Extended Cookie Privacy Policy




Identification of simplified privacy policy procedures and acquisition of consent for the use of cookies - May 8, 2014 (Published in the Official Gazette No.126 dated June 03, 2014)
Register of the Provisions No. 229 dated May 08, 2014


Cookie Privacy policy - Art. 14 of EU REGULATION 679/16


Herein we wish to inform you with transparency about the operation on this website (hereinafter referred to as the "Site") of the so-called cookies.


Definition of "cookies"


Cookies are small text files sent from the Site to the computer device of the concerned party (usually through the browser), where they are stored and then re-sent to the Site on occasion of the subsequent visit by the user. A cookie cannot record any other data from the user's hard drive, nor send IT viruses or acquire email addresses. Each cookie is unique for the user's web browser. Some of the cookie functions may be assigned to other technologies. The term 'cookie' refers to cookies and all similar technologies.


Purpose of processing of session technical cookies


Cookies used on the Site have the purpose of carrying out IT authentication or monitoring of sessions and the storing of specific technical information regarding users accessing the servers of the Data Controller etc.. In this context, some transactions on the Site may not be carried out without the use of cookies, which in such cases are technically necessary. By way of example, access to reserved areas of the Site and the activities that can be carried out therein would be much more complex to be carried out and less secure without the presence of cookies which make it possible to identify the user and preserve its identification during the session.
Pursuant to article 122, paragraph 1, of the Privacy Code (in the version in force as a result of the entry into force of Legislative Decree 69/2012) "technical" cookies can be used even without the consent of the concerned party.
Therefore, the Data Controller wishes to inform, first of all, that on the Site there are technical cookies needed in order to browse the Site as they allow essential functions such as authentication, validation, management of a browsing session and fraud prevention and make it possible, for example, to identify whether the user had regular access to the areas of the Site that require prior authentication or user validation and management of sessions concerning the various services and applications or the storing of data for secure access or the functions of control and fraud prevention.
To ensure maximum transparency, a series of technical cookies used and
their specific function with in the website are detailed below:
• cookies that are directly installed in the computer device of the user/client (which will not be used for further purposes) such as session cookies used to "fill the shopping cart" when booking online on the Site, authentication cookies, cookies for multimedia contents such as Flash players that do not exceed the duration of the session, customization cookies (for example, for the choice of the browsing language, ID and complete password automatic fill-out by typing the first characters, etc.);
• cookies used to statistically analyze accesses/visits to the site (so-called "analytics" cookies) which are used exclusively for statistical purposes (and not for profiling or marketing) and collect information in aggregated form without any possibility of identifying the individual user. In these cases, since the current legislation requires that for analytics cookies the concerned party is provided with a clear and adequate indication of simple ways to oppose their installation (opt-out) (including any mechanism of anonymization of cookies), we specify that it is possible to deactivate Google analytics as follows: open your browser, select the setting menu, click on INTERNET options, open the privacy tab and choose the desired level of cookie authorization.  If it is desired to delete cookies already stored in memory, simply open the security tab and delete the history by ticking off the "delete cookies" box.


Purpose of processing cookies for marketing research.


In addition to technical cookies, we would like to inform you that the Data Controller also uses other cookies on this Site (deriving from specific services provided by companies operating in the sector) which cannot be qualified as "technical cookies" and which are used to analyze habits for marketing purposes.
Below, for each cookie operating on our Site, we report the information on the type of cookies used through the services of third party providers, their purpose, storage period, third parties storing the information and accessing it:


Third Parties that store and access information about the user collected through cookies


Link to the site where it is possible to view the privacy policy:
Google Inc, for statistical analysis and reporting.
Facebook Inc, for profiling


The personal data collected through the use of cookies may be processed, in an automated/IT manner, for the purposes that are specified below as required by the General Provision issued by the Italian Data Protection Authority containing the Guidelines against Spam: marketing-sales promotion, advertising, solicitation to purchase, market researches, surveys (including telephone and online surveys or through questionnaires), statistics (with identification), and marketing processing in a broad sense (including contests, games and competitions or other prize initiatives not included  in the regulations referred to in the Presidential Decree 430/2001) on products and/or services related to the Data Controller, hereinafter referred to as "Processing for Marketing Purposes"). By providing consent to the operation of cookies and the related Processing for Marketing Purposes, the concerned party specifically acknowledges these promotional, commercial and marketing purposes in the broad sense of the processing (including the subsequent management and administrative activities) and expressly authorizes such processing both pursuant to Article 23 of the Privacy Code and also pursuant to Article 130 of the Privacy Code (as the Company may use tools for Data Processing for Marketing Purposes such as e-mail, fax, sms, mms, automatic systems without operator intervention and similar, including electronic platforms and other telematic means).


