Customer privacy notice

 Privacy Policy Data Processing 

Information Document Comply with US Privacy Laws and GDPR 2016/679 

Capanna di Cencioni Società Agricola s.s., with registered office and operational headquarters in Loc. Capanna, 333 – Montalcino (SI) – Italy, as data controller, informs you that your data will be processed in the manner and for the following purposes: 

1. Object of the Treatment 

The Data Controller processes personal, identifying data (for example, name, surname, company name, address, telephone, e-mail, bank and payment details) – hereinafter, “personal data” or also “data” communicated by you when entering into contracts for the Data Controller’s services. 

Please note that we will refer to: 

1. GDPR 2016/679, EU General Data Protection Regulation (the “Regulation”), governs the processing of personal data relating to individuals in the EU, by individuals, companies or organisations 
2. as required by Comply with US Privacy Laws in the various United States of America, furthermore (depending on the States with their own legislation) they are taken into consideration: 
3. Alabama 
4. Alaska 
5. Arizona 
6. Arkansas 
7. California: California Consumer Privacy Act (CCPA), https://oag.ca.gov/privacy/ccpa e California Privacy Rights Act (CPRA) https://thecpra.org/ 
8. Colorado: Colorado Privacy Act (CPA), https://www.dataguidance.com/legal-research/senate-bill-21-190-act-concerning-additional 
9. Connecticut: Il Connecticut Data Privacy Act (CTDPA), https://www.dataguidance.com/legal-research/connecticut-act-concerning-personal-data 
10. Delaware: Delaware Personal Data Privacy Act will enter into force on il 1 January 2025 https://www.dataguidance.com/legal-research/delaware-personal-data-privacy-act 
11. Florida: https://www.dataguidance.com/legal-research/florida-digital-bill-rights 
12. Indiana: Indiana Consumer Data Protection Act regulates the collection and security of consumer data and will come into force on 1 January 2025 
13. Montana: Montana Consumer Data Privacy Act will enter into force on 1 October 2024 https://www.dataguidance.com/legal-research/montana-consumer-data-privacy-act 
14. Texas: Il Texas Data Privacy and Security Act (TDPSA), https://www.dataguidance.com/legal-research/texas-data-privacy-and-security-act 
15. Virginia: Il Virginia Consumer Data Protection Act (VCDPA), https://www.dataguidance.com/legal-research/consumer-data-protection-act-under-%C2%A7591-575 
16. Oregon: Oregon Consumer Data Privacy Act, https://olis.oregonlegislature.gov/. 
17. Iowa: Iowa Consumer Data Protection Act (ICDPA) 
18. Utah: Il Utah Consumer Privacy Act (UCPA), https://le.utah.gov/ 
19. Tennessee: Il Tennessee Information Protection Act (TIPA), https://www.osano.com/articles/tennessee-information-protection-act-tipa 
20. Maryland: Maryland Online Consumer Protection Act, https://www.whitecase.com/insight-alert/maryland-enacts-comprehensive-data-privacy-law 
21. New Jersey 
22. Georgia, https://www.dataguidance.com/notes/georgia-data-protection-overview 
23. Hawaii 
24. Idaho, https://its.idaho.gov/psg/p1020.pdf 
25. Illinois: Biometric Information Privacy Act (BIPA), https://legislature.vermont.gov/ 
26. Kansas 
27. Kentucky 
28. Louisiana 
29. Maine: Maine Privacy Act, https://legislature.maine.gov/ 
30. Massachusetts: Massachusetts Data Privacy Act, https://www.mass.gov/ 
31. Michigan 
32. Minnesota: Minnesota Data Privacy Act https://www.house.mn.gov/ 
33. Mississippi 
34. Missouri 
35. Nebraska 
36. Nevada: Nevada Privacy Law, https://www.dataguidance.com/jurisdiction/nevada 
37. New Hampshire, Senate Bill 255 
38. New Mexico 
39. New York: New York SHIELD Act i. https://www.nycourts.gov/ 
40. North Carolina 
41. North Dakota, https://www.nd.gov/privacy-policy 
42. Ohio: Ohio Personal Privacy Act, https://www.dataguidance.com/news/ohio-privacy-bill-introduced-house-representatives 
43. Oklahoma 
44. Pennsylvania 
45. Rhode Island, https://legiscan.com/RI/text/S2500/2024 
46. South Carolina 
47. South Dakota 
48. Vermont: Vermont Data Broker Regulation, https://legislature.vermont.gov/ 
49. Washington: Washington Privacy Act, https://lawfilesext.leg.wa.gov/ 
50. West Virginia 
51. Wisconsin 
52. Wyoming 
53. Purpose of the processing 
54. The collection and processing of personal data are carried out in order to conduct: 
55. Without your express consent, for the following Service Purposes: 
56. fulfilling all operations imposed by regulatory obligations, tax and fiscal provisions arising from the performance of business activities 
57. establishing and executing ongoing contractual relationships; 
58. operations strictly connected and instrumental to the start of the aforementioned relationships, including the acquisition of preliminary information prior to the conclusion of the Contract; 
59. complying with legal obligations in our charge regarding the administration; 
60. carrying out the requested services, allowing effective management of customer relations in order to respond to requests for information, assistance and/or specific needs requested by you; 
61. measuring the level of customer satisfaction, processing statistics for internal use; 
62. sending our products to your address; 

B. Only with your specific and separate consent, for the following Marketing Purposes: 

1) send you communications regarding the services offered, personalized newsletters and news, containing material and promotional initiatives of their activities and services using traditional methods (telephone calls with an operator) or automated methods (email); 

2) send you commercial and/or promotional communications from third parties (for example, business partners) via e-mail, post and/or text messages and/or telephone contacts. 

