This Policy regarding the processing and protection of personal data (hereinafter the “Policy”) defines the procedure for processing and protecting personal data at Perpetuum S.R.L., a limited liability company organized and operating in accordance with the laws of Romania, headquartered in Romania, Moreni, Teis street, no. 16D, Dambovita county, registered at the Trade Register Dambovita under no. J15/1386/1993, CUI RO4641601 (hereinafter “Perpetuum S.R.L.” or the “Operator”), and establishes the procedures aimed at preventing and highlighting any violations of the applicable law regarding personal data.
This Policy was drawn up in accordance with Romanian and European Union legislation, in particular the following documents:
• General Data Protection Regulation (GDPR), adopted by the European Parliament and by the European Council on 27 April 2016.
• Any other law regarding the protection of personal data applicable in Romania.
2. PURPOSE OF THIS POLICY
The main purposes of this Policy are:
• Establishing a procedure, as well as the terms and conditions, for the processing of personal data, including procedures to prevent violations of the law and internal control procedures in accordance with the applicable law on personal data.
• Presentation of the Perpetuum employee responsible for processing personal data.
• Establishing responsibilities for staff who process personal data in case of non-compliance with the applicable law on personal data.
• Respecting the right of data subjects to be informed about how PERPETUUM S.R.L. processes their personal data.
Thus, the purpose of this Policy is to explain what personal data we process, why we process it, and what we do with it. Since personal information belongs to each user, we do our best to store it safely and process it carefully. We do not provide information to third parties without first fulfilling our obligation to inform the data subject.
3. SCOPE OF APPLICATION AND MODIFICATION OF THE DATA PROTECTION POLICY
This personal data protection Policy applies to Perpetuum S.R.L. and all of its employees. The data protection policy extends to all processing of personal data. This Policy may only be modified under the direct coordination of the Data Protection Officer (DPO) of Perpetuum S.R.L., with every change being validated by the Data Protection Officer appointed in the company. Changes will be reported immediately at every level of the company, using the policy modification process.
4. BASIC DEFINITIONS
For the purposes of this Policy, the following definitions apply:
“Data Protection Officer (DPO)” means the person who is responsible for monitoring the application of the GDPR and of other applicable laws regarding the protection of individuals with regard to the processing of personal data, who performs the functions assigned to this role by this Policy and other applicable legislation, provides advice to the management of PERPETUUM S.R.L. and informs its employees about the protection of personal data.
“Personal data” means any information relating to an identified or identifiable natural person (“the data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
“Creating profiles” (profiling) means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
“Operator” means any natural or legal person, public authority, agency or other organization which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Operator is PERPETUUM S.R.L.;
“Authorized person” means the natural or legal person, public authority, agency or other organization which processes personal data on behalf of the Operator;
“Receiver” means the natural or legal person, public authority, agency or other organization to which personal data are disclosed, whether or not it is a third party;
“Third party” means a natural or legal person, public authority, agency or organization other than the data subject, the operator, the person empowered by the operator and the persons who, under the direct authority of the operator, are authorized to process personal data;
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Violation of personal data security” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed;
“Health data” means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her state of health;
“Cross-border processing” means either the processing of personal data which takes place in the context of the activities of establishments in more than one Member State of an operator or of a person empowered by an operator within the Union, where the operator or the empowered person is established in at least two Member States; or the processing of personal data which takes place in the context of the activities of a single establishment of the operator or of the empowered person in the Union but which substantially affects or is likely to substantially affect data subjects in at least two Member States.
5. PRINCIPLES OF PERSONAL DATA PROCESSING
5.1. Lawfulness, fairness and transparency
According to this principle, the data subject must be informed about the processing, the processing must be carried out as indicated to the data subject, and it must have a lawful purpose. Data processing is considered lawful when at least one of the conditions provided in art. 6 of the GDPR applies.
The data subject must be clearly and openly informed about how his or her data will be processed. As a general rule, personal data should be collected directly from the data subject.