Pursuant to the General Provision of the Data Protection Authority “Consent to the processing of personal data for direct marketing purposes through traditional and automated communication means" occurs as follows:


1. any consent provided for participation to commercial and promotional communications on the basis of art. 130, paragraphs 1 and 2, of the Code and art. 22 of the EU Regulation 679/16 (that is through the use of email, fax, sms, mms, automated systems without operator intervention and similar, including electronic platforms and other telematic means) will require receipt of said communications not only through said automated contact methods, but also through traditional means, such as snail mail or telephone calls through an operator;
2. The right of the concerned party to oppose the processing of personal data for direct marketing purposes through the aforementioned automated contact methods shall automatically extended in any case to traditional ones, and even in said case, without prejudice to the possibility to exercise the right as established in article  7, paragraph 4, of article 21 of the EU Regulation of the Code both in terms of specific means and specific data processing;


3. the concerned party who does not wish to provide consent according to the terms specified above, may specify the preference of receiving communications for the aforementioned marketing purposes exclusively through traditional contact methods whenever applicable: said preference can be exercised free of charge by emailing us to privacy@castelfalfi.com.


In order to meet the privacy obligations of the Data Controller in full respect of the principles of simplification of said obligations and pursuant to the General Provision of the Data Protection Authority titled “Consent to the processing of personal data for direct marketing purposes through traditional and automated communication means”, we would like to inform you that the specific consent will be individual as well as inclusive and will make reference to all the possible marketing means, pursuant to articles 23 and 130 of the Privacy Code, as well as to article 7 of the European Regulation 679/16, without prejudice to the possibility of the concerned party to inform the Company, by writing to the email address: privacy@castelfalfi.com about any objection regarding the use of specific means respect to others for receiving marketing communications upon the provision of consent. In addition, also for the purpose of meeting the privacy obligations of the Data Controller in full respect of the principles of simplification of said obligations, we would also like to inform you that the specific consent will be individual as well as inclusive and will also refer to all the different and possible marketing purposes herein detailed (without repeating the consent requests for each marketing purpose pursued by the Data Controller), without prejudice to the right of the concerned party to notify, even at a later date, to the Company a different selection preference regarding consent or non-consent for each marketing purposes.
To proceed with the Processing for Marketing Purposes, it is necessary to acquire a specific consent, which is specific, separate, expressed, documented, advanced, informed, free and fully optional.
Consequently, wherever the concerned party wishes to provide said consent, he/she must be
informed in advance and made aware that the purposes of the processing are of a specific commercial, advertising, promotional and marketing nature in the general sense. Therefore, under the flag of full transparency, we would like to inform you that your data will be collected and subsequently processed on the basis of a specific provision of consent:
1. to send to the subjects that have provided aware consent, advertising and
information material (e.g. Newsletters), promotional material or material, in any case, of a soliciting
commercial nature, pursuant to article 23 and 130 of the privacy code; and art 7 of the European Regulation
2. to carry out direct sales activities or activities promoting products or services of the Company;
3. to send commercial information; perform interactive commercial communications also pursuant to article 58 of the Law Decree 206/2005 through the use of email;
4. to process analyses, researches, and market statistics;
5. to send commercial communications for which the European Regulation requires explicit consent


With reference to the forwarding of Newsletters via email to which you may provide your consent, we would also like to inform you that the electronic contents of said promotional communications may be supported by the use of software (such as cookies or web beacons) that may make the Company become aware of a series of parameters such as, for example: time of opening of the Newsletter, pages viewed of the Newsletter, links clicked inside the Newsletter, links to websites of the Company directly through the Newsletter. These parameters, which will not profile the recipient, aim at making available to the Company
statistical data regarding the booking of services generated through various sources.
Thus, by providing consent to this optional processing, the concerned party specifically acknowledges and authorizes said additional and potential secondary processing.
In any case, even wherever the concerned party has provided consent to authorize the Data Controller to the processing of the data to pursue all the purposes listed in the points from 1 to 5 above, he/she will remain free at any time to revoke such consent by sending, without any need for formalities, a clear notification to that end to the Company to the email address: privacy@castelfalfi.com.


