Pursuant to art. 13 of European Regulation 2016/679, this information is provided to suppliers of CANTINA F.LLI ZENI SRL, whether natural or legal persons, or persons responsible for and operating on behalf of suppliers, in accordance with the provisions adapting the Privacy Code (as amended by Legislative Decree 101/2018) to the requirements of European Regulation 2016/679 concerning the protection of personal data (hereinafter referred to as “GDPR”).


The Data Controller (hereinafter “Owner”) is CANTINA F.LLI ZENI S.R.L., with its registered office at Via Costabella 9 – 37011 Bardolino (VR) – C.F. and VAT No. 04142840232. The Data Protection Manager (DPO) can be contacted by email.


Personal data subject to processing, namely identification data (company name, VAT number, name and surname of natural persons, etc.) and contact details (name, address or other elements of personal identification, such as name, surname, telephone number, e-mail, etc.), are collected, according to the principles of lawfulness and transparency, in a manner that is adequate, relevant and limited to previously determined, explicit and legitimate purposes, and are provided directly by the interested party for:

– supply of a product or service;

– subscription and activation of services stated in the contract;

– previous commercial and economic transactions;

– operations functional to the provision of products or services;

– participation in events organized by the Data Controller or in which it takes part;

– various kinds of requests, including those received via e-mail.


  1. Personal data will be processed for purposes related to the commercial transaction linked to the provision of a product or service, to the activation of the products stated in the contract, and to the organizational management of the requested service for the fulfillment of contractual obligations; for purposes attributable to negotiations and pre-contractual commercial dealings and to the execution of the agreed performances; and to fulfill legal obligations, including accounting, administrative and fiscal responsibilities, and to allow effective management of commercial relations.


The legal basis of the processing consists of the fulfillment of a legal obligation to which the Owner is subject, as well as the execution of a contract to which the interested party is a party or the execution of pre-contractual measures.


The provision of data is essential to fulfil the legal obligations governing commercial transactions and taxation, as well as to achieve the purposes mentioned in point a): failure to provide the data, or partial or incorrect provision, could make it impossible to activate and receive the products or services requested by the Owner and could therefore compromise the contract in whole or in part.


Personal data will be managed through paper and electronic tools, with lawfulness and relevance, adopting safeguards aimed at identifying adequate security measures at every stage of the processing, focusing on specific purposes. At the end of the storage term, personal data are anonymized, and the identifying data will be removed, especially if there is no need to hold them in an identifiable form for the period of the processing purposes (as indicated in the next paragraph). The Data Controller does not carry out any independent decision-making processes (such as profiling) on the data of customers or potential customers or natural persons operating on behalf of clients.

Personal data will be processed by responsible persons who have been expressly authorized and trained in personal data protection. It is possible that the IT technicians and IT staff who oversee the operation of the IT system will be able to accidentally access the data.


Personal data will be stored for the period necessary to achieve the purposes stated in point a). In particular, they will be held for the minimum period necessary, which is until the end of the existing contract, with the exception of a further storage period of approximately ten years for any complaints and possible disputes, or in relation to what is required by tax and civil legislation.


The personal data handled by the Data Controller will not be disseminated, i.e. will not be disclosed to unknown people, in any possible form, not even for consultation.

Personal data may, on the other hand, be communicated to third parties without the need for specific consent (Article 6, letters b) and c) of the GDPR), for the purposes stated in point a), to public or private parties to whom disclosure is required by law or by bilateral agreements for the fulfillment of the aforementioned purposes. These parties will process the data as independent data controllers.

Finally, personal data may be disclosed to third parties that carry out outsourcing activities (for example, professional consultants, companies that provide trucking services on behalf of third parties, companies that provide IT services). Their use of the data is exclusively linked to services related to the aim pursued, which our organization will evaluate from time to time and, to ensure greater protection, the Company will decide whether to appoint them as those responsible for the processing performed. The complete list of those responsible, identified and appointed, is kept in a written document held by the Data Controller.

In any case, those people will process the data in accordance with the instructions received from the Data Controller, according to the operational profiles assigned to them in relation to the functions performed in the Company, limited to what is necessary and instrumental for the execution of specific operations within the services requested.


Under no circumstances will personal data be transferred to another country or to an international organization (Article 13, paragraph 1, letter f) of the GDPR). However, the Owner has the right to use cloud services, in which case the service providers appointed as Data Processors for the purposes stated in art. 28 of the GDPR 2016/679, limited to the performance of specific processing activities, will be chosen among those companies that present sufficient guarantees to implement adequate technical and organizational measures, so that the processing meets the requirements of the GDPR and guarantees the protection of the rights of the interested parties.


The interested party, to whom the personal data refer, has the right to exercise his/her rights at any time (see articles 15-22 of the GDPR) in order to obtain:

  • confirmation that the processing of personal data concerning him or her is in progress, and access to the data and to the following information (purposes of the processing, categories of personal data, recipients and/or categories of recipients to whom the data are or will be communicated, retention period);
  • the rectification of inaccurate personal data concerning him or her and/or the integration of incomplete personal data, including by providing a supplementary declaration;
  • the deletion of personal data, in the cases provided for by current legislation;
  • the limitation of processing, in the cases provided for by current legislation;
  • the portability of data, and to ask the Data Controller for the personal data concerning him or her and/or to request that the Data Controller transmit the data directly to another Data Controller;
  • opposition to the processing of personal data concerning him, in the instances provided for by current legislation.

Concerning their rights, the interested parties may address their requests through a specific communication sent by post to the Data Controller (at the address above) or by e-mail, specifying the subject of the request and the right they intend to refer to, and attaching a copy of an ID that certifies the legitimacy of the request.


Interested parties who believe that the processing of personal data referring to them occurs in violation of the provisions of the Regulation have the right to lodge a complaint with the competent control authority (Guarantor for the Protection of Personal Data) according to the options provided on the website (pursuant to art. 77) or to undertake appropriate judicial proceedings as stated in art. 79 of the Regulation itself (GDPR).