Hic et Nunc S.r.l. Società Agricola, with registered offices in Vignale Monferrato (AL), Località Ca’ Milano 7 – 15049, Tax Code and VAT n. 02356550067, in its role as “Data controller”, hereby informs you, pursuant to Regulation (EU) 679/2016 (“GDPR”) and current national regulations regarding the protection of personal data, that your data will be processed with the following methods and for the following purposes:
1. Purpose of the processing
The Data controller processes personal and non-sensitive identification data provided by you while navigating the website https://shop.cantina-hicetnunc.it/www.cantina-hicetnunc.it (hereinafter referred to as the “website”) belonging to the Data controller and, in particular:
- personal data voluntarily provided by the user, such as forename and surname, email address, telephone number, financial and payment data, as well as login data such as username and password for registered users.
The personal data and navigation data are hereinafter jointly referred to as “Data”.
2. Purposes of data processing
Your personal data will be processed for the following purposes:
- A) without your prior consent, for:
  - the execution of a contract and/or contractual obligations:
    - using the Website and providing suitable technical support;
    - processing your requests for contact;
    - allowing you to register with the Website and create personal authentication credentials;
    - allowing the purchase of products (wines) and services such as the farmhouse Ca’ dell’Ebbro and stays, tours and tastings.
  - The pursuit of a legitimate interest by the Data controller:
    - The management and maintenance of the Website: the interests of the Data controller are governed by the general interests of a business to guarantee business operations, including through the operation of the Website, and the possible improvement of the efficiency of the services offered.
    - The prevention or detection of fraudulent activities or abusive activities harmful to the Website, as well as the exercising of the rights of the Data controller for legal purposes: the Data controller’s interest corresponds to the legitimate and real general interest aimed at avoiding harm related to the illicit activities of others, as well as the right to constitutionally guaranteed action (article 24 of the Constitution) that, as such, is socially recognised as prevalent over the interests of the individual subject.
  - Compliance with legal obligations.
    - Compliance with obligations imposed by law, regulations, EU regulations, orders and recommendations of competent authorities.
- B) exclusively with your consent for:
3. Method of processing
The processing of your Personal data is carried out electronically via the operations of collection, recording, updating, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, restriction, cancellation and destruction of the Data. The Data are protected in order to minimise the risk of destruction, loss (including accidental loss), unauthorised access/use or any use incompatible with the initial purpose of collection. This is carried out via technical and organisational security measures implemented by the Data processor.
4. Storage of Data
The Data controller will process the Data for the time necessary to comply with the aforementioned objectives and in any case:
- up to 10 years from termination of contractual services;
- until the expiry of the terms set out for compliance with legal obligations and for the pursuit of the Data controller’s legitimate interests, without prejudice to your right to object;
- for marketing purposes no more than two years from the date of collection and in any case until consent is revoked.
5. Access to data
Your data can be accessed for the purposes specified in article 2.A) and B):
- by employees and/or collaborators of the Data controller and/or companies in the Group in their role as agents charged with processing and/or internal data processors and/or system administrators;
- by third-party companies or other entities (e.g., IT service providers, suppliers, credit institutions, professional firms, etc.) which perform outsourcing activities on behalf of the Data controller, in their role as external Data processors.
6. Disclosure of Data
Your Data may be communicated, even without your consent, for the aforementioned purposes, to Supervisory bodies, the Police or the Judiciary, who will process them, on their request, as autonomous Data Controllers for institutional purposes and/or in compliance with laws as part of investigations and controls. Your data can also be communicated to third parties (for example partners, freelance professionals, agents, etc.) as autonomous Data controllers for the carrying out of activities related to the aforementioned purposes.
7. Transferring of Data
The Data Controller may transfer the Data outside the European Union. To this end, pursuant to privacy regulations, the Data controller will assess the impact of Data transfer and adopt, if applicable, the most suitable guarantees (for example adequacy decisions or standard contractual clauses).
8. Nature of providing data and consequences of refusing to provide them
The provision of Data is obligatory for the purposes specified in article 2.A.
