Through this privacy policy, drawn up pursuant to art. 13 Regulation (EU) 679/2016 (hereinafter also just “ General Data Protection Regulation ” or “ GDPR ”) and in compliance with the principles contained therein, Excantia Srl intends to inform each user (hereinafter also just “ User ”) of the processing of personal data collected through the website owned by it www.thewinesider.com .
- Data controller
The Data Controller is Excantia Srl (hereinafter also just “ Data Controller ”), VAT number 11108030013, with registered office in Corso Castelfidardo n. 30 A, 10129 – Turin.
Contact address: amministrazione@thewinesider.com
- Purpose of processing, type of personal data, legal basis and data retention period
|
|
Purpose |
Personal data |
Legal basis |
Retention period |
|
1 |
Provide information and/or send the catalog at the user's request, following completion of the data collection forms on the Site |
· Personal information (name and surname of the interested party) · Contact details (email address) · Telephone number · Region and city to which you belong |
Execution of pre-contractual measures [art. 6, 1, lett. b) GDPR] |
For the period necessary for the response |
|
2 |
Account creation and management |
· Personal information (name and surname of the interested party) · Contact details (email address; Tax Code of the interested party, telephone number) |
Execution of pre-contractual measures [art. 6, 1, lett. b) GDPR] |
Until the account is canceled and in any case no later than 24 months from the date of last contact |
|
3 |
Management of the purchase and shipping of products |
· Personal information (name and surname of the interested party) · Contact and shipping details (shipping address, email address, telephone number) · Billing details |
Execution of a contract [art. 6, 1, lett. b) GDPR] |
10 YEARS |
|
4 |
Contact and customer care |
· Personal information (name and surname of the interested party) · Contact details (email address, telephone number) |
Execution of pre-contractual and/or contractual measures [art. 6, 1, lett. b) GDPR] |
For the period necessary for the response |
|
5 |
Sending newsletters and mailing lists |
· Personal information (name and surname of the interested party) · Contact details (email address, telephone number) |
Consent [art. 6, 1, lett. 4) GDPR] |
Until consent is revoked and in any case no later than 24 months from the date of last contact |
|
6 |
Sending promotional communications for marketing purposes of the Data Controller, for sending advertising or direct sales material, carrying out market research or commercial communication with automated contact methods (email, sms, mms, or other types ) and traditional (paper mail, telephone calls with operator) |
· Personal information (name and surname of the interested party) · Contact details (email address and telephone number) |
Consent [art. 6, 1, lett. 4) GDPR] |
Until consent is revoked and in any case no later than 24 months from registration for marketing purposes |
|
7 |
Profiling aimed at analyzing the User's consumption habits to address commercial proposals of interest, in the manner referred to in the previous point 6 |
· Personal information (name and surname of the interested party, telephone number) · Contact details (email address) |
Consent [art. 6, 1, lett. 4) GDPR] |
Until the revocation of consent and in any case no later than 12 months from registration for profiling purposes |
|
8 |
Compliance with legal obligations, including those of a fiscal nature. |
· Personal information (name and surname of the interested party) · Contact details (email address) · Contractual data |
Legal obligation [art. 6, 1, lett. c) GDPR] |
According to applicable legislation |
|
9 |
Prevention of fraudulent activities and exercise of the Owner's rights in court |
· Personal information (name and surname of the interested party) · Contact details (email address) · Contractual data |
Legal obligation [art. 6, 1, lett. c) GDPR] |
10 years |
|
10 |
Statistical analysis and reporting activities, carried out by the Data Controller in order to create reports and statistics relating to Excantia's commercial activities, to evaluate, analyze and improve its products and services. |
· Personal information (name and surname of the interested party) · Contact details (email address) · Browsing data |
Legitimate interest of the Data Controller (art. 6, 1, letter f) GDPR) |
Up to two years from the date of termination of the contractual relationship |
The User can request clarification on the legal basis of each processing at any time.
- Provision of data and consequences of any refusal
The provision of data for the purposes referred to in paragraph 2, points 1,2,3,4, 8, 9 (Purpose of providing information and the catalogue, creation and management of accounts, management of the purchase and shipping of products, contact and customer care, fulfillment of legal obligations, prevention of fraudulent activities) is necessary, as it constitutes an essential requirement for the satisfaction of the user's requests and/or for the conclusion of the contract for the fulfillment of legal obligations. Your refusal or provision of inaccurate and/or incomplete information could prevent us from carrying out the activities indicated therein. For the processing of personal data for these purposes, your consent is not required, pursuant to article 6, 1 letter. b) and c) of the GDPR.
