top of page
  • Facebook
  • Instagram
Shadows of Grapes loco.jpg
Correct Logo writing.jpg

Privacy Policy

Dear Sirs,
we hereby inform you that, pursuant to and for the purposes of Articles 4 para. 5 of the Federal Data Protection Act (DPA) and, where applicable, Articles 5, 13 and 14 of the European Regulation (EU) 2016/679 (GDPR), the personal data provided or otherwise acquired in the context of our activity will be processed in compliance with the principles set out in the above-mentioned regulations and the stringent confidentiality obligations to which the activity of our company, Ombre d'Uva di Ivano Carniello, is subject.

It should be noted that only the processing of data falling within the territorial scope of application pursuant to Article 3 GDPR is governed by the European regulation, i.e. in the case of:

(a) processing carried out as part of the activities of an establishment in the EU;

(b) offering goods or services to natural persons in the EU;

(c) monitoring the behaviour of natural persons in the EU.

Ombre d'Uva di Ivano Carniello and its subsidiaries do not have an establishment in the EU. The company may occasionally process personal data of data subjects as part of a general monitoring activity.

‍1. Definitions

‍For the purposes of this notice, the following definitions shall apply:

(a) 'data subject' shall mean any identified or identifiable natural person concerned by one or more personal data. This may be a person who simply browses our website or acquires information by any means, or a person who has made contact with our company and/or entered into a mandate of any kind;

(b) 'personal data' means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity

(c) 'data deserving special protection' or 'special data' means sensitive information such as personal data, social assistance measures, racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data or health data

d) "data relating to criminal convictions and offences or related security measures" means personal data disclosing criminal records, criminal records of administrative offences and related charges, or the status of accused person or person under investigation within the meaning of the Code of Criminal Procedure

(e) 'processing' shall mean any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

(f) 'data controller' means the subsidiary of Ombre d'Uva di Ivano Carniello,

Ivano Carniello

CH - 6964 Davesco


‍2. Categories of personal data processed

‍The Company processes the following categories of personal data in the course of its activities:

(a) ordinary personal data, with particular reference to: personal and contact data (in particular: first name and surname, date of birth, citizenship, relevance, private and professional addresses, photocopy of passport or identity card, private, professional telephone/fax numbers, both fixed and mobile, electronic addresses, identifiers of video/teleconference services, profession, employer, function, academic and professional qualifications, etc.), personal interests, tax data, invoicing data, accounting data;

b) special categories of personal data (in particular: business activity data, origin of funds, family member data, etc.), as well as data relating to possible convictions and offences or related security measures. This data is processed only to the extent necessary to comply with any requests made by the data subject, respectively where required by law, in accordance with the applicable data protection regulations and the binding instructions of the competent supervisory authority.

‍3. Purpose and legal basis of data processing

‍Personal data shall be processed by the Company for the following purposes:

3.1. Purposes deriving from legal obligations
‍The acquisition of certain personal data (in particular: name, surname, address, place and date of birth, tax code, photocopy of identity document) is carried out in implementation of obligations laid down by laws, regulations and sector regulations, or of provisions issued by authorities or supervisory or control bodies.

The purposes pursued are

(a) to identify the person concerned and carry out the appropriate checks to combat money laundering, terrorism and fraud;

b) to carry out all monitoring, reporting and/or notification activities required by regulations (in particular: AUI, CRS, FATCA, QI, etc.)

c) manage administrative-accounting and tax fulfilments.For processing for these purposes, the retention period for personal data is 10 years from the termination of the contractual relationship.

‍3.2. Purposes strictly related and instrumental to the management of contractual relations
‍Some personal data - e.g. the acquisition of information prior to the conclusion of the contract - are instrumental to the conduct of the customer relationship or to the performance of obligations arising from the contract, as well as to the fulfilment of specific requests made by the data subject.

The provision of personal data for this purpose is not obligatory. The person concerned has therefore the right not to provide them, but such a refusal may prejudice the management and/or continuation of the contractual relationship or the execution of the operations ordered by the same.