If you do not provide the data, we will be unable to guarantee you either registration on the website or the services specified in article 2.A. The provision of data for the purposes specified in article 2.B. is voluntary. You may decide not to provide any data, not to click on the “Follow us” button, or to later withdraw permission to process data previously provided. In this case, you will be unable to receive promotional and/or commercial communications and/or newsletters regarding news, initiatives, sponsorships and events organised by the Data Controller, nor be redirected to our Social Network pages from our website.
9. Rights of data subjects
We hereby inform you that, as a data subject, you have the right:
- to obtain confirmation as to the existence or non-existence of personal data concerning you, even if not yet recorded, and to have said data made available to you in intelligible form;
- to obtain indications and, where appropriate, a copy of: a) the origin and category of the personal data; b) the logic applied in the event of processing with the use of electronic instruments; c) the purposes and methods for the processing; d) the identification data regarding the data controller and data processors; e) the subjects or the category of subjects to which the personal data may be communicated or who may become aware of said personal data, especially if they are in third countries or belong to international organisations; f) where possible, the period of time the data will be stored or the criteria adopted for determining said period; g) the existence of automated decision-making processes and the logic used for said processes, the importance given and the forecast consequences for the data subject; h) the existence of suitable guarantees in the event of the transferring of data to a non-EU country or an international organisation;
- to obtain, without undue delay, the updating and rectification of incorrect data or, if necessary, the integration of incomplete data;
- to obtain the erasure, the anonymisation or the restriction of data: a) unlawfully processed; b) no longer necessary with regards to the purposes for which they were collected or later processed; c) in the event of revocation of consent on which processing was based and in the event that there is no other legal basis; d) in the event that you have opposed processing and there is no prevalent legitimate reason to continue processing; e) for the fulfilment of legal obligations; f) in the event of data regarding minors. The Data Controller may refuse cancellation only in the case of: a) exercising of the right to freedom of expression and information; b) compliance with legal obligations or the execution of duties carried out in the public interest or execution of public powers; c) in the interests of public health; d) storage in the public interest, for scientific or historical research or for statistical purposes; e) exercising of rights for legal purposes;
- to obtain restriction of processing in the case of: a) dispute of the correctness of the personal data; b) illicit processing by the Data controller to hinder erasure; c) the exercising of your legal rights; d) verification whether the legitimate grounds of the Data controller override those of the data subject;
- to receive the personal data concerning you in a structured, commonly used and readable form to transmit to another data controller without unnecessary hindrance or – if technically feasible – to obtain the direct transmission of said data by the Data controller to another data controller;
- to object, either totally or partially: a) for legitimate reasons, to the processing of personal data which concern you, even if pertinent to the purpose of collection; b) to the processing of personal data which concern you for the sending of advertising material or direct sales or for the carrying out of market research or communications of a commercial nature, through the use of automated calling systems without the intervention of an operator, via email and/or traditional marketing methods via telephone and/or standard post;
- to lodge a complaint with the Italian Data Protection Authority.
In the aforementioned cases, where necessary, the Data controller will inform third parties to whom your personal data has been communicated of your decision to exercise your rights, with the exception of certain specific cases (e.g., when said compliance proves impossible or requires the use of means that are clearly disproportional to the right being exercised).
10. Method of exercising rights
You may exercise your rights at any time:
- by sending a registered letter with confirmation of delivery to the Data controller;
- by sending an email to firstname.lastname@example.org;
- by telephoning +39 035.4995700.
11. Data Controller, Data Processor and Persons charged with processing
The Data controller is:
- Hic et Nunc S.r.l. Società agricola, with registered offices in Vignale Monferrato (AL), Località Ca’ Milano 7, Tax Code and VAT N. 02356550067.
The appointed Data Protection Officer is:
- Roedl & Partner;
- Address and telephone number: Largo G. Donegani n. 2, 20121 Milan – +39 02 6328841.
The updated list of Data Processors is held at the registered offices in Vignale Monferrato (AL), Località Ca’ Milano 7.
Hic et Nunc S.r.l. Società Agricola