Information provided pursuant to Article 13 of EU Regulation no. 679/2016 (hereinafter referred to as “GDPR”)

Preamble: data protection by the Group

This privacy statement describes the policies concerning privacy and personal data protection implemented by the companies belonging to the Cantine 4 Valli Group in a coordinated way and in compliance with the applicable regulations in force. The list of the companies belonging to the Group (hereinafter referred to as the “Group”) is available and kept continuously updated under the section “DATA CONTROLLER”.

General information

Data subjects are informed (pursuant to Article 4, paragraph 1 of GDPR) of the following general profiles that are applicable to all scopes of processing:

  • all data are processed in compliance with the regulations in force concerning privacy (EU regulation no. 679/2016 and Legislative Decree no. 196/2006, as amended and supplemented by Legislative Decree no. 101/2018);
  • all data are processed lawfully, fairly and in a transparent manner in relation to the data subject, in compliance with the general principles set out in Article 5 of GDPR;
  • specific security measures are implemented in order to prevent the loss of data, unlawful or unauthorized processing and unauthorized accesses (Article 32 of GDPR).

Data Controller

“Data Controller” shall mean the companies of the Group (reported below) with which the data subject has its professional/contractual relationship:

Name: Cantine 4 Valli Srl

Email: info@cantine4valli.it

Name: Il Poggiarello

Email: info@ilpoggiarellovini.it

Name: Matri Vignai

Email: info@fpwinegroup.it


Name: Galli Data Service Srl

Email: dpo@gallidataservice.com

Rights of the data subjects

  • Right to request the existence and the access to personal data concerning him or her (Article 15 “Right of access”)
  • Right to obtain the rectification of inaccurate data and to have incomplete personal data completed (Article 16 “Right to rectification”)
  • Right to obtain the erasure of data, if there are legitimate grounds (Article 17 “Right to erasure”)
  • Right to obtain restriction of processing (Article 18, “Right to restriction of processing”)
  • Right to receive the personal data concerning the data subject in a structured format (Article 20, “Right to data portability”)
  • Right to object to processing and to automated decision-making processes, including profiling (Articles 21 and 22)
  • Right to withdraw a previously granted consent
  • Right to lodge a complaint with the Data Protection Authority if no acknowledgement is received

Below there is a list of the specific information in relation to:

  1. processing of data related to the operation of this website
  2. processing of data of customers / suppliers of the Data Controller


1.1 Navigation data

IT systems and software procedures necessary to the operation of this website, during their usual operation, acquire some personal data, the transmission of which is implicit in the use of Internet protocols. This information is not collected with the purpose to be associated with identified data subjects, but by their very nature could allow the identification of the users, through processing and association with data held by third parties. This category of data includes IP addresses or domain names of the computers used by users connecting to the website, the addresses in the URI (Uniform Resource Identifier) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the IT environment of the user.

Purposes and legal basis for the processing (GDPR – Article 13, paragraph 1, letter c)These data are exclusively used in order to obtain statistical anonymous information on the use of the website and to control its proper operation. Data could also be used to ascertain any responsibility in case of hypothetical computer-related crimes that damage the website (legitimate interests pursued by the Data Controller).
Scope of communication (GDPR – Article 13, paragraph 1, letters e, f)Data can be processed only by authorized and duly trained employees (GDPR – Article 29) or by any subject responsible for the maintenance of the web platform (in this case appointed external data processors) and shall not be communicated to other persons, disseminated or transferred to non-EU countries (unless in compliance with the provisions set out in Chapter 5 of GDPR). Only in case of investigation they can be put at the disposal of the competent authorities.
Data retention period (GDPR – Article 13, paragraph 2, letter a)Data are generally retained for short periods of time, except where longer periods are required due to investigation needs.
Data provision (GDPR – Article 13, paragraph 2, letter f)Data are not provided by the data subject, but automatically collected by the technological systems of the website.

1.2 Cookies 

What cookies are: Cookies are small fragments of information (letters and/or numbers) that enable the web server to store information on the client (the browser) to be retransmitted to the same website at the next visit (session cookies) or afterwards, also after some days (persistent cookies). Cookies are stored, according to the user’s preferences, by the browser on the specific device used (computer, tablet, smartphone). Similar technologies, such as, web beacon, transparent GIFs and all the local storage forms provided by HTML5, can be used to collect information on the user’s behavior and his or her use of the services. In the following sections of this statement, we well refer to the cookies and to all similar technologies by using simply the term “cookie”.

Types of first-party cookies and methods for the management of cookie preferences

Technical cookies for navigation or session cookiesTo ensure the proper navigation and operation of the websiteThrough the main browsers it is possible:
– to set a default block of all (or some) typologies of cookies
– To view the analytical list of the cookies used
– To delete all or part of the cookies installed

For further information on the setting of each browser, please refer to the specific section. It must be noticed that the block or the deletion of cookies could affect the browsing session.
Analytical and technical cookiesTo collect information on the number of visitors and the pages viewed
Performance cookiesTo enable navigation according to a set of selected criteria
Profiling cookiesTo create profiles relating to the user in order to send advertisements in line with the set preferences

The website could include links to third-party websites and cookies. For further information, please refer to the privacy policies of the linked websites.

