Privacy Policy


EU Regulation No. 679/2016 (hereinafter also GDPR) lays down rules on the protection of natural persons with regard to the processing of personal data, as well as rules on the free movement of personal data. In order to protect the fundamental rights and freedoms of natural persons, the Regulation therefore imposes on data controllers the obligation to provide data subjects with the information referred to in Articles 12, 13 and 14, and the specific indication of the data subject's rights, provided for in Articles 15 to 22 of GDPR 679/2016

A. Data controller and contacts

The data controller is "Grandi Vini snc di Maccario e Degiorgis", with registered office at
Via Vittorio Emanuele II, 1/A – 12051 Alba (CN) – Italia
VAT IT-02101890040 Phone: +39 0173 361204 – PEC:

The Data Controller informs you that your personal data will be processed:
in accordance with Articles 12 and 13 of EU Regulation No. 679/2016 (General Data Protection Regulation, hereinafter referred to as "GDPR" for brevity), by specifically authorised persons, limited to the purposes and in the manner that will be specified below with reference to the functionalities of this web portal.
Please also note that the Data Controller employs data processors to carry out its activities in accordance with the dictates of GDPR 679/2016.

B. Subject, purpose of processing

The Data Controller informs you that when you use our services you agree to your personal data being processed.
Personal data means any data that can be related to your person such as:
a. Name and Surname
b. Email
c. Telephone number
d. Address of residence or domicile
e. Bank details (credit/debit card)
Your data, as described above, will be processed in the ways and forms prescribed by the GDPR, for the performance of the Website's own functionalities, with particular - but not exhaustive - reference the data that you have provided or will provide to us are collected in order to offer you the services you have requested on a daily basis.
Particularly, the personal data you provide to the Data Controller will be processed in pursuit of the following purposes:
• to follow up on requests for purchases made through this web portal
Data given generically will also be processed as a result of automatic data collection during navigation. Please refer to the appropriate Cookie Policy for further information.

Legal basis for processing
Apart from what is specified in the Cookie Policy for navigation data, the communication by you to the Data Controller of the personal data specified above, has the following legal bases as prerequisites for the lawfulness of the processing:
• Art. 6(1)(b) of the GDPR, concerning the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the request of the data subject.
The aforementioned legal basis is merely optional and not mandatory in nature, having no other consequence than the impossibility for the Data Controller to properly carry out the aforementioned direct communication or contractual/pre-contractual execution services. And, in any case, the consent you may have given may be revoked by you at any time, with immediate interruptive effect on the aforementioned business activities and services.

C. Art. 6(1)(f)

The treatment is not based on Art. 6(1)(f)

D. Recipients and categories of recipients of the data collected

In relation to the purposes indicated above, the data may be communicated to the following subjects and/or categories of subjects indicated below, or they may be communicated to companies and/or persons, who provide services, including external services, on behalf of the Data Controller. Among these, we indicate for the sake of clarity, by way of example but not limited to: subjects - internal or external to the company - who provide computer and telematic services for the management of the information system used by the Data Controller and telecommunications networks, subjects that in the event the Data Controller reserves the right to appoint as data processors; financial administrations and other companies or public bodies in fulfillment of regulatory obligations; competent authorities and/or Supervisory Bodies for the fulfillment of legal obligations.
Under no circumstances do we transfer or sell personal data to third parties.

Information in accordance with Art. 13(2)

A. Period of data retention

We would like to inform you that, in accordance with Article 5 of the GDPR, in compliance with the principles of lawfulness, purpose limitation and data retention and minimization, your data will be retained in accordance with the law and for the time necessary to carry out the activities referred to in the above-mentioned purposes in compliance with the terms of the law. For the period corresponding to fiscal, accounting, administrative needs and to document our activities and also to respond to your data recovery needs as well as for the time necessary to ensure defense in court.

B. Rights of the data subject

Right to Access and Rectification
Pursuant to Article 15 of the GDPR, in your capacity as a Data Subject you have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, to obtain access to them and to all the information referred to in Article 15(1)(a) to (h), by issuing a copy of the data being processed in a structured, commonly used, machine-readable and interoperable format.
Pursuant to Article 16 of the GDPR, in your capacity as a Data Subject you have the right to obtain from the Data Controller the rectification and/or integration of the data being processed if they are out of date and/or inaccurate and/or incomplete.

Right of Cancellation and Right of Limitation
Pursuant to Article 17 of the GDPR, in your capacity as a Data Subject you have the right to obtain, without undue delay, from the Data Controller, exclusively in the cases referred to in Article 17(1)(a) to (f) of the GDPR, the deletion of data concerning you - with the exception of the cases specifically provided for in Article 17(3).
Pursuant to Article 18 paragraph 1, letters (a) to (d), of the GDPR, in your capacity as a Data Subject you have the right to request and obtain from the Controller, the restriction of the processing of your personal data, i.e., that such data are not subject to further processing and can no longer be modified. The Data Controller shall ensure that the restriction of processing is implemented by means of appropriate technical devices that guarantee its inaccessibility and immodifiability.

Right to Portability
Pursuant to Article 20 of the GDPR, in your capacity as a Data Subject you have the right to receive from the Data Controller the personal data concerning you, the processing of which is carried out by automated means, in a structured, commonly used and machine-readable format, and you also have the right to transmit such data to another Data Controller, or to obtain from the Data Controller, where technically feasible, the direct transmission of such data to another specifically identified Data Controller.

