Premise

Osteria Acqua Ciara  (hereinafter the "Data Controller"), pursuant to art. 13 and 14 of the EU Regulation n. 679/2016, hereby announces the information relating to the processing of personal data in the provision of its service.

It is necessary to point out right away that the entire information must be read bearing in mind that the Data Controller provides an exclusively targeted service.  to sale of editorial material and training courses.

The information is also inspired by Recommendation no. 2/2001 that the European authorities for the protection of personal data, gathered in the Group established by art. 29 of the directive n. 95/46 / EC, adopted on 17 May 2001 to identify some minimum requirements for the collection of personal data online and, in particular, the methods, timing and nature of the information that the data controllers must provide to users. when these connect to web pages, regardless of the purpose of the connection as following consultation of a site, data relating to identified or identifiable persons may be processed.

The information is provided only for the website of the Data Controller and not for other websites that may be consulted by the user via links.

Art. 1. Owner - Data processing and protection manager The Data Controller of your data is  Osteria Acqua Ciara with registered office in Via Giacomo Scalini, 68, 22034 Cernobbio (CO) telephone +39 031 2258943, email  info@osteriaacquaciara.it

The collaborators and employees of the Data Controller (administrative, commercial staff), as managers and persons in charge of the processing, are all specifically assigned to data processing.

Art. 2. Place of data processing Personal data are processed in the premises of the Data Controller, as well as on IT support by means of the software made available by the various Partners and of the devices made available to the subjects authorized for processing.

Art. 3. Type of data processed The Data Controller processes exclusively data provided voluntarily by the user, or data acquired by third parties with his explicit consent; data strictly necessary to process any request, be it information or service provision.

For the provision of the service and / or for pre-contractual activities, the Data Controller processes the following categories of data:

1. Common personal data

(any information relating to a natural person, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number) including: personal data, banking / financial data, telephone and electronic contacts.

1. a) Navigation data.

The computer systems of the Site and the Blog collect some Personal Data whose transmission is implicit in the use of Internet communication protocols.

This is information that is not collected to be associated with you, but which by its very nature could, through processing and association with data held by third parties, allow you to be identified.

These data are used in order to obtain anonymous statistical information on the use of the Site and to check its correct functioning; to allow - given the architecture of the systems used - the correct provision of the various functions requested by you, for security reasons and to ascertain responsibility in the event of hypothetical computer crimes against the Site or third parties.

For example, at each access to the pages of the Data Controller's website, the user data will be transmitted through the internet browser and saved in protocol files, the so-called server log files.

The following data will be saved: date and time of access, name of the visited site, IP address, URL of the referrer (URL of origin through which you arrived on the websites of the Data Controller), the amount of data transmitted, related information to the product and version of the browser used. The IP addresses of the users are deleted or made anonymous at the end of use. In the case of anonymization, the IP addresses will be modified in such a way that they cannot be attributed to a specific natural person except with an excessive effort in terms of time, costs and labor.

We analyze these log file data sets anonymously in order to improve our offerings, find and eliminate errors faster and to check server capabilities. In support of this information on the data acquired by browsing the portal of the Data Controller, the interested party is invited to consult the session

Cookies to be considered an integral part of this information.

1. b) Data provided voluntarily.

Through the Site you have the possibility to voluntarily provide Personal Data such as name, surname and e-mail address or bank details to make a payment. The Data Controller will process these data in compliance with the Applicable Law, assuming that they refer to you or to third parties who have expressly authorized you to provide them on the basis of an appropriate legal basis that legitimizes the processing of the data in question.

With respect to these hypotheses, you place yourself as an independent Data Controller, assuming all the obligations and responsibilities of the law. In this sense, you grant the widest indemnity on this point with respect to any dispute, claim, request for compensation for damage from treatment, etc. that should reach the Data Controller from third parties whose Personal Data have been processed through your use of the Site in violation of the Applicable Law.

1. c) Data processed in interaction with social networks.

