Privacy Policy

Information about personal data processing of the users accessing the website
of the Martoccia di Brunelli Luca Farm

pursuant to art. 13 and following of EU Regulation 679/2016

Why this information?

This page describes the website management procedures of the Martoccia di Brunelli Luca Farm, with reference to the processing of the personal data of users (interested parties) consulting the website.

This information is provided pursuant to articles 13 and following of EU Regulation 679/2016 (hereinafter GDPR - General Data Protection Regulation) to those who interact with the website of the Data Controller, accessible electronically at the following address:, corresponding to the home page of the official website of the Data Controller.

The information is provided only for the Data Controller and does not concern other websites, pages or online services accessible by the user through hypertext links, possibly published on the site and referring to resources external to the domain of the Data Controller.

1- Data Controller

Following consultation of the website, we inform you that data relating to identified or identifiable people may be processed.
The Data Controller is the Martoccia di Brunelli Luca Farm, based in Montalcino (SI), Loc. Podere Martoccia snc, 3, tax code BRNLCU74D03F402X, VAT no. 00942500521, pec:
We inform you that some processing operations may also be carried out by other third parties, to which the Martoccia di Brunelli Luca Farm entrusts certain activities, or part of them, functional to the provision of services. In this case, the above-mentioned subjects will be designated as Managers or persons in charge of the processing and they will be given adequate instructions, with particular reference to the adoption of minimum security measures, in order to guarantee the confidentiality and security of the data.
In particular, in addition to the Data Controller, such data are processed, in the role of Data Processor, by Aruba SpA, which provides the website hosting service.

2- Legal basis and purpose of data processing

The Martoccia di Brunelli Luca Farm (Data Controller) processes the personal data of users (interested parties) on the basis of the following lawfulness criteria and for the purposes outlined below:
a) to fulfill the obligations arising from the contract of sale of the farm's products marketed through its website and to resolve any disputes related to commercial transactions;
b) to fulfill the legal obligations provided for by administrative, accounting and tax legislation;
c) to fulfill a legal obligation, consisting in the communication to the competent Authorities about the possible perpetration of fraudulent activities by unauthorized third parties, carried out through the use of its website;
d) for the pursuit of a legitimate interest of the Data Controller, aimed at managing and finding the contact and information requests presented by the interested party, through the voluntary release of personal data in the contact forms on the website.

3- Types of data processed

During their normal operation, the IT systems and software procedures used to operate this website acquire some personal data whose transmission is implicit in the use of Internet communication protocols.
More specifically, this category of data includes: the pages visited, the origin, the duration of the visit, the origin of the visitor and the type of device used by the visitor.

The optional, explicit and voluntary sending of data communicated by the user through the contact forms on the website entails the subsequent acquisition by the Data Controller of the user's name, the user's e-mail address, and any other personal data included in the communication, necessary to respond to requests sent to the Company by the interested party.
In order to purchase the farm's agricultural products on the website, the user will have to register at the shop and provide the following data: name, surname, company name, address (street, house number, postcode, city, province and country), fax and telephone number, e-mail and password and, for billing purposes, the tax code or VAT number.
The submission of the above-mentioned data is a mandatory requirement for the finalization of the purchase of products which are marketed through the website of the Data Controller.
Failure to provide the aforementioned data will prevent the Data Controller from providing the goods requested by the user.
In addition, users also communicate their data with regard to payment processing.
In this regard, it should be specified that, in relation to the management of payments, the Martoccia di Brunelli Luca Farm makes use of third-party services, which allow payment by credit card or prepaid card, through the Paypal service.
Therefore the above-mentioned service providers will collect and process users' data to process the financial transactions.
To find out about the privacy policies used by Paypal with regard to financial transactions, the interested party may visit the service provider's website to consult its Privacy Policy and obtain further detailed information.
Paypal makes use of the latest anti-fraud technologies and data encryption to protect the data of its customers 24/7.

The Martoccia di Brunelli Luca Farm also receives information on users (interested parties) through social media (Facebook), until the revocation of the "like" left by the same user (interested party) on the Facebook page of the Data Controller.

4- Data provision

The provision of the personal data referred to in point 2 of this information document, letters a) to c), is a mandatory requirement.
Failure to provide the aforementioned data, or their partial or incorrect provision, will prevent the Data Controller from fulfilling the legal and/or contractual obligations provided therein.

5- Communication of data to third parties and transfer of data to foreign countries

Personal data of individual users may be disclosed to external parties for the following purposes: fulfillment of administrative, accounting and tax obligations; with regard to the competent Authorities, in the event that a crime has been committed through the unauthorized use of the website of the Data Controller; to any persons who carry out the maintenance and management of the website; to the Company's trusted lawyers, for the protection of the rights of the Data Controller, in the event that there is a need to resolve disputes with users of the website, relating to non-payments and / or breaches of contractual obligations.
The information collected by the Data Controller is not provided to third parties except to utilize the necessary services and support for the Data Controller's activity.
These services include but are not limited to:
- Hosting and e-mail services of the website;
- Paypal payment service;
- Google Maps service;
- sharing service on social networks (Facebook plug-in).
Cookie services, being tracking technologies used by suppliers / third parties, may also provide information on the navigation of the interested parties. We inform you that, in the case of using Google Maps services and sharing data through the Facebook plug-in, users' personal data may be transferred to foreign countries, in particular to the United States of America, where, in terms of privacy, the agreement that regulates the transfer of data between the EU and the US, the so-called Privacy Shield, applies.
Also, the use of Paypal may entail the transfer of data to foreign countries and, regarding the level of privacy protection of the aforementioned service provider, please refer to the information provided through the Paypal Privacy Policy link.

