Information provided on the processing of personal data Art. 13 EU Reg. 2016/679

Through this document, Villani Giovanni S.r.l. informs its clients, suppliers and the users of this website of the methods used to process their personal data, pursuant to art. 13 of EU Reg. 2016/679. Personal data is only data related to individuals; data related to companies and legal entities is not what is being referred to in this policy.

The Data Controller

The data Controller is the company Villani Giovanni S.r.l., VAT number 02022390971, which can be contacted at the following addresses/numbers: Via Francesco Frediani, 47/3, 59100 Prato (PO), IT, Tel. +39 0574/572373, e-mail:, PEC:

Types of data processed

Clients and suppliers

With reference to clients and suppliers who are individuals, the Controller will only process their common data. As a non-exhaustive example, the following data can be processed: name and surname, address, tax code, VAT number, telephone number, e-mail address, bank details needed to make and/or receive payments, products purchased.

Data related to legal entities (e.g. company name, registered office, VAT number, company telephones and e-mail etc.) is not personal data and is not dealt with in this policy. However, with reference to legal entity clients and suppliers, some data of individuals indicated as legal representatives or representatives could be processed. In this case too, only common data will be processed; in particular the contact data needed for communications (for example, personal phone number or personal e-mail).

Personal data belonging to special categories pursuant to art. 9 of EU Reg. 2016/679 (racial or ethnic origin, political opinions, religious or philosophical convictions, trade union membership, genetic data, biometric data, data related to health, sex life or the sexual orientation of the person) is not processed, nor is data related to criminal sentences pursuant to art. 10 EU Reg. 2016/679.

Users of the website

Navigation data

The information systems and software procedures used to operate this website acquire, during normal operations, some personal data that is transmitted implicitly when using the Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature it could, through processing and association with data held by third parties, enable identification of users.

This data category includes the IP addresses or domain names of computers used by users connecting to the website, URI (Uniform Resource Identifier) addresses of resources requested, the time of the request, the method used when submitting the request to the server, the size of the file obtained in response, the numerical code indicating the response status given by the server (successful, error, etc.) and other parameters related to the operating system and IT environment of the user.

This data is used solely to obtain anonymous statistical information on use of the website and to check it is operating correctly and is erased straight after processing. The data could be used to ascertain responsibility for hypothetical computer crimes damaging the website. Except for this possibility, web contact data does not currently last for more than seven days.

This data is processed through Google Analytics with anonymised IP, supplied by Google Inc., whose registered office is in the United States and which adheres to the Privacy Shield. The privacy policy of Google Inc. is available at the following link.

Data provided voluntarily by the user

The optional, explicit, voluntary sending of e-mail to the addresses indicated in this website or use of the contact forms implies the subsequent acquisition of the address of the sender, needed to respond to requests, and any other personal data released (such as phone number) or entered in the e-mail.


Specific, detailed information on all aspects related to cookies and their technology is available. Please read it by clicking on the following link: Cookie policy.

Purposes and lawfulness of processing

The above personal data is processed for the following purposes:

  • Enable the execution and correct implementation of contracts with clients and suppliers

All data needed to execute the contract is processed for the aforementioned purpose, such as name and surname of the client or supplier, shipping address, products purchased. Consent from the data subject is not required to process data for the above purpose. Processing lawfulness is based on the need to execute the contract, pursuant to art. 6, letter b) EU Reg. 2016/679.

  • Enable the fulfilment of accounting and fiscal legal obligations

Name and surname, address, tax code, VAT number, products purchased are processed for this purpose. Consent from the data subject is not required to process data for the above purpose. Processing lawfulness is based on the need to fulfil legal obligations related to taxes and accounting, pursuant to art. 6, letter c) EU Reg. 2016/679.

  • Commercial and direct marketing communications (soft spam) by newsletter

The contact data of clients and suppliers such as name, e-mail address and phone number is processed for this purpose. Communications will only concern information that is of potential interest to the client or supplier or promotional offers related to products or services similar to those already purchased by the client. The lawfulness of processing is based on the legitimate interest of the data controller, pursuant to art. 6, letter f) EU Reg. 2016/679. The data subject has the right to object to this processing at any time.

