Privacy Policy

Information notice pursuant to Art. 13 of the Regulation (EU) 2016/679 (“GDPR”)

Pursuant to Reg. UE 2016/679 (General Data Protection Regulation) we provide you the deserved information concerning processing of collected personal data. 

The notice is not valid for external links; Data Controller is not to be considered responsible for third parties’ web pages. 

The notice is drawn up pursuant to art. 13 Reg. UE 2016/679 (General Data Protection Regulation), inspired to DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2009, and to Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies – 8 may 2014 by Italian Data Protection Authority, considering the EDPB Guidelines 05/2020 on consent under Regulation 2016/679.

Personal data (art. 4 GDPR): any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can directly or indirectly be identified, in particular by reference to an identifier such as a name, an identification number, a location data, an online identifier or to one or more specific factors to the physical, physiological, genetic, mental, economic, cultural or social identity (C26, C27, C30).

Personal data processed: name, surname, shipping address, telephone number, email, tax code, VAT number for invoicing and invoicing address, navigation data.

Navigation data
Computer systems and procedures software preceded to the operation of this site, acquire, during their normal exercise, some personal data whose transmission is implicit using Internet communication protocols. This category includes: IP addresses, URI/URL (Uniform Resource Identifier/Locator), time of request, type of request, outgoing packet size, server status of response (received, error, etc…) and other parameters related to the operating system (for further information see Cookies policy of this website).

Data provided by data subject
The optional, explicit and voluntary dispatching of messages to contact-addresses, as well as compilation and forwarding of forms that are on Data Controller’s website, involves the acquisition of sender’s personal data necessary to reply, as well as all the personal data included in messages themselves

DATA CONTROLLER, pursuant to art. 4 and 24 of the Regulation (EU) 2016/679, is Villa d’Este S.p.A., having its head office in Via Regina, 40 – 22012 – Cernobbio (CO) 22011, as represented by the pro-tempore legal representative. The contact details of the controller: fax +39 031 348873, e-mail:, telephone: +39 0313481.

For more information on the cookies used by this website please see our cookies policy at the following link.

Purposes Of ProcessingLawfulness Of Processing Data Retention PeriodNature Of Data Provision And Refusal
A) Browsing on this websiteLegitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR): activities that are strictly necessary for the operation of the website and the provision of the navigation service on the platform.Only for the related session, after which the data are deleted.The provision of navigation data is necessary in order to allow you to navigate the website. Failure to provide data will not allow you to navigate on the site.
Processing of personal data of users of the site for management of requests.Legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR): : reply to users’ requests.1 yearThe provision of data is optional. Failure to provide data will not allow you to obtain the requested information.
E-commerce: sale of products online, including delivery and any invoicing; management of after-sales services (returns, refunds); related administrative and accounting activities. 
Purchases can only be made by registering on the website and creating an account. 
Contract (Art. 6, par 1, lett. b) GDPR. Theprocessing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;. 

Compliance with a legal obligation (art. 6 par. 1 lett. c) GDPR). 
In case of invoicing, retention in accordance with legal obligations (art. 2220 Civil Code).

For the account: until deletion from the platform.
The provision of personal data is necessary to process your order. Failure to provide data will not allow you to proceed with your order.
Softspam: promotional and commercial information activities through newsletters to the email address provided during the sale, concerning the same type of product being sold – art. 130, paragraph 4 D.lgs. 196/03 updated to D.lgs. 101/2018.  Legitimate interest of the Data Controller (art. 6, par. 1, lett. f) GDPR): the processing is necessary for the pursuit of the legitimate interest of the Data Controller to maintain contact with its customers in order to continue the relationship provided that the interests or fundamental rights and freedoms of the person concerned do not prevail and Article 130, paragraph 4 of D.lgs.196/03. Up to the consent withdrawal (opt-out)The provision of personal data (email) is necessary in order to receive the newsletter. Failure to provide data will not allow you to receive the newsletter.
B) Creating an account on this website.Contract (Art. 6, par 1, lett. b) GDPR).  The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.Until deletion from the platform.The provision of your personal data is necessary for the creation of the account. Failure to provide data will not allow you to create the account.


The personal data provided will be communicated to subjects who will process personal data as data processor (art. 28 GDPR), as persons acting under the authority of the Joint controllers (art. 29 GDPR), or as autonomous data controllers, in order to follow up on the purposes of the processing indicated above.

Specifically, personal data may be communicated to recipients belonging to the following categories:

  • parties dealing with the shipment of orders;
  • online payment providers;
  • subjects that manage the computer system used by the Controller and the telecommunications networks (including e-mail, the Internet site, site hosting);
  • freelancers, firms or companies in the context of assistance and consultancy relationships;
  • competent authorities to fulfil legal obligations and/or provisions of public bodies, upon request.

The list of data processors is constantly updated and available at the headquarters of the Controller.

Personal data will be not transferred to countries outside the EEA. 

The data subject will be able to exercise their rights as expressed in Articles 15 et seq. of EU Regulation 2016/679, addressing themselves to Data controller at the following email: The data subjects have the right to obtain access to personal data and the rectification or erasure personal data, or the restriction of processing that concerns them. Furthermore, data subjects have the right to object, at any time, to the processing of their data (including automated processing, e.g. profiling) and, with reference to art. 6 paragraph 1, letter a) and art. 9 paragraph 2, letter a), they have the right to withdraw the consent given at any time. To stop receiving automated direct marketing communications (e.g. email), please write an email to at any time with the subject line “unsubscribe from automated” or use our automated unsubscribe systems for email only.  If you wish to stop receiving traditional direct marketing communications (i.e. paper mailings), please write an email to at any time with the subject line “unsubscribe from traditional”. In the cases provided for, data subjects have the right to the portability of their data and in this case the Data Controller will provide them with their personal data in a structured, commonly used and machine-readable format. Without prejudice to any other administrative and judicial appeal, if data subjects believe that the processing of their personal data violates the provisions of Regulation EU 2016/679, pursuant to art. 15 letter f) of the aforementioned Regulation EU 2016/679, they have the right to lodge a complaint with the Data Protection Authority (Garante per la protezione dei dati

Data controller has the right to change, update, add or remove portions of this privacy policy at its sole discretion and at any time. In order to facilitate such verification, this policy will contain an indication of the date of update

Updating date: 02th July 2020