6- Where and how we store personal data

Personal information is stored on our service provider's servers.
The hosting and e-mail service provider is Aruba SpA, whose servers are located in Europe.
Access to personal data is restricted to authorized and specifically appointed personnel only.
The website uses a 256-bit TLS 1.2 encrypted connection (SSL with security certificate).
Shipping documents and invoices containing the data related to commercial transactions carried out through the website are kept at the Company's headquarters, in archives consisting of cabinets accessible only to authorized personnel.

7- How long the collected information is stored

Personal data provided by the interested party for the specific purposes are maintained for the duration of the performance of the activities indicated therein, unless the termination of the contractual relationship occurs prior to the fulfillment of the same and for the entire duration required to fulfill obligations related to administrative tasks, accounting and tax regulations.
In particular:
- data integrating accounting records: 10 years from the date of the last registration;
- contractual data relating to the service provided: 10 years following the completion of the contract and / or longer prescription period;
- contact data provided by users for information: these are kept for the time necessary to provide the interested party with an answer and for the following six months, after which they will be deleted.
In all other cases, personal data are maintained for the time necessary to provide the requested services or to fulfill legal obligations.

8- Cookies and other tracking systems

Cookies are small text strings used to store some information that may concern the user, his preferences or the internet access device (computer, tablet or mobile phone) and are mainly used to adapt the functioning of the site to the expectations of the user, offering a more personalized browsing experience and memorizing the previously made choices.
A cookie consists of a reduced set of data transferred to the user's browser by a web server and can only be read by the server that made the transfer. It is not executable code and does not transmit viruses.
Various types of cookies can be found on the website of the Data Controller:
- technical cookies, which are essential for navigating the site using all its features. For the installation of these types of cookies, the user's consent is not required, but only the disclosure obligation;
- third-party cookies, which are sent from different websites or web servers, on which some elements may reside, such as images, maps, sounds, links to other domains etc. Cookies other than technical ones are installed or activated only after the consent expressed by the user by interacting with the banner on the website page, or by continuing to browse.
There are no profiling cookies on the Data Controller website.
Below are the types of cookies that are used on the website of the Data Controller and the links to the information of third parties, which also include the indications to manage or disable the cookies published on the related web pages:

Google Maps (Google Inc.)
Google Maps is a map visualization service managed by Google Inc. that allows this website to integrate such content within its pages.
Personal Data collected: Cookies and Usage Data.
Place of treatment: United States – Privacy Policy. Subject adhering to the Privacy Shield;

Facebook page embedding plug-in
It is an interaction service with the Facebook social network, provided by Facebook, Inc.
Personal Data collected: Cookies and Usage Data.
Place of treatment: United States – Privacy Policy. Subject adhering to the Privacy Shield;

Google cookies:
for their description and purpose of use, see the links "types of cookies used by Google" and "management of cookies in the browser".
As highlighted above, the site uses third-party cookies, the installation of which requires the consent of the user (interested party) as indicated above.
For more information about the cookies on the website of the Data Controller, please refer to the specific information on the site.

9- Children's rights

In the event that the navigation of the website is carried out by a child under 14 years of age, registration on the site requires the supervision of a parent or guardian, who remains responsible for the use of the site in the name and on behalf of the aforementioned minor.

10- Rights of the interested parties

Articles 13 and following of the GDPR grant the interested party specific rights, such as:

Right of access (art.15 GDPR):

The right to obtain confirmation as to whether or not personal data concerning the interested party are being processed and, if so, to obtain access to the personal data and to the information referred to in the aforementioned article;

Right to rectification (art. 16 GDPR):

Correction of inaccurate personal data concerning the interested party without undue delay; integration of incomplete personal data of the interested party, taking into account the purposes of the processing;

Right to erasure (right to be forgotten) art. 17 GDPR:

Cancellation of personal data concerning the interested party without undue delay.
The Data Controller has the obligation to delete personal data without undue delay in the cases provided for by art. 17 of the Regulation;

Right to limitation of treatment (art. 18 GDPR):

Limitation of treatment in the cases referred to in art. 18 of the Regulation;

Right to data portability (art. 20 GDPR):

Receipt in a structured format, commonly used and readable by an automatic device, of the personal data of the interested party provided to the Data Controller; right to transmit such data to another Data Controller without impediment by the Data Controller to which they were provided in the cases referred to in art. 20 of the Regulation;

Right to object (art. 21 GDPR):

Right of the interested party to object, at any time, for reasons related to their particular situation, to the processing of their personal data pursuant to art. 6 paragraph 1 lett. e) or f), including profiling based on these provisions.

The exercise of the user's rights (interested party) may take place by sending a request to the following pec address:

The interested party is also informed of the right to lodge a complaint with the Guarantor for the protection of personal data, if it is believed that the processing of user data violates EU Regulation 679/2016.

11- Policy update

This information constitutes the privacy policy of this site and is updated to the new requirements for data processing laid down by EU Regulation 679/2016. This information may undergo further updates following regulatory changes that provide for new and/or different methods of processing personal data.

12- Contact us

For the exercise of the rights of users/visitors (interested parties) and for any other information related to data processed through the Data Controller website please refer to the following email addresses: -  pec: