INFORMATION PURSUANT TO ART. 13 AND 14 OF EU REGULATION 2016/679
This page represents the ''Privacy Policy'' of this site and has the purpose of providing information on how the personal data of users who interact with this website, and with the app called ''Andalo Life'', who use the services rendered are processed. through these tools, as well as to provide the information required by art. 13 and 14 of EU Regulation 2016/679.
This information is provided only for this site and for the app called ''Andalo Life'' and not for other websites that may be consulted by the user through links on the web pages of this site or present in the app.
Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the ''Regulation'') establishes rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules relating to the free circulation of such data and protects the fundamental rights and freedoms of natural persons, with particular reference to the right to the protection of personal data.
The art. 4, no. 1 of the Regulation provides that ''Personal Data'' means any information relating to an identified or identifiable natural person (hereinafter, ''Data Subject'').
By ''Processing'' we mean any operation or set of operations, carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction (art. 4, n. 2 of the Regulation).
Pursuant to articles 12 and following. of the Regulation, it is also envisaged that the data subject must be made aware of the appropriate information relating to the processing activities that are carried out by the data controller and to the rights of the data Subjects.
Data Controller
Andalo Gestioni srl
Viale del Parco, 1
38010 - Andalo (TN)
Tel: +39 0461 585776
Mail: info@andalo.life
P.IVA: 0 0319630224
Web sites: https://www.andalogestioni.it/
https://www.andalo.life/
Data Protection Officer
The Data Protection Officer - DPO appointed by the Data Controller can be contacted by email at dpo@andalogestioni.it.
Purpose and legal bases of data processing
The user's personal data will be processed for the pursuit of the following purposes and with the legal bases indicated below:
- for the conclusion and for the correct execution of the contract of which the data subject is a part or for the execution of pre-contractual measures adopted at the request of the same, attributable to the following cases:
- respond to requests for information from the data subject regarding the services/products provided by the Data Controller
- fulfill the request of the data subject for the creation of an andalo.life user, also through the social login function, for access to the reserved area
- fulfill the data subject's request to subscribe to the information newsletters
- consultation of the information made available on the site and/or on the app
- reservation of products/services
- electronic payments of products/services
- association of cards for the recognition of advantages to the data subject (e.g. GuestCard)
The legal basis for the processings listed is represented by the art. 6 par. 1 lit. b) of EU Regulation 2016/679;
- periodically send, via remote communication technologies (email, telephone, sms, whatsapp), commercial communications on the services, products and activities offered by the data controller; the legal basis is represented by consent as required by art. 6 par. 1 lit. a) of EU Regulation 2016/679;
- send e-mails for the purpose of commercial and promotional information for the sale of products/services of the Data Controller, of the same type as those previously purchased by the data subject, except for the refusal to the processing by the same, which can be opposed at any time; the legal basis for this type of processing is represented by the legitimate interest of the Data Controller as provided for by article 6 par. 1 lit. f);
- make navigation of the site and the app indicated above possible and functional, as well as guarantee an adequate level of security, integrity and availability; the legal basis for this type of processing is represented by the legitimate interest of the Data Controller as provided for by article 6 par. 1 lit. f);
- analysis of statistical data on aggregated or anonymous data, with the aim of monitoring the correct functioning of the site and of the app indicated above, traffic, usability and interest; the legal basis for this type of processing is represented by the legitimate interest of the Data Controller as provided for by article 6 par. 1 lit. f);
- ascertain, exercise or defend a right in court; the legal basis for this type of processing is represented by the legitimate interest of the Data Controller as provided for by article 6 par. 1 lit. f);
- to fulfill the obligations established by law (also attributable to the obligations of Administrative Transparency), by a regulation, by community legislation or by an order from the Authority; the legal basis for this type of processing is represented by the provisions of article 6 par.1 lett. c);
Type of data processed
The Data necessary for the pursuit of the purposes set out above will be collected and processed:
- identification data (e.g. Name, Surname, Company name, address, VAT number, tax code)
- contact details (e.g. email, telephone, address)
- login data (e.g. user name, password)
- data relating to the contractual relationship (e.g. Subject of requests, products/services purchased)
- payment data
- data relating to orders/reservations
- data relating to the preferences and interests of the data subject
Navigation data
The computer systems and software procedures used to operate this website and the aforementioned app acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This is information that is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified.
