Privacy Policy

PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA

PURSUANT TO ARTICLES 13 AND 14 OF EU REGULATION 2016/679

EU Regulation No. 2016/679 (hereinafter also GDPR) and Italian Legislative Decree 196/2003, and any modifications and/or integrations thereto (Italian Personal Data Protection Code), as amended and supplemented by Legislative Decree 110/2018, lay down rules on the protection of natural persons with regard to the processing of personal data, and on the free movement of such data. In order to protect the fundamental rights and freedoms of natural persons, privacy legislation imposes on data controllers the obligation to provide data subjects with information regarding the processing of personal data collected online and offline through various channels.

The Joint Controllers, as identified below, make available to any person (hereinafter the “Data Subject”) who browses any of the websites owned by one of the Joint Controllers, this document entitled Privacy Notice on the Processing of Personal Data pursuant to Articles 13 and 14 of EU Regulation No. 2016/679 (hereinafter the “Notice”).

Further information may be provided to Data Subjects in different ways and at different times in connection with specific processing activities.

*****

1) Who are the Joint Controllers? 

The companies within the CERETTO group, listed below, process your personal data jointly and independently, for the purposes set out hereunder:

• CERETTO AZIENDE VITIVINICOLE S.R.L., con sede legale sita in Località San Cassiano n. 34, 12051 Alba (CN), Italia, cod. fisc. e P.iva: 00217070044;
• ARCO srl, P.iva 03013820042 - con sede legale in Piazza Risorgimento, 4 - Alba (CN), Italia 
• Relanghe srl, P.iva: 02343840043 con sede legale in Località San Cassiano 34 – Alba (CN), Italia 
• Le Brunate srl, cod. f. 04218040048, con sede legale in Strada Fontanazza 16, La Morra (CN), Italia 

hereinafter referred to individually as the Controller or collectively as the Joint Controllers.

The above companies act as independent Controllers with respect to the processing of data for the purposes set out in points A, B, F, G and H. They may also act, independently or jointly as Joint Controllers, with respect to the processing of data for the purposes set out in points C, D and E, having jointly determined the purposes and means of processing by entering into a specific agreement pursuant to Article 26 of the GDPR.

The essential content of the joint controllership agreement shall be made available to the Data Subject upon request. Any Data Subject wishing to exercise their rights under the Regulation may contact CERETTO AZIENDE VITIVINICOLE S.R.L. by e-mail at ceretto@ceretto.com or by registered letter to its registered office.

Irrespective of the provisions of the agreement, the Data Subject may exercise their rights under the Regulation against any of the Controllers.

2) What personal data may we collect?

Each Controller, individually or as a Joint Controller, informs the Data Subject that, pursuant to Article 4 of the GDPR, personal data means any information relating to the Data Subject that is capable of identifying them directly and/or indirectly.

The data that may be collected (either mandatory in order to provide the service or optional), depending on the purposes, are:

• Personal data: first name, surname, date of birth;
• Contact data: address, telephone number, email;
• Purchase data: information relating to purchases you have made, such as the list of events booked, dates and the amounts of such purchases;
• Demographic data and interests: geographical origin, preferences regarding events offered by the data controller, etc.
• Data on the use of the Websites, including information collected through cookies;
• Data relating to purchasing preferences.

Please note that any data provided by the user during the booking and payment process (e.g. credit card number, cardholder name, etc.) are managed directly by the platform, which acts as an independent controller with regard to such data.

The data Controller will not process special data. Should it become necessary, the data Controller shall process such data in accordance with applicable legislation.

Your data may be collected through the websites (hereinafter collectively the Websites) owned by each of the Controllers:

• the website of the Controller CERETTO AZIENDE VITIVINICOLE S.R.L., accessible at www.ceretto.com
• the website of the Controller Relanghe srl, accessible at www.relanghe.it
• the website of the Controller ARCO srl, accessible at www.piazzaduomoalba.it / www.lapiola-alba.it

Your data may be processed following collection through the Websites in the following ways:

• completion of a booking request;
• request to join the Ceretto Community;
• completion of a contact form to request information;
• purchases via e-commerce (Ceretto srl);
• direct contact (e-mail or telephone) initiated by the Data Subject.

3) Why do we process your data? Purposes and legal basis

Your data, as defined above, will be processed by the data Controller for the following purposes:

1. To fulfil booking requests and perform contractual obligations.
   
   In order to fulfil booking requests submitted through the website, manage payments, ensure due compliance with legal obligations, respond to information requests and provide assistance, your personal details, contact details and purchase data shall be processed.
   
   The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject is a party [Article 6(1)(b), GDPR]. The provision of data is obligatory; failure to provide data will make it impossible to process your booking.
   
   The data are processed by the individual Controller that collected them from the Data Subject. 
   
   The means of processing may include e-mail or telephone (SMS, telephone call), as required.
   
   
2. To reply to requests sent to the data Controller.
   
   Contact details may be processed in order to respond to requests sent directly to the data Controller’s contact details shown on the Websites or indirectly through the completion of any information request forms on the Websites.
   
