According to the provisions of law, referring to art. 13 of the European Regulation 2016/679, this information is provided to customers, which can be persons or those who are acting on behalf of clients or potential customers such as legal entities, of CANTINA F.LLI ZENI SRL, as provided by the provisions for the variation of the Privacy Code (amended by Legislative Decree 101/2018) to the provisions of the European Regulation 2016/679 concerning the protection of personal data (see below “GDPR”).


The Data Controller (below “Owner”) is CANTINA F.LLI ZENI S.R.L., with registered office in Via Costabella 9 – 37011 Bardolino (VR) – C.F. and VAT No. 04142840232. The Data Protection Officer (DPO) can be contacted at the following e-mail address:


Personal data and identification, subject to processing (such as: Company name, VAT number, name and surname etc.) and contact details (name, address or other personal identification, such as name, surname, telephone number, e-mail, etc.) in compliance with the principles of lawfulness, correctness and transparency, are collected to an adequate extent, relevant and limited to the purposes, previously determined, explicit and legitimate, and directly provided by the interested party for:

– product sales;

– signing and activation of the products supply provided and stated in the contract;

– previous commercial and economic transactions;

– functional operations for the supply of products (logistics and freight transport);

– participation in events organized by the Data Controller or in which he takes part;

– interactions through the website;

– requests for information, including via e-mail.


  1. a) After the registration of your account on the personal data will be processed for purposes related to the commercial sale transaction (which can be direct or online) of a product and the activation of the supply of products listed in the contract (purchase order). Data will be processed also for the organizational management of the requested products, for the fulfillment of contractual obligations (logistics and freight transport). Moreover, they are linkable to the pre-contractual negotiations and commercial relationships, the execution of the agreed services and the communication to satisfy information requests, as well as for compliance with regulatory obligations including accounting, administrative and tax obligations to allow effective management of commercial relations.
  2. b) Personal data will also be processed, with explicit consent, for marketing activities, aimed at communicating and/or sending via e-mail, mail and/or text messages and/or telephone contacts, newsletters, even with automated methods, information and commercial offers and/or promotional material about products or services offered by the Data Controller.
  3. c) Personal data will be processed, with explicit and unequivocal consent to create a customer profile according to your preferences, habits, interests, behaviors, products purchased, responses to market research in order to send tailored commercial communications. For example, the data help us understand, after your purchases, the pages you visited on our websites and mobile applications, what your consumption habits are. In this way we can analyze and customize our promotional campaigns based on your interests. We will process the data for these purposes only, after your previous consent, which is optional and revocable at any time (art.6.1 lett.a) GDPR.
  4. d) The purpose of creating and managing your personal account on the website, if you decide to register, is to identify and assist you in case you will lose your access data (username or password), to allow you to save the list of your favorite products, to set your choices regarding privacy consents, etc.


The legal basis of this document (as stated in point a) and d) ) is created starting by the fulfillment of a legal obligation about which the Owner is responsible, as well as by the execution of a contract (purchase order) which includes the interested party or by the execution of pre-contractual measures adopted upon request of the client.

The process of data for the purposes of marketing and profiling, referred mentioned in points b) and c) in the “purpose” section is instead legalized if the interested party has expressed consent to the processing of his/her personal data for the specific purposes stated above: but, pursuant to art. 7 of the GDPR, the interested party can revoke the consent given at any time by sending a communication to the contact present in this statement. The revocation of the consent does not affect the lawfulness of the process based on consent before the cancellation.

Mandatory or optional nature of providing data

The provision of data is essential to comply with the laws which are governing commercial transactions and taxation, as well as for the achievement of the purposes referred to point a) and d): due to the partial or incorrect provision of data, it could be impossible activate and provide the requested service and this could compromise the contractual relationship in whole or in part.

Providing data (identification and contact details) for the purposes referred to the point b) and c) is optional:

  • If you don’t give the consent to use the data for marketing purposes, this will not affect the legitimacy of the data processing referred to in point a) and d) and it will have no consequences on the use of services, but this will compromise the focus on commercial communications concerning the products and services provided or to have the opportunity to contact those clients who would like to receive promotions dedicated to new products.
  • If you don’t give the consent to use the data for profiling purposes, this will not affect the legitimacy of the data processing referred to point a) and d) and this will not compromise the use of the services, but as a consequence, it will not be possible to personalize our promotional campaign based on your preferences.


Personal data will be processed with paper and electronic instruments, with principles of lawfulness, necessity and relevance, by adopting guarantee measures aimed at identifying adequate security measures at any stage of the process, having regard to the specific purposes of the processing. In this context, personal data is anonymized and identifying data removed if there is no need to process the data in an identifiable form for the processing purposes and, in any case, at the end of the storage term indicated in the next paragraph.

The Data Controller can process the data (with previous consent) for automated decision-making processes (such as profiling) potential customers or individuals data operating in the name and on behalf of clients such as legal persons. The profiling process is used to send personalized commercial offers with no price difference or social class discrimination.

