PRIVACY POLICY
We kindly invite you to read the following information provided pursuant to Article 13 of the GDPR (General Data Protection Regulation) No. 679/2016 - EU Privacy Regulation and related provisions of national and European authorities.
1. Data Controller - Information and contact details
The Data Controller is the Consorzio Vino Chianti Classico, with head office at 50028 - Florence, Loc. Sambuca, Tavarnelle Valdipesa, Via Sangallo 41, Italy. E-mail: privacy@chianticlassico.com, Tel. 055 82285, Website: www.chianticlassico.com.
2. Data Protection Officer in charge of the Protection of Personal Data (RPD or DPO):
At this time, after careful assessment, the Consorzio has decided not to appoint a Data Protection Officer in charge of the Protection of Personal Data (RPD or DPO).
3. Personal Data processors:
Summary: Third parties external to the Data Controller who may process your Personal Data in our name and on our behalf. A list is available at our office in Florence, Loc. Sambuca, Tavarnelle Valdipesa, Via Sangallo 41, Italy and can be requested using the contact information provided above.
Specifics: A list of data processors (i.e., those authorized to process, in our name and on our behalf, the Personal Data of which we are Data Controllers) that might be appointed, as well as of any system administrator, is available at our head office.
In certain cases, for processing purposes, it may be possible to appoint third party employees cooperating with the Data Controller, if said processing operations are fulfilled under the direct authority of said Controller.
Some examples include: IT consultants (limited only to data related to the use of IT systems and equipment), partners for the development of promotional and descriptive material for the Consorzio, suppliers of CRM and IT platforms necessary for company business management, even those located in non-EU countries (strictly in compliance with limitations and transfer rules).
4. Legal Basis for Data Processing/Reasons for Personal Data Processing - Basic Purposes: Mandatory Provision of Data and Consent
Summary:
- Registration and enrollment on the e-learning platform
- Sending out of promotional and institutional material, newsletters, direct marketing, market analysis, etc. through traditional automated means (e.g., text and chat, email, non-operator assisted calls) or non-automated means (e.g., paper-based mail, operator-assisted calls);
- Fulfillment of obligations required by law, regulations, and contracts;
- Compliance with obligations towards tax authorities, for account-keeping purposes and in accordance with fiscal and civil law.
Specifics:
Personal Data collected directly from the Data Subject, in compliance with applicable legislative provisions, may be processed for the following purposes:
This concerns the use of the e-learning platform and subsequent participation in the courses offered.
In this case, the purpose is to send you, through automated means such as text, chat, email, etc., and through traditional means (e.g., paper-based mail and/or operator-assisted calls), institutional and promotional communications, as well as to plan and execute analytical, strategic, and operative marketing activities, and to inform you about promotional activities (e.g., sending out of promotional materials). Moreover, should consent be given, it shall be regarded as valid for any contact made via traditional, as well as automated method of contact (e.g., email, chat, text, mms, fax, automated calls). After giving your consent, you, as the Data Subject, may, at any moment and at no expense, exercise your right to object to the processing of your data for the purposes stated herein. Should you at any time decide to exercise this right, you may proceed, even in a separate and diverse manner, using any one of the contact methods.
Compliance with obligations imposed by laws, regulations, and EU directives, or with provisions issued by Authorities empowered to do so by law and by Supervisory and Control Bodies. The provision of Personal Data necessary for the above listed purposes is mandatory, and refusal to provide one’s Personal Data will make it impossible to fulfill the aforementioned obligations, preventing the establishment of a relationship with the data subject or compromising any existing relationship.
Fulfillment of purposes connected to and concerning the performance of the required activity. The provision of Personal Data needed for this purpose is necessary to carry out the requested activity.
Monitoring activities through phone calls and/or contacts (using the specific details provided by the data subject) in order to verify the level of satisfaction regarding the services provided to and enjoyed by the data subject. In this case as well, the provision of Personal Data is considered necessary as it relates to services that are ancillary to the main ones and does not in any way imply the carrying out of unsolicited promotional activities towards the client.
5. Processed Data
Summary:
Personal information, E-mail address/es, website
Specifics:
The processed data include, but are not limited to, personal information, as well as any other detail necessary to ensure the provision of the requested services and compliance with legislative and regulatory requirements on the matter.
6. Methods of Personal Data processing
Summary:
On paper and electronically
Specifics:
Your Personal Data will be processed using both manual and electronic tools, with methods strictly correlated to the abovementioned purposes, and in any case in a manner that guarantees the security and confidentiality of your Data.
In all instances, processing operations of Personal Data will always be carried out in strict compliance with existing provisions on the protection of personal privacy; by way of example but not of limitation, the Consorzio provides for the following: ongoing staff training, clearly defined and shared privacy policies, enforcement of appropriate practices in accordance with current binding provisions, paper and computerized filing procedures to minimize the risk of loss, albeit accidental, and/or of unauthorized access, etc.
For additional information on the matter, please review your rights as specified hereinafter.
7. When are you required to provide us your Personal Data?
Summary:
Basic purpose: mandatory
Specifics:
With regard to the Personal Data we are required to collect in order to comply with contractual obligations imposed by law, by regulations and by current EU legislation, as well as with obligations imposed by Authorities empowered to do so by law and by Supervisory and Control Bodies, the refusal to provide your Personal Data determines the failure to establish or to maintain any relationship to the extent said data is necessary for the relationship’s very fulfillment.