In addition to filling out the appropriate service request forms, you can submit this request, if you have a Facebook or Google profile, also by simply clicking on the "Register with Facebook" or "Register with Google" button. In this case, Facebook or Google will automatically send some of your data to the Data Controller, specified in the appropriate "pop-up" window that is displayed at the time of the request, and there will be no need to fill in other forms on your part.

1. d) Particular Categories of Data.

The App relies on a platform that allows you to access your data, content, programs and results at any time and place. This necessarily involves the processing, by the Data Controller, of data which, as a whole, may reveal some personal details and which, therefore, fall within the category of particular categories of personal data referred to in art. 9 of the Regulations. In fact, the App provides a service that involves the processing of personal data such as, by way of example, name and surname, date of birth, email address, as well as information. In this regard, it is clarified that this information is necessary in order to be able to provide you with the requested assessments.

1. e) Geolocation

Among the services offered by the Site there is the possibility for the user to view their geographical position (transmitted, with prior consent, from the user's device to the application) within a map. These location data are not transmitted or made accessible outside the user's mobile device, the Data Controller therefore does not carry out any processing of these data. Otherwise, the App, with your express authorization, processes the data relating to your location in order to provide you with the service, as better described in the Terms and Conditions of Use of the App itself. You always have the option to deny the App access to your location data through the settings of your mobile device. The images and videos collected during the session will not be processed through specific technical devices suitable for identifying the interested party.

Art. 4. Purpose of the treatment

The Data Controller informs that it will process personal data to the extent strictly necessary to fulfill the following purposes:

1. a) purposes related to the execution of a contract of which you are a party or to the execution of pre-contractual measures adopted at your request;

2. b) purposes related to the fulfillment of a legal obligation to which the Data Controller is subject;

3. c) purposes necessary to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions;

4. d) allow navigation of the Site and the provision of the services of the Data Controller;

5. e) find specific requests addressed to the Data Controller;

6. f) fulfill any obligations established by applicable laws, regulations or community legislation, or satisfy requests from authorities;

7. g) carry out direct marketing via e-mail for services similar to those signed by you, unless your express refusal to receive such communications, which you may express during registration or on subsequent occasions;

8. h) carry out marketing / newsletter activities such as: elaborating studies, researches, market statistics; send information and promotional material relating to the activities, services and products of the Data Controller and its commercial Partners (without any communication of personal data owned by the Data Controller to the aforementioned Partners); send you surveys to improve the service ("customer satisfaction"). These communications may be made via e-mail or text message, through paper mail and / or the use of the telephone with operator and / or through the official pages of the Data Controller on social networks, or even through push notifications via the App; it is specified that the Data Controller collects a single consent for the marketing purposes described here, pursuant to the General Provision of the Guarantor for the Protection of Personal Data "Guidelines on promotional activities and the fight against spam", of 4 July 2013 ; if, in any case, you wish to object to the processing of your data for marketing purposes carried out with the means indicated here, you can do so at any time by contacting the Data Controller at the addresses indicated in the "Contacts" section of this information, without prejudice to the lawfulness of the processing based on the consent given before the revocation;

9. l) for statistical or research purposes, without it being possible to trace your identity.

The user at any time has the right to revoke his authorization for the use of personal data for these purposes, even if only partially or for specific methods of communication. This operation does not involve additional costs and it will only be necessary to send a communication to the known contacts of the Data Controller.

Art. 5. Processing methods

The information systems and computer programs are configured by minimizing the use of personal data and identification data, so as to exclude their processing when the purposes can be pursued through anonymous data or with the use of appropriate methods that allow the identification of the 'interested only in case of need.

To access the service offered by the Data Controller, the interested party will initially provide only common personal data which will be processed by administrative staff.

In fact, the Data Controller takes all possible initiatives and security measures to prevent the appointees from processing data that is not necessary for the accomplishment of the related purpose.

Your personal data will be recorded, processed, managed and archived with the aid of electronic IT tools and only possibly in paper form.

In any case, the chosen method will not affect the security and confidentiality of the data which remain guaranteed.

