INFORMATION PURSUANT TO ART. 13 AND 14 OF EU REGULATION 2016/679
This page represents the "Privacy Policy" of this site and has the purpose of providing information on how the personal data of users who interact with this website and with the app called "Andalo Life", and who use the services rendered through these tools, are processed, as well as to provide the information required by art. 13 and 14 of EU Regulation 2016/679.
This information is provided only for this site and for the app called "Andalo Life" and not for other websites that may be consulted by the user through links on the web pages of this site or present in the app.
Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the "Regulation") establishes rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free circulation of such data and protects the fundamental rights and freedoms of natural persons, with particular reference to the right to the protection of personal data.
Art. 4, no. 1 of the Regulation provides that "Personal Data" means any information relating to an identified or identifiable natural person (hereinafter, "Data Subject").
By "Processing" we mean any operation or set of operations, carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction (art. 4, no. 2 of the Regulation).
Pursuant to articles 12 and following of the Regulation, it is also envisaged that the data subject must be made aware of the appropriate information relating to the processing activities that are carried out by the Data Controller and to the rights of data subjects.
Data Controller
Andalo Gestioni srl
Viale del Parco, 1
38010 - Andalo (TN)
Tel: +39 0461 585776
Mail: info@andalo.life
P.IVA: 00319630224
Web sites: https://www.andalogestioni.it/
https://www.andalo.life/
Data Protection Officer
The Data Protection Officer - DPO appointed by the Data Controller can be contacted by email at dpo@andalogestioni.it.
Purpose and legal bases of data processing
The user's personal data will be processed for the pursuit of the following purposes and with the legal bases indicated below:
- for the conclusion and for the correct execution of the contract of which the data subject is a part or for the execution of pre-contractual measures adopted at the request of the same, attributable to the following cases:
- respond to requests for information from the data subject regarding the services/products provided by the Data Controller
- fulfill the request of the data subject for the creation of an andalo.life user, also through the social login function, for access to the reserved area
- fulfill the data subject's request to subscribe to the information newsletters
- consultation of the information made available on the site and/or on the app
- reservation of products/services
- electronic payments of products/services
- association of cards for the recognition of advantages to the data subject (e.g. GuestCard)
The legal basis for the processing operations listed is art. 6 par. 1 lit. b) of EU Regulation 2016/679;
- periodically send, via remote communication technologies (email, telephone, sms, whatsapp), commercial communications on the services, products and activities offered by the data controller; the legal basis is represented by consent as required by art. 6 par. 1 lit. a) of EU Regulation 2016/679;
- send e-mails for the purpose of commercial and promotional information for the sale of products/services of the Data Controller, of the same type as those previously purchased by the data subject, unless the data subject refuses this processing, which they may do at any time; the legal basis for this type of processing is represented by the legitimate interest of the Data Controller as provided for by article 6 par. 1 lit. f);
- make navigation of the site and the app indicated above possible and functional, as well as guarantee an adequate level of security, integrity and availability; the legal basis for this type of processing is represented by the legitimate interest of the Data Controller as provided for by article 6 par. 1 lit. f);
- analysis of statistical data on aggregated or anonymous data, with the aim of monitoring the correct functioning of the site and of the app indicated above, traffic, usability and interest; the legal basis for this type of processing is represented by the legitimate interest of the Data Controller as provided for by article 6 par. 1 lit. f);
- ascertain, exercise or defend a right in court; the legal basis for this type of processing is represented by the legitimate interest of the Data Controller as provided for by article 6 par. 1 lit. f);
- to fulfill the obligations established by law (also attributable to the obligations of Administrative Transparency), by a regulation, by community legislation or by an order from the Authority; the legal basis for this type of processing is represented by the provisions of article 6 par. 1 lit. c);
- identification data (e.g. Name, Surname, Company name, address, VAT number, tax code)
- contact details (e.g. email, telephone, address)
- login data (e.g. user name, password)
- data relating to the contractual relationship (e.g. Subject of requests, products/services purchased)
- payment data
- data relating to orders/reservations
- data relating to the preferences and interests of the data subject
Navigation data
The computer systems and software procedures used to operate this website and the aforementioned app acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This is information that is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified.
This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user's IT environment.
These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and the app to check their correct functioning and are deleted immediately after processing.
The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site and/or the app.
Refusal to provide data
Apart from that specified for navigation data, users/visitors are free to provide their personal data.
