Privacy Policy

Information on the processing of personal data pursuant to art. 13 of regulation (eu) 2016/679 of the european parliament and of the council of 27 april 2016 ("General data protection regulation - gdpr")

Information and contact details of the data controller

Data Controller
registered office at Via Alba, 1,
12060 Barolo (CN),
VAT 00169530045

Contact details of the Data Controller E-mail:
Tel:(+39) 0173/564400

CANTINE DEI MARCHESI DI BAROLO SPA, as Data Controller of your personal data (hereinafter also “Data Controller”), informs you, pursuant to Articles 12 and 13 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to for brevity as "GDPR"), that your personal data will be processed by specifically authorized subjects and limited to the purposes and with the means that will be specified below.

CANTINE DEI MARCHESI DI BAROLO SPA is the Data Controller and manager of this website and https//, to which the information contained in this information applies (hereinafter also "Site").

CANTINE DEI MARCHESI DI BAROLO SPA believes in the importance of privacy for all its users and uses the data collected only to improve the experience of using the Site, respecting the standards required by European (GDPR) and national (Privacy Code) regulations, updating the information and allowing it to be easier to read and understand.

The GDPR is a regulation aimed at strengthening and unifying data protection for all subjects within the European Union and which requires a high level of transparency on how personal data is collected, stored and used and more generally on the processing of personal data and imposes stringent limits on their use.

Object and purposes of processing

The Data Controller informs you that it will process, specifically, your common personal data (name, surname and address), contact data (e-mail address, telephone number) and IP address, according to the purposes and means specifically defined below.

In particular, the personal data provided to the Data Controller will be processed for the pursuit of the following purposes:

This information is effective only with reference to the Site, but not with reference to other different portals or websites, for which the Data Controller is in no way responsible.

The processing of the data provided by the user will be carried out, also following automatic collection during navigation, for the sole purpose of verifying and/or controlling access to the Site and/or for the sole purpose of improving its functionality, in order to to ensure a better browsing experience.

As regards the processing of IP addresses and domain names, as well as all users browsing data, carried out by the Data Controller for the purposes indicated in point 2 above), please refer to Cookie Policy.

Lawfulness of processing

The communication to the Data Controller of the user’s personal data specified above has the following legal basis as a prerequisite for the lawfulness of the processing:

  1. Article 6, par. 1 letter f) of the GDPR (legitimate interest) for the purposes referred to in points 1 and 2 above.

The provision of user’s personal data is necessary for the complete fulfillment of the purposes referred to in points 1 and 2 above, and, consequently, your possible refusal to provide personal data may result in the failure to provide the aforementioned services and functions of the Site, preventing all or part of its functionality.

Means of Processing

The processing of the personal data is carried out by means of all or some of the operations indicated in the art. 4 no. 2 of the GDPR (“collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”).

Personal data are subjected to automated processing by the Data Controller for the time strictly necessary to achieve the purposes for which they were collected, with technical and organizational security measures adopted to prevent data loss, illicit and/or incorrect use and access unauthorized, and such, therefore, as to guarantee a level of safety adequate to the risk pursuant to art. 32 of the GDPR, by specifically authorized subjects, in compliance with the provisions of the art. 29 of the GDPR, or employees and/or collaborators of the Data Controller in their capacity as authorized subjects and/or system administrators, who will be able to carry out consultation, use, processing, comparison and any other appropriate operation in compliance with the provisions of the law necessary to guarantee, among other things, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data in compliance with the declared purposes and means.

It is specified, in particular, that the user’s personal data will be processed only at the Data Controller's headquarters, except as specified below, they will therefore not be disclosed, and, pursuant to art. 13, paragraph 1, letter. (e), they may only be processed by authorized parties and/or by any external data processors pursuant to art. 28 of the GDPR (in the person of individual professionals and/or complex professional associations), and/or by subjects who operate as independent data controllers, and which explicitly include hosting and/or personnel companies technician in charge of the management and/or maintenance of the Site, but only and exclusively for the purposes expressly and specifically indicated above.

Scope of data communication

In relation to the purposes indicated above, the data may be communicated to the following subjects and/or the categories of subjects indicated below, or they may be communicated to companies and/or people who provide services, including external ones, on behalf of the Data Controller.

Among these, for greater clarity, the following are indicated by way of example but not limited to: professionals and consultants, including those in associated form; entities that provide services for the management of the IT system and telecommunications networks (including email and management of web portals and websites - cloud storage - hosting services); legal, administrative and tax consultancy firms; competent authorities and/or supervisory bodies for the fulfillment of legal obligations; subjects who carry out control, review and certification obligations of the activities carried out by the Data Controller which operate as external data processing managers pursuant to art. 28 of the GDPR, or in total autonomy as subjects distinct from the Data Controller.