Personal data are managed with automated tools for the time strictly necessary to achieve the purposes of the processing. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

In this sense, there is a widespread distribution of responsibilities and the possible activities on the data are defined through regulations and operating instructions to the persons in charge. The Data Controller has undertaken to guarantee training and refresher courses on privacy issues, potential dangers and responsibilities related to data processing. Furthermore, all operators who access the computerized systems are identifiable, bound by professional and / or official secrecy and in any case authorized to process them.

In cases where special laws provide for the processing of data in anonymous form (protection of victims of acts of sexual violence and pedophilia, seropositivity, use of narcotic drugs, psychotropic substances and alcohol, intervention of voluntary termination of pregnancy, birth in anonymity, services offered by family counseling, responsible procreation choices, etc.) the data are obscured at the time of their creation in accordance with the provisions of the law in force and are not subject to processing.

The Data Controller does not perform profiling on the data processed.

Art. 6. Security Measures

The processing of personal data is guaranteed by the application of suitable and preventive security measures that make it possible to minimize the risk of destruction or loss, even accidental, of the data, of unauthorized access or processing that is not permitted or does not comply with the purpose of the collection.

Organizational choices and operating procedures regarding security in the processing of personal data are also defined by the processing of sensitive personal data using electronic tools.

The security system for personal data identifies the organizational choices and operating methods regarding the security in the processing of personal data, in particular with regard to:

• the list of personal data processing;

• access to authorized personnel based on the purpose of the processing;

• the analysis of the risks affecting the data;

• the measures to be taken to ensure the integrity and availability of the data;

• the description of the criteria and methods for restoring the availability of data following destruction or damage;

• the provision of training interventions for the persons in charge of processing, to make them aware of the risks affecting the data, of the measures available to prevent harmful events, of the profiles of the regulations on the protection of personal data most relevant in relation to the related activities, of the responsibilities that derive and how to update on the minimum measures adopted by the Data Controller;

• the description of the criteria to be adopted to ensure the adoption of the minimum security measures in case of processing of personal data entrusted outside the structure of the Data Controller or transferred abroad;

• for personal data suitable for revealing the state of health and sexual life, the identification of the criteria to be adopted for encryption or for the separation of such data from other personal data of the interested party.

Art. 7 Recipients of the Treatment

The subjects who will process your personal data are:

- subjects appointed within the structure of the Data Controller, necessary for the provision of the services offered;

- subjects who typically act as data controllers, i.e .:

1. i) persons, companies or professional firms that provide assistance and advice to the Data Controller in accounting, administrative, legal, tax and financial matters;

2. ii) subjects delegated to carry out technical maintenance activities;

iii) credit institutions, insurance companies and brokers;

iii) parent companies, subsidiaries and affiliates of the Data Controller, limited to the pursuit of administrative-accounting purposes connected to the performance of organizational, administrative, financial and accounting activities;

- persons authorized by the Data Controller to process Personal Data who are committed to confidentiality or have an adequate legal obligation of confidentiality; (e.g. employees and collaborators of the Data Controller);

- subjects, bodies or authorities to whom it is mandatory to communicate your personal data by virtue of legal provisions or orders of the authorities;

- judicial authorities in the exercise of their functions when required by the Applicable Regulations.

The display of personal data takes place only by authorized subjects according to specific methods, relating to the content of the contract signed by the data subject and in compliance with the purposes already described.

The designation is carried out by means of an “appointment deed” inserted in the agreements, conventions or contracts that provide for the entrusting of personal data processing externally to the Company.

7.1 Internal Data Processors

The Data Controller, in consideration of the complexity and multiplicity of the institutional functions of the Company, designates as Data Processors:

• each Manager in charge of an Operating Unit of the Company, for the paper databases and for the electronic databases of the individual structures;

• the Manager in charge of the IT Service for centrally managed electronic databases;

• all external subjects who, in any way, use the Data Controller's database on behalf and in the interest of the Data Controller for purposes related to the exercise of its business functions (Article 9).

The designation of the internal managers is linked to the assignment of the structure assignment and is considered accepted by signing the contract.