The provision of data for the purposes referred to in paragraph 2, points 5,6,7 (Purpose of sending newsletters, marketing, profiling) is optional, the Data Controller will pursue the purposes only if expressly and specifically authorized by the user to process of the data provided for each individual purpose. Any refusal or the provision of inaccurate and/or incomplete information could prevent the carrying out of the activities indicated therein, but will not prevent the execution of the Contract.
The processing of personal data for these purposes requires the informed consent of the interested party expressed individually for each of the purposes indicated pursuant to Article 6, letter a, of the GDPR and pursuant to Italian harmonization legislation.
In any case, the interested party may revoke the consent expressed at any time without this affecting the lawfulness of the processing based on the consent given before the revocation according to the methods described in the following paragraph 5.
By virtue of the assessments carried out regarding the balance of interest between the Data Controller and the interested party, the processing of data for the purposes referred to in paragraph 2 point 10 (Purpose of statistical analysis and reporting activities) is based, pursuant to article 6, paragraph 1, letter. f) of the GDPR, on the legitimate interest of the Data Controller.
In any case, you may object pursuant to art. 21 par. 1 of the GDPR to the processing of your personal data for the purposes to and. to i. by contacting the Data Controller at any time at the contact details indicated in paragraph 5 below.
- Treatment methods
The data will be processed using IT and telematic tools, with logic strictly related to the purposes highlighted above and, in any case, by subjects authorized to carry out these tasks, appropriately informed of the constraints imposed by the GDPR, equipped with security measures aimed at guaranteeing the confidentiality of personal data and to avoid undue access to third parties or unauthorized personnel.
In particular, the data may be communicated, within the limits strictly necessary for the purposes pursued, to professionals and companies possibly in charge of specific processing, to accounting firms and consultants responsible for keeping the accounts, to banks, to associated companies, to third party suppliers. such as, by way of example, the companies that provide the management, maintenance and hosting of the Site, or companies that provide the management of the newsletter service, specifically appointed as data controllers pursuant to the provisions of the art. 28 of the GDPR. These suppliers, if operating in non-EU countries, offer their services on the basis of standard contractual clauses or on the basis of adequacy decisions of the European Commission. These subjects only come into possession of the personal data necessary to carry out their functions and can use them only for the purpose of carrying out these services on behalf of the Data Controller or to comply with legal provisions. The data may also be communicated to police bodies, judicial authorities, and to subjects who can access it pursuant to legal provisions or secondary or community legislation.
The Data Controller undertakes to process the data in compliance with the provisions of the GDPR, as well as the national legislation in force on privacy as well as to process the data lawfully and correctly, collecting and recording the same for specific purposes, explicit and legitimate, taking care to verify that they are relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed.
- Rights of the interested party
The User can exercise all the rights provided for by the articles. 15-21 of the GDPR at any time and without unjustified limitations, by contacting the Data Controller at the email address. Requests are filed free of charge and processed by the Data Controller within 30 days.
In particular, the User can:
- obtain confirmation that processing is underway (art. 15 of the GDPR);
- obtain the rectification of inaccurate or incomplete data (art. 16 of the GDPR);
- obtain the deletion of data without unjustified delay (art. 17 of the GDPR);
- limit the processing of only part of the personal data (art. 18 of the GDPR);
- receive a copy of the personal data held by the owner, in a commonly used and machine-readable format; obtain unhindered transfer to another Data Controller (art. 20 of the GDPR);
- object at any time to the processing of personal data (art. 21 of the GDPR);
- with regard to the purposes of the processing which are based on consent, revoke it at any time (art. 7 of the GDPR).
- Complaints
The User may, at any time, lodge a complaint with the competent Authority (Guarantor for the Protection of Personal Data), pursuant to Art. 77 of the GDPR, if you believe that the Data Controller processes your personal data in violation of the applicable legislation.
- Changes
The Data Controller reserves the right to modify and update the following Privacy Policy following any new provision of national or European Union law on the protection of personal data.
Last modified:28/07/2022