The purposes pursued are:

a) to identify the identity of the subject, to verify its suitability according to the requirements of the Company;

b) establish a contractual relationship with the Company and ensure the proper execution of related transactions

c) manage the invoicing relationship for the services provided to the person concerned and related expenses

d) providing customer support activities.

For processing for these purposes, the retention period for personal data is 10 years from the termination of the contractual relationship (in line with the ordinary limitation period).

‍3.3. Purposes pursued on the basis of the data subject's consent and duration
‍Pending consent and until opposition, the Company reserves the right to carry out, for its customers, processing of personal data for the purposes of direct marketing and profiling, in particular in connection with newsletters, conferences, promotions, market research, information material, satisfaction surveys, commercial and advertising material or relating to events and initiatives, in particular conferences and free receptions. The Company does not carry out these activities in relation to Data Subjects that may be profiled as a result of behavioural monitoring, whose data, where collected, are used solely for general analysis on the origin of contacts and the type of services of interest.

Processing is carried out by automated means, e-mail, operator phone calls, text messages, chat and paper mail, using the following personal data: first name, last name, private address, telephone number, fax number, e-mail address, social media profile, cookies, technical identifiers (IP number, unique identifiers of mobile devices, etc.).

For processing for these purposes, the period of storage of personal data is for the duration of the mandate and ends at the latest 3 years after the termination of the main contractual relationship or the requested service (e.g. newsletter).

The provision of data is optional, even though it is necessary for the implementation of this purpose. Failure to provide the data therefore means that the person concerned cannot be contacted for direct marketing initiatives based on his or her interests, but does not entail any negative consequences with regard to the purposes set out in paragraphs 3.1 - 3.3 above.

‍4. Categories of recipients to whom the data may be disclosed

‍For the purposes set out above, the data may be communicated to the following categories of recipients, in Switzerland or abroad, including outside the European Union, who take ownership of the data (non-exhaustive list)

(a) corporate bodies;

b) companies providing banking, financial and/or fiduciary services;

c) service companies for the acquisition, registration and processing of data from documents or media provided to the interested parties and concerning processing relating to payments, bills, cheques and other securities;

(d) auditing companies;

(e) lawyers and notaries

(f) governmental, supervisory and tax authorities;

g) companies managing national and international systems for checks and controls in the fight against money laundering, terrorism and fraud.

For the purposes indicated above, the data may be brought to the attention of the following categories of subjects, in Switzerland or abroad, including outside the European Union, who will act as data processors

a) service companies for the acquisition, registration and processing of data from documents or media provided to the data subjects and concerning transactions relating to payments, bills, cheques and other securities;

b) companies carrying out the activity of transmission, enveloping, transport and sorting of communications to data subjects;

c) entities that perform archiving services for documentation relating to relations with data subjects;

d) parties that perform consultancy services on behalf of the company;

e) companies that provide operational services, in particular IT and back office/operations

f) companies providing security and facility management services at the Company's buildings.

In any case, the following is specified

a) the Company does not transmit personal data outside Switzerland, unless it is required to do so by a legal obligation or if this is necessary to fulfil a contract entered into with the data subject, or on his or her instructions;

b) the company's IT platform (in particular: server, fire-wall, e-mail, back-up) is outsourced to a leading Swiss provider; the data is stored in Switzerland and accessible only to authorised persons

(c) no form of dissemination of the collected data to unspecified persons is envisaged.

‍5. Method of data processing

‍The data provided by the data subject may be processed automatically, manually or using electronic or telematic means, including recording on magnetic tape or equivalent support, with logic strictly related to the above-mentioned purposes, and in any event with procedures and systems suitable to guarantee security and confidentiality in accordance with applicable regulations.

The data in question may also be archived and stored both in paper form and in electronic form or on magnetic tape or equivalent support, in the case of recorded telephone calls. In full compliance with the guarantees of security and confidentiality, personal data may be stored on servers located in Switzerland in accordance with the applicable legal provisions.

A copy of the data may be obtained by writing to the Data Controller at the e-mail address or by writing to the Company's registered office.

‍6. Transfer of personal data to countries outside the European Union or the European Economic Area

‍It should be noted that data are transferred abroad solely by virtue of a legal obligation or if this is necessary to fulfil a contract entered into with the data subject, respectively on his/her instructions.

