Privacy and cookie policy

Protection of privacy

We kindly invite you to take note of the following information provided in accordance with Art. 13 of the GDPR (General Data Protection Regulation) n. 679/2016 – EU Privacy Regulation and related national and European legislative provisions; this privacy statement is intended for anyone who has established, is in the process of establishing or plans to establish a contractual agreement for the provision of services with the Consorzio del Vino Chianti Classico.

1. Data Controller – Information and contact details

The Data Controller is Consorzio Vino Chianti Classico, with head office in 50028 Firenze, Locality of Sambuca, Tavarnelle Valdipesa, at Via Sangallo 41, Italy. E-mail: privacy@chianticlassico.com, Tel. 055 82285, Website: card.chianticlassico.com.
Currently, having carried out the appropriate assessments, the Consorzio concluded it is not necessary to appoint a specific Data Protection Officer in charge of the Protection of Personal Data (RPD or DPO).

2. Personal Data Processors

They are the third parties, other than the Data Controller, who are authorized to handle your Personal Data in our name and on our behalf. The list is available at our Florence office, locality of Sambuca, in Tavarnelle Valdipesa, at Via Sangallo 41, Italy and may be requested using the contact details indicated herein.

The list of Data Processors (i.e. whoever is authorized to process, in our name and on our behalf, the Personal Data of which we are Data Controllers) that might be appointed, and of any system administrator is available at our head office. In certain cases, it may be possible to appoint third party employees cooperating with the Data Controller, should processing operations be fulfilled under the direct authority of said Controller.
Some examples: IT consultants (limited only to data concerning the use of computer systems and equipment), partners for the development of promotional and illustrative material for the consortium, CRM suppliers and IT platforms necessary for company business management, even if established in non-EU countries (strictly in compliance with limitations and transfer rules).

3. Legal requirements for data processing / Reasons for Personal Data processing

Basic purpose – Mandatory data provision and consent

To provide requested services (purchase of the Chianti Classico Card and any ancillary/related service, aimed in particular to obtaining the activation code to be entered in the APP named “Chianti Classico Card”);

  • To correctly quantify any amount due;
  • To comply with obligations provided by law, regulations and contractual agreements;
  • To comply with any duty owed to tax authorities, for account-keeping purposes and in accordance with fiscal and civil law;
  • To verify customer satisfaction.

Personal Data collected directly from the Data Subject in compliance with applicable legislative provisions may be processed for the following purposes:

  • Compliance with obligations imposed by law, by regulations and by current EU legislation, as well as with obligations imposed by Authorities empowered to do so by law and by Supervisory and Control Bodies. The provision of any Personal Data needed for the above listed purposes is mandatory and the refusal to comply with said duty to provide one’s data determines the failure to fulfill the legal and contractual obligations specified hereinabove, preventing the establishment of any relationship with the interested party, or rather invalidating any existing relationship;
  • Fulfillment of purposes connected to and concerning the performance of the required activity. The provision of any Personal Data needed for said purpose is necessary for the carrying out of the requested activity, also for accounting and fiscal purposes;
  • To monitor the activity via telephone calls and/or contacts and/or APP downloads (using specific details supplied by the involved party) so as to verify the level of customer satisfaction and/or completion of the services required for performance of the activity; also in this instance, the provision of any Personal Data is necessary for the performance of services that are ancillary to the main-core ones and shall in no way imply the carrying out of unwanted promotional activities to the client.

Additional purposes
Promotional activities (marketing and newsletter) – optional data provision and consent

Sending out of promotional material, newsletters, direct marketing exercise, market analysis, etc. … using:

  • Automated tools (i.e. texts and chats, e-mail, non-operator assisted phone calls)
  • Traditional or non-automated (i.e. paper-based mail, operator-assisted phone calls).