When processing personal data, whether or not the data were obtained directly from the data subject, PERPETUUM S.R.L. will provide the following information:
- the identity and contact details of the company;
- the contact details of the DPO;
- the legal basis of the processing;
- the legitimate interests pursued by the company or by a third party, where the processing is necessary for such legitimate purposes;
- the period for which the personal data will be stored (where possible).
5.2. Purpose limitation
Personal data will be processed only for the purposes defined and communicated to the data subject before collection, and may not subsequently be used in a manner incompatible with the communicated purpose.
5.3. Data minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
5.4. Accuracy and updating of data
Personal data must be accurate, complete and, where necessary, kept up to date. PERPETUUM S.R.L. will take reasonable measures to ensure that the personal data collected are accurate and that their source is known. Personal data that are inaccurate, having regard to the purposes for which they are collected, will be erased or rectified without delay.
5.5. Data storage limitation
Personal data must be kept in a form that allows the identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
Personal data should not be retained if they are no longer necessary for the purpose for which they were collected, except where Union law or national law requires the storage of personal data.
5.6. Data reduction and data economy
Before personal data are processed, it must be determined whether and to what extent the processing is necessary to achieve the purpose for which it is carried out.
Where the purpose permits and the costs involved are proportionate to the objective, anonymized data should be used. Personal data may not be collected in advance and stored for potential future purposes unless this is required or permitted by law.
5.7. Integrity and confidentiality
Personal data are considered confidential information and are kept securely by the persons responsible for personal data protection, who take the necessary technical and organizational measures to prevent unauthorized access to data, unlawful processing, loss, or accidental destruction or damage.
6. THE BASIS OF DATA PROCESSING
The collection, processing and use of personal data is permitted only on the following bases:
6.1. Data about clients and partners
6.1.1. Processing for a contractual relationship
Personal data of partners and clients will be processed for the purpose of concluding, performing or terminating contracts. Personal data may also be processed before a contract is concluded, for the submission of an offer or the receipt of an order.
If the processing of personal data is based on consent, PERPETUUM S.R.L. will ensure that it has obtained the consent in a clear and explicit form that includes all the rights of the data subject (access, rectification, withdrawal, etc.).
6.1.2. Data processing for marketing purposes
When personal data are to be processed for marketing purposes, the data subject will be clearly informed that his or her personal data are used for those purposes, except in the case of direct marketing, where PERPETUUM S.R.L. is permitted to process personal data in accordance with recital 47 of the GDPR.
If the client asks to be informed about advertising campaigns, PERPETUUM S.R.L. will request consent for this purpose, and the client will have the possibility to choose how to receive the advertising materials (e.g. e-mail, SMS, post, etc.).
If the data subject requests that his or her personal data no longer be used for advertising purposes, the operator will ensure that the data are no longer processed for that purpose and are deleted.
6.1.3. Consent as basis for data processing
Consent must be clear and given in writing, including by electronic means, or by oral declaration (e.g. by phone). Consent must be given for a particular personal data processing activity and for one or more specific purposes.
In the case of electronic consent, pre-ticked consent boxes will render the consent invalid. PERPETUUM S.R.L. will ensure that it can prove that the data subject has given consent for the purpose of processing his or her data.
The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out before it was withdrawn.
6.1.4. Data processing in accordance with legal obligation
The processing of personal data is also permitted if the applicable law requires, imposes or permits it. The type and extent of the data processing must be necessary for the legally required processing and must comply with the relevant legal provisions.
6.1.5. Data processing in accordance with the legitimate interests
Personal data may also be processed if this is necessary for a legitimate interest of PERPETUUM S.R.L. Legitimate interests are generally of a legal nature (for example, the collection of overdue claims) or of a commercial nature (for example, the avoidance of breaches of contract).
Personal data may not be processed on the basis of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject deserve protection and take priority.
Before data are processed, it must be determined whether there are interests worthy of protection.
6.1.6. Processing sensitive personal data
PERPETUUM S.R.L. does not process any information about race, nationality, political opinions, religion, privacy or private life. Sensitive personal data will be processed only if the law requires it or the data subject has given specific consent.