This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user's IT environment.
These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and the app to check their correct functioning and are deleted immediately after processing.
The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site and/or the app.
Refusal to provide data
Apart from that specified for navigation data, users/visitors are free to provide their personal data.
The provision of data is in some cases necessary as, any refusal to provide them, could lead to the failure to conclude or incorrect fulfillment of the contract of which the data subject is a part and/or failure to comply with the legal obligations to which the Data controller is submitted.
The provision of data for processings that require consent is optional, failure to provide it will not make it impossible to use the products/services offered by the Data Controller. Even in the event of consent, the data subject will still have the right to subsequently object, in whole or in part, to the processing of their personal data for the purposes set out above, by making a simple request to the Data Controller at the addresses indicated above.
Data source
The Data will be provided by the data subject or collected from third parties.
Processing method
In compliance with the provisions of art. 5 of the Regulation, the personal data being processed will be:
a) processed in a lawful, correct and transparent manner in relation to the data subject;
b) collected and recorded for specific, explicit and legitimate purposes, and subsequently processed in terms compatible with these purposes;
c) adequate, pertinent and limited to what is necessary with respect to the purposes for which they are processed;
d) accurate and, if necessary, updated;
e) processed in such a way as to guarantee an adequate level of security;
f) stored in a form that allows the identification of the data subject for a period of time not exceeding the achievement of the purposes for which they are processed.
g) The processing will be carried out both with manual and/or IT and telematic tools with organization and processing logics strictly related to the purposes themselves and in any case in order to guarantee the security, integrity and confidentiality of the data in compliance with the organizational measures , physical and logical conditions envisaged by the provisions in force.
Data comunication
The Processing will be performed, in part, directly by the Data Controller: the recipients of the personal data of the data subject include the authorized Subjects belonging to the organization of the Data Controller, suitably trained and made aware of the constraints imposed by EU Regulation 2016/679.
Furthermore, without prejudice to the communications required by law or the exercise of the right of defence, the personal data being processed may be communicated to persons, companies, associations or professional firms that provide services or assistance and consultancy activities to the Data Controller, with particular but not exclusive reference to accounting, legal, administrative, tax and financial matters, as well as technology services. For the pursuit of the purposes indicated above, the data may be communicated to third parties who act as independent Data Controllers or Data Processors designated by the Data Controller. The updated list of Data Processors appointed by the Data Controller can be provided at the request of the data subject.
The Processing will be performed, in part, directly by the Data Controller: the recipients of the personal data of the data subject include the authorized Subjects belonging to the organization of the Data Controller, suitably trained and made aware of the constraints imposed by EU Regulation 2016/679.
Furthermore, without prejudice to the communications required by law or the exercise of the right of defence, the personal data being processed may be communicated to persons, companies, associations or professional firms that provide services or assistance and consultancy activities to the Data Controller, with particular but not exclusive reference to accounting, legal, administrative, tax and financial matters, as well as technology services. For the pursuit of the purposes indicated above, the data may be communicated to third parties who act as independent Data Controllers or Data Processors designated by the Data Controller. The updated list of Data Processors appointed by the Data Controller can be provided at the request of the data subject.
Data dissemination
Personal data will not be disclosed unless this activity is required for the fulfillment of a specific legal obligation to which the Data Controller is Subject.
Data transfer abroad
For the purposes indicated above, Personal Data will be processed within the European Economic Area (EEA). If they are transferred to third countries, in the absence of an adequacy decision by the European Commission, the provisions of the applicable legislation on the transfer of Personal Data to third countries will in any case be complied with, such as the Standard Contractual Clauses provided by the European Commission.
Data retention
In general, Personal Data will be kept for the time strictly necessary for the pursuit of the purposes for which they were collected and processed, including the retention period required by the applicable legislation and, in any case, for a maximum period of 10 years from the termination of the relationship with the Data Controller and for a maximum period of 2 years for the purposes for which your consent is required, except for the possible need for the Data Controller to defend its right in court.