In particular, data may be transferred where necessary for the performance of a contract concluded between the data subject and the controller or the implementation of pre-contractual measures taken at the request of the data subject; or where the transfer is necessary for the conclusion or performance of a contract concluded between the controller and another natural or legal person for the benefit of the data subject; or the transfer is necessary for important reasons of public interest; or the transfer is necessary for the establishment, exercise or defence of legal claims; or the transfer is necessary in order to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and may be consulted either by the public in general or by any person who can demonstrate a legitimate interest, only if the conditions for consultation laid down in Union or Member State law are met.

‍7. Sources from which personal data originate

‍In line with the provisions of Article 14 DPA and 14.2(f) GDPR, the Company processes not only personal data provided directly by the data subjects, but also additional data otherwise obtained, e.g. by consulting public and/or private databases.

In particular, the Company uses databases for its customers to collect information necessary to comply with legislative obligations in the areas of anti-money laundering, anti-terrorism and anti-fraud (e.g. World-Check database). Information and personal data obtained through such databases shall be processed and stored exclusively by the Company.

‍8. Rights of the data subject

‍In accordance with Article 8 DPA, data subjects have the right to verify the accuracy of their personal data and to have them amended, corrected and/or updated. Upon written request, data subjects have the right to be informed whether, and in what manner, personal information concerning them is being processed. Data subjects also have the right to withdraw their consent to the processing of personal data. In certain special cases, access to data may be denied if so required by law.

Data subjects have the right to obtain advice on data protection from the Federal Data Protection Commissioner ('Federal Data Protection Commissioner'), as well as to report unlawful processing for the purpose of intervention when: a. there are processing methods that could harm the personality of a considerable number of people (system error); b. data collections must be recorded (Art. 11a DPA); c. there is an obligation to inform in accordance with Art. 6 para. 3 DPA. The Federal Commissioner can be contacted using the contact details at

In the event that the processing of personal data is subject to the GDPR as a result of profiling based on monitoring pursuant to Art. 3 para. 2 lit. b GDPR, the data subject may assert his or her rights as expressed in Articles 15, 16, 17, 18, 19, 20, 21, 22 GDPR. Data subjects have the right to request from the Data Controller, to the extent provided for in the legislation, free access to the data concerning them, their deletion, the rectification of inaccurate data, the integration of incomplete data, the restriction of processing to storage only, as well as opposition to processing, deletion (right to be forgotten) and portability of the data concerning them. If the processing is based on consent or on contract and is carried out by automated means, data subjects have the right to receive the data in a structured, commonly used and machine-readable format free of charge and, if technically feasible, to have the data transferred to another data controller without hindrance.

Data subjects have the right to withdraw their consent given under Article 6(1)(a) or Article 9(2)(a) of the GDPR at any time, without such withdrawal affecting the lawfulness of the processing based on the same consent given before the withdrawal. Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State in which they habitually reside or work or in the State where the alleged breach occurred.

Irrespective of the reference legislation, the exercise of rights must be made by written communication to the Data Controller, who can be contacted at the e-mail address or by writing to the address of the company's registered office.

‍9. Data Controller / DPO / Persons authorised to process data

‍The data controller is (with registered office in Lugano-Paradiso, via Zorzi 18)

E-mail address:

Telephone number: +41 79 307 35 75

The persons authorised to process the data pursuant to Article 29 of the GDPR are the employees and collaborators of the Company who will process the data in compliance with the principles of confidentiality and security imposed by the applicable regulations.

‍10. Cookies

‍Cookies are text files that are recorded on the user's terminal or that allow access to information on the user's terminal. Cookies make it possible to store information on visitors' preferences and are used to check that the site is working properly and to improve its functionality by customising the content of the pages according to the type of browser being used, or to simplify navigation by automating procedures (e.g. login, site language), and finally to analyse visitors' use of the site. There are different types of cookies (technical, analysis, profiling and marketing cookies, etc.) but our site only uses analysis cookies, i.e. cookies used directly by the site manager to collect information, in aggregate form, on the number of users and how they visit the site.

