Protection of Privacy

We kindly invite you to take note of the following information provided in accordance with Art. 13 of the GDPR (General Data Protection Regulation) n.679/2016 – EU Privacy Regulation and related national and European legislative provisions

1. Data Controller– Information and contact details

The Data Controller is Consorzio Vino Chianti Classico, with head office in 50028 Florence, Locality of Sambuca, Tavarnelle Valdipesa, at Via Sangallo 41, Italy. E-mail:, Tel. 055 82285, Sito web:

2. Data Protection Officer in charge of the Protection of Personal Data (RPD or DPO)

Currently, having carried out the appropriate assessments, the Consorzio concluded it is not necessary to appoint a Data Protection Officer in charge of the Protection of Personal Data (RPD or DPO).

3. Personal Data Processors


They are the third parties, other than the Data Controller, who are authorized to handle your Personal Data in our name and on our behalf. The list is available at our head office in Florence, Locality of Sambuca, Tavarnelle Valdipesa, at Via Sangallo 41, Italy and may be requested using the contact details indicated hereinabove.


The list of Data Processors (i.e. whomever is authorized to process, in our name and on our behalf, the Personal Data of which we are Data Controllers) that might be appointed, and of any system administrator, is available at our head office.

In certain cases, for processing purposes, it may be possible to appoint third party employees cooperating with the Data Controller, if said processing operations are fulfilled under the direct authority of said Controller.

Some examples: tax advisors, IT consultants (limited only to data concerning the use of computer systems and equipment), partners for the development of promotional and illustrative material for the Consorzio, suppliers of CRM and IT platforms necessary for company business management, even if established in non-EU countries (strictly in compliance with limitations and transfer rules).

4. Legal requirements for data processing/Reasons for personal Data processing Basic purpose – Mandatory data provision and consent


  • Sending out of promotional and institutional material, newsletters, direct marketing exercise, market analysis, etc. … using traditional automated (i.e. texts and chats, e-mail, non-operator assisted calls) or non-automated tools (i.e. paper-based mail, operator-assisted calls);
  • Compliance with obligations provided by law, regulations and contractual agreements;
  • Compliance with any duty owed to tax authorities, for account-keeping purposes and in accordance with fiscal and civil law;
  • To verify customer satisfaction with regard to services provided by the Data Controller.


Personal Data collected directly from the Data Subject in compliance with applicable legislative provisions may be processed for the following purposes:

  • These activities are functional for the purpose of sending out, via automated tools such as texts, chats, e-mail etc. … (in addition to more traditional methods, such as paper-based mail and/or operator-assisted phone calls) institutional and promotional communications; planning and implementing analytical, strategic and operative marketing activities; providing information on promotional activities (such as sending out advertising material or commercial communications …). Furthermore, should consent be given, it shall be regarded as valid for any contact made via traditional, as well as computerized methods (i.e. E-mail, texts, MMS, telefax, automated phone calls…). Once consent is given, the Data Subject may, at any moment and at no expense, exercise their right to object to the processing of their data for the purposes stated herein; should said Data Subject at any time decide to exercise said right, (s)he may proceed, even in a separate and diverse manner, using any one of the contact methods.
  • Compliance with obligations imposed by law, by regulations and by current EU legislation, as well as with obligations imposed by Authorities empowered to do so by law and by Supervisory and Control Bodies. The provision of any Personal Data needed for the above listed purposes is mandatory and the refusal to comply with said duty to provide one’s data determines the failure to fulfill the legal and contractual obligations specified hereinabove, preventing the establishment of any relationship with the interested party, or rather invalidating any existing relationship;
  • Fulfillment of purposes connected to and concerning the performance of the required activity. The provision of any Personal Data needed for said purpose is necessary for the carrying out of the requested activity;
  • To monitor the activity via telephone calls and/or contacts (using specific details provided by the involved party) so as to verify the level of customer satisfaction with regard to the services provided and enjoyed by said customer; also in this instance, the provision of any Personal Data is necessary for the performance of services that are ancillary to the main-core ones and shall in no way imply the carrying out of unwanted promotional activities towards the client.
5. Processed Data


Personal information, landline and/or mobile phone number, E-mail address, website


The processed data include, but are not limited to, personal and fiscal information, as well as any other detail necessary to ensure the provision of the requested services and compliance with legislative and regulatory requirements on the matter.

6. Methods of Personal Data processing


On paper and electronically


Your Personal Data will be processed using both manual and electronic tools, and strictly used only for the abovementioned purposes, and however in a manner that guarantees the security and  confidentiality of your Data.

In all instances, processing operations of Personal Data will always be carried out in strict compliance with existing provisions on protecting personal privacy; by way  of example but not of limitation, the Consorzio provides for the following: ongoing staff training, clearly defined and shared privacy policies, enforcement of appropriate practices in accordance with current binding provisions,  paper and computerized filing procedures to minimize the risk of loss, albeit accidental, and/or of unauthorized access etc. ….

For additional information on the matter, please review your rights as specified hereinafter.

7. When are you required to provide us your Personal Data?


Basic purpose: mandatory


With regard to the Personal Data we are required to collect in order to comply with contractual obligations imposed by law, by regulations and by current EU legislation, as well as with obligations imposed by Authorities empowered to do so by law and by Supervisory and Control Bodies, the refusal to provide one’s Data determines the failure to establish or to maintain any relationship to the extent said data is necessary for the relationship’s very fulfillment.

