Privacy policy

Privacy policy pursuant to art. 13 of EU Regulation no. 2016/679


The information describes the way in which the website (“Website”), is managed with reference to the processing of the personal data of its Users.  The policy is released pursuant to art. 13 of the Regulation (EU) 2016/679 (“GDPR”) and the national laws on the protection of personal data, and is applicable to all Users who visit the Website and interact with the services of Casa E. Mirafiore & Fontanafredda s.r.l.

The policy applies to the Website only and not to other Websites belonging to Third Parties (so-called “Partners”) that may be accessed by the User via links present on the Website.

Who is the Data Controller?

The Data Controller is Casa E. Mirafiore & Fontanafredda s.r.l. with registered office in Via Alba 15, 12050 Serralunga d’Alba (CN), Italy, in the person of its legal representative pro tempore, (“Data Controller”).

Casa E. Mirafiore & Fontanafredda s.r.l. has appointed a Data Protection Officer, who can be contacted at the following e-mail address

Which data is collected?

The Data Controller collects the following types of personal data:

  • Browsing data: the Website may collect information that could enable identification of the User. This type of data includes IP addresses or domain names of computers used by users connecting to the site, URI (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error) and other parameters.
  • Data supplied voluntarily by the User: the Data Controller processes personal and identifying data (name, surname, address, telephone, e-mail).

Users are free to supply their personal data when submitting requests for information to the e-mail addresses of Casa E. Mirafiore & Fontanafredda s.r.l.

The Data Controller doesn’t process requests for information sent to third parties (e.g. Osteria Disguido, Guidoristorante, Fondazione Mirafiore). In this case, personal data will be processed by such parties. Please refer to their privacy policies, at the following websites:

On the occurring occasion of some specific events, such as the Harvest Festival (“Festa della Vendemmia”), personal datas may be processed by external subjects (such as organizational Partners) as independent data controllers. In this case, please refer to their privacy policies published on their own websites.

If the User does not communicate the identification and personal data correctly, the Data Controller may be unable to process the requests, either in full or in part. 

  • Special categories of data included in the “Notes” section (e.g., information on health, racial and ethnic origin, religious beliefs, food intolerances, allergies). Any processing of such data takes place pursuant to art. 9 of the GDPR and, therefore, with the User’s explicit consent. Please note that the Data Controller does not process special categories of data unless strictly necessary for the provision of the service.
  • With regard to the sending of personalised newsletters, the Data Controller processes the User’s e-mail addresses in order to send commercial promotions dedicated to the services/products of Casa E. Mirafiore & Fontanafredda and referred to group companies and business partners. Personal data collected for newsletter activities are processed by the Data Controller and newsletter activities to which you provide your consent on this website, and whose subject are business proposals by group companies and/or business partners, are managed only by Casa E.Mirafiore & Fontanafredda s.r.l. No personal data for marketing purposes will be transferred and disclosed to third parties; in these cases, a specific consent will be required.   
  • Data provided for the booking and purchase of packages (“Experiences, Activities, Packages” as indicated in the General Terms and Conditions of Sale): Personal data is processed for the provision of a service or to allow the User to purchase a product. To this end, it should be noted that Personal Data may be used for marketing purposes in order to send personalised e-mails depending on the products purchased, with the consent of the user.
  • Cookies: for the processing of cookies, please see the relative Cookie policy.

Please note that when the User sends requests for information to Osteria Disguido ( and, GBistrot (, Guido Ristorante ( and and Eventi Fondazione Mirafiore (, he/she will be contacted directly by the restaurants and Fondazione Mirafiore. From that moment on, personal data will be processed by Alciati s.a.s di Ugo Alciati & C. and Fondazione Mirafiore. In this respect, please refer to the relevant privacy policy, published on their websites.

Why and on what legal basis do we process data?

  • Browsing data: browsing data is used to manage statistical information, for the purposes of security and the operation of the Website. The data could also be used to ascertain responsibility in the event of cyber crimes. The legal basis of the process is the legitimate interest of the Data Controller and, in the case of requests by the Legal Authorities, the legal obligation.
  • Personal data and special categories of data supplied voluntarily by the User with a view to being contacted and for the purchase of services and products (so-called “Experiences, Activities, Packages” as indicated in the General Terms and Conditions of Sale): Personal data is processed for the fulfilment of requests and of pre-contractual, contractual or fiscal obligations. Special categories of Data are processed with the User’s explicit consent.
  • Personalised newsletter (marketing activities): the User’s personal data may be processed for marketing purposes only with specific consent, which is optional. A “personalised newsletter” means a personalised promotional communication that may also be based on past purchases and consumer preferences.  The subject of the newsletter is the products and services offered by the Data Controller, group companies and business partners affiliated with Casa E. Mirafiore & Fontanafredda s.r.l.. The legal basis is the User’s consent, which can be withdrawn at any time. With the User’s consent, the Data Controller may, at any time,  collect from its social media business pages (Facebook, Instagram, LinkedIn) information relating to preferences, habits and lifestyle, as well as details of purchases made where Casa E. Mirafiore & Fontanafredda s.r.l. has an e-commerce platform, in order to create group or individual profiles for sending targeted communications in line with your interests, or to carry out market research and statistical analysis, also with anonymous data, organised in aggregate form. When the User subscribes to the newsletter service, they receive a “registration confirmation” e-mail, without which the newsletter will not be active. The user is entitled to withdraw the consent given, unsubscribing or writing to No solely automated decisions-making process is in place.