We inform you that if you are already our customers, we may send you commercial communications relating to the Data Controller’s services similar to those you have already used, unless you disagree. 

The contractual purposes, provision of services, commercial and non-commercial litigation, and promotional purposes concern the processing of the personal data of the Customer only. The Customer’s personal data will be processed for the entire duration of the contractual relationships established and also subsequently for the fulfillment of all legal obligations as well as for future commercial purposes. 

1. Methods of processing 

The processing will be carried out in an automated and/or manual manner, with methods and tools, in compliance with the security measures, by specifically appointed persons. Security measures will be used to guarantee the confidentiality of the interested party to whom such data refers and to avoid undue access to third parties or unauthorized personnel. 

The data provided will be stored in our archives according to the following parameters: 

For the activities of administration, accounting, orders, management of estimates and the entire production flow, assistance and maintenance, shipping, invoicing, services, management of any disputes: 10 years as established by law by the provisions of art. 2220 C.C., without prejudice to any late payments of the fees that justify the extension; 

For the purposes referred to in paragraph 2.A points 2-3-4-5-6 above, the retention times are until the expiry of the contract; 

For marketing purposes (paragraph 2.B points 1-2): expiry of contracts; 

1. Access to data 

Your data may be made accessible for the purposes referred to in the previous points 2.A: 

to members, employees and collaborators of the Data Controller in their capacity as persons in charge and/or internal data controllers and/or system administrators; 

To associated companies/freelance collaborators to whom Capanna di Cencioni Società Agricola s.s. entrusts certain activities (such as the administrative and logistical management of certain conferences and/or training courses). 

to third-party companies or other entities that carry out outsourcing activities on behalf of the Data Controller, in their capacity as external data controllers (for example: software houses, associated firms, lawyers, certifying bodies, accounting/tax consultants and in general to all bodies responsible for checks and controls regarding the correct fulfillment of the purposes indicated above, Municipal Bodies and/or Municipal Offices, consultants and service companies and for workplace safety, who may in turn communicate the data, 

CUSTOMER PRIVACY NOTICE Comply with US Privacy Laws and GDPR2016/679 Review 00 of the 28/08/2024 3 of 4 

collected and processed may also be communicated, in Italy and abroad, to subcontractors/suppliers. 

For brevity, the detailed list of these figures is available at our office and is at your disposal. 

1. Communication of data. 

Without the need for express consent, the Data Controller may communicate your data for the purposes referred to in point 2.A to Supervisory Bodies, Judicial Authorities, as well as to those subjects to whom communication is mandatory by law for the fulfillment of the aforementioned purposes. These subjects will process the data in their capacity as independent data controllers. 

Your data will not be disclosed. 

1. Data transfer 

Personal data is stored on servers within the European Union located in the offices of the registered office. In any case, it is understood that the Data Controller, if necessary, will have the right to move the servers even outside the EU. In this case, the Data Controller hereby ensures that the transfer of data outside the EU will take place in accordance with the applicable legal provisions, subject to the stipulation of the standard contractual clauses provided by the European Commission. 

1. Nature of the provision of data and consequences of refusal to respond 

The provision of data for the purposes referred to in point 2.A is mandatory. In their absence, we will not be able to guarantee you the Services referred to in point 2.A. 

The provision of data for the purposes referred to in point 2.B is optional. You can therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided: in this case, you will not be able to receive newsletters, commercial communications and advertising material relating to the Services offered by the Data Controller. However, you will continue to be entitled to the Services referred to in point. 2.A. 

1. Rights of the interested party 

In relation to the aforementioned processing, each Interested Party may exercise the rights. 

a) to access personal data 

b) to obtain the rectification or cancellation (oblivion) of the same or the limitation of the processing that concerns him; 

c) to oppose the processing; 

d) to the portability of the data; 

e) to withdraw consent; 

f) to lodge a complaint with the supervisory authority 

In cases of opposition to the processing of the Data, the Company reserves the right to evaluate the request, which will not be accepted if there are compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the Interested Party. 

1. How to exercise your right 

You may exercise your rights at any time by sending: 

e-mail info@capannamontalcino.com 

1. Owner, responsible person and persons in charge 

The Data Controller is Capanna di Cencioni Società Agricola s.s. with registered office and operational headquarters in Loc. Capanna, 333 – Montalcino (SI) – Italy. 

The updated list of data controllers and processors is kept at the registered office of the Data Controller