POLICY PURSUANT TO ARTS. 12 AND 13 OF THE REGULATION (EU) NO. 679/2019 AND CONSENT TO THE PROCESSING OF PERSONAL DATA
The data subject’s rights, as laid down by arts. 15 to 22 of the GDPR, are also listed.
Information pursuant to art. 13, par. 1
A) Data Controller and contacts
The Data Controller is Arco S.R.L., with registered office in Piazza Risorgimento 4 – 12051 Alba (CN), Italy – VAT No. 03013820042 – Tel.: +39 0173.366167
The Data Controller informs you that your personal data will be processed:
– pursuant to arts. 12 and 13 of the Regulation (EU) 679/2016 (General Data Protection Regulation, hereinafter, for brevity, the ‘GDPR’), by specifically authorised parties, and only for the purposes and using the methods that will be specified below with reference to the functionalities of the web portal www.lapiola-alba.it
Please also note that the Data Controller will make use of data processors to perform its own activities in a way that is compliant with the provisions of the GDPR 679/2016.
The list of processors can be requested from the data controller with a special request, which can also be sent via email.
B) Subject matter, purposes of the processing
The Data Controller would like to inform you that when you use our services, you accept that your personal data will be processed.
The term ‘personal data’ refers to any data that may be correlated to your natural person, such as:
- Name and surname
- Telephone number
- Any intolerances or allergies
Your data, as described above, will be processed in the ways and forms prescribed by the GDPR. The processing of data provided in the appropriate sections relating to the contact between the controller and the end user will be carried out for the following purposes:
a) respond to requests for information or to contact you following the submission of CVs
b) make a reservation at our restaurant
c) for subscription to and receipt of the newsletter and commercial communications from the Controller
d) for receipt of newsletters and commercial communications from companies associated with the Controller (Ceretto Aziende Vitivinicole Srl; Relanghe Srl; I Vignaioli di Santo Stefano Belbo SSA).
Please refer to the special Cookies Policy for further information.
C) Legal basis for processing
Apart from what is specified in the Cookies Policy regarding navigation data, the lawfulness of processing the personal data described above, which you communicate to the Data Controller, rests on the following: the legitimate interest of the controller, as long as this does not conflict with the rights and freedoms of the data subject; the fulfilment of contractual and/or pre-contractual obligations assumed with you; and your consent to the processing of any special data and to the processing of personal data for marketing purposes. The processing performed on users’ personal data is based on art. 6 of the Regulation (EU) 679/2016, points: A, B, C, F.
In particular, provision of data for the purposes referred to in points a) and b) is mandatory; failure to provide such data will make it impossible to use the services offered by the Controller. For the processing of special data relating to intolerances and/or allergies, communicated for the purpose referred to in point b), consent is required. Failure to provide will make it impossible for the Controller to process the data provided. For the purposes referred to in points c) and d), provision is optional. Processing will be carried out only with your consent. Consent may be withdrawn at any time by the data subject, without this making the processing previously carried out unlawful.
D) Recipients and categories of recipients of the data collected
In relation to the purposes indicated above, the data could be communicated to the following parties and/or categories of parties indicated below, or they could be communicated to companies and/or people, who offer services, including external parties, on behalf of the Data Controller. For greater clarity and merely by way of non-limiting example, we identify the following of these: parties – internal or external to the company – who provide IT and telematic services for managing the IT system used by the Controller and the telecommunication networks, parties who the Controller reserves the right to name, if the need arises, as processors; financial administration authorities and other companies or public bodies in fulfilment of regulatory obligations; competent authorities and/or monitoring bodies to satisfy legal obligations; associated and subsidiary companies and those contractually linked to the Controller.
Information pursuant to art. 13, par. 2
A) Data storage period
We’d like to inform you that, pursuant to art. 5 of the GDPR, in compliance with the principles of lawfulness, purpose limitation, and data storage and minimisation, your data will be stored according to law and for the time necessary to perform the activities referred to here for the purposes included above in compliance with the terms of the law. For the purposes referred to in points c) and d), the data will be retained for a period not exceeding 24 months.
B) Rights of the data subject
– Right to Access and Rectification
Pursuant to art. 15 of the GDPR, in your capacity as data subject, you have the right to obtain from the Controller confirmation of the existence, or lack thereof, of personal data processing concerning you, to obtain access to the same and to all information referred to in the same art. 15, para. 1, points (a) to (h), via the release of a copy of the data subject to processing in a structured, commonly used, machine-readable and interoperable format.
Pursuant to art. 16 of the GDPR, in your capacity as data subject, you have the right to obtain from the Controller the rectification and/or supplementation of data subject to processing if these are not up-to-date and/or inaccurate and/or incomplete.
– Right to Erasure and Right to Restriction
Pursuant to art. 17 of the GDPR, in your capacity as data subject, you have the right to obtain, without unjustified delay, from the Controller, and only in the cases referred to in art. 17, para. 1, points (a) to (f), of the GDPR, the erasure of the data that concerns you – with the exception of the cases specifically laid down in art. 17, para. 3,
Pursuant to art. 18, para. 1, points (a) to (d), of the GDPR, in your capacity as data subject, you have the right to request and obtain, from the Controller, the restriction of the processing of your personal data, or that such data are not subjected to additional processing and cannot be altered. The Controller ensures that the restriction of the processing is carried out by means of suitable technical devices that guarantee that the data cannot be accessed or altered.
– Right to Data Portability
Pursuant to art. 20 of the GDPR, in your capacity as data subject, you have the right to receive from the Controller the personal data that concern you, the processing of which is performed using automated means, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, or to obtain from the Controller, where technically feasible, the direct transmission of such data to another Data Controller specifically identified.
– Right to object
Pursuant to art. 21 of the GDPR, in your capacity as data subject, you have the right to object at any time to the processing of personal data concerning you, on grounds relating to your particular situation, in cases where the processing of your personal data is necessary (1) to perform a task in the public interest and/or connected to the exercise of public powers that the Controller holds; (2) to pursue a legitimate interest of the Controller or of a third party; (3) for profiling activities, if performed by the Controller, based on the previous points. You have, in addition, the right to object to the processing of your personal data on grounds relating to your particular situation if these data are processed for the purposes of scientific, historical, or statistical research pursuant to art. 89, para. 1, of the GDPR, except in the case where the processing is necessary to perform a task in the public interest.
How to exercise the rights
You may exercise the rights listed above by means of a request to be sent to the registered address or by contacting the controller at the number listed above.
We will confirm having received your request, and provide you with the information relating to the communication we receive, within 1 (one) month from receipt of the request itself. If necessary, and taking into account the complexity and number of requests, this term may be extended to 2 (two) months, by prior, justified notice to be sent within 1 (one) month from receipt of the request.
We will communicate any rectification, erasure, restriction or objection to all the recipients, as identified in art. 4, para. 1, no. 9 of the GDPR, to which such data have been transmitted, unless this proves to be impossible and/or requires a disproportionate effort.
After you send a request for rectification, erasure, restriction or objection, if the Controller has any reasonable doubts regarding your identity, it will request further information from you in order to confirm it. These communications will be sent via email.
Should the Controller fail to fulfil your request within the term of 1 (one) month from receipt of your request, it will inform you of the reasons for this failure and of your right to lodge a complaint with the supervisory authority (the Italian Data Protection Authority), as specified pursuant to art. 13, para. 2, point (d) and governed by arts. 77 and ff. of the GDPR.
C) Right to lodge a complaint
Pursuant to art. 77 of the GDPR, in your capacity as data subject, you have the power to lodge a complaint with a supervisory authority according to the methods indicated in the same article.
D) Automated decision process and profiling