The Data Controller must inform each Data Processor, as identified by the Regulations, of the responsibilities entrusted to him in relation to the provisions of the regulations in force.

Each Manager must guarantee:

- timely and full compliance with the duties of the Company provided for by the Code, including the safety profile;

- compliance with the provisions of these Regulations as well as the specific instructions given by the Data Controller;

- interaction with the Guarantor in the event of a request for information or other investigations;

- the adoption of suitable measures to guarantee, in the organization of performances and services, respect for the rights, fundamental freedoms and dignity of the interested parties, as well as professional secrecy, without prejudice to the provisions of current legislation and the security system company regarding the methods of processing sensitive data and minimum security measures.

The Data Processor, in relation to the implementation of security measures, has the following duties:

• draw up and update the list of the types of treatments carried out (census - art.16);

• ask the Head of the IT Service to assign an individual and non-reusable personal identification code to each Data Processor for access to data;

• keep the passwords for access to data by the Distributors;

• check with the Head of the IT Service the effectiveness of the protection and antivirus programs as well as define the measures for accessing the premises and the security measures against the risk of intrusion;

• ensure that all security measures regarding the Company's data are applied within the Company itself and externally, if they are accessed by third parties such as Data Processors;

• inform the Data Controller in the event that risks have been identified.

• All those who, in any way, manage, individually and separately from the single structure to which they belong, personal data of third parties, individually assume the quality of autonomous "Controllers" of the treatment.

7.2 External Data Processors

All external subjects who carry out processing operations on the Company's databases, on behalf and in the interest of the same, for purposes related to the exercise of company functions, are appointed "External Managers" of the processing.

External Managers have the obligation:

• to process the data lawfully, fairly and in full compliance with current legislation on privacy;

• to comply with the security measures provided for by the Privacy Code and to adopt all measures that are suitable for preventing and / or avoiding the communication or dissemination of data, the risk of destruction or loss, even accidental, of unauthorized access or processing unauthorized or not in accordance with the purposes of the collection;

• to appoint the persons in charge of the processing within them;

• to ensure that the data processed are brought to the attention only of the personnel in charge of the processing;

• to process the personal data, also of a sensitive and health nature, of the Patients exclusively for the purposes set out in the contract or agreement;

• to comply with the instructions given by the Data Controller;

• to specify the places where the data is physically processed.

In the event of non-compliance with the aforementioned provisions, the external data processors must be considered autonomous "owners" of the treatment and therefore subject to their respective obligations and therefore respond directly and exclusively for any violations of the law.

7.3 Persons in charge of processing

Each employee in charge of a specific service and required to carry out technical processing operations is to be considered, to all effects, "Appointed" pursuant to art. 30 of the Privacy Code.

The Appointee, in carrying out the operations strictly connected to the fulfillment of his functions, must scrupulously comply with the instructions given by the Data Controller and the Manager, undertaking to adopt all the security measures provided for by this Regulation as well as any other measure that is suitable to prevent and / or avoid the communication or dissemination of data, the risk, even accidental, of destruction or loss, of unauthorized access or unauthorized treatment or treatment not in accordance with the purposes of the collection.

The Person in charge collaborates with the Data Controller and the Manager by reporting any risk situations in the processing of data and providing all information necessary for the performance of the control functions.

In particular, the Person in charge must ensure that, during the processing, the data are:

- processed lawfully and fairly;

- collected and recorded for specific, explicit and legitimate purposes, and used in other processing operations in terms compatible with these purposes;

- exact and, if necessary, updated, pertinent, complete, not excessive and, if sensitive data, indispensable with respect to the purposes for which they are collected or subsequently processed;

- kept in a form that allows the identification of the data subject for a period of time not exceeding that necessary for the purposes for which they were collected or subsequently processed.

The Person in charge is required to maintain complete confidentiality on the data of which he has become aware during the performance of his activity, undertaking to communicate the data exclusively to the subjects indicated by the Data Controller and the Manager, only in the cases provided for by law and / or in the carrying out the business activity.