With regard to the Data we are not required to collect, the failure to provide one’s Data shall not in any way affect nor limit performance on our side of any contractual obligation, nor of any obligation deriving from legislative/regulatory provisions.

8. Categories of recipients of Personal Data communication


  • Employees and similar workers of the Data Controller who are qualified as “authorized to process data” (administrative, commercial, and marketing personnel; system administrators, etc. …) and who are duly trained and monitored by the Data Controller;
  • External stakeholders (i.e. legal and administrative consultants, technical service suppliers, hosting providers, IT service companies, communication agencies, commercial partners, whenever needed to perform specific obligations etc. …);
  • Bodies, businesses and/or companies belonging to the Consorzio del Vino Chianti Classico
  • Control and/or Supervisory authorities.


You Data may be communicated to:

  • Individuals who are required to receive said communication in compliance with obligations imposed by law, by regulations or by current EU legislation, or else to comply with obligations imposed by Authorities empowered to do so by law and by Supervisory and Control Bodies;
  • Consultants, professional firms, companies providing technical assistance for IT services, only upon specific assignment and as long as they are included within one of the categories specified by the GDPR n. 679/2016; all the above to be executed in accordance with current applicable legislation;
  • Bodies, businesses or member companies belonging to the Consorzio del Vino Chianti Classico

The updated list of the above said subjects may be requested to Consorzio del Vino Chianti Classico using any one of the contact details specified in the last item of this data privacy statement.

9. Retention period per Personal data


10 years, tacitly renewable, except in the case of withdrawal or exercise of other rights by the Data Subject


Besides the (mandatory) 10 years required for storage of contractual, accounting data etc. … your Personal Data will be stored in our archives for the additional purposes and on the basis of the authorizations granted by you for the extent of time that is considered reasonable, however, for no more than 10 years, which are to be intended as tacitly renewed at every expiration date, except otherwise communicated by the Data Subject.

Said period may be reduced and/or extended (subsequent communication to the involved parties) in the instance, for example, of indications received from official Institutions and/or Control Authorities.

This is without prejudice, however, to the possibility for the Data Subject to withdraw their consent at any moment without compromising the lawfulness of the data processing based on the express consent manifested prior to said withdrawal.

10. Transfer of Personal Data to Non-EU countries


The Data Controller may transfer your Personal Data to non-EU countries in order, for example, to benefit from data storage, or mailing list creation services; naturally, in this instance, the Data Controller undertakes to set up and ensure that all the appropriate safeguards required under applicable legislation are in place.


The Transfer of Personal Data to non-EU Countries may entail greater risks and for this reason, it must be attended to properly. Should the Data Controller avail itself of this possibility, it undertakes to gather all relevant supporting information beforehand and to make it available to the involved parties, and by the same manner, the terms for the exercise of their rights.

11. Lodging a Complaint with the Supervisory Authority

The procedures at your disposal for your protection are as follows: (in addition to the possibility of exercising your rights against us):

  • Access to www.garante to lodge a complaint in the dedicated page, whenever the Italian Authority is competent; or,
  • In the terms set forth by the Control Authority of the Member Country (whenever different from Italy) in which the involved party habitually resides, works or where the alleged violation took place.
12. Rights of the Data Subject


Access – Restriction – Rectification – Objection -– Withdrawal of Consent – Erasure (‘Right to be forgotten’) – Portability


Right to access: the Data Subject has the right to receive a copy of their Personal Data undergoing processing at any time.

Right to Restriction: it may be exercised not only in case of infringement of the legal requirements for lawful processing, but also should the Data Subject request the rectification of their data, or the Data Subject objects to their processing; the Data Controller undertakes to flag the data at issue for the entire period it needs to assesses the situation to decide its course of action, and it shall do so by enforcing appropriate organizational measures.

Right to Rectification: the Data Subject may request the rectification of inaccurate personal data without delay, and also has the right to obtain completion of incomplete personal data, also by supplementing a corrective statement.

Right to Object: the Data Subject has the right to object, at any time, on grounds relating to their particular situation, to the processing of their Personal Data, even if used for direct marketing and/or profiling (whenever conducted).

Right to Withdraw Consent given, for example, for marketing purposes, and similar purposes.

Right to Erasure (‘Right to be forgotten’): the Data Subject has the right to request that their data is erased to the utmost degree, for example, even after the interested party has withdrawn consent in relation to the processing of their Personal Data.

Right of Portability: it does not apply to non-automated processing, hence it does not apply to paper-based archives and/or records; this right may be exercised also solely with regard to the data supplied by the Data Subject to the Data Controller and processed with the latter’s consent, or on the basis of an agreement entered into with the Data Controller.

13. Which details may be used to exercise one’s rights?

Consorzio Vino Chianti Classico, with head office in 50028 Firenze, Locality of Sambuca, Tavarnelle Valdipesa, at Via Sangallo 41, Italy. E-mail:, Tel. 055 82285, Website:

14. Term and form for reply from the Data Controller to anyone exercising their rights with regard to their Personal Data


1 (one) month, extendable to 3 (three) months in more complex cases; written form


Please take note that should you exercise your rights, the Data Controller must reply in writing, even using electronic means that promote accessibility (a verbal reply shall be given only upon express request by the interested party) within 1 (one) month, extendable to 3 (three) months in the event of more complex cases, without prejudice to the duty to provide feedback within a month from the request, even in case of refusal.

The Data Controller, upon assessment of the complexity of the request submitted by the interested party, may establish a compensation for its service, but only if the request submitted appears as manifestly unfounded or excessive.