Privacy information pursuant to art. 13 of the European Regulation EU 2016/679 (GDPR). Andlay APS No Profit, via Bigari 17/2 40128 Bologna. Email

In relation to the provisions of EU Reg. 2016/679 (European Regulation for the protection of personal data) and subsequent amendments, we hereby communicate the necessary information regarding the processing of personal data provided by the interested party. This information is provided pursuant to art. 13 of EU Reg. 2016/679 (European Regulation for the protection of personal data) and pursuant to art. 13 Legislative Decree 30.6.2003 n. 196 (Privacy Code).


Pursuant to art. 4 and 24 of EU Reg. 2016/679, the data controller is the Andlay Association, with official office in Via Bigari 17/2 Bologna, tax code 91375380374. As the data controller, it informs users who consult the site that the personal data entered is processed in the manner and for the purposes described below.


The Data Controller processes personal identification data (for example, name, surname, company name, address, telephone, e-mail, bank and payment references), communicated by the interested party only to finalize the purchase of the products sold for the fundraising. Data collection is temporary as described in section 8.


Cookies are used only to finalize sales as part of fundraising. Third-party cookies are only those necessary to finalize payments. For additional information, read the Cookie Policy.


The personal data provided will be processed in compliance with the conditions of lawfulness pursuant to art. 6 lett. b of EU Reg. 2016/679, that is to finalize participation in fundraising by purchasing a product and shipping it. Also for:

  • fulfill contractual obligations, legal obligations and administrative-accounting purposes. For the purposes of applying the provisions on the protection of personal data, the treatments carried out for administrative and accounting purposes are those related to the performance of organizational, administrative, financial and accounting activities, regardless of the nature of the data processed;
  • fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority (such as in the field of anti-money laundering);
  • exercise the rights of the owner, for example the right to defense in court.


The personal data provided may be disclosed to recipients, appointed pursuant to art. 28 of EU Reg. 2016/679, which will process the data as managers and / or as natural persons acting under the authority of the Data Controller and Data Processor, in order to comply with contracts or related purposes. Specifically, the data may be disclosed to recipients belonging to the following categories:

  • subjects that provide services for the management of the information system and communication networks of the Data Controller;
  • firms or companies in the context of assistance and consultancy relationships;
  • competent authorities for the fulfillment of legal obligations and / or provisions of public bodies, upon request.

The subjects belonging to the aforementioned categories perform the function of data processing manager, or operate in total autonomy as separate data controllers.


The personal data provided by the interested party will not be transferred abroad within or outside the European Union.


The processing of the data subject's personal data is carried out by means of the operations indicated in art. 4 n. 2) of EU Reg. 2016/679 (GDPR) and more precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Personal data are subjected to both paper and electronic and / or automated processing.


The processing will be carried out in an automated form, with methods and tools aimed at guaranteeing maximum security and confidentiality, by persons specifically appointed to do so. In compliance with the provisions of art. 5 paragraph 1 letter e) of EU Reg. 2016/679, the personal data collected will be stored in a form that allows the identification of the data subjects for a period of time not exceeding the achievement of the purposes for which the personal data are processed.


The provision of data for the purposes referred to in point 3 is mandatory. In their absence it will not be possible to guarantee the related services. The data collected are only for the purpose of participating in the fundraising and are not used for the optional purposes that require the express consent of the interested party, namely:

  • sending information material;
  • sending via e-mail, post, sms, telephone contacts, newsletters, commercial communications or advertising material on products or services offered by the Data Controller or detection of the degree of satisfaction with the quality of services;
  • sending via e-mail, post, sms, telephone contacts, newsletters, commercial and / or promotional communications from third parties.


The interested party may assert their rights as expressed in Articles 15, 16, 17, 18, 19, 20, 21, 22 of EU Regulation 2016/679, by contacting the Data Controller, via the email address

The interested party has the right, at any time, to:

  • obtain confirmation of the existence or not of personal data concerning him, even if not yet registered, and their communication in an intelligible form;
  • obtain the indication: a) of the origin of personal data; b) the purposes and methods of the processing; c) of the logic applied in case of processing carried out with the aid of electronic tools; d) the identity of the owner, managers and designated representative pursuant to art. 5, paragraph 2 of the Privacy Code and art. 3, paragraph 1, GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the State, managers or agents;
  • obtain: a) updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including those that do not need to be kept for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment proves impossible or involves a manifestly disproportionate use of means with respect to the protected right;
  • object, in whole or in part: a) for legitimate reasons to the processing of personal data concerning him, even if pertinent to the purpose of the collection; b) to the processing of personal data concerning him for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by e-mail and / or through traditional marketing methods by telephone and / or paper mail.

Where applicable, the interested party also has the rights referred to in Articles 16-21 GDPR (Right of rectification, right to be forgotten, right to limitation of processing, right to data portability, right of opposition).

Without prejudice to any other administrative and judicial appeal, if the interested party believes that the processing of data concerning him violates the provisions of EU Reg. 2016/679, the interested party has the right, pursuant to art. 15 letter f) of the aforementioned EU Reg. 2016/679, to lodge a complaint with the Guarantor for the protection of personal data and, with reference to art. 6 paragraph 1, letter a) and art. 9, paragraph 2, letter a), the right to withdraw the consent given at any time.

In the event of a request for data portability by the interested party, the Data Controller will provide the personal data concerning him in a commonly used and legible format, without prejudice to paragraphs 3 and 4 of art. 20 of EU Reg. 2016/679.