Privacy and Security Policy for the processing of personal data

  1. Introduction
    The protection of your personal data is very important for our organization (hereinafter „the organization” or „the operator”), and we want you to be properly informed about the ways in which and the purposes for which we process your personal data.
    The purpose of this Personal Data Processing Privacy and Security Policy (hereinafter „Privacy and Security Policy”) is to outline the principles of our organization with respect to the personal data it processes, and to establish appropriate technical and organizational measures and the responsibilities of our employees who are tasked with the processing of personal data and, as the case may be, of the persons empowered by us to fulfill the obligations regarding the guarantee and protection of the fundamental rights and freedoms of natural persons, in particular the right to intimacy, family and private life, with regard to the processing of personal data.
    If you find any errors in the provisioning of personal data concerning you, please inform us as soon as possible using any of the means specified in Section 7 of this Privacy and Security Policy.
  2. The principles of personal data processing
    1. Personal data is processed by our organization in good faith and in accordance with the legal provisions in force.
    2. Personal data is collected by our organization for well-defined, explicit and legitimate purposes, and further processing will not be incompatible with these purposes.
    3. Personal data is appropriate, relevant and non-excessive in relation to the purpose for which it is collected and subsequently processed.
    4. Personal data is not to be stored by our organization for a longer period than is necessary to achieve the purposes for which it was collected and as long as our organization is under a legal obligation.
    5. The organization has taken appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of illegal processing, as well as the erasure or rectification of inaccurate or incomplete data with regard to the purpose for which they are collected and for which they will be further processed.
  3. Types of data and the purpose of using personal data
    The personal data referred to in this Privacy and Security Policy includes identification information such as first and last name, surname and forename of legal representatives, gender, date and place of birth, age, nationality, telephone / fax, home address / residence, e-mail address, civil code number, identity card / passport serial number, job, profession, training – diplomas – studies, banking data or the like that serve to identify you or the persons representing you or that you represent.
    The organization will collect, use, process and provide your personal data for purposes such as statistics, organizing courses, seminars, for organizing training programs, issuing any financial, human resources, payroll, accounting documents, concluding contracts or any other necessary documents in the activity of our organization.
    Personal data intended for use by our organization is collected by designated persons. Some of this data may be transferred to our contractual partners.
    The collection and processing of personal data of minors by our organization will be done only with the explicit consent of the parents or other legal representatives.
  4. General rules
    1. This Privacy and Security Policy sets out the technical and organizational measures implemented by our organization to meet its obligations regarding the confidentiality and security of the processing carried out in the course of its business. Minimum security requirements are understood as a set of technical, informational, organizational and logistical measures and procedures that ensure a minimum level of processing security, according to the provisions of Regulation (EU) 2016/679 (GDPR).
    2. The organization has adopted appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of illegal processing. In this respect, a person responsible for complying with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”) is designated on behalf of our organization.
    3. In order to meet the relevant legal provisions and satisfy the requirements on the safe keeping of data and information, our organization has developed and implemented organizational and technical measures focused on certain courses of action:
      • User identification and authentication;
      • Type of access;
      • Data collection;
      • Backup execution;
      • Computers and access terminals;
      • Access files;
      • Staff training;
      • Telecommunication systems;
      • Computer usage;
      • Data printing.
  5. Specific procedures
    1. User identification and authentication
      By user it is meant any person acting under the authority of our organization, or a person authorized by us, with a recognized right to access personal data.
      To gain access to personal data, users need to identify themselves.
      In the case of automated processing, the identification is done by authentication in the IT systems of our organization. Authentication is done by entering unique login data, consisting of a username and a password.
      Passwords are security strings of appropriate length and composition, according to our IT Security Policy. When passwords are typed, the characters are not displayed in clear on the monitor. According to our IT Security Policy, passwords must be changed periodically. The organization has implemented an IT system that may automatically refuse a user’s access after several wrong password inputs. Any user who receives access to the personal information database is informed that he / she must maintain the confidentiality of the authentication data and is accountable to the operator in this regard.
      The organization has established a procedure for administering and managing user accounts provided by our IT Security Policy. In accordance with its provisions, clear rules are set with regard to the granting and cancellation of rights and ways of access to the user account. User access to manually managed personal information databases is done strictly based on a list approved by our management.
    2. Type of access
      Users can only access the personal data required to fulfill the tasks assigned by our organization. For this, access types by functionality (administration, input, processing, saving, etc.) and by the actions applied to personal data (writing, reading, deleting), as well as procedures for these types of access, are put in place.
      Developers of personal data processing systems have access to personal data under a strict privacy agreement signed with us, exclusively where required, each transaction being documented.
      The technical support department may have access to personal data in order to resolve incidents and problems encountered in the use of IT systems.
      Computers and servers containing databases with personal information are located in controlled access rooms. Documents containing personal data of the type considered as special categories of data are kept in restricted access rooms.
      The operator has established strict ways to destroy personal data.
    3. Data collection
      The organization designates authorized users for the collection, input and processing of personal data in a computer system or in a manual system.
      Any changes to personal data may only be made by authorized users designated by the operator.
      The operator has taken steps to ensure that the information system records who has made the change, the date and time of the change.
    4. Backup execution
      The computer system automatically performs a back-up of the databases on a daily basis for data recovery in case of loss, destruction or malfunction of computer systems. Our organization sets the timeframe for the backups of personal information databases as well as of the programs used for automated processing. The users executing these backups are designated by the operator and limited in number. Backups are stored in a safe location with restricted access, situated in a different room from the one where the backup is made.
    5. Computers and access terminals
      Computers and other access terminals are installed in lockable, restricted access rooms. If a computer remains on without any user input for a period of time set by the administrator, the session closes automatically. Users are trained to close personal information databases when unauthorized persons are nearby. Servers hosting databases can only be accessed in a controlled manner based on access rights.
    6. Access files
      We take steps to ensure that any access to the personal information database is recorded in an access file set by the operator (called a log, for automated processing) or in a register, in the case of manual personal data processing.
      The information recorded in the access or registry file will be:

      • identification code (the user’s name for manual personal information databases);
      • the name of the file being accessed;
      • the number of records made;
      • type of access;
      • the code of the executed operation or the program used;
      • date of access (year, month, day);
      • time of access (hour, minute, second).

      For automated processing, this information will be stored in a general access file or in separate files for each user.
      The operator is required to keep access files for at least 2 years in order to be used as evidence for investigations. If the investigations are prolonged, these files will be kept until investigations and any actions related to them are completed.
      Access files must make it possible for the operator or the person empowered to identify persons who have accessed personal data without a legitimate reason, for the purpose of applying sanctions or notifying the competent authorities.

    7. Telecommunication systems
      Our organization, through authorized users, periodically checks authentication and access types to detect malfunctions in the use of telecommunication systems. Only the personal data strictly necessary will be transmitted through the telecommunication systems.
    8. Staff training
      Users who have access to personal information databases are trained on the provisions of “GDPR”, on the minimum security requirements for the processing of personal data under our IT Security Policy, and on the importance of maintaining confidentiality and the risks involved in the processing of personal data.
      Users who have access to personal data will be reminded by messages that appear on their monitors during their activity. Users are required to close their work session when they leave the workplace.
    9. Computer usage
      To maintain the security of the processing of personal data (especially against computer viruses), our organization has taken the following measures:
      • use of software originating from unsafe sources is forbidden;
      • users do not have administrator privileges on computers;
      • licensed software is being used;
      • users have been trained on the organization’s IT Security Policy and other general IT operating policies, including the threat of computer viruses;
      • computers are protected through antivirus software;
      • user activity is monitored.
    10. Data printing
      Personal data shall only be printed by the designated users and only for the purposes specified in these Rules.
  6. The rights of persons whose personal data are being collected and/or processed
    According to GDPR, you have the following rights with regard to the processing of your personal data:
    1. The right to information
      You have the right to be provided by our organization, according to art. 13 and 14 of GDPR, with at least the following information, unless you already have that information:
      • the identity and contact details of the controller and the controller’s representative;
      • the purposes of the processing, as well as the legal basis or legitimate interest pursued by the controller for the processing;
      • the recipients or categories of recipients of the personal data, as applicable;
      • the intention to transfer the personal data to a third country or international organization, as applicable;
      • the storage period or, if the period cannot be established, the criteria used to determine that period;
      • the individual’s right to request from our organization access to, rectification, erasure of personal data, restriction of processing concerning the individual, to object to processing, as well as the right to data portability; the right to object to processing shall be presented clearly and separately from any other information;
      • the individual’s right to withdraw consent at any time, where the processing is done based on the individual’s consent; the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal;
      • the right to lodge a complaint with ANSPDCP;
      • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
      • if the data is not collected directly from the data subject, the source where the data originates and, if applicable, whether it came from publicly available sources.
    2. The right of access to data
      You have the right to obtain from our organization, according to art. 15 of GDPR, upon request, confirmation as to whether or not personal data concerning you are being processed and to receive, free of charge, a copy of the personal data undergoing processing and access to the following information:
      • the purposes of processing;
      • the categories of personal data concerned;
      • the recipients or categories of recipients to whom the personal data have been or will be disclosed, including, in case of transfer to a third country or to an international organization, a description of the appropriate safeguards in place;
      • the envisaged storage period or, where possible, the criteria used to determine this period;
      • the right to request from our organization rectification, erasure or restriction of processing of personal data, or to object to such processing;
      • the right to lodge a complaint with ANSPDCP;
      • any available information regarding the source of the personal data, if it was not collected directly from the data subject.