For users which are not registered, this process consists in crossing personal data, which have been collected by relating different features (for example: e-mail and web browsing, interaction on social network channel, use of maps or viewing of audio and video contents, etc.) and the identification tools different than cookies (such as fingerprinting, which builds user profiles on specific parameters).

Personal data will be processed by the staff expressly authorized and trained in matters of personal data protection. The IT technicians and IT team who oversee the operation of the IT system will be able to access the data in an accidental manner.


Personal data will be stored for the period needed to achieve the purposes stated in point a) and d). In particular, they will be kept for a period of time equal to the minimum required, which is until the end of the existing contractual relationships, with the exception of a further period of data retention, equal to ten years, for eventual disputes or in relation to which term has been required by the current civil and fiscal provisions.

Furthermore, if the consent has been given for marketing purposes referred to point b) and for profiling purposes stated in point c), the data will be stored, with the exception of an eventual cancellation of the consent, for a period which cannot exceeding the time necessary to achieve the objectives pursued. After that, data will be erased or made anonymous and processed solely for statistical analysis (except for an additional retention period imposed by law or if there is an explicit request by the Authority).


The personal data processed by the Data Controller will not be disclosed, or will not be disclosed to unknown people, in any possible form, including the possibility to make them available for consultation.

On the other hand, personal data might be communicated to third parties, without the need of a specific consent (Article 6, letters b) and c) of the GDPR) for the purposes stated in point a) and, depending on the singular competence, to Banks and Insurance Institutions and, in general, to any public or private entity to which the communication is mandatory by law or by virtue of bilateral agreements for the fulfillment of the aforementioned purposes. These organizations will treat the data as independent data controllers.

Finally, personal data may be disclosed to third parties that carry out outsourcing activities (for example: professional consultants, companies that provide transport services on behalf of third parties, companies that provide IT services, companies specializing in management of commercial information and electronic communications services) which are used exclusively for the provision of services connected to the purpose pursued, which our organization will evaluate time to time, to ensure greater protection. The complete list of those responsible, identified and appointed, is available as hold by the Data Controller.

In any cases, they will process the data in accordance with the instructions received from the Data Controller, according to the operational profiles assigned to them in relation to the functions performed, limited to what is necessary for the execution of specific operations within the services requested.


Under no circumstances is possible the communication of personal data to another country or any international organization (Article 13, paragraph 1, letter f) of the GDPR). However, the Owner reserves the right to use cloud facilities if the service providers appointed as Data Processors pursuant to and for the purposes of art. 28 of GDPR 2016/679, limited to the performance of specific processing activities, will be chosen among those companies certified in accordance with ISO 27001 (information security), ISO 27017 (cloud security), ISO 27018 (cloud privacy). For marketing purposes, the data, limited to the e-mail address, may be used to send electronic communications (e-mail or newsletter) through the following online platforms:

  • via the MailChimp platform (The Rocket Science Group, LLC, 512 Means St., Suite 404 – 30318 Atlanta, Georgia) outside the European Union.
  • Active Campaign (North Dearborn Street, 5th floor Chicago, IL 60602

The American Company mentioned above, signed an agreement called “EU.U.S. Privacy Shield” with the European Union, therefore, the regulation on privacy is in accordance with the current European provisions of the GDPR.


The interested party, to whom the personal data refer, has the possibility to exercise these rights at any time (pursuant to articles 15-22 of the GDPR) in order to obtain:

  • the confirmation that the processing of personal data concerning him or her is in progress and obtain access to the data and the following information (purposes of the processing, categories of personal data, recipients and / or categories of recipients to whom the data are states and / or will be communicated, retention period);
  • the rectification of inaccurate personal data concerning him/her and/or the integration of incomplete personal data, even providing a further declaration;
  • the deletion of personal data, in the cases provided for by current legislation;
  • the limitation to processing, in the cases provided for by current legislation;
  • the portability of data, to ask the Data Controller for personal data concerning him/her and/or request the Data Controller to directly transmit his data to another Data Controller;
  • disagreement to the processing of personal data concerning him, in the cases provided for by current legislation.

With regards to the exercise of their rights, the interested party may address their requests through specific communication sent by mail addressed to the Data Controller (to the address above) or by sending a communication to the e-mail address, specifying the subject of the request, the right he/she intends to exercise and attaching a photocopy of an ID that certifies the legality of the request.


Interested parties who believe that the processing of personal data referring to them occurs in violation of the provisions of the Regulations, have the right to place a complaint with the competent control authority (Guarantor for the Protection of Personal Data) according to the methods provided on the website (pursuant to art. 77) or to take appropriate judicial proceedings pursuant to art. 79 of the Regulation itself (GDPR).







Cantina F.lli Zeni Srl via Costabella, 9 - 37011 Bardolino, Verona - Italy - Tel. +39 045 721 00 22 - Fax +39 045 621 27 02 - p.iva IT04142840232