Upon receipt of said opt-out request, the Company will promptly remove and delete the data from its database used for Data Processing for Marketing purposes and inform any third-party of said revocation of consent so as they may also delete the data of the user, if said data were disclosed to them. Receipt of the request for deletion of the data will be automatically valid as confirmation of occurred cancellation.



Notification and dissemination of personal data collected through cookies during the data processing for Marketing purposes.


For the same purposes as those listed in point 1 through 5 of the previous section, the Data Controller would like to inform you that the data may disclose to commercial third parties (Third Parties). Consent provided for the Data Processing for Marketing purposes to the Company in the role of Data Controller - whenever provided by the concerned party - does not include the other and additional data processing for marketing purposes represented by the disclosure to third parties for the same purpose. In order to disclose the data to external parties, it is mandatory to acquire
from the concerned party and additional, separate, added, documented, expressed and full optional consent.
As it is indeed clarified by the Provision issued by the Italian Data Protection Authority detailing the Guidelines to fight Spam:
1. in relation to the disclosure to third parties for marketing purposes in general, the communication or transfer of personal data to third parties for marketing purposes cannot be based on the acquisition of a single and general consent by the concerned parties for such purposes; 2. the Data Controller that intends to collect the personal data of the concerned parties also to disclose (or transfer) them to third parties for their promotional purposes must first provide an appropriate privacy policy that also identifies each of the third parties or, alternatively, indicate the categories (financial or commodity) to which they belong;
3. the data controller must acquire a specific consent for the disclosure (and/or transfer) to third parties of the personal data for promotional purposes, as well as a separate one from the consent required by the Data Controller to carry out its own promotional activity;
4. if the concerned party provides the aforementioned consent for disclosure to third parties, the latter may carry out promotional activities through the automated methods referred to in art. 130, paragraphs 1 and 2 of the Privacy Code, and Article 22 of the EU REGULATION 679/16 without having to acquire a new consent for promotional purposes.
Pursuant to the Provision issued by the Italian Data Protection Authority containing the Guidelines to fight Spam, the third parties recipients of the personal data of the concerned parties for the subsequent Data Processing for Marketing Purposes can be identified with reference to the following commodity or financial categories: publishing, suppliers of electronic communication products and services, Internet service providers, communications agencies, insurance and financial services companies, food and beverage companies, clothing, ICT hardware and software companies, banks and credit institutions, travel agencies, tourism services companies, companies offering personal services and goods, including health products and services, as well as companies providing energy and gas products and services.
The Personal data will be disseminated.



Mandatory or optional consent for the use of cookies for marketing purposes


Methods of providing consent.
We remind you that the provision of both the consent to the use of cookies for marketing purposes and the related and subsequent data processing for Marketing Purposes, as well as the separate consent to the disclosure of the personal data collected through cookies to third parties for Data Processing for Marketing Purposes with the objective and in the manner described above are absolutely optional (and in any case revocable with no formality at a later date) and failure to provide consent will not have any consequence other than the impossibility for the Data Controller and for any third party to process the aforementioned marketing data. In the case of refusal of providing consent for marketing purposes, there will be no impact and/or consequence on the ability to access the Site.
The Data controller uses the service of third parties (mentioned above)


The link to use the service is http://www.youronlinechoices.com/it/le-tue-scelte.


Alternatively, the user may also exercise his/her right to accept the use of cookies also through his/her browser settings. By changing browser settings, it is possible to accept or refuse cookies or to receive a warning message before accepting a cookie from the website being visited.
Cookies may also be deleted by deleting the contents of the "cookies" folder used by browser. Each browser has a different procedure for the management of cookies. Below is a link to the specific instructions for the most popular browsers:
Internet Explorer: http://windows.microsoft.com/i...
Google Chrome: https://support.google.com/acc...
Apple Safari: http://support.apple.com/kb/HT...
Mozilla Firefox: https://support.mozilla.org/it...
Disabling cookiees in Flash:
http://www.macromedia.com/supp...
Please note that if the user completely disables cookies in his/her browser, he/she may not be able to use all of the interactive features available on the website.