  • Enable the user to navigate the website

Specific consent from the data subject is not required to process data for the above purpose. Processing lawfulness is based on the need to execute the user’s request, pursuant to art. 6, letter b) EU Reg. 2016/679.

  • Enable response to the contact attempts made by the user

Specific consent from the data subject is not required to process data for the above purpose. Processing lawfulness is based on the need to execute the user’s request, pursuant to art. 6, letter b) EU Reg. 2016/679.

Refusal to provide the data needed to execute the contract and to comply with legal obligations means it will be impossible to execute the contract.

External processors

The Controller may outsource some processing of the personal data of its clients and suppliers (to consultants, accountants, hosting providers, suppliers of cloud computing services, IT system maintenance operators, etc.) to both legal entities and individuals, also ensuring contractually that those parties keep the personal data absolutely confidential and process it in compliance with the adequate guarantees and security measures required by EU Reg. 2016/679.

The newsletter service is managed by the external processor using the platform MailChimp, belonging to the company The Rocket Science Group LLC, with registered office in the USA, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, which operates externally as sub-processor pursuant to art. 28 EU Reg. 2016/679.

The MailChimp service was chosen by the Processor and authorised by the Controller as it guarantees an adequate level of protection for the personal data of the data subjects. To see their privacy policy please visit the following link:

Processors and recipients of personal data

Along with the Controller and external processors, the personal data of clients and suppliers can be processed by personnel assigned to do so. These parties are specifically appointed as processors and are given all the instructions needed to guarantee the protection and confidentiality of personal data.

Some personal data can be communicated to accountants or other external consultants, solely to assist the Controller with drafting the financial statements and complying with further accounting and fiscal obligations. In compliance with the principle of minimisation, only data strictly needed for that purpose will be communicated (name, surname, tax code and/or VAT number, address, payment data, invoicing data, products purchased/sold etc.). Data that is not needed for the purpose will not be communicated (e-mail address, phone number, fax number etc.) unless it is contained on the headed paper of supplier invoices.

In order to enable the Controller to fulfil its fiscal obligations, some data can be transmitted to the Revenue Office.

The Controller may communicate the personal data of the data subject to public authorities if obliged to do so by a law or the order of a Judge.

Method and duration of processing

The personal data of clients and suppliers can be processed electronically and by being stored in paper archives.

The Controller prepares adequate measures to protect the personal data of its clients and suppliers, in proportion to the risk level involved.

The personal data needed to execute a contract will be stored for the duration needed to execute the contract. The contact data of individuals (such as phone number and e-mail address) can be stored for a longer period of time when the clients/suppliers are regular ones. This is to avoid having to ask for the same data each time, slowing down the work of both parties. Once a period deemed appropriate, quantified as 24 months, has gone by since the last contact, the Controller undertakes to erase that data too.

The personal data needed to fulfil fiscal and accounting obligations is stored, in digital form and/or on paper, for 10 years in compliance with legal obligations.

Rights of the data subject

The data subject has the right, at any time, to ask the Controller to be informed of the personal data concerning him/her that is being processed by the latter, pursuant to art. 15 EU Reg. 2016/679. He/she also has the right to ask for data to be rectified pursuant to art. 16 EU Reg. 2016/679, erased pursuant to art. 17 EU Reg. 2016/679 or restricted pursuant to art. 18 EU Reg. 2016/679, to data portability pursuant to art. 20 EU Reg. 2016/679, and to object to processing pursuant to art. 21 EU Reg. 2016/679.

If the data subject feels there has been a violation in the processing of his/her data, he/she may lodge a complaint with the personal data protection Authority.

The data subject may not oppose processing or demand erasure of data that the Controller is obliged to process in compliance with accounting, fiscal or other legal obligations.


For any communication or to exercise his/her personal data processing rights, the data subject may contact the Controller using the contact data provided above.