      For any further copies requested by the data subject, we may charge a fee to cover the administrative costs.

    3. The right to rectification
      You have the right to obtain from our organization, according to art. 16 of GDPR, upon request and free of charge, the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
    4. The right to erasure
      You have the right to obtain from our organization, according to art. 17 of GDPR, the erasure of personal data concerning you in any of the following cases:
      • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
      • the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;
      • the individual objects to the processing and there are no overriding legitimate grounds for the processing;
      • the personal data have been unlawfully processed;
      • the personal data have to be erased for compliance with a legal obligation in EU or Romanian law to which our organization is subject.
    5. The right to restriction of processing
      You have the right to obtain from our organization, according to art. 18 and 19 of GDPR, the restriction of processing where one of the following applies:
      • the accuracy of the personal data is contested by the individual, for a period enabling our organization to verify the accuracy of the personal data;
      • the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
      • the organization no longer needs the personal data for the purposes of the processing, but they are required by the individual for the establishment, exercise or defense of legal claims;
      • the individual has objected to processing pending verification whether the legitimate grounds of our organization override those of the data subject.

      When one of the cases of processing restriction is applicable, with the exception of storage, the personal data shall only be processed with the individual’s consent or for limited purposes listed by GDPR.

    6. The right to data portability
      You have the right to receive the personal data concerning you, according to art. 20 of GDPR, which you have provided to our organization, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from our organization in the following cases:
      • the processing is based on the consent given by the individual for one or more specific purposes or the processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract; and
      • the processing is carried out by automated means.

      Where technically feasible, at your request, our organization shall transmit the personal data directly to another controller.

    7. The right to object
      You have the right to object at any time to the processing of personal data concerning you by our organization, as per art. 21 of GDPR, whenever your data is processed by our organization for the purposes of the legitimate interests it pursues. In this case, our organization shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
      Furthermore, you have the right to object at any time to the processing of your personal data for direct marketing purposes, including profiling. If you object to such processing, our organization shall no longer process the personal data for those purposes.
    8. The right not to be subject to an individual decision
      You are entitled, under art. 22 of GDPR, to request and obtain the withdrawal / annulment / re-evaluation of any decision having legal effect on you that was adopted solely on the basis of automated processing of personal data and that produces legal effects concerning you or similarly significantly affects you.
    9. The right to appeal to justice
      You have, according to art. 79 of GDPR, the right to appeal to the courts for the defense of any rights guaranteed by GDPR that have been violated and to obtain an effective judicial remedy, where you consider that your rights under GDPR have been infringed as a result of the processing of your personal data in non-compliance with GDPR.
      Do note that proceedings against our organization shall be brought before the courts of Romania.

    In order to exercise the rights listed above, you may address us with a written, dated and signed request transmitted using the contact details indicated in Section 7 of this Privacy and Security Policy.

  7. Disclosure of personal data to third parties
    Collected data are disclosed to third parties only if our organization is under a legal obligation to do so. In all other cases, any disclosure of personal data to third parties will be made only with your express prior consent.
  8. Final Provisions
    For questions or other queries, please contact us using the contact details provided in the contact section of this website.
The European Commission support for the production of this publication does not constitute an endorsement of the contents which reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.