Third Party Cookies


While browsing the Site, the user may also receive on its computer device cookies from different websites or different web servers (so-called "third party" cookies): this happens because the Site may contain elements such as, for example, images, maps, sounds, specific links to web pages of other domains that are located on servers other than the one on which the requested page is located. In other words, these cookies are set directly by the website managers or servers other than the one of the Site.
These cookies can be sent to the user's browser by third-party companies directly from their websites from which it is possible to access by browsing the Site of the Data Controller. In such cases, the Company is not involved in the use of such cookies whose transfer falls under the responsibility of said third companies. In fact, as it is clarified by the Privacy Guarantor: "The obligation to inform the user about the use of cookies and to obtain their prior consent, if any, is the responsibility of the operator of the website that uses them, in its capacity as data controller. In the event that a website also allows the transfer of "third party" cookies, the privacy policy and the acquisition of consent are usually borne by the third party. It is necessary that the user is adequately informed, even if in the simplified manner required by law, when accessing the site that allows the storage of third-party cookies, or when accessing the contents provided by third parties and, in any case, before the cookies are downloaded to the user's computer device.
Precisely for the sake of the transparency of information called for by the operators of the "first part site" (i.e. the Site as managed by the Data Controller) where "third party cookies" operate, we would like to inform you that the following third party cookies are used on the Site:




Statistical analysis


The services contained in this section allow the Data Controller to monitor and analyze traffic data and are used to monitor User behavior.


- Google Analytics (Google Inc.)
Google Analytics is a web analysis service provided by Google, Inc. (“Google”). Google uses the Personal Data collected for the purpose of tracking and analyzing the use of this App, drawing up reports and sharing  them with other services developed by Google.
Google may use the Personal Data to contextualize and customize the advertisements of its advertising network.
Personal data collected: Cookies and Usage Information.
Data Processing location: USA – Privacy Policy – Opt Out


Interaction with external social networks and platforms


These services make it possible to interact with social networks, or other external platforms, directly from the pages of this App.
The interactions and information acquired by this App are in any case subjected to the User's  privacy settings set for each social network.
If a service is installed that interacts with social networks, it is possible that, even if Users do not use the service, it collects traffic data related to the pages on which it is installed.


- Like button and social network widgets by Facebook (Facebook, Inc.)
The "Like" button and Facebook social widgets are interaction tools with the Facebook social network, provided by Facebook, Inc.
Personal data collected: Cookies and Usage Information.
Data Processing location: USA – Privacy Policy


Re-marketing and Behavioral Targeting


These services enable this App and its partners to communicate, optimize and provide advertisements based on the past use of this App by the User.
This activity is carried out by tracking Usage Data and the use of Cookies, information that is transferred to the partners to which the re-marketing and behavioral targeting activity is linked.


Facebook Remarketing (Facebook, Inc.)
Facebook Remarketing is a Remarketing and Behavioral Targeting service provided by Facebook, Inc. which links the activity of this App to the Facebook advertising network.
Personal data collected: Cookies and Usage Information.
Data Processing location: USA – Privacy Policy


Content viewing from External Platforms


These services make it possible to view contents hosted on external platforms directly from the pages of this App and to interact with them.
If a service of this type is installed, it is possible that, even if Users do not use the service, it collects traffic data related to the pages on which it is installed.


Youtube Video Widget (Google Inc.)
Youtube is a video content viewing service operated by Google Inc. that allows this App to integrate said contents in its own pages.
Personal data collected: Cookies and Usage Information.
Data Processing location: USA – Privacy Policy


Data Controller and Data Supervisors.
The identification details of the Data Controller of the Company for the data processing of the concerned party (the list of Data Supervisors is available at the Data Controller's registered office) are as follows:


Data Controller
Tenuta di Castelfalfi SpA


loc. Castelfalfi snc


50050 Montaione (FI)


Address for exercising the rights pursuant to art. 7 of the Privacy Code and Articles from 12 to 22 of the EU REGULATION 679/16: RDP@castelfalfi.com (DPO)


Exercising of rights by the concerned party


At any time, the concerned party will have the possibility - with no need for formalities - to exercise his/her rights in relation to the current privacy legislation (also using the appropriate form for the request made available by the Guarantor on www.garanteprivacy.it), which is reported in full below. The exercise of these rights is not subjected to any formal constraint.