The designation of the Appointee is carried out by means of the employee's preposition, with a hiring provision or service order, to the single service unit for which the permitted processing area is identified by means of the data registration forms.

The Officers must receive suitable and analytical instructions, also for homogeneous groups of functions, regarding the activities on the data entrusted (insertion, updating, cancellation, etc.) and the obligations to which they are required.

Art. 8 Nature of the provision of data and consent

The consent to the processing of personal data is as voluntary as it is essential for the provision of the requested service, that is the main purpose of the data processing (including related administrative activities), since failure to consent would prevent you from using the service.

Below are some special cases of acquiring consent to the processing of data on the basis of special laws or relating to specific categories of reports:

1. a) Minors

The consent to the processing of the data of a child under 16 must be signed by at least one parent exercising parental authority.

1. b) Persons subject to guardianship powers

The guardian presents the consent form for the processing of data on behalf of the protected user, addressing it to the user himself and completing it with his personal data and his signature; attaches to this form the documentation issued by the Judicial Authority or, alternatively, a self-declaration of guardianship.

1. c) Person Who Cannot Sign

The user who cannot sign the consent form due to illiteracy, temporary or permanent physical impediment, without a legal representative, can express his consent verbally or by other means (gestures), of which the operator acknowledges (perhaps with the help of a family member, who knows the patient's ways of expressing himself) with the aid of audiovisual recording tools that will be archived and used exclusively in the event of disputes.

8.1 Marketing Purposes

If the customer gives explicit consent, the contact details provided may be used by the Data Controller for the promotion of products or services similar to those that the customer has purchased or joined, for sending advertising material relating exclusively to the aforementioned services or for carrying out commercial communications.

By granting consent to the processing for marketing purposes, pursuant to art. 6, paragraph 1, letter a) of the Regulations, the interested party specifically takes note of the promotional, commercial and marketing purposes in the broad sense of the treatment and expressly authorizes said treatment both where the means used for the Treatment for Marketing Purposes are the telephone with operator or other non-electronic, non-telematic means or not supported by automatic, electronic or telematic mechanisms and / or procedures that where the means used for the Processing for Marketing Purposes are e-mail, fax, sms, mms, automatic systems without operator intervention and similar, including electronic platforms and other telematic means.

Pursuant to the General Provision of the Privacy Guarantor of May 15, 2013 entitled "Consent to the processing of personal data for" direct marketing "purposes through traditional and automated contact tools", the attention of interested parties is specifically drawn to the fact that:

1. any consent given for the sending of commercial and promotional communications through IT or telematic methods will imply the receipt of such communications, not only through said automated contact methods, but also through traditional methods, such as paper mail or calls via operator;

2. the collection of consent envisaged from time to time will be unitary and comprehensive and will refer to all possible means of marketing processing. To proceed with the Processing for Marketing Purposes, it is mandatory to acquire specific, separate, express, documented, preventive and entirely optional consent.

3. without prejudice to the possibility of freely revoking consent to the processing of personal data for "direct marketing" purposes, even if only partially with respect to certain means or treatments;

4. the aforementioned revocation can be exercised by writing to  amministrazione@celsrl.it  and that the opposition to such treatment will not produce any consequences on the provision of services.

Furthermore, the Data Controller informs the interested party that the data could also be disclosed to third-party business partners. The consent to the Treatment for Marketing Purposes - where provided by the interested party - does not also cover the different and further marketing treatment represented by the communication of data to third parties for the same purposes. To proceed with this communication externally it is mandatory to acquire from the interested party a further, separate, additional, documented, express and completely optional consent, in compliance with the General Provision of the Guarantor of 4 July 2013 containing the Guidelines to combat spam.