With exclusive reference to navigation data and IP addresses, the Site may share some of the data collected with services located outside Italy and the European Union area. In the event that this should become necessary for any reason, the Data Controller hereby ensures that the transfer of data will take place in compliance with the applicable legal provisions and, in particular, in accordance with articles 44 – 45 – 46 – 47 – 48 and 49 of the GDPR and other applicable legal provisions.

On this Site some plugins are installed with advanced user privacy protection functions that do not send cookies or access the cookies present on the user's browser when the page is opened but only after clicking on the plugin.

The collection and use of information by the subjects listed below are governed by their respective privacy policies to which please refer to the links indicated.


Data retention period

In compliance with the principles of lawfulness, limitation of purposes and conservation and minimization of data, pursuant to art. 5 of the GDPR, the retention period of your personal data is established for a period of time not exceeding the achievement of the purposes indicated above for which they are collected and processed, or for the entire duration of the fulfillment of the aforementioned purposes, and, therefore, once the purposes of the processing have been completed, user’s data will be deleted from all physical and IT media.

Automated individual decision making and profiling

The Data Controller informs that, for the purposes of personal data processing, it does not make use of automated individual decision-making processes, i.e. those aimed at making decisions based solely on technological means based on predetermined criteria (i.e. without human involvement) and does not carry out profiling with the aid of first and/or third party profiling cookies within the limits and with the means best indicated in the Cookie Policy to which express and complete reference is made.

Rights of the user (data subject)

Right of Access pursuant to art. 15 of the GDPR and Right to Rectification pursuant to art. 16 of the GDPR

The user, pursuant to art. 15 of the GDPR, has the right to obtain from the Data Controller confirmation of the existence or otherwise of processing of personal data concerning him/her, to obtain access to the same and to all the information referred to in the same art. 15, paragraph 1, letters from (a) to (h), by issuing a copy of the data being processed in a structured, commonly used, machine-readable and interoperable format.

The user, pursuant to art. 16 of the GDPR, also has the right to obtain from the Data Controller the rectification and/or integration of the data being processed if they are not updated and/or inaccurate and/or incomplete.

Right to erasure pursuant to art. 17 of the GDPR and Right to restriction of processing pursuant to art. 18 of the GDPR

The user has the right to obtain exclusively in the cases referred to in the art. 17, paragraph 1, letters (a) to (f), of the GDPR, the cancellation of data concerning him/her - with the exception of the hypotheses specifically provided for by the art. 17 paragraph 3.

The user, pursuant to art. 18 paragraph 1, letters (a) to (d), of the GDPR, has the right to request and obtain from the Data Controller the limitation of the processing of his/her personal data, or that such data are not subjected to further processing and can no longer be modified. The Data Controller ensures that the restriction of processing is implemented using adequate technical devices that guarantee its inaccessibility and immutability.

Right to data portability pursuant to art. 20 of the GDPR

The user has the right to receive, pursuant to art. 20 of the GDPR, from the Data Controller the personal data concerning him/her, the processing of which is carried out by automated means, in a structured format, commonly used and readable by an automatic device, and also has the right to transmit such data to another data controller processing, or to obtain from the Data Controller, where technically feasible, the direct transmission of such data to another specifically identified data controller.

Right to object pursuant to art. 21 of the GDPR

The user has the right to object at any time for reasons related to his particular situation to the processing of personal data concerning him/her pursuant to art. 6, par. 1, letters e) and f) including profiling on the basis of these provisions. The Data Controller refrains from further processing personal data, unless it demonstrates the existence of compelling legitimate reasons to proceed with the processing which prevail over the interests, rights and freedoms of the data subject or for the assessment, exercise or the defense of a right in court.

If personal data is processed for direct marketing purposes, the user has the right to object at any time to the processing of personal data concerning him/her carried out for such purposes, including profiling to the extent that it is connected to such direct marketing. If the user objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

How to exercise user’s rights

The user may exercise the rights listed above by sending a request via email to

The Data Controller will confirm receipt of the request and provide information relating to the action taken, with reference to the exercise of the rights provided for in articles 15 to 22 of the GDPR, within 1 (one) month of receipt of the request itself. If necessary, and taking into account the complexity and number of requests, the Data Controller may extend this deadline by 2 (two) months, subject to a reasoned communication to be sent within 1 (one) month of receipt of the request.

The Data Controller will communicate any rectification, cancellation, limitation or opposition to all recipients, as identified by the art. 4, paragraph 1, n. 9 of the GDPR, to which such data were transmitted, unless this proves impossible and/or involves a disproportionate effort.

Following the sending of the request for rectification, cancellation, limitation, opposition, if the Data Controller has reasonable doubts about the user's identity, he will request further information to confirm it. Such communications will be sent by email from the aforementioned address and will be processed by the person specifically authorized for this purpose.

Finally, we would like to remind the user the right to lodge a complaint with the Supervisory Authority (Garante per la protezione dei dati personali), as specified pursuant to art. 13, paragraph 2, letter (d) and governed by articles 77 et seq. of the GDPR and 141 et seq. of D.lgs. 196/2003, as amended by D.lgs. 101/2018.