Such data may also be processed if the processing is necessary for the establishment, exercise or defense of legal claims relating to the data subject. If the company plans to process extremely sensitive data, the DPO must be informed in advance.
6.1.7. User data and internet
The policies mentioned above will be integrated so that they are easily identifiable, directly accessible and constantly available to data subjects.
In order to obtain consent for the use of files such as cookies, PERPETUUM S.R.L. will make sure that consent is given explicitly (no wording such as “continued use of the site will be considered acceptance of this policy” may be used).
6.2. Data of employees and prospective employees
6.2.1. Data processing for work relationships
In employment relationships, personal data will be processed where necessary for the initiation, performance or termination of an employment contract. Personal data of applicants will be processed when a recruitment process is initiated. If a candidate is rejected, his or her data must be deleted in accordance with the required retention period, unless the applicant has agreed to remain on file for a future selection process for a period of 12 months from the date of application.
Consent is also required for the use of the data in additional application processes or before the application is shared with other companies. In an existing employment relationship, data processing must always relate to the purpose of the employment contract.
If the application procedure requires that information about an applicant be collected from a third party, the requirements of national law must be respected. In case of doubt, consent must be obtained from the data subject.
A legal authorization is required to process personal data which are connected with the employment relationship but were not initially part of the performance of the employment contract. Such authorizations may include legal requirements, collective agreements with employees’ representatives, the consent of the employee or the legitimate interest of the company.
6.2.2. Consent to data processing
Where necessary, the personal data of an employee may be processed with the consent of the person concerned. The declaration of consent must be given voluntarily; involuntary consent is considered invalid. The declaration of consent must be obtained in writing or in electronic form and will be kept by the operator. In certain circumstances, consent may be given verbally, but it must subsequently be confirmed in a legally valid form.
Where the data subject provides data voluntarily and on an informed basis, consent may be presumed unless national law requires express consent.
By “consent” it is understood that the person concerned has agreed to the processing of personal data concerning him or her. The person concerned may withdraw his or her consent at any time by sending an e-mail to: firstname.lastname@example.org;
6.2.3. Processing sensitive personal data
Sensitive personal data may be processed only under certain conditions. Under national law, other categories of data may be considered sensitive, or the content of the data categories may be defined differently. Moreover, data relating to criminal offences may be processed only in accordance with the specific requirements of national law.
Processing must be expressly permitted or prescribed by national law. Moreover, processing may be permitted if it is necessary for the responsible authority to fulfill its rights and obligations in the field of labor law.
If there are plans to process sensitive personal data, the DPO will be informed in advance.
6.2.4. Telecommunication and internet
Mobile phones, e-mail addresses, the intranet and the internet, together with other internal social networks, are provided by the company primarily for work purposes. They constitute a tool and a resource of the company. They may be used within the applicable legal regulations and the company’s internal policies. In the case of authorized use for personal purposes, the laws on telecommunications secrecy and the national telecommunications laws must be respected.
Care must be taken to ensure that screens and PC terminals are visible only to employees/authorized personnel of the operator, and employees are required to lock their PC screen when they leave the workspace.
7. SENDING DATA TO A THIRD PARTY
It is forbidden to transmit data to a third party, except where the data subject has given consent or where such transmission is necessary to fulfill a contractual requirement regarding the data subject; in all cases, the transmission of data to a third party must be in accordance with national law.
If data are transmitted to a receiver outside PERPETUUM in a third country, that country must ensure a level of data protection equivalent to this policy. This does not apply if the transmission is based on a legal obligation.
8. DATA PROCESSING UNDER CONTRACT
Processing data on behalf of another party means that a supplier undertakes to process personal data without assuming responsibility for the associated business process. In these cases, a data processing agreement must be concluded between the external supplier and PERPETUUM S.R.L.
The customer assumes full responsibility for the correct performance of the data processing. The supplier may process personal data only in accordance with the customer’s instructions.