Marketing (optional data provision and consent)
These activities are functional to the purpose of sending out, via automated tools such as text messages, chats, E-mails (in addition to more traditional methods, such as paper-based mail and/or operator-assisted phone calls) notices aimed at, for example, monitoring the level of customer satisfaction with regard to the purchase; of planning and implementing analytical, strategic and operative marketing activities; of providing information on promotional activities (for example, measure the level of satisfaction among participants with regard to the quality of the purchase; send out advertising material or commercial communications…). Consequently, this specific purpose may be pursued for further reasons besides those tightly associated with the purchase and/or deriving from legal and/or regulatory requirements, should the interested party decide to give his/her consent; should the Data Agent decide not to give their (optional) consent for the above said purpose, his/her purchase will not be in any way affected nor modified, but said decision to withhold consent may determine the impossibility for the Data Controller to interact with the Data Agent, preventing the former from updating the latter, once the event is over, on the services/initiatives/news on the designation etc. that are deemed potentially interesting by the Consorzio del Vino Chianti Classico.
Furthermore, should consent be given, it shall be regarded as valid for any contact made via traditional, as well as computerized methods (i.e. E-mail, texts, MMS, telefax, automated phone calls…).
Once consent is given, the Data Subject may, at any moment and at no expense, exercise their right to object to the processing of their data for the purpose stated herein; should said Data Subject at any time decide to exercise said right, (s)he may proceed, in a separate and diverse manner, using any one of the contact methods.

Mailing list or newsletter
By accepting to be added to the mailing list or to the newsletter, the Client’s E-mail address is automatically included within a list of recipients for E-mail messages containing information, also promotional in nature, regarding our services and/or initiatives. The participant’s E-mail address may also be added to the above said list as a result of his/her website registration (to websites linked to the Consorzio del Vino Chianti Classico), as well as after having made an express request to that effect, even at a subsequent moment.

4. Processed Data

Personal information, fixed and/or mobile phone number; E-mail address/es, billing information

The processed data include, but are not limited to, common personal information, as well as any other detail necessary to ensure the provision of the requested services and compliance with legislative and regulatory requirements on the matter.

5. Methods of Personal Data processing

On paper and electronically.

Specifics: Your personal data will be processed using both manual and electronic tools, and used only for the abovementioned purposes, in order to guarantee the security and confidentiality of your data.
However, processing operations of Personal Data shall always be carried out in strict compliance with existing provisions on protecting personal privacy; by way of example but not of limitation, the Consorzio provides for the following: ongoing staff training, clearly defined and shared privacy policies, enforcement of appropriate practices in accordance with current binding provisions, paper and computerised filing procedures to minimize the risk of loss, even accidental, and/or of unauthorized access, etc. For additional information on the matter, please review your rights as specified hereinafter.

6. When are you required to provide us your Personal Data?

Basic purpose: mandatory
Other purposes (marketing/promotion/profiling): optional

With regard to the personal data we are required to collect in order to comply with contractual obligations (purchase of the Chianti Card and obtainment of the related activation code) imposed by law, by regulations and by current EU legislation, as well as with obligations imposed by Authorities empowered to do so by law and by Supervisory and Control Bodies, the refusal to provide one’s Data determines the failure to establish or to maintain any relationship to the extent said data is necessary for the relationship’s very fulfillment.
With regard to the Data we are not required to collect, the failure to provide one’s Data shall not in any way affect nor limit performance on our side of any contractual obligation, nor of any obligation deriving from legislative/regulatory provisions.

7. Categories of recipients of Personal Data communication

Summary:

  • Employees and similar workers of the Data Controller who are qualified as expressly “authorized to process data” (administrative, commercial, and marketing personnel; system administrators, etc. …) and who are duly trained and monitored by the Data Controller;
  • External subjects (i.e. legal and administrative consultants; technical service suppliers; hosting providers; payment platforms and banking institutions; IT service companies; communication agencies; commercial partners, whenever needed to perform specific obligations etc. …);
  • Bodies, businesses or companies belonging to the Consorzio del Vino Chianti Classico for non-commercial purposes;
  • Control and/or Supervisory authorities.

Your Personal Data may be communicated to:

  • Individuals who are required to receive said communication in compliance with obligations imposed by law, by regulations or by current EU legislation, or else to comply with obligations imposed by Authorities empowered to do so by law and by Supervisory and Control Bodies;
  • Consultants, professional firms, hosting providers, banking institutions or financial intermediaries, companies providing technical assistance for IT services, only upon specific assignment and as long as they are included within one of the categories specified by the GDPR n. 679/2016; all the above to be executed in accordance with current applicable legislation;
  • Bodies, businesses or member companies belonging to the Consorzio del Vino Chianti Classico;
  • To the following companies - SILFI, Cristoforo SCS and D.R.E.Am Italia – which are functional in the provision of the services;

8. Data transfer to third parties for their marketing purposes

Summary and Specifics:
The Consorzio may not transfer a Data Subject’s Personal Data to bodies, companies or Consortium member companies for their separate processing with marketing purposes.

