Privacy Policy

Information notice on processing of personal data pursuant to EU General Data Protection Regulation 2016/679

In compliance with Article 13 of the EU Regulation 2016/679, we provide you with the necessary information regarding the processing of your personal data. 
By personal data we mean all the information relating to your person that we may collect when you browse the website or that you voluntarily send us by subscribing to one of the services therein. 
We will inform you of the purposes for which the data is collected and processed, of the legal grounds for the processing, of the management methods that we will adopt in order to carry out the processing, of the possible communications to which your data may be subject, of the expected retention period, of the possibility of transferring the data to third countries and of the existence of profiling processes that may involve your personal data.

1. Purpose and legitimacy of the data handling
Depending on the services delivery of which has led you to provide us with your personal data, data processing will have the following purposes:
->    Purposes associated with processing by our websites:
1. to allow your access to and use of the reserved areas of our website, which consist of portals dedicated to specific categories of users, such as agents or customers; the processing is legitimised by the need to perform what is required by a contract or agreement entered into with you
2. to collect and process your requests for bookings of visits and stays at our estates or bookings at our restaurants; the processing is legitimised by the need to execute pre-contractual requests on your part
3. to manage the booking of vouchers in your name for visits and stays at our estates or bookings at our restaurants which you may receive as a gift from a third party who has provided us with your personal data; the processing is legitimised by the need to execute a contract or an agreement entered into
3. to respond to requests for information from you; processing is legitimised by the need to execute pre-contractual requests which you have made
4. to store and evaluate the personal and contact data you send us in the event that you intend to apply for a job at our facilities; the processing is legitimised by the need to execute pre-contractual requests which you have made
5. to manage and activate your subscription to the newsletter; the processing is legitimised by the need to execute what is required by a contract or an agreement entered into 
-> Purposes associated with free Wi-Fi services inside our premises:
6. activating, providing and managing your access permissions to the WIFI service called Volare, should you request it during your visits to our facilities; the processing is legitimised by the need to execute what is required by a contract or agreement entered into by you 
-> Purposes associated with the app to scan calling cards:
7. to record in our database for external communications your personal and contact information that you wish to communicate to us by means of your business card handed in following a meeting; processing is legitimised by the need to execute pre-contractual requests on your part
-> Purposes associated with the app recording visitors during events or activities:
8. To record your personal and contact information when you attend events and exhibitions that we organise; processing is legitimised by our legitimate interest linked to organisational needs
-> Purposes associated with marketing:
9. to send you information of a commercial and promotional nature by means of various IT tools; the processing is legitimised by the consent given in advance and freely by the recipient of the communications
10. to subscribe you to our newsletter (if commercial content is envisaged); the processing is legitimised by the consent issued in advance and freely given by the recipient of the communications
11. to perform market research; the processing is legitimised by the consent issued in advance and freely given by the recipient of the communications
-> Purposes associated with profiling:
12. to analyse your habits, behaviour and consumption choices in order to establish a profile of the customer or visitor to our websites so that we can send promotional messages, offers or other commercial communications that meet the recipient's interest; the processing is legitimised by the consent issued in advance and freely given by the recipient of the communications

2. Optional or compulsory nature of data provision
When your personal data is collected in order to fulfil your explicit request or for the provision of one of our services which you wish to use or which is given to you by means of one of our vouchers, or for all the purposes listed and legitimised by the need to fulfil the requirements of a contract or an agreement concluded with you, by the need to fulfil pre-contractual requests on your part and by our legitimate interest linked to organisational needs, the provision of data is necessary. 
Without collecting your data we will not be able to achieve the intended purposes and fulfil your requests. 
For processing operations that are justified by the collection of your free consent, you will have the possibility not to grant your consent or to decide to change your mind about this at a later point in time after the release of the data for other purposes that require it.
Consent to data processing for purposes of profiling implies consent for marketing purposes, since the latter is only carried out after developing a profile of the addressee’s interests. You will not be the subject of any direct marketing activities if we cannot carry out the preliminary profiling operations.
Refusal to consent to processing for marketing and profiling purposes will in no way affect the possibility of receiving the other services being offered.
You may freely withdraw the consent you expressed at any time by writing to the following email address: privacy@masseto.com.

3. Manner of processing
Your data will be processed according to principles of correctness, legality and transparency, and this will be carried out using electronic tools but also on paper files suitable for filing, management and transmission. Processing will be carried out using tools which, in a reasonable manner and according to the state of the art, can guarantee security and confidentiality through the use of procedures for preventing the risk of loss, unauthorised access, illicit use and dissemination.
Your data will be processed exclusively 

by our formally authorised staff, trained on the operational methods to be adopted for the safe handling of the processing  by external parties necessary for us to carry out part of the activities related to the above-mentioned purposes, formally appointed by a legal deed as data processors 

4. Scope and purpose of communication and dissemination
Besides in-house staff and outside parties formally authorised to process your personal data, such data may be communicated to third parties exclusively to fulfil legal obligations, that is to comply with orders coming from public authorities with the legitimate right to do so or to uphold or defend a right in court.
Your personal data, for the purposes mentioned above, may be made available to:

The Data Controller’s staff Companies affiliated to or controlled by Gruppo Marchesi Frescobaldi.
Your personal data will not be disseminated or communicated to third parties for reasons other than those mentioned above, unless required by a law or regulation or EU regulation

5. Transfer of personal data outside the European Union
The personal data provided by you and processed for the above purposes will in no case be transferred to countries not belonging to the European Union. Should a transfer be necessary in the future, this will only be possible to countries deemed appropriate by the European Commission, or by entering into data protection clauses adopted by the European Commission with the recipients, or, in the case of a non-continuous transfer, following your informed and explicit consent.

6. Retention period
For processing related to the activation/delivery/provision of services requested by you, your personal data will be kept for as long as the services remain active or for the time necessary for the performance of the service requested, except for further compulsory storage for accounting, administrative, tax and/or legal purposes. 

7. Parties
The Data Controller is:
Marchesi Frescobaldi soc. agricola s.r.l. unipersonale, Tax Code and VAT No. 01770300489 legal headquarters in Via S. Spirito 11 50125 Florence, Administrative Office in Via Aretina 120, 50065 Sieci (FI).
The Data Processor is Mr Marco Ghilli.
The complete list of appointed data processors is available from the Data Controller at the address listed above.

8. Exercise of your rights
We remind you that have the right to obtain from the Data Controller, in the cases provided for by the relevant law, access to data concerning you, rectification or erasure, additions to incomplete data, restriction of the processing; to receive the Data in a structured format, of common use and readable from an automatic device; to recall any consent you may have granted concerning processing of your sensitive data at any time, and to object, in whole or in part, to use of the Data.
You may exercise such rights in writing by postal mail directly to the Data Controller or by email to the following email address privacy@masseto.com.
Exercise of your rights is not subject to any formal restriction and is free of cost.
If you believe that any processing of personal data relating to you and carried out by us is in breach of the provisions of the European Data Protection Regulation or other applicable legislation, you have the right to lodge a complaint with the Authority for the Protection of Personal Data, following the procedures and instructions published on the Authority's official website at http://www.garanteprivacy.it.