Right of Opposition
Pursuant to Art. 21 of the GDPR, in your capacity as a Data Subject you have the right to object at any time to the processing of personal data concerning you, on grounds relating to your particular situation, in cases where the processing of your data is necessary (1) for the performance of a task carried out in the public interest and/or in connection with the exercise of official authority vested in the Data Controller; (2) for the pursuit of a legitimate interest of the Data Controller or a third party; (3) for profiling activities, if carried out by the Data Controller, on the basis of the preceding points. You also have the right to object to the processing of your personal data on grounds relating to your particular situation if it is processed for scientific or historical research or statistical purposes pursuant to Article 89(1) of the GDPR, except where the processing is necessary for the performance of a task carried out in the public interest.

Ways of exercising the above rights
You may exercise the rights listed above by request to be sent to the PEC address; or by registered mail with return receipt requested to the address of the registered office listed above.
We will acknowledge receipt of your request and provide you with the information related to the communication received by us within 1 (one) month of receipt of the request. If necessary, and taking into account the complexity and number of requests, this deadline may be extended by 2 (two) months, subject to reasoned communication to be sent within 1 (one) month of receipt of the request.
Any rectification, deletion, restriction opposition will be communicated to all recipients, as identified in Article 4(1)(9) of the GDPR, to whom such data has been transmitted, unless this proves impossible and/or involves a disproportionate effort.
Following the submission of your request for rectification, cancellation, restriction opposition, if the Data Controller has reasonable doubts about your identity it will request further information to confirm it. Such communications will be sent by e-mail.
In the event that the Controller fails to comply with your request within the period of 1 (one) month from the receipt of the request, the latter will inform you of the reasons for non-compliance, informing you as of now of your right to lodge a complaint with the Supervisory Authority (Data Protection Authority), as specified pursuant to Article 13, paragraph 2, letter (d) and governed by Articles 77 et seq. of the GDPR.

C. Right of complaint

Pursuant to Article 77 of the GDPR in your capacity as a Data Subject you have the right to lodge a complaint with a supervisory authority in the manner indicated in that article.
The relevant Authority is the Data Protection Authority:

D. Automated decision making and profiling

The Data Controller informs you that, for the purpose of processing your personal data, it does not use automated decision-making processes, i.e., those directed at making decisions based solely on technological means on the basis of predetermined criteria (i.e., without human involvement), nor does it carry out profiling activities, i.e., that directed at using your personal data to analyze or predict aspects concerning your professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements, etc.

Method of treatment

The processing of the personal data you have communicated is carried out by means of the operations indicated in Article 4(2) of the GDPR, namely, "collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, communication, deletion and destruction of data."

The personal data communicated by you are subject to automated processing for the time strictly necessary to achieve the purposes for which they were collected, with technical and organizational methods adopted to prevent the loss of data, illicit and/or incorrect use and unauthorized access, and such, therefore, as to ensure a level of security appropriate to the risk in accordance with Art. 32 of the GDPR, by specially authorized persons, in compliance with the provisions of Art. 29 of the GDPR, i.e. by employees and/or collaborators of the Data Controller in their capacity as authorized subjects and/or system administrators, who may carry out consultation, use, processing, comparison and any other appropriate operation in compliance with the provisions of the law necessary to guarantee, among other things, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data in relation to the stated purposes and methods.

It should be noted, in particular, that the personal data that you have communicated will be processed only at the headquarters of the Data Controller, except as specified below, will not, therefore, be disseminated, and, pursuant to Art. 13, paragraph 1, lett. (e), the same may be processed only by authorized parties and/or any external data processors ex art. 28 of the GDPR (in the person of individual professionals and/or complex professional associations), and/or by subjects operating as autonomous data controllers, the list of which is available at the Data Controller's offices and is provided following a written request by the data subject, and among which explicitly include, among others, hosting companies and/or technical personnel in charge of managing and/or maintaining the website, but only and exclusively for the purposes expressly and specifically indicated above.

Below is some general information about cookies, taken from the FAQ page of the Privacy Guarantor's website.

What are cookies?

"Cookies are strings of text that websites visited by users (so-called Publishers, or "first parties") or different sites or web servers (so-called "third parties") place and store within the user's own terminal device, so that they are then transmitted back to the same sites on the next visit."

What are cookies used for?

"Cookies are used for different purposes: performing computer authentication, tracking sessions, storing information about specific configurations regarding users accessing the server, storing preferences, or to facilitate the enjoyment of online content, such as keeping track of items in a shopping cart or information for filling out a computer form, etc."
Then there are profiling cookies, which are not covered in this policy and for which we refer you to the Privacy Guarantor's FAQ page, as they are not used on our site.

What are technical cookies?

"These are cookies that are used to perform navigation or provide a service requested by the user. They are not used for any other purpose and are normally installed directly by the website owner."
Our site uses only technical cookies, for the management of the online store's shopping cart, so that by closing and reopening the browser the services previously placed in the cart will be displayed to eventually complete the purchase.

Why does the banner requesting cookie consent not appear on any page of the site?

Because explicit consent is no longer required by regulation. The technical cookies that we install automatically serve only to improve the enjoyment of the site and in no way do we use them for other purposes, such as tracking or marketing. Here is the question and the related answer from the Privacy Guarantor to this question.
Does the obligation to use the banner also apply to owners of sites that use only technical cookies?
"No. In this case, the owner of the site may give the information to users in the manner he considers most appropriate, for example, by including the relevant indications in the privacy policy indicated on the site."

Further information on cookies can be found on the FAQ page of the Privacy Guarantor's website.

The English version of this page was translated by the automatic translator DeepL

This policy is updated periodically to be in line with changes made on our site.
Last update: February 2023