9. Retention Period for Personal Data

10 years, tacitly renewable, except in the case of withdrawal or exercise of other rights by the Data Subject.

Besides the (mandatory) 10 years required for storage of contractual, accounting data etc. … your Personal Data will be stored in our archives for the additional purposes and on the basis of the authorizations granted by you for the extent of time that is considered reasonable, however, for no more than 10 years, which are to be intended as tacitly renewed at every expiration date, except otherwise communicated by the Data Subject. Said period may be reduced and/or extended (subsequent communication to the involved parties) in the instance, for example, of indications received from official Institutions and/or Control Authorities. This is without prejudice, however, to the possibility for the Data Subject to withdraw their consent at any moment without compromising the lawfulness of the data processing based on the express consent manifested prior to said withdrawal.

10. Transfer of Personal Data to Non-EU Countries

The Data Controller may transfer your Personal Data to non-EU countries in order, for example, to benefit from data storage, or mailing list creation services; naturally, in this instance, the Data Controller undertakes to set up and ensure that all the appropriate safeguards required under applicable legislation are in place.

The Transfer of Personal Data to non-EU Countries may entail greater risks and for this reason, it must be attended to properly. Should the Data Controller avail itself of this possibility, it undertakes to gather all relevant supporting information beforehand and to make it available to the involved parties, and by the same manner, the terms for the exercise of their rights.

11. Lodging a complaint with the Supervisory Authority

The procedures at your disposal for your protection are as follows (in addition to the possibility of exercising your rights against us):

  • Access to www.garanteprivacy.it to lodge a complaint in the dedicated page, whenever the Italian Authority is competent; or
  • In the terms set forth by the Control Authority of the Member Country (whenever different from Italy) in which the involved party habitually resides, works or where the alleged violation took place.

12. Rights of the Data Subject

Access – Restriction – Rectification – Objection – Withdrawal of Consent – Erasure (‘Right to be forgotten’) – Portability


  • Right to access: the Data Subject has the right to receive a copy of their Personal Data undergoing processing at any time.
  • Right to Restriction: it may be exercised not only in case of infringement of the legal requirements for lawful processing, but also should the Data Subject request the rectification of their data, or the Data Subject objects to their processing; the Data Controller undertakes to flag the data at issue for the entire period it needs to assess the situation to decide its course of action, and it shall do so by enforcing appropriate organizational measures.
  • Right to Rectification: the Data Subject may request the rectification of the inaccurate personal data without delay and also has the right to obtain completion of the incomplete personal data, also by way of supplementing a corrective statement.
  • Right to Object: the Data Subject has the right to object, at any time, on grounds relating to their particular situation, to the processing of their Personal Data, even if used for direct marketing and/or profiling (whenever conducted).
  • Right to Withdraw Consent given, for example, for marketing purposes, and similar purposes.
  • Right to Erasure (‘Right to be forgotten’): the Data Subject has the right to request that their data is erased to the utmost degree, for example, even after the interested party has withdrawn his/her consent in relation to the processing of their Personal Data.
  • Right of Portability: it does not apply to non-automated processing, hence it doesn’t apply to paper-based archives and/or records; this right may be exercised also solely with regard to the data supplied by the Data Subject to the Data Controller and processed with the latter’s consent, or on the basis of an agreement entered into with the Data Controller.

13. Which details may be used to exercise one’s rights?

Consorzio Vino Chianti Classico, with head office in 50028 Firenze, Locality of Sambuca, Tavarnelle Valdipesa, at Via Sangallo 41, Italy. E-mail: privacy@chianticlassico.com, Tel. 055 82285, Website: card.chianticlassico.com.

14. Term and form for reply from the Data Controller to anyone exercising their rights with regard to their Personal Data

1 (one) month, extendable to 3 (three) months in more complex cases; written form.

Please take note that should you exercise your rights, the Data Controller must reply in writing, even using electronic means that promote accessibility (a verbal reply shall be given only upon express request by the interested party) within 1 (one) month, extendable to 3 (three) months in the event of more complex cases, without prejudice to the duty to provide feedback within a month from the request, even in case of refusal. The Data Controller, upon assessment of the complexity of the request submitted by the interested party, may establish a compensation for its service, but only if the request submitted appears as manifestly unfounded or excessive.