When an order is placed, the responsible department must ensure that the following conditions are fulfilled:
A) The supplier must be chosen on the basis of its ability to implement the necessary technical and organizational measures;
B) The order must be placed in writing. Instructions regarding data processing and the responsibilities of both the customer and the supplier must be documented;
C) The contractual data protection standard provided by the DPO must be taken into account;
D) In the case of cross-border data processing under contracts, the relevant national requirements for the disclosure of personal data abroad must be met. In particular, personal data from the European Economic Area may be processed in a third country only if the provider can demonstrate a data protection standard equivalent to this data protection policy.
9. DATA SUBJECT RIGHTS
A data subject whose personal data are processed by the operator has the following rights:
A) The right to be informed – to obtain from the operator the following information:
I. The identity and contact details of PERPETUUM S.R.L., its representatives and its DPO;
II. The purpose and legal basis of the personal data processing, and the legitimate interests of PERPETUUM S.R.L.;
III. The categories of personal data;
IV. The receivers of personal data, including receivers in third countries and international organizations (if any), and references to appropriate safeguards;
V. The storage period of personal data and the criteria used to determine that period, it being understood that the operator keeps and processes personal data for as long as the laws and regulations so require. The processing of personal data stops immediately when there is no longer a reason for it;
VI. The source of the personal data (if the data were not obtained from the data subject);
VII. Whether the provision of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data.
B) The right of access to personal data – to obtain from PERPETUUM S.R.L. confirmation that his or her personal data are being processed, and the right to receive a copy of every record containing his or her personal data.
C) The right to rectification – to obtain from the operator, without undue delay, the rectification of inaccurate personal data concerning him or her and the completion of incomplete personal data, including by means of a supplementary statement.
D) The right to erasure of personal data (“the right to be forgotten”) – to obtain from PERPETUUM S.R.L. proof that his or her data have been deleted (if the data are no longer needed for the purpose for which they were collected, the data subject withdraws consent, the personal data were unlawfully processed, etc.).
E) The right to restriction of processing if: the personal data are inaccurate; the processing is unlawful or the data subject asks for the use of his or her personal data to be restricted instead of the data being deleted; the personal data are no longer needed for processing but are required by the data subject for the establishment, exercise or defense of a legal claim; or the data subject has objected to the processing, for the period during which it is verified whether the legitimate grounds of the operator override those of the data subject;
F) The right to data portability – to receive his or her personal data in a structured, commonly used and machine-readable format, and the right to transmit those data to another operator without hindrance from PERPETUUM S.R.L.;
G) The right to object at any time to the processing of personal data (including creating profiles and personal data processed for advertising purposes);
H) The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The data subject understands and agrees that, in the event of withdrawal, the purpose of the processing of personal data cannot be achieved.
10. PROCESSING CONFIDENTIALITY
Personal data are considered confidential information and will be treated as such. Any unauthorized collection, processing or use of such data by employees is forbidden. The processing of personal data is confidential and will be carried out only by persons acting under the authority of the operator and only on the operator’s instructions.
Any processing of personal data by an employee that has not been authorized as part of his or her legitimate duties is considered unauthorized. The “need to know” principle applies: employees may have access to personal information only insofar as such access is appropriate to the type of data and the intended purpose. This is based on the careful division and separation of employees’ duties within PERPETUUM S.R.L. and involves the implementation of roles and responsibilities for each employee.
Employees are forbidden from using personal data for private or commercial purposes, disclosing it to unauthorized persons or making it available in any other way. Line managers inform their employees at the start of the employment relationship of the obligation to protect data privacy.
11. SECURITY OF PROCESSING
PERPETUUM S.R.L. must implement and maintain technical and organizational measures designed to protect personal data, including the protection of confidentiality and integrity of customer data.
Personal data will be stored securely and will be accessible only to authorized personnel. Information will be retained for as long as it is necessary and required by Union law/internal regulations, and at the end of that period will be handled in accordance with the rules on Retaining, Archiving and Destruction of Data.