The User is informed that their personal data may be processed to comply with legal obligations or an order issued by the Authority and to pursue a legitimate interest of the Data Controller or to exercise the latter’s rights, such as the right of defence.

Who are the data recipients?

Personal data can be communicated to the following categories of parties:

  • authorised persons (employees and collaborators);
  • event organisers, in their capacity as outsourcers;
  • providers of services for the management of the activities indicated above, such as sending newsletters (MailUp service);
  • providers of services for the management of the information system (IT consultants);
  • web platform operators.

Those belonging to the above categories act as Data Processors pursuant to art. 28 GDPR. The personal data is processed only by persons authorised by the Data Controller (employees/collaborators), in compliance with art. 29 GDPR, by virtue of their duties or corporate role, who have been instructed on matters relating to privacy.

How long do we keep the data?

The user’s personal data supplied when requesting information and making purchases and bookings is processed by the Data Controller only for the period of time necessary to achieve the purposes of the process, after which they are kept only in compliance with the legal obligations in force on the matter, for administrative purposes or to assert or defend an entitlement.

Personal data processed for the purpose of sending newsletters is kept as long as the User shows interest in receiving the newsletter. To this end, a data retention period criterion which envisages “regular verification” by the Data Controller has been established. According to this criterion, the User who does not show interest in receiving the Casa E. Mirafiore & Fontanafredda s.r.l. newsletter for 36 consecutive months will be automatically deleted from the mailing list.

The User’s personal and fiscal data are retained in order to comply with legal obligations and for legitimate interests, e.g. right of defence.

As far as the retention period for Cookies installed on the website is concerned, please see thecookie policy.

What are the security measures?

The personal data collected is recorded in digital form, using organisational and technical security measures to ensure the protection of confidentiality and to avoid the risks of loss and destruction, unauthorised access, processing that is not permitted or does not comply with the purposes mentioned above.

Some of the security measures implemented include: – backup – use of the https protocol; – use of anti-malware and anti-spam; – use of security plug-ins; – use of a ban list.

Is the data transferred to countries outside the EU?

Personal data is not transferred to non-EU countries or international organisations. The data is stored on servers located in Italy.  Where necessary, the Data Controller may transfer the location of the server, making sure that the transferral of the data outside the EU will take place in compliance with the legal provisions applicable, entering into agreements, if necessary, that guarantee an adequate level of protection or adopting the standard contractual clauses envisaged by the European Commission.

Does the Website target minors?

The Website is not intended for use by minors and no data is collected from minors or processed. In compliance with applicable law, the person exercising parental authority is required to give consent to the collection of the minor’s personal data. In the event that the data of minors is unintentionally sent, the Data Controller will delete it promptly.

What are the User’s rights?

The User may exercise their rights as stated in article 15 et seq. of EU Regulation 2016/679, by writing to the Data Controller at or by registered letter with notification of receipt addressed to Casa E. Mirafiore & Fontanafredda S.r.l., Via Alba, 15 – 12050 Serralunga d’Alba (CN), Italy.

For each processing operation, the User may exercise:

  • the right to access: to obtain a copy of the personal data being processed;
  • the right to object to the processing of personal data for commercial purposes: the User may request the termination of the sending of promotional communications at any time by unsubscribing through the newsletter or by writing to;
  • the right to object to decisions based on purely automated processes: the User may request exclusion from activities, such as profiling, resulting from decisions based on purely automated processes;
  • the right to rectification: to rectify the personal data held by the Data Controller if it is not up to date or correct;
  • the right to withdraw consent: to withdraw the consent given at any time;
  • the right to deletion: the User may request the deletion of personal data when the purposes of the process no longer exist and there are no legitimate interests or legal provisions requiring continuation;
  • the right to restrict processing: to request that processing operations be restricted;
  • the right to data portability: the right to obtain a copy of the data in a structured format that can be electronically transferred to another Data Controller;
  • the right to contact the Data Protection Authority with registered office in Piazza Venezia 11, IT-00187, Rome, 00186 – Rome,  (

For further information on the rights of Users, please visit the page of the Data Protection Authority:

What happens in the event of changes to the Privacy Policy?

The Data Controller reserves the right to amend and update this privacy policy at its own discretion. Any updates will be published on this page and an e-mail will be sent to you indicating the updates.

This Privacy Policy was published on 25 Jenuary 2022