Rights of data Subject
Pursuant to EU Regulation 2016/679 art. 15 et seq. and the national legislation in force, the data subject may, according to the methods and within the limits established by the legislation in force, exercise the following rights:
Art. 15 Right of access by the data Subject
DESCRIPTION
The data Subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data Subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data Subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data Subject.
Where personal data are transferred to a third country or to an international organisation, the data Subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. 2For any further copies requested by the data Subject, the controller may charge a reasonable fee based on administrative costs.
3Where the data Subject makes the request by electronic means, and unless otherwise requested by the data Subject, the information shall be provided in a commonly used electronic form.
ASSUMPTIONS
The right to obtain a copy of your personal data must not harm the rights and freedoms of others.
HOW TO EXERCISE IT
The data subject can exercise the right by sending a request to the email address dpo@andalogestioni.it
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
Art. 16 Right to rectification
DESCRIPTION
The data Subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. 2Taking into account the purposes of the processing, the data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
ASSUMPTIONS
Processing of inaccurate and/or incomplete data
HOW TO EXERCISE IT
The data subject can exercise the right by sending a request to the email address dpo@andalogestioni.it
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
Art. 17 Right to erasure (‘right to be forgotten’)
DESCRIPTION
The data subject has the right to obtain from the data controller the cancellation of personal data concerning him without unjustified delay and the data controller is obliged to cancel the personal data without unjustified delay.
If the data controller has made personal data public and is obliged, pursuant to the preceding paragraph, to cancel them, taking into account the available technology and implementation costs, he adopts reasonable measures, including
technical ones, to inform the data controllers that are processing the personal data of the data Subject's request to delete any link, copy or reproduction of his personal data.
ASSUMPTIONS
The right can be exercised if one of the following reasons exists:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data Subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data Subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data Subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is Subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
b) the data Subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data Subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data Subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is Subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
The right to erasure does not apply to the extent that the processing is necessary:
g) for exercising the right offreedom of expression and information;
h) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is Subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
i) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
j) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
k) for the establishment,exercise or defence of legal claims.
g) for exercising the right offreedom of expression and information;
h) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is Subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
i) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
j) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
k) for the establishment,exercise or defence of legal claims.
HOW TO EXERCISE IT
The data subject can exercise the right by sending a request to the email address dpo@andalogestioni.it
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
Art. 18 Right to restriction of processing
DESCRIPTION
The data subject has the right to obtain the limitation of the processing from the data controller.
If the processing is limited pursuant to the previous paragraph, such personal data are processed, except for storage, only with the consent of the data subject or for the assessment, exercise or defense of a right in court or for protect the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The data subject who has obtained the limitation of processing pursuant to the initial paragraph is informed by the data controller before said limitation is revoked.
The data subject who has obtained the limitation of processing pursuant to the initial paragraph is informed by the data controller before said limitation is revoked.
ASSUMPTIONS
The right can be exercised if one of the following reasons exists:
a) the accuracy of the personal data is contested by the data Subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data Subject for the establishment, exercise or defence of legal claims;
d) the data Subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data Subject.
b) the processing is unlawful and the data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data Subject for the establishment, exercise or defence of legal claims;
d) the data Subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data Subject.
HOW TO EXERCISE IT
The data subject can exercise the right by sending a request to the email address dpo@andalogestioni.it
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
Art. 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
DESCRIPTION
The data controller informs each of the recipients to whom the personal data have been transmitted of any corrections or cancellations or limitations of the processing carried out pursuant to article 16, article 17, paragraph 1, and article 18, unless this proves impossible or involves a disproportionate effort. The data controller
communicates these recipients to the data subject if the data subject requests it.
communicates these recipients to the data subject if the data subject requests it.
HOW TO EXERCISE IT
The data subject can exercise the right by sending a request to the email address dpo@andalogestioni.it
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
Art. 20 Right to data portability
DESCRIPTION
The data subject has the right to receive, in a structured format, commonly used and readable by an automatic device, the personal data concerning him provided to a data controller and has the right to transmit such data to another data controller without impediments from part of the data controller to whom you provided them.
