In compliance with art. 13 of Regulation (EU) 2016/679 of the European Parliament and Council, dated 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR 2016/679).

1. Data Controller and Data Processor – art. 13, par. 1 letters [a] and [b], GDPR 2016/679
   The Data Controller, who data subjects may contact to exercise the rights recognised by the GDPR and to receive an up-to-date list of all Data Processors, is Associazione Strada del Vino Valcalepio e dei Sapori della Bergamasca.
   The Data Protection Officer (DPO) appointed by the Data Controller is Mr Sergio CANTONI, who can be contacted at info@stradadelvalcalepio.com or by calling 035 953957.
2. Type of Data Processed, Purposes and Legal Basis of the Processing – art. 13, par. 1 letter [d], GDPR 2016/679
   Browsing Data
   The website collects personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified users, but due to its nature, when elaborated and combined with data held by third parties, it may lead to their identification. This category of data includes: IP addresses, domain names of the computers used by users to connect to the site; the addresses in URI (Uniform Resource Identifier) format of the resources requested, the time when the request is made, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server (successful, error, etc.) and other parameters concerning the user’s operating system and computer environment. This data is used solely to obtain anonymous statistical information on how the site is used and to make sure it is working properly. This data could be used to ascertain liability in the event of hypothetical cybercrimes to the detriment of the site.
   Cookies
   The Cookie Policy is shown in overlay the first time the website is accessed.
3. Communication and Disclosure of Data – art. 13, par. 1 letters [e] and [f], GDPR 2016/679
   The Data Controller may transfer users’ data to third parties qualified as data processors to carry out technical or commercial operations necessary to manage the website effectively (for example, couriers and postal service operators; advertising, commercial and social media agencies; IT service providers; payment service providers; customer services providers). In these cases, communication to third parties is essential to comply with contractual obligations and to improve the performance of the website. The Data Controller ensures data processors manage data correctly and safely with agreements on data processing. Users may request a list of Data Processors by sending an email to the Data Controller. Additionally, the Data Controller may be required to share personal data in specific instances set by the law, following orders from public authorities, or to protect their own rights or the rights of a third party. The Data Controller does not transfer data outside the European Union.
   Third-Party Websites
   This policy does not apply to other websites or platforms reachable from the website (eg: via banners, ads and other links to third-party websites or platforms), for which users should refer to the relevant privacy policies.
4. Data Retention Period – art. 13, par. 2 letter [a], GDPR 2016/679
   The Data Controller retains personal data for the time necessary to provide the services requested by the user or to comply with legal and fiscal obligations, or for a minimum period of time set by the law. To determine the adequate retention period for data collected with the user’s consent, the Data Controller takes into account the following: the specific purposes explained in the policy for which the website collects personal information; the type of ongoing relationship with the user (access frequency; if the user submits requests using the contact forms; if the user receives newsletters or commercial communications; how regularly they browse the website, etc.); any specific request from the user to erase their data or revoke their consent; the legitimate business interests of the Data Controller. The website will duly erase, or transform into anonymous format, any data that by law is no longer necessary.
5. Data Subject Rights – art. 13, par. 2 letters [b] and [d], GDPR 2016/679
   Data subjects have the right to receive confirmation as to whether or not personal data concerning them is processed by the Data Controller.
   If it is, in accordance with the Regulation, the data subject has the right to:
   • be informed about the collection and use of their personal information;
   • access their personal information free of charge;
   • obtain the ratification or addition of any incorrect or incomplete personal information;
   • obtain the erasure of personal information;
   • subject to specific conditions, limit the use or obtain the erasure of their personal information;
   • obtain and reuse their personal information for different services, when processing is based on a contract or on consent and is carried out automatically (“data portability right”);
   • subject to specific conditions, object to the processing of their personal information;
   • complain with the Data Protection Authority about the collection and processing of their personal information;
   • revoke their consent to the processing of their personal data at any time, without prejudice to the processing carried out before the consent was revoked.
   • For any information, please refer to the Data Protection Authority website – garanteprivacy.it – which features a section dedicated to data subject rights.
6. Nature of Data Provision and Consequences of Refusing to Provide Data – art. 13, par. 2 letters [e] [f], GDPR 2016/67
   Aside from the above-mentioned browsing data, users are free to provide personal details by filling in the contact forms or to receive promotional communications or purchase goods or services; refusal to provide such data may result in the impossibility to receive what they requested.
   All forms clearly show which fields are mandatory in order to ensure users receive what they requested.
7. Policy Amendments
   Any amendments to this policy will be published on the website. Users are kindly requested to check for updates and amendments.