   The data processing is necessary to perform pre-contractual measures and/or the contract to which the data subject is a party [Article 6(1) (b), GDPR]. The provision of data is obligatory; failure to provide such data will make it impossible to respond to your request.
   
   The data are processed by the individual Controller that collected them from the Data Subject. 
   
   
3. For profiling activities.
   
   Subject to your consent, the data described may be used for profiling activities, including the analysis of data to examine purchasing habits, preferences, experiences purchased, frequency of purchases, geographical area, etc., in order to create profiles (individual and/or aggregate) and, where appropriate, to send personalised commercial communications.
   
   The prerequisite for such processing is the consent of the data subject [Article 6(1)(a), GDPR]. Such consent may be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out. Withholding consent for this purpose shall not affect any contractual relationship between the parties, but shall prevent the Data Subject from receiving personalised communications.
   
   The data are processed by the individual Controller and jointly by the Joint Controllers. 
   
   
4. Sending commercial/informational communications – Ceretto Community.
   
   Subject to your consent, your contact details may be used to send commercial communications as a member of the “Ceretto Community”, which may also contain promotions or invitations to events dedicated to Data Subjects who have given their consent, by e-mail, SMS, messaging services or traditional means of contact. Commercial communications may be personalised in relation to any Data Subject who has also authorised profiling activities.
   
   The provision of data for this purpose is optional, the prerequisite for such processing is the consent of the data subject [Article 6(1)(a), GDPR]. Such consent may be withdrawn at any time as described in section 7. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out. Withholding consent for this purpose shall not affect any contractual relationship between the parties, but shall prevent the Data Subject from participating in the Ceretto Community.
   
   The data are processed by the individual Controller and jointly by the Joint Controllers. 
   
   
5. For aggregate analysis.
   
   Your data may be used in aggregate form to improve the services of each Controller and of the Joint Controllers collectively, and for internal statistical purposes.
   
   The prerequisite for such processing is that the data controller pursues a legitimate interest in the improvement of their services [Article 6(1)(f), GDPR]. For the achievement of such purpose, the provision of further data will not be required and the data controller shall use the data already collected for other purposes deemed compatible with this one.
   
   The data are processed by the individual Controller and jointly by the Joint Controllers.
   
   
6. To respond to requests from competent authorities, fulfilling legally binding requests.
   
   Your data may be processed to respond to requests from competent authorities, fulfil legally binding requests.
   
   The legal basis for such processing is the need to fulfil a legal obligation [Article 6(1)(c), GDPR]. The data controller shall use the data already collected for the pursuit of other purposes if they are deemed compatible with the present purpose.
   
   
7. For the protection of rights.
   
   Your data may be processed to protect your rights or those of the data controller, or to take legal action.
   
   The prerequisite for such processing is that the data controller pursues a legitimate interest in the protection of their rights [Article 6(1)(f), GDPR]. For the achievement of such purpose, the provision of further data will not be required and the data controller shall use the data already collected for other purposes deemed compatible with this one.
   
   
8. Soft spam
   
   Your data may also be processed for the purpose of sending commercial information relating to products and/or services similar to those already purchased by the Data Subject (soft spam). 
   
   Pursuant to Article 130(4) of the Privacy Code, “where the Controller uses the e-mail address provided by the Data Subject in the context of the sale of a product or service for the purpose of direct marketing of its own products or services, the Data Subject’s consent is not required, provided that the products or services are similar to those that were the subject of the sale, and the Data Subject, having been duly informed, does not refuse such use, whether initially or on the occasion of subsequent communications. The Data Subject is informed, at the time of collection and on the occasion of each communication sent for the purposes of this paragraph, of the right to object to such processing at any time, easily and free of charge.”
   
   The data are processed by the individual Controller.

04) Who are the Recipients of the data?

Your data shall not be disclosed or made accessible and available to third parties, with the exception of communications made by the Controller – without requiring your consent – in compliance with legal and contractual obligations, which shall be carried out within the EU solely for the purposes set out below.

Your data may be shared, for the pursuit of the purposes specified above, with the following categories of recipients:

A. internal persons within each Controller, acting as “authorised processors”.

Your personal data shall be processed by the Controller for the purposes described above through internal persons who have access to your data in order to carry out their work duties. Such persons have been specifically authorised by means of a letter of appointment. These subjects have been specifically authorised by a letter of appointment.

B. external parties carrying out specific tasks on behalf of the Controllers and ancillary to the above purposes, acting as “data processors”, including where they serve as system administrators.

Your personal data may be processed, by way of example and without limitation, by parties serving in the following capacities: (i) system administrators for the management of each Controller’s IT resources, or parties managing the booking and payment systems; (ii) accountants for the management of tax and accounting matters; (iii) auditors or other parties tasked with inspections or checks on compliance with applicable legislation; (iv) external consultants and suppliers, banks and credit institutions, insurance companies, carriers, professional firms; (v) other companies within the Ceretto group; (vi) public administrations.

Such parties may also process your data as independent controllers. 

Under no circumstances shall your data be transferred to third parties. The list of data processors may be requested from the data controller in the manner provided for in section 7 below. 

05) Do we transfer data to third countries? 

Your personal data may be transferred to third countries outside the European Union.