Pursuant to the General Provision of the Guarantor of 4 July 2013, containing the Guidelines to combat spam, the third parties recipients of the communications of the personal data of the interested parties for the subsequent Processing for Marketing Purposes can be identified with reference to the following subjects and the following categories commodity or economic:

1. a) Third parties belonging to the product sectors of publishing, sports clubs, suppliers of electronic communication goods and services, Internet service providers, communication agencies, companies that provide insurance and financial services, companies in the food and catering sector, clothing, ICT hardware and software, banks and credit institutions, travel agencies, companies that offer services in the tourism sector, companies that offer services and goods for the person, companies that supply goods and services in the energy and gas sector.

The provision of personal data to the Data Controller and the provision of both the consent to the Processing for Marketing Purposes and the distinct consent to the communication to third parties for the Processing for Marketing Purposes for the purposes and with the methods illustrated above are absolutely optional and always revocable.

Since some purposes of the processing pursued are of a specific commercial, advertising, promotional and marketing nature in a broad sense and that the modules on the Site pursue these purposes by default, where the interested party does not intend to give consent to the Processing for the purpose of Marketing the

as a consequence it will be impossible to use the services of the Data Controller. Failure to provide the Processing for Marketing Purposes will determine interference and / or consequence on any other contractual, contractual or other relationships in place with the user.

Art. 9 Transfer of data abroad

Your personal data may also be transferred to other countries belonging to the European Union, exclusively to allow the employees in charge of the Data Controller to carry out their work in execution of the contract.

Your personal data may also be transferred to the United States (a country not belonging to the European Union) exclusively to allow the employees in charge of the Data Controller to carry out their work in execution of the contract. For this reason, no sensitive data will be transferred abroad. The transfer of personal data to the United States is also guaranteed by the "adequacy decision" of the European Commission on the privacy regulations of that country.

Art. 10 Rights of the interested party

As a subject interested in the processing of personal data, you may at any time make use of the faculties and rights provided for by art. 13 paragraph 2 lett. re a) b) c) d) e) of EU Regulation 679/2016.

In particular, you are entitled to: · The right to obtain confirmation of the existence or otherwise of personal data concerning you; The right of access, that is to have communication of data concerning you upon simple request; The right to object which provides for the possibility of opposing the processing of personal data for legitimate reasons. The right of rectification, i.e. modification and updating of data; The right to be forgotten, i.e. to have the data concerning you deleted. In order to implement the right to be forgotten, the following distinction must be made:

- if the processing of the data requires an express consent, the revocation of the latter will be sufficient to obtain the cancellation, to be understood as automatic, of the data;

- if the processing of data requires consent for conclusive facts, the cancellation can be implemented, upon request, only if the personal data are no longer necessary with respect to the purposes for which they were collected or processed. The right to limit the processing that minimizes the use of data processing to what is necessary for the purposes of the same. However, this right is provided only in the following mandatory cases:

- if the interested party contests the accuracy of the personal data and for the time strictly necessary to verify its accuracy;

- where, in the presence of unlawful processing, the interested party opposes the cancellation of the data;

- where, if the Data Controller no longer needs to keep the data, the interested party is interested in their conservation for the purpose of exercising or defending a right in court;

- in case of opposition to the processing, but only for the time necessary to establish the primacy between the interest of the Data Controller and the right of the data subject.

The limitation can be revoked at any time and the Data Controller will inform the interested party before the revocation is effective. The right to portability of the data provided by the interested party which allows the interested party to receive the personal data concerning him in a commonly used format.

• The right to withdraw consent to the processing of data for the primary purposes of the processing at any time. The revocation of the consent could however make it impossible to provide the service and in any case does not affect the lawfulness of the treatment based on the consent given before the revocation;

- The right to withdraw consent to the processing of data for the secondary marketing and newsletter purposes of the processing at any time. The withdrawal of consent does not make it impossible not to use the services of the Data Controller. In any case, this revocation does not affect the lawfulness of the processing based on the consent given before the revocation; - The right to lodge a complaint for violation of the law with the Privacy Authority, without prejudice to any other judicial action.

Requests should be sent via e-mail to the address:  info@osteriaacquaciara.it

​

Art. 11 Data retention period

The data retention period is provided by the Data Controller within 10 years from the last legally relevant processing or from the acquisition of consent to the processing itself.