Information notice for Customers and Suppliers


The Data Controller, Villani S.p.A., according to Articles 13 and 14 of European Regulation 679/2016 regarding the protection of personal data ('Regulation'), informs the Data Subject about the processing of their personal information.

Data Controller and contact details

Villani S.p.A.
Address: Via E. Zanasi 24, 41051 Castelnuovo Rangone (MO)
E-mail: – Phone number: +39059534411

Data Subjects and type of information processed

For working activities, Villani S.p.A. only collects common personal data belonging to customers, suppliers, contact persons at customers and suppliers, or those who represent them.
Most of the personal data processed comes directly from the interested parties. Villani S.p.A. uses basic contact information, such as name and surname, address, e-mail, telephone number, and tax data for contractual or legally required documents, commercial data or banking, information on employment and professional relationships, and can also acquire other data from the people themselves during normal working relationships. No personal data of these subjects is processed pursuant to art. 9 of the GDPR.

Types of personal data

Any data provided in relation to your personnel involved in the performance of contracts, including the names of internal contact persons for the management of contracts; positions; telephone numbers; e-mail addresses; any data regarding the legal representatives for the purposes of economic-financial audits (hereinafter ‘Data Subjects’), whether it be directly provided or obtained from the public, shall be processed by the company in accordance with the Regulation and national legislation, including any provisions issued by the Supervisory Authority (Authority for the protection of personal data) where applicable.

Purpose of data processing

The Data Subject’s data is processed by Villani S.p.A. as part of the performance of its economic and commercial activities for purposes connected with the possible establishment, management, and execution of commercial or contractual relations (including the management of the pre-contractual relationship and/or entry into the company’s customer registry). More specifically, the data will be processed for the fulfilment of legal and regulatory obligations (e.g. tax and accounting obligations); the administrative management of contracts and orders, including handling payments and invoices; the receipt of goods at your premises; the management of any litigation; the management of any debt collection; the recruitment of personnel according to the company’s needs; as well as for purposes of intercompany reporting, internal controls (security, asset integrity), and management control. The Data Subject’s data may also be processed periodically to assess the existence of the ethical and legal requirements established by the company. To process the data for the above-mentioned purposes, it is not necessary to obtain specific consent from the Data Subjects as the company can avail itself of the exemptions set out in Articles 6.1 b), c) and f) of Regulation 2016/679.

How the data is provided and processed

The Data Subjects must provide their personal data without which it will not be possible to establish any business relationship, to properly perform pre-contractual and contractual obligations or, where a contractual relationship has already been established, to fulfil the obligations and commitments arising from that contract.
The data will be processed by the company and its employees mainly using electronic and manual systems in accordance with the principles of correctness, fairness and transparency as provided for by the applicable data protection legislation. The confidentiality of the person to whom the data refers will also be protected by means of technical and organizational security measures to ensure an adequate level of security (e.g. preventing access by unauthorized persons, except in the cases required by law).

Data retention

The data will be kept in accordance with the applicable data protection regulations for as long as necessary to fulfil the above-mentioned purposes. For contractual relationships, only the personal data required for the fulfilment of civil and tax obligations will be kept for the duration of the contractual relationship and in compliance with these obligations (e.g. civil obligation to keep invoices and company documents for at least ten years).

Data communication, disclosure, and transfer

Without prejudice to communications carried out in fulfilment of legal and contractual obligations, the data may be passed onto tax or legal consultants that collaborate with the company, as well as to parties permitted by law to receive such information, including Italian and foreign judicial authorities and other public authorities, for purposes connected with the fulfilment of legal obligations or for the fulfilment of obligations assumed and arising from the contractual relationship, including for debt collection needs and defence in court. Contact details may be disclosed for occasional, one-off needs to customers and/or suppliers of the company.

The data will be processed by the personnel in charge at the company, which will also make use of third parties to provide certain services involving the processing of personal data, by way of example and not exhaustively, for all legal, accounting and management services for the evaluation and workplace safety processes, for the management of IT systems and for other support services for the company’s activities and where necessary for the purposes of the coordination and control of the company.

These subjects operate on the basis of specific and adequate instructions when it comes to the processing methods and security measures set out in the contractual documentation. A complete and up-to-date list of the entities that process personal data as data controllers is available upon request by the data subject in the exercise of their rights, as explained below.

The personal data will not be disclosed. The data are not generally transferred outside of the European Union; however, should it be necessary to transfer data to countries outside the European Economic Area for specific needs regarding the location of the company’s servers and the coordination of group activities, including to countries that do not offer adequate protection, the company guarantees adequate levels of protection and safeguarding, including contractual protection in accordance with applicable regulations, including the stipulation of standard contractual clauses.

The list of countries outside the European Economic Area where data are transferred is available upon request in the exercise of your rights.

Rights of the Data Subject

The Data Subject may contact the Data Controller at the contact details indicated here or by writing to to exercise the rights provided by the Regulation (Articles 15-21) in relation to the data processing described herein:
to receive confirmation of the existence of their personal data and access their content (access rights);
to update, amend and/or correct their personal data (rectification rights);
to request the deletion or restriction of the data processed in breach of the law, including data that must not be kept in relation to the purposes that the data was collected or otherwise processed for (right to be forgotten and right to restriction);
to object to the processing (right to object);
to revoke consent, where given, without prejudice to the lawfulness of the processing based on the consent given before revocation;
to lodge a complaint with the Supervisory Authority in the event of a breach of data protection rules;
to receive a copy of the data in electronic format concerning them (the data subject) that was provided within the context of the contract and to request that such data be passed onto another data controller (right to data portability).
To exercise these rights, please contact the Data Controller at its address.