By clicking "Accept the use of cookies" on the banner when first accessing the site, the visitor expressly consents to the use of cookies and similar technologies, and in particular to the recording of such cookies on his terminal equipment for the purposes indicated above, or to access through cookies to information on his terminal equipment.

‍11. How to disable cookies

‍The user may refuse the use of cookies and may revoke a consent already given at any time. Since cookies are linked to the browser being used, they can be disabled directly from the browser, thus refusing/revoking consent to the use of cookies, or via the banner at the bottom of the page.  Disabling cookies may prevent the proper use of some functions of the site itself, in particular services provided by third parties may not be accessible, and therefore may not be viewable: - YouTube videos or other video sharing services; - social network buttons; - Google maps.

Instructions for disabling cookies can be found on the following web pages: Mozilla Firefox - Microsoft Internet Explorer - Microsoft Edge - Google Chrome - Opera - Apple Safari.

12. Third-party cookies

‍This site also acts as an intermediary for third party cookies (such as social network buttons), which are used to provide additional services and functionality to visitors and to simplify the use of the site itself, or to provide personalised advertising. This site has no control over these third party cookies and has no access to the information collected through these cookies. Information about the use of these cookies and their purposes, and how to disable them, is provided directly by the third parties on the pages indicated below.

Please note that user tracking generally does not involve identification of the user, unless the User has already subscribed to the service and is also already logged in, in which case it is understood that the User has already given his/her consent directly to the third party when subscribing to the relevant service (e.g. Facebook).

This website uses cookies from the following third parties.

- Google Ireland ltd: For information on the use of data and its processing by Google Ireland ltd, please refer to Google's privacy policy, Google's terms of use when using partner sites or apps and the Google Ads Terms of Use.

- Google Analytics: used to analyse how users use the site, to compile reports on site activity and user behaviour, how often users visit the site, how the site is tracked and which pages are visited most frequently. The information is combined with information collected from other sites in order to create a comparative picture of the use of the site in relation to other sites in the same category.

Data collected: browser ID, date and time of interaction with the site, page of origin, IP address.

Place of data processing: European Union as the anonymisation of the service is active.

The data collected does not allow personal identification of users, and is not cross-referenced with other information relating to the same person. They are processed in aggregate form and anonymised (truncated to the last octet). Google Inc. (the data controller) is prohibited from cross-referencing this data with data from other services on the basis of a special agreement (DPA).Further information on Google Analytics cookies can be found on the page Google Analytics Cookie Usage on Websites.

The user can selectively disable (opt-out) the data collection by Google Analytics by installing the appropriate component provided by Google on his browser.

Data collected: number and behaviour of service users, IP address, information linking site visits to the Google account for logged in users, video viewing preferences.

Place of data processing: USA.

‍13. Duration of cookies

‍Some cookies remain active only until the browser is closed or any logout command is executed. Other cookies "survive" when the browser is closed and are available on subsequent visits by the user. These cookies are called persistent and their duration is fixed by the server when they are created. In some cases an expiry date is set, in others the duration is unlimited.

‍14. Social Network Plugins

‍This site also incorporates plugins and/or buttons to enable easy sharing of content on your favourite social networks. When you visit a page on our website that contains a plugin, your browser connects directly to the servers of the social network from where the plugin is loaded, which server can track your visit to our website and, where appropriate, associate it with your social network account, particularly if you are logged in at the time of your visit or if you have recently browsed one of the websites containing social plugins. If you do not wish the social network to record data relating to your visit to our website, you must log out of your social network account and probably delete the cookies that the social network has installed in your browser.

Plugins with advanced privacy protection functions are installed on this site, which do not send cookies or access the cookies on your browser when you open the page but only after you click on the plugin.

The collection and use of information by such third parties is governed by their respective privacy policies to which please refer.

- LinkedIn (link cookie policy)

‍15. Disclaimer

‍This privacy policy is dated 1 July 2023. The intent of the same is to illustrate its activities related to data protection but is not to be considered an exhaustive or binding document with the reservation to modify the document whenever Ombre d'Uva di Ivano Carniello deems it appropriate.



Ivano Carniello

CH - 6964 Davesco 

+41 79 307 35 75

  • Black Facebook Icon
  • Black Instagram Icon

Your form has been sent!

bottom of page