With regard to the Personal Data we are not required to collect, the failure to provide said Data shall not in any way affect nor limit performance on our side of any contractual obligation, nor of any obligation deriving from legislative/regulatory provisions.
8. Categories of recipients of Personal Data communication
Summary:
- Employees and similar workers of the Data Controller who are qualified as “authorized to process data” (administrative, commercial, and marketing personnel; system administrators, etc.) and who are duly trained and monitored by the Data Controller;
- External stakeholders (i.e. platform maintainers, legal and administrative consultants, technical service suppliers, hosting providers, IT service companies, communication agencies, commercial partners, whenever needed to perform specific obligations, etc.);
- Control and/or Supervisory authorities.
Specifics:
Your Data may be communicated to:
- Individuals who are required to receive said communication in compliance with obligations imposed by law, by regulations or by current EU legislation, or else to comply with obligations imposed by Authorities empowered to do so by law and by Supervisory and Control Bodies;
- Consultants, professional firms, companies providing technical assistance for IT services, only upon specific assignment and as long as they are included within one of the categories specified by the GDPR n. 679/2016; all the above to be executed in accordance with current applicable legislation.
The updated list of the abovementioned subjects may be requested from Consorzio del Vino Chianti Classico using any one of the contact details specified in the last item of this privacy statement.
9. Retention period for Personal Data
Summary:
10 years, tacitly renewable, except in the case of withdrawal or exercise of other rights by the Data Subject
Specifics:
Besides the (mandatory) 10 years required for storage of contractual, accounting data, etc., your Personal Data will be stored in our archives for the additional purposes and on the basis of the authorizations granted by you for the extent of time that is considered reasonable, however, for no more than 10 years, which are to be intended as tacitly renewed at every expiration date, unless otherwise communicated by the Data Subject.
Said period may be reduced and/or extended (with subsequent communication to the involved parties) in the instance, for example, of indications received from official Institutions and/or Control Authorities.
This is without prejudice, however, to the possibility for the Data Subject to withdraw their consent at any moment without compromising the lawfulness of the data processing based on the consent manifested prior to said withdrawal.
10. Transfer of Personal Data to Non-EU countries
Summary:
The Data Controller may transfer your Personal Data to non-EU countries in order, for example, to benefit from data storage, or mailing list creation services; naturally, in this instance, the Data Controller undertakes to set up and ensure that all the appropriate safeguards required under applicable legislation are in place.
Specifics:
The Transfer of Personal Data to non-EU Countries may entail greater risks and for this reason, it must be attended to properly. Should the Data Controller avail itself of this possibility, it undertakes to gather all relevant supporting information beforehand and to make it available to the involved parties, and by the same manner, the terms for the exercise of their rights.
11. Lodging a Complaint with the Supervisory Authority
The procedures at your disposal for your protection (in addition to the possibility of exercising your rights against us) are as follows:
- Access www.garanteprivacy.it to lodge a complaint on the dedicated page, whenever the Italian Authority is competent; or,
- In the terms set forth by the Control Authority of the Member Country (whenever different from Italy) in which the involved party habitually resides, works or where the alleged violation took place.
12. Rights of the Data Subject
Summary:
Access – Restriction – Rectification – Objection – Withdrawal of Consent – Erasure (‘Right to be forgotten’) – Portability
Specifics:
Right to access: the Data Subject has the right to receive a copy of their Personal Data undergoing processing at any time.
Right to Restriction: it may be exercised not only in case of infringement of the legal requirements for lawful processing, but also should the Data Subject request the rectification of their data, or should the Data Subject object to their processing; the Data Controller undertakes to flag the data at issue for the entire period it needs to assess the situation to decide its course of action, and it shall do so by enforcing appropriate organizational measures.
Right to Rectification: the Data Subject may request the rectification of inaccurate Personal Data without delay, and also has the right to obtain completion of incomplete Personal Data, also by supplementing a corrective statement.
Right to Object: the Data Subject has the right to object, at any time, on grounds relating to their particular situation, to the processing of their Personal Data, even if used for direct marketing and/or profiling (whenever conducted).
Right to Withdraw Consent given, for example, for marketing purposes, and similar purposes.
Right to Erasure (‘Right to be forgotten’): the Data Subject has the right to request that their data is erased to the utmost degree, for example, even after the interested party has withdrawn consent in relation to the processing of their Personal Data.
Right of Portability: it does not apply to non-automated processing, hence it does not apply to paper-based archives and/or records; this right may be exercised also solely with regard to the data supplied by the Data Subject to the Data Controller and processed with the latter’s consent, or on the basis of an agreement entered into with the Data Controller.
13. Which details may be used to exercise one’s rights?
Consorzio Vino Chianti Classico, with head office in 50028 Firenze, Locality of Sambuca, Tavarnelle Valdipesa, at Via Sangallo 41, Italy. E-mail: privacy@chianticlassico.com, Tel. 055 82285, Website: www.chianticlassico.com
14. Term and form for reply from the Data Controller to anyone exercising their rights with regard to their Personal Data
Summary:
1 (one) month, extendable to 3 (three) months in more complex cases; written form
Specifics:
Please take note that should you exercise your rights, the Data Controller must reply in writing, even using electronic means that promote accessibility (a verbal reply shall be given only upon express request by the interested party) within 1 (one) month, extendable to 3 (three) months in the event of more complex cases, without prejudice to the duty to provide feedback within a month from the request, even in case of refusal.
The Data Controller, upon assessment of the complexity of the request submitted by the interested party, may establish a compensation for its service, but only if the request submitted appears as manifestly unfounded or excessive.