Information note pursuant to article 13 of EU Regulation 679/2016 for the processing of personal data
We would like to inform you that the European Regulation 679/2016 (hereinafter also called “Regulation”) concerning the protection of natural persons with regard to the processing of personal data provides for the protection of individuals with regard to the processing of personal data.
According to the aforementioned legislation, the processing of personal data subject of this information note by CESARI s.r.l. (“Controller”) will be based on the principles of fairness, lawfulness, transparency, relevance, and no excess with respect to the purposes for which the aforementioned data are collected, in order to protect your privacy and your rights.
Personal data processed
The Data Controller processes personal data of Customers (natural persons), Customers Suppliers, or Third Party representatives provided by the Customers / Suppliers / Third Parties or directly by the Data Subject (during direct or indirect, past or present contractual relationships, visits or business meetings, trade fairs, conferences, courses, seminars or other promotional events, past communications, or previous occasions for meetings with representatives of CESARI s.r.l.) or acquired through public broadcasting directories or websites.
“Special categories of personal data” will not be processed by the Data Controller (pursuant to art. no. 10 of the EU Regulation 679/2016).
In particular, the data collected during the request or order stage via the e-commerce website are those necessary to complete your request or fulfil the order.
In the event that the user wishes to join the Wine Club to take advantage of special services and promotions for the purchase of products, personal data are required, some mandatory to provide the service and others optional, necessary to be able to take part in promotional initiatives.
Whatever the origin of the collection of personal data, pursuant to articles 13 and 14 of the EU Regulation 679/2016, we provide you with the information below.
Purposes of processing
Personal data are processed to:
a) provide the products and services included in the contractual relationships between CESARI s.r.l. and the Customer;
b) provide information and / or send communications relating to products and services made or to be made, or to products and / or services to be purchased, or collaborations to be established, both in the pre-contractual phase (e.g. preparing a sales offer) and after;
c) provide all accounting and tax requirements related to the contractual relationship that will possibly be established with the Customer or with the Supplier;
d) send information and / or offers regarding products and services provided by CESARI s.r.l. which may be considered of interest to current or potential Customers, suppliers, partners, or third parties, without this leading to the transfer of personal data to third parties;
e) verify the quality of the products and services offered;
f) evaluate the quality of related supplies and services;
g) send communications and commercial and / or advertising information concerning its products, services, events and initiatives;
h) credit protection;
i) carry out promotional activities, direct-marketing, and web-marketing of the Wine Club members, also through the profiling of the same, and send targeted and personalized newsletters and communications (via e-mail, SMS, mail) according to the users’ preferences;ù
j) organize promotional initiatives such as events and prize competitions in order to promote the brand of the winery.
The legal basis for data processing consists of:
- legal obligations as well as contractual or pre-contractual obligations for the purposes referred to in points a), b), c);
- legitimate interest of the data subject for the purposes set out in points d), e), f), g), h); j)
- consent of the data subject for the purposes referred to in point i).
Methods of processing
The processing will be carried out manually or – mainly – through electronic means, and will include, in compliance with the limits and conditions laid down in Articles 2, 3, and 4 of the EU Regulation 679/2016, all operations or set of operations included in the same Regulation under the term ‘processing’, excluding dissemination.
The methods for the processing of personal data are described in the procedural documentation prepared by CESARI s.r.l.. They include the adoption of adequate security measures to protect the confidentiality, integrity, and availability of data stored on computer or paper. These measures have been assessed as appropriate following the analysis of all risks – assessed considering the severity of the possible consequences and the probability of occurrence – that fall on the personal data processed and on the natural persons themselves.
Personal data will be kept for the period necessary to fulfil the purposes described above, and in particular:
- to fulfil all legal and contractual obligations and, in order to satisfy the legitimate interests of the Data Controller (conservation of know-how, maintenance of evidence relating to the quality of products and services), for at least ten years from the termination of any contractual relationship.
- For Wine Club Card holders, the data will be kept until the end of the promotion as stated in the Guidelines and for a further 12 months starting from the last purchase, unless otherwise consented by the user. If a user registered with the Wine Club does not make a purchase within 12 months, his/her registration will be automatically cancelled.
- For the management of events and prize contests the personal data collected will be kept for a maximum of 5 years from the end of the initiative, unless there are legal or contractual obligations as per the previous points.
The provision of the data is:
- mandatory for the processing referred to in abovementioned points a), b), and c). In this case, the refusal to provide the data could lead to the failure or only partial execution of the contract stipulated between the parties and / or the impossibility of formulating the offer for the service requested.
- optional for the processing referred to in abovementioned points d), e), f), g), h) i) and j). In this case, the refusal to provide the data, or the subsequent request for erasure or restriction of processing, has no consequence on compliance with the contractual requirements but may prevent you from receiving future information on our services.
Disclosure and transfer of personal data
The personal data collected may be shared with other entities outside CESARI s.r.l for the abovementioned purposes, and in particular:
- In the event of a contractual relationship with the Customer or the Supplier, the data necessary to comply with legal obligations may be disclosed to tax and / or legal consultants, social security institutions, banks and insurance companies, IT companies and law firms or to the Judicial Authority solely for the purposes related to the management of the contract and to comply with legal requirements.
- To carry out some activities related to the processing of data for marketing purposes (direct-marketing, sending newsletters, social media, etc.), including the profiling of users, the data may be transmitted to companies providing marketing and communication services, website management services and third-party web services (Wine Platform, Mailchimp).
Those the personal data will be communicated to will act as processors, independent owners or subjects authorized to the processing.
Personal data will not be disseminated in any case.
Personal data will not be transferred outside the European Union.
Contact details of the Data Controller
The Data Controller is:
Via Stanzano 1120, 40024 Castel San Pietro Terme (BO)
Tel. +39 051 6947811
Fax. +39 051 944387
e-mail: [email protected]
Rights of the data subject
At any time, you may exercise your rights toward the Data Controller, pursuant to articles no. 15 (“Right of access by the data subject”), no. 16 (“Right to rectification”), no. 17 (“Right to erasure”), no. 18 (“Right to restriction of processing”), no. 21 (“Right to object and automated individual decision-making”), and no. 22 (“Automated individual decision-making, including profiling”) of the Regulation – included below for your convenience and available at www.garanteprivacy.it or easy to request from the Data Controller by directing the request to their above-mentioned address, for the purpose of exercising the aforementioned right of access. In the same way you can withdraw your consent to the processing of your data. It is also possible to file a complaint about the processing of personal data by the Company to the National Supervisory Authority or to the Guarantor for the Protection of Personal Data (www.garanteprivacy.it).
In particular, Wine club members have the right not to be subject of profiling.
Registered users may decide not to receive newsletters and promotional communications, but this entails cancellation from the Wine Club.
EU Regulation 679/2016 art. no. 15-16-17-18-21-22
Article 15 – Right of access by the data subject
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
1. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
2. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
3. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Article 16 – Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Article 17 – Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
Article 18 – Right to restriction of processing
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Article 21 – Right to object
- The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
- In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
- Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Article 22 – Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her ;
2. Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests;
c) is based on the data subject’s explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.