In such cases, where those countries do not offer an adequate level of protection and have not been recognised as such by an adequacy decision of the European Commission (United States of America and India), the Controller, including through its Data Processors bound by Data Processing Agreements, shall ensure an adequate level of protection through appropriate measures and safeguards.

06) How long do we retain the data? 

Please note that, pursuant to Article 5 of the GDPR and in compliance with the principles of lawfulness, purpose limitation, storage limitation and data minimisation:

• data collected for the purposes referred to in points a), b), e), f) and g) shall be processed in accordance with the law and for the time necessary to carry out the activities related to the above purposes, and shall subsequently be retained for the period required by legal obligations and/or in any event within the ordinary limitation periods (10 years), taking into account any time limits arising from the initiation of legal proceedings;
• data collected for the purposes referred to in points c) and d) shall be processed subject to your consent and shall be retained until such consent is withdrawn. Consent may be withdrawn at any time; any processing carried out prior to withdrawal shall be deemed lawful; Consent may be withdrawn at any time and processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.
• in the absence of consent (points c and d), data collected for the purpose referred to in point h) shall be retained for a maximum of 3 years from the last purchase.

 7) What are the rights of the Data Subject?

The data subject may exercise the following rights against the data controller with regard to the processing of their data:

- Right of Access and to Rectification

Pursuant to Article 15 of the GDPR, in your capacity as data subject, you have the right to obtain the following from the data controller: confirmation as to whether or not personal data relating to you are being processed, access to such data and to all the information referred to in Article 15(1)(a) to (h), by means of the issue of a copy of the data being processed in a structured, commonly used, machine-readable and interoperable format.

Pursuant to Article 16 of the GDPR, as a Data Subject you have the right to obtain from the Controller the rectification and/or supplementation of data being processed where such data are out of date and/or inaccurate and/or incomplete.

- Right to Erasure and Right to Restriction

Pursuant to Article 17 of the GDPR, in your capacity as data subject, you have the right to obtain the erasure of data relating to you - with the exception of the cases specifically provided for in Article 17(3) - exclusively in the cases referred to in Article 17(1)(a) to (f) of the GDPR, from the data controller, without undue delay.

Pursuant to Article 18(1), points (a) to (d), of the GDPR, as a Data Subject you have the right to request and obtain from the Controller the restriction of the processing of your personal data, i.e. that such data shall not be subject to further processing and may no longer be modified.  The Controller shall ensure that the restriction of processing is implemented by means of appropriate technical measures that guarantee inaccessibility and immutability.

- Right to Portability

Pursuant to Article 20 of the GDPR, in your capacity as data subject, you have the right to receive the personal data concerning you from the data controller, the processing of which is carried out by automated means, in a structured, commonly used and machine-readable format, and you also have the right to transmit such data to another data controller, or to obtain from the data controller, when technically feasible, the direct transmission of such data to another specifically identified data controller.

- Right to Object

Pursuant to Article 21 of the GDPR, in your capacity as data subject you have the right to object at any time to the processing of personal data concerning you, on grounds relating to your particular situation, in cases where the processing of your data is necessary (1) for the performance of a task carried out in the public interest and/or in connection with the exercise of official authority vested in the data controller; (2) for the pursuit of a legitimate interest of the data controller or a third party; (3) for profiling activities, if carried out by the data controller, on the basis of the preceding sections. You also have the right to object to the processing of your personal data on grounds relating to your particular situation where the data is processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89 paragraph 1 of the GDPR, except where the processing is necessary for the performance of a task carried out in the public interest.

- Withdrawal of consent

If the data processing is based on the consent of the data subject, they may withdraw it at any time. Processing carried out in the period prior to withdrawal of consent shall be deemed to have been lawfully carried out.

 - Right to lodge a complaint

Pursuant to Article 77 of the GDPR, in your capacity as data subject, you have the right to lodge a complaint with a supervisory authority in the manner indicated in the same article.

Receipt of your request shall be acknowledged and the relevant information shall be provided to you within one (1) month of receipt of the request. If necessary, taking into account the complexity and number of requests, this period may be extended by a further two (2) months, subject to a reasoned communication to be sent within one

(1) month of receipt of the request.

Any rectification, erasure, restriction or objection shall be communicated to all recipients, as identified in Article 4(1)(9) of the GDPR, to whom the data have been transmitted, unless this proves impossible or involves disproportionate effort.

Following the submission of your request for rectification, erasure, restriction or objection, should the Controller have reasonable doubts as to your identity, it shall request further information to confirm it. Such communications will be sent by email.

In the event that the data controller does not comply with your request within 1 (one) month from receipt of the request, the data controller shall inform you of the reasons for non-compliance, informing you as of now of your right to lodge a complaint with the Supervisory Authority (Italian Garante per la protezione dei dati personali), as specified pursuant to Article 13(2)(d) and covered by Articles 77 et seq. of the GDPR.

8) Do we use automated decision-making processes?

The data controller informs you that, for the purpose of processing your personal data, they do not use automated decision-making processes, namely processes aimed at making decisions based solely on technological means according to predetermined criteria (i.e. without human involvement).

Last update: June, 10th 2026