The provision of data is in some cases necessary, as any refusal to provide them could lead to the failure to conclude or incorrect fulfillment of the contract of which the data subject is a part and/or failure to comply with the legal obligations to which the Data Controller is subject.
The provision of data for processing that requires consent is optional; failure to provide it will not make it impossible to use the products/services offered by the Data Controller. Even in the event of consent, the data subject will still have the right to subsequently object, in whole or in part, to the processing of their personal data for the purposes set out above, by making a simple request to the Data Controller at the addresses indicated above.
Data source
The Data will be provided by the data subject or collected from third parties.
Processing method
In compliance with the provisions of art. 5 of the Regulation, the personal data being processed will be:
The Processing will be performed, in part, directly by the Data Controller: the recipients of the personal data of the data subject include the authorized subjects belonging to the organization of the Data Controller, suitably trained and made aware of the constraints imposed by EU Regulation 2016/679.
Furthermore, without prejudice to the communications required by law or the exercise of the right of defence, the personal data being processed may be communicated to persons, companies, associations or professional firms that provide services or assistance and consultancy activities to the Data Controller, with particular but not exclusive reference to accounting, legal, administrative, tax and financial matters, as well as technology services. For the pursuit of the purposes indicated above, the data may be communicated to third parties who act as independent Data Controllers or Data Processors designated by the Data Controller. The updated list of Data Processors appointed by the Data Controller can be provided at the request of the data subject.
Data dissemination
Personal data will not be disclosed unless this activity is required for the fulfillment of a specific legal obligation to which the Data Controller is subject.
Data transfer abroad
For the purposes indicated above, Personal Data will be processed within the European Economic Area (EEA). If they are transferred to third countries, in the absence of an adequacy decision by the European Commission, the provisions of the applicable legislation on the transfer of Personal Data to third countries will in any case be complied with, such as the Standard Contractual Clauses provided by the European Commission.
Data retention
In general, Personal Data will be kept for the time strictly necessary for the pursuit of the purposes for which they were collected and processed, including the retention period required by the applicable legislation and, in any case, for a maximum period of 10 years from the termination of the relationship with the Data Controller and for a maximum period of 2 years for the purposes for which your consent is required, except for the possible need for the Data Controller to defend its right in court.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
If the data controller has made personal data public and is obliged, pursuant to the preceding paragraph, to cancel them, taking into account the available technology and implementation costs, he adopts reasonable measures, including technical ones, to inform the data controllers that are processing the personal data of the data subject's request to delete any link, copy or reproduction of his personal data.
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
g) for exercising the right of freedom of expression and information;
h) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
i) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
j) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
k) for the establishment, exercise or defence of legal claims.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
The data subject who has obtained the limitation of processing pursuant to the initial paragraph is informed by the data controller before said limitation is revoked.
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
communicates these recipients to the data subject if the data subject requests it.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
In exercising their rights in relation to data portability pursuant to the previous paragraph, the data subject has the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible.
b) the processing is carried out by automated means.
The exercise of the right must not harm the rights and freedoms of others.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
The data controller refrains from further processing the personal data unless he demonstrates the existence of compelling legitimate reasons to proceed with the processing which prevail over the interests, rights and freedoms of the data subject, or for the assessment, exercise or defense of a right in court.
If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him carried out for these purposes, including profiling insofar as it is connected to such direct marketing.
If the data subject opposes the processing for direct marketing purposes, the personal data are no longer processed for these purposes.
If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to article 89, paragraph 1, the data subject, for reasons connected with his particular situation, has the right to object to the processing of personal data which concerns him, unless the processing is necessary for the performance of a task in the public interest.
- reasons related to your particular situation,
- to the processing of personal data concerning him pursuant to article 6, paragraph 1, letters e (the processing is necessary for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller) or f (the processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties, provided that the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail, in particular if the data subject is a minor), including profiling on the basis of these provisions
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
Before providing a response, the controller may need to identify the data subject.
A written response will be provided without unjustified delay and, in any case, no later than one month from receipt of the request.
In the event that the data subject believes that the processing of their personal data violates the provisions of EU Regulation 2016/679, they have the right to lodge a complaint with the Supervisory Authority for the Protection of Personal Data based in Rome, pursuant to art. 77 of the Regulation itself, as well as appealing to the Judicial Authority.
Last update: 17/04/23