In exercising their rights in relation to data portability pursuant to the previous paragraph, the data subject has the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible
In exercising their rights in relation to data portability pursuant to the previous paragraph, the data subject has the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible
The exercise of the right referred to in the initial paragraph is without prejudice to article 17 - Right to cancellation (''right to be forgotten'').
ASSUMPTIONS
The right can be exercised if one of the following reasons exists:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
b) the processing is carried out by automated means.
This right does not apply to processing necessary for the performance of a task in the public interest or connected to the exercise of public authority vested in the data controller.
The exercise of the right must not harm the rights and freedoms of others.
The exercise of the right must not harm the rights and freedoms of others.
HOW TO EXERCISE IT
The data subject can exercise the right by sending a request to the email address dpo@andalogestioni.it
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
Art. 21 Right to object
DESCRIPTION
The data subject has the right to object at any time.
The data controller refrains from further processing the personal data unless he demonstrates the existence of compelling legitimate reasons to proceed with the processing which prevail over the interests, rights and freedoms of the data Subject or for the assessment, exercise or the defense of a right in court.
If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him carried out for these purposes, including profiling insofar as it is
connected to such direct marketing.
If the data subject opposes the processing for direct marketing purposes, the personal data are no longer processed for these purposes.
If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to article 89, paragraph 1, the data subject, for reasons connected with his particular situation, has the right to object to the processing of personal data which concerns, unless the processing is necessary for the performance of a task in the public interest.
The data controller refrains from further processing the personal data unless he demonstrates the existence of compelling legitimate reasons to proceed with the processing which prevail over the interests, rights and freedoms of the data Subject or for the assessment, exercise or the defense of a right in court.
If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him carried out for these purposes, including profiling insofar as it is
connected to such direct marketing.
If the data subject opposes the processing for direct marketing purposes, the personal data are no longer processed for these purposes.
If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to article 89, paragraph 1, the data subject, for reasons connected with his particular situation, has the right to object to the processing of personal data which concerns, unless the processing is necessary for the performance of a task in the public interest.
ASSUMPTIONS
The right can be exercised if one of the following reasons exists:
- reasons related to your particular situation,
- to the processing of personal data concerning him pursuant to article 6, paragraph 1, letters e (the processing is necessary for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller of the processing) or f (the processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties, provided that the interests or the fundamental rights and freedoms of the data Subject who require the protection of personal data do not prevail, in particular if the data subject is a minor.), including profiling on the basis of these provisions
- reasons related to your particular situation,
- to the processing of personal data concerning him pursuant to article 6, paragraph 1, letters e (the processing is necessary for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller of the processing) or f (the processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties, provided that the interests or the fundamental rights and freedoms of the data Subject who require the protection of personal data do not prevail, in particular if the data subject is a minor.), including profiling on the basis of these provisions
HOW TO EXERCISE IT
The data subject can exercise the right by sending a request to the email address dpo@andalogestioni.it
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
In order to be able to provide a positive response to the request, it is necessary to provide the information necessary for the identification of the data subject.
Before providing an answer, the data controller may need to identify the data subject, as the right can only be exercised by the data subject or by his delegate.
The exercise of rights may take place by sending a request which may be addressed without any formality to the Data Controller at the addresses indicated above.
Before providing a response, the controller may need to identify the data Subject.
A written response will be provided without unjustified delay and, in any case, no later than one month from receipt of the request.
Before providing a response, the controller may need to identify the data Subject.
A written response will be provided without unjustified delay and, in any case, no later than one month from receipt of the request.
Complaint
In the event that the data subject believes that the processing of their personal data violates the provisions of EU Regulation 2016/679, they have the right to lodge a complaint with the Supervisory Authority for the Protection of Personal Data based in Rome, pursuant to art. 77 of the Regulation itself, as well as appealing to the Judicial Authority.
In the event that the data subject believes that the processing of their personal data violates the provisions of EU Regulation 2016/679, they have the right to lodge a complaint with the Supervisory Authority for the Protection of Personal Data based in Rome, pursuant to art. 77 of the Regulation itself, as well as appealing to the Judicial Authority.
Version 1.0
Last update: 17/04/23
Last update: 17/04/23