Managing cookie preferences through the main web browsers. The user is allowed to decide whether to accept or refuse cookies by using the settings of his or her browser (as a default, most web browsers are set up to automatically accept cookies). Settings can be changed and set in a specific way for the different websites and web applications. In addition to this, the best web browsers allow defining different settings for “first-party” and “third-party” cookies. Generally, it is possible to set cookies from the menu “Preferences”, “Tools” or “Options”.

The following is a list with the links to the guides on how to manage cookies in the main web browsers:

Internet Explorer:http://support.microsoft.com/kb/278835

Internet Explorer [mobile version]: http://www.windowsphone.com/en-us/how-to/wp7/web/changing-privacy-and-other-browser-settings



Safari [mobile version]: http://support.apple.com/kb/HT1677




Additional information

1.3 Specific functions of the website

Some pages of the website may imply the request for information by the browser relating to specific functions (for example, request for information, login, work with us, etc.).

Purposes and legal basis for the processing (GDPR – Article 13, paragraph 1, letter c)Only the data necessary to the proper provision of the service and to give a correct and exhaustive response to data subjects will be required. The processing is subject to the acceptance of specific, free and informed consent (GDPR – Article 6, paragraph 1, letter a).
Scope of communication (GDPR – Article 13, paragraph 1, letters e, f)Data can be processed only by authorized and duly trained employees (GDPR – Article 29) or by any subject responsible for the maintenance of the web platform (in this case appointed external data processors). Data shall not be disseminated or transferred to non-EU countries (unless in compliance with the provisions set out in Chapter 5 of GDPR).
Data retention period (GDPR – Article 13, paragraph 2, letter a)Data are retained for as long as it is necessary for the purposes for which the data were collected.
Data provision (GDPR – Article 13, paragraph 2, letter f)It is necessary to provide the data of the mandatory fields in order to obtain a response, whereas the optional fields are intended to provide staff with more useful elements to facilitate the contact.

1.4 Data provided voluntarily by the user

The optional, express and voluntary sending of email and/or post to the addresses indicated on this website involves the subsequent acquisition of the sender’s address, which is needed to respond to the requests, as well as of any other personal data included in the message. Should the sender send his or her résumé to submit his or her application, he or she will be the only responsible for the relevance and accuracy of the data sent. Any résumé without the authorization to the data processing shall be immediately erased.


2.1 Subject-matter of processing

The company processes personal identification data of customers and/or suppliers (for example, name, surname, business name, personal/tax data, address, telephone number, email address, bank and payment details) and of their operational contact persons (full name and contact details) collected and employed within the context of supply of the products/services provided.

2.2 Purposes and legal basis of processing

Data are processed in order to:

  • enter into contractual/professional relationships and supply the related services;
  • fulfill the pre-contractual, contractual and fiscal obligations resulting from the existing relationships, as well as to manage the necessary communications related to them;
  • fulfill the obligations provided for by the law, any regulation, the Community legislation or any order issued by the Authority;
  • exercise a legitimate interest, as well as a right of the Data Controller (for example: right of defense before a court, protection of the creditor status, the common internal needs of operational, managerial and accounting nature).

Failure to provide such data shall prevent from establishing a relationship with the Data Controller. The above purposes, pursuant to Article 6, paragraphs b, c and f, represent suitable legal basis of the lawfulness of processing. In case of any processing for other purposes (such as marketing communications, making of photos/videos, etc.), data subjects shall be required a specific consent.

2.3 Methods of processing and data retention

Personal data processing is carried out through the operations set out in Article 4, paragraph 2 of GDPR, such as collection, recording, organization, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, lock, dissemination, erasure and destruction of data. Personal data are processed both by paper and electronically. The Data Controller shall process personal data for the time necessary to fulfil the purposes for which they were collected and the related law requirements (in general corresponding with the relationship with the data subject, except for the extension due to the requirement of retention of the administrative documents and of commercial correspondence).

2.4 Scope of processing

Data are processed by duly authorized and trained employees pursuant to Article 29 of GDPR. It is also possible to request the scope of communication of personal data and obtain specific indications on any external subjects operating as independent Data Processors or Data Controllers (i.e.: consultants, technicians, banks, carriers, etc.). Data can be communicated to any affiliate or subsidiary company. Data cannot be disseminated or transferred to non-EU countries (they can be transferred to non-EU countries only in compliance with the provisions set out in Chapter 5 of GDPR, aimed at ensuring that the security level of data subjects is not compromised: “Article 45 Transfers on the basis of an adequacy decision, Article 46 Transfers subject to appropriate safeguards, Article 47 Binding corporate rules, Article 49 Derogations for specific situations”). Data are not processed with automated means which could determine significant consequences for the data subject.


This privacy policy can be reviewed on a regular basis, also in relation with the reference regulation and law. Should any relevant change occur, it will be clearly highlighted on the home page of the website for a reasonable period. Nonetheless, the data subject is invited to read this policy on a regular basis.