PRIVACY POLICY

Pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation – hereinafter “GDPR”), this page describes the methods of personal data processing for the user (hereinafter “data subject”) who consults the website of Joint Controllers (hereinafter, also “Il Borro” “Pinino” or “Joint Controllers”) electronically available at the following address: Pinino – tenute.ilborrowines.it.

The present information does not concern other websites, pages or online services that can be reached through hypertext links eventually published in the websites but refer to resources outside the domain of the Joint Controllers.
We inform you that, regarding the processing of Personal Data, the legislation mentioned regulates the obligations envisaged for those who “process” information referring to other subjects, in order to ensure their confidentiality in accordance with the general principles of fairness, lawfulness and transparency. Among the obligations envisaged is that of informing the person to whom Data are referred about the purposes and methods of use made for the relevant information, the security measures adopted to protect and safeguard the Data collected, and the methods for exercising the rights recognized by the regulations in force.
“Processing” of Data means its collection, recording, organization, storage, consultation, deletion and destruction or the combination of two or more of these operations.

1. JOINT CONTROLLERS

The Joint Controllers process Personal Data as part of the use of the website as well as those used for the provision of information related to the services provided by:

• Il Borro S.r.l.;
• Il Borro Tuscan Bistro S.r.l.
• Dal Borro S.r.l.;
• Osteria del Borro S.r.l.;
• Pinino S.r.l.
  
  

2. PURPOSE AND LEGAL BASIS FOR PROCESSING

Your Data are processed for the following purposes:

1. to allow you to access the services made available by the Joint Controllers through their website;
2. browsing this website;
3. in order to comply with the obligations provided for by laws, regulations, contract and Community legislation as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies and which, therefore, in accordance with the Privacy Code and the GDPR do not require consent for their processing;
4. where you consent, for Marketing purposes, relating to the sending of promotional material or communications concerning the goods and services offered by the Joint Controllers;
5. profiling activities, meaning the analysis of your preferences, inclinations and behaviour, in order to offer you products or services in line with your needs.
   

   
   Specifically, for the above purposes, data are processed based on the following lawfulness assumptions:

   • 6, par. 1. Lett. B) GDPR, since, with reference to purposes (a), (b), (c), (d) and (e) of the preceding paragraph, the processing is necessary for the implementation of contractual or pre-contractual measures;
   • 6, par. 1. Lett. C) GDPR, given that, in relation to the purpose referred to in section (f), the processing is necessary for the purpose of fulfilling obligations of a legal nature incumbent on the Joint Controllers of the Processing;

   It follows that, in relation to the aforementioned purposes, the processing is mandatory. Failure, inexact or incomplete provision of data will result in the Joint Controllers being unable to allow you to access the purchase of products and the expected information services.

   • 6, par. 1 Lett. A) GDPR, in which, with respect to the marketing and profiling purposes mentioned in sections (g) and (h), processing is only possible where he/she consents.

   It follows that, for these purposes, the provision of data is optional and failure to provide them does not affect the possibility of accessing the services offered by the Site.

3. TYPES OF DATA PROCESSED

Browsing Data
The computer systems and software procedures used to operate this site acquire, during their normal functioning, some personal data whose transmission is implicit in the use of Internet communication protocols.
This category of data may include technical data (e.g. IP addresses or domain names of computers and terminals used by users, URI/URL notation addresses of requested resources, time of request, method used in submitting the request to the server, size of the file obtained in response, numerical code indicating the status of the response given by the server) and other parameters relating to the user’s operating system and computer environment.

Data provided by the user
The optional, explicit and voluntary sending of messages to the contact addresses, as well as the completion and submission of the forms on the site, imply the acquisition of the sender’s contact data, necessary to reply, as well as all personal data included in the communications.

Cookies and other tracking tools
With respect to which you are advised to look at the Cookie Policy.

4. METHODS OF PROCESSING

Your Data will be processed:

1. both manually and electronically and will be stored both within a paper archive and through the use of a digital database;
2. by individuals authorized to perform these tasks, who are constantly identified, appropriately trained and made aware of the constraints imposed by the GDPR and the Privacy Code;
3. with the use of appropriate security measures (technical and organizational) to ensure a level of security appropriate to the risk of processing, pursuant to Article 32 GDPR.
   
   

5. DATA RETENTION PERIOD

In compliance with the provisions of Article 5, paragraph, 1 letter e) GDPR, the personal data collected will be stored in a form that allows the identification of data subjects for a period of time not exceeding the achievement of the purposes for which the personal data are processed. Retention of data of a personal nature provided depends on the purpose of the processing mentioned in point 2.
All other data retention periods are stipulated by current legislation or existing best practices. For any doubts, you may contact the Joint Controllers.

6. SUBJECTS TO WHOM DATA MAY BE COMMUNICATED

Data for exclusive functional, managerial, fiscal and legal reasons, as part of the execution of the purposes referred to in section 3 may be communicated to subjects and companies related to the activity. These subjects will operate as Data Processors ex art. 28 GDPR, whose names may be made known to the interested party through an express request to be forwarded to ilborro@ilborro.it.
However, data will not be transferred to countries outside the EU.

7. DATA SUBJECT RIGHTS

We inform you that, in relation to the aforementioned processing operations, you may exercise the rights set forth in Articles 15-21 of the GDPR and, specifically, you have the right to obtain from the Joint Controllers confirmation as to whether or not personal data concerning yourself is being processed and, if so, to obtain access to the personal data and the following information:

1. the purposes of the processing;
2. the types of personal data involved;
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
4. the intended retention period of personal data;
5. the existence of data subjects’ right to request from the Joint Controllers the rectification, deletion, or restriction of the Processing of personal data concerning them or to oppose their Processing;
6. if data are not collected from the data subject, all available information about their source;
7. the existence of an automated decision-making process, including profiling, and, at least in such cases, meaningful information about the logic used, as well as the importance and expected consequences of such processing for the data subject.
   
   
8. DATA SUBJECT RIGHTS
   

   You will be able to exercise your rights under Articles 15-21 of the GDPR at any time (including by using the application form made available by the Privacy Authority at www.garanteprivacy.it) by sending e-mail to at: ilborro@ilborro.it.
   
   

   9. DATA SUBJECT RIGHTS
   

   We would like to remind you that if you believe that the processing of data about yourself has violated the provisions of GDPR Regulations, you can always lodge a complaint with the Data Protection Authority or with the authority of the country in which you usually reside, work, or the place where the alleged violation would have occurred.

   10. CHANGE
   

   This policy is subject to change and update. The version published is the one in place as of the update date indicated. Therefore, please check this policy periodically to be informed of any changes.

   Last update: March 2025.