor for the protection of personal data without undue delay and, where possible within 72 hours from the moment it became aware of it, unless the same infringement is unlikely to constitute a risk to the rights and freedoms of natural persons. If this time limit is not respected, the infringement notification must be accompanied by the reasons for the delay. For the minimum content of the notification please refer to the provisions of art. 33 of the GDPR;
- communicate any data breach to the Data Subject without undue delay if such breach constitutes a high risk for the rights and freedoms of natural persons, except in the cases provided for by art. 34 of the GDPR.
Rights of data subjects
- Interested parties may exercise the following rights:
Art. 15-22 GDPR
- right of access, that is the right to obtain from the Company the confirmation that the data is being processed or not and, in this case, to obtain access. In particular, the interested party has the right to obtain the indication (i) of the origin of personal data; (ii) of the purposes and methods of processing; (iii) of the logic applied in the case of processing carried out with the help of electronic tools; (iv) the identification details of the data processors; (v) the subjects or categories of subjects to whom the Data may be communicated or who may become aware of it as responsible persons or (if any) in charge or (if any) designated representative in the territory of the State;
- right of rectification, that is the right to obtain the rectification (correction, modification, integration) of incorrect, outdated or insufficient data of an elementary nature and not of data of an evaluative nature, relating to judgments, opinions or other evaluations of a subjective nature. In the event that the personal data subject to rectification have been transmitted to other subjects, it is the responsibility of the owner to give notice and request the correction to each of the recipients, unless this is impossible or involves a disproportionate effort (Art. 19 of the GDPR).
- the right to be forgotten, that is, the right to obtain the erasure, transformation into anonymous form or the blocking of data processed in violation of the law, including those whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed in certain circumstances provided by law;
- the right to receive the attestation that is the right to be aware that the transactions referred to in points ii and iii have been brought to the knowledge, also as regards their content, of those to whom the data have been communicated or disseminated, except where such compliance proves impossible or involves the use of means manifestly disproportionate to the protected right;
- right of limitation of processing, that is the right to oppose the processing or to obtain the limitation of the processing of Data pursuant to law;
- right to be informed of corrections and cancellations and limitations of data processing;
- right to portability, i.e. the right to receive the Data in a structured format, in common use and readable at the IT level as well as the right to transmit the data to another data controller - this right to "portability" applies only to Data provided by the Data Subject and may be subject to certain restrictions, as provided for by the Privacy Policy;
- the right to object, that is to say the right of the data subject to object, for reasons related to their particular situation, to the processing of personal data concerning them pursuant to Article 6, paragraph 1, letters e) or f), including profiling on the basis of these provisions.
- Right not to be subject to a decision based solely on automated processing: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects affecting him or which have a similar significant effect on him. This right shall not apply where the decision:
- is necessary for the conclusion or performance of a contract between the data subject and a data controller
- is authorised by the law of the Union or the Member State to which the data controller is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject;
- is based on the explicit consent of the data subject.
- the right to revoke the consent given, at any time, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
- right to compensation, that is, the right to obtain from the Data Controller and/or the Data Controller the full and effective compensation for damage suffered, material or intangible (financial loss, identity theft, discrimination, etc.) if caused by the processing of personal data of the data subject in violation of the Regulation and the Data Controller and/or the Data Controller are not able to prove that the harmful event is not their fault;
- the right to lodge a complaint with the Guarantor for the protection of personal data (Piazza Venezia, 11 - 00187 Roma RM - PEC: protocol-lo@pec.gpdp.it) in case of unlawful processing without prejudice to the limits of D. Lgs. No. 101/2018, art. 2-undecies and art. 2-duodecies.
- Please note that the rights referred to in art. 15 to 22 of the GDPR referring to personal data concerning deceased persons - pursuant to art. 2-terdecies, paragraph 1, of Legislative Decree No. 196/2003 - "may be exercised by those who have a vested interest, or act for the protection of the person concerned, as his agent, or for family reasons worthy of protection". The entitled persons may be identified, e.g. as follows:
- next of kin who have family reasons "deserving" of protection (spouse and children, in the absence of ascendants or brothers and sisters and in their absence other ascendants or direct descendants up to the fourth grade), also identified by analogy in the matter of correspondence pursuant to art. 93 of the copyright law (l. 22 April 1941, n. 633).
- the executors, appointed pursuant to art. 700 c.c. and seg. entrusted with the exercise of the relevant rights in the interests of the deceased, or agents invested for that purpose under a post-mortem contract exequendum, that is, a legal transaction between the parties in life, by which the agent undertakes to carry out on behalf of the principal, following the death of the principal, an assignment relating to provisions of a generally non-equity nature;
- anyone who proves to have a personal interest in defense of property rights deriving from the death of the person concerned and the right to defend their interests in court (for example, the pretermitted legitimate heirs).
Communications and exercise of the data subject’s rights
- To exercise the rights referred to in art. 15 - 22 GDPR (art. 15,a,i-x) the interested party can submit a written request, addressed without formality, to the Data Controller by sending a communication to the following e-mail address: ilvigneto.bs@gmail.com, or to the abovementioned office (with. ar.).
- The request must be accompanied by a copy of the identity document in the absence of a digital signature on the request.
- As required by the GDPR, the feedback will take place within 30 days of receipt of the request, unless in the same period the Data Controller informs the interested party of the extension of this period for a further 60 days.
- The exercise of a right is normally free of charge, except in cases where:
- the holder must incur relevant technical expenses to fulfill (e.g., if multiple copies have been requested);
- the requests are manifestly unfounded or excessive, in particular because of their repetitive nature (e.g. harassment).
In these cases it is possible: to charge a fee (sub a and b), taking into account the administrative costs incurred. In particular,
- with regard to the right of access, the holder may charge a reasonable fee based on administrative costs, in the event of a request for additional copies (Art. 17, par. 3, GDPR);
- refuse to fulfill the request.