All personal data must be treated with the highest level of security and must be kept in a locked room with controlled access and/or:
• in a drawer or cabinet locked with a key; and/or
• if computerized, password protected as required by the Access Control Policy;
• stored on external computers that are encrypted in accordance with the standards in the field.
Data subjects and the authorities will be notified, in accordance with the GDPR, of any incidents regarding data security (e.g. destruction, loss, modification, disclosure or unauthorized access to personal data) without undue delay.
12. CONTROL OF DATA PROCESSING
PERPETUUM S.R.L. must perform periodic evaluations/audits regarding personal data and identify the most efficient way to comply with its obligations arising from personal data processing. At the request of the authorities, the operator will make the results of the evaluations/audits available to them.
13. DATA PROCESSING INCIDENTS
All employees are required to immediately inform their supervisor or the Data Protection Officer of any violation of this Policy or of any other regulation regarding the protection of personal data, whether or not there is a breach of confidentiality, data integrity or availability.
The manager of the company is required to immediately inform the DPO of any incident regarding personal data.
In case of:
• inappropriate transmission of personal data to third parties;
• inappropriate access to personal data; or
• loss, destruction or alteration of personal data,
the manager of the company shall, as a matter of urgency, draw up the referral reports in accordance with the rules established for the Management of Security Information Incidents, so that urgent measures can be taken to limit the impact on the data subjects and to fulfill the obligation to report incidents to the Authority.
14. RESPONSIBILITIES AND SANCTIONS
All PERPETUUM S.R.L. employees have the responsibility to notify the DPO immediately of any breach of this Policy. Where the DPO considers it necessary, he or she will inform the Authority of that breach.
The supervisors of each department at PERPETUUM will be responsible for data processing in their department and will monitor new and ongoing data protection risks and update the company’s relevant risk map. In the case of a new risk, they will report it immediately to the manager and to the DPO.
The supervisor of each department where personal data are processed will inform the DPO in due time of every new processing activity.
The general manager, together with the DPO, will ensure that an internal audit is carried out at PERPETUUM S.R.L. to verify the management of risks regarding confidentiality and data protection.
The general manager is responsible for ensuring technical and organizational measures so that all data processing is carried out in accordance with this policy, the GDPR, and Union law/internal law. The general manager may appoint another person to do this.
The supervisory authority must be notified/consulted whenever the DPO has an obligation to do so. Moreover, in the event of an inspection by the authority, the DPO will be notified immediately.
In relations with data subjects, the DPO will be directly in charge, with his or her contact details included in every agreement.
All employees working with personal data are obliged to immediately inform the Data Protection Officer of any violation of this policy or of other applicable legal regulations of which they have become aware.
The abusive processing of personal data will lead to disciplinary sanctions and may also be punishable under the criminal legislation in the field.
15. DATA PROTECTION OFFICER
The Data Protection Officer may be an employee of PERPETUUM or may be appointed under a contract. The operator will appoint a Data Protection Officer based on his or her professional qualifications, knowledge of the law and practice in personal data protection.
The contact details of the DPO will also be communicated to the supervisory authority.
PERPETUUM S.R.L. will support the Data Protection Officer in fulfilling his or her tasks by providing the necessary resources. The DPO is independent in fulfilling these tasks and reports directly to the management of PERPETUUM S.R.L.
Where the DPO also has other responsibilities at PERPETUUM S.R.L., the general manager will ensure that this does not give rise to a conflict of interest.
The Data Protection Officer will have at least the following tasks:
• training the employees of PERPETUUM S.R.L. on the content of this policy;
• informing the company (general manager, employees who work with personal data processing) of the obligations imposed by the GDPR and by Union law/internal law;
• monitoring compliance with the GDPR and other applicable legal provisions;
• carrying out internal audits;
• assessing the impact on personal data protection;
• cooperating with the supervisory authority.
Contact details of Data Protection Officer are the following:
DPO: David Raluca Elena
16. EFFECTIVE DATE. MODIFICATION
This Policy takes effect on 25 May 2018. PERPETUUM S.R.L. may change or modify this policy periodically. This may happen, for example, because of a change in the law or if the operator changes its business or its practices.