GDPR Policy

COMMUNICATION ON THE PROCESSING OF PERSONAL DATA AND FREE MOVEMENT

The purpose of this communication is to understand the obligations of each of us as Controller, employer, employee, operator, user or beneficiary regarding the processing of personal data and their free movement, imposed by EU Regulation 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which applies as of 25 May 2018 and is directly applicable in all Member States under the Treaty on the Functioning of the European Union.

This communication applies to the processing of personal data made by dasHaus S.R.L. hereinafter referred to as “CONTROLLER”.

We process personal data by mixed means (manually and automatically) under conditions that ensure the security, confidentiality and observance of the rights of data subjects, in accordance with the legislation in force.

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

This document is relevant for all categories of people, regardless of your position: employee / former employee / potential employee; customer and / or partner – natural person, representative of a legal partner, supplier or representative of a supplier; visitor of our website; visitor of our applications; visitor to our headquarters / business unit.

DEFINITIONS:

Processing of personal data: means any operation or set of operations performed on personal data by automatic or non-automatic means, such as: collection, registration, organization, storage, adaptation or modification, extraction, consultation, use, disclosure to third parties by transmitting, broadcasting or otherwise assembling or combining, blocking, deleting or destroying them.

Personal data: represents any information regarding an identified or identifiable person; an identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, psychological, economic, cultural or social identity.

Consent: the free, explicit and unequivocal consent of the data subject to have his / her personal data processed.

Controller: any natural or legal person, public authorities, institutions and any other public or private body which determines the purpose and means of the processing of personal data.

Data subject: any natural person whose personal data are processed;

Operator: any natural or legal person, public authority or other body that processes personal data on behalf of the Controller. Each operator is responsible for ensuring the security of the data they handle.

Beneficiary: means any natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities to which personal data may be communicated in a special investigation under Union or national law shall not be considered as recipients; the processing of such data by the public authorities concerned shall comply with the applicable data protection rules in accordance with the purposes of the processing;

Third party – a natural / legal person, a public authority, an agency or any other body other than the data subject, the controller, the operator and the persons who, under the direct authority of the controller or operator, are authorized to process personal data.

User: Any person acting under the authority of the Controller with a recognized right of access to personal databases. Each user is responsible for ensuring the security of the data they manipulate.

Storage: Storage is done for the period necessary to achieve the purpose for which the data was stored. The storage shall take place in a form which allows the data subjects to be identified for a period not exceeding the period necessary to fulfill the purposes for which the data are processed;

Confidentiality: Persons who process personal data on behalf of the Controller have acknowledged the confidentiality of this data and have been instructed on how to operate it.

Data accuracy: inaccurate and incomplete data, taking into account the purpose for which they were processed, can be completed / rectified.

Violation of personal data – means a breach of security that accidentally or illegally leads to the unauthorized destruction, loss, alteration or disclosure of personal data transmitted, stored or otherwise processed or to unauthorized access to them.

Supervisory Authority – means an independent public authority established by a Member State under Article 51 of the GDPR; in Romania, the National Authority for the Supervision of Personal Data Processing – ANSPDCP will carry out controls and will apply sanctions on behalf of the EU.

DPO – the data protection officer appointed by the controller.

DPIA – Data protection impact assessment.

Restriction of processing: means the marking of stored personal data in order to limit further processing;

Profiling: means any form of automatic processing of personal data consisting in the use of personal data to assess certain personal aspects concerning an individual, in particular to review or predict aspects related to performance at work, economic situation, health, personal preferences, interests, reliability, behavior, place of presence or physical movements of the individual;

Pseudonymisation: means the processing of personal data in such a way that it can no longer be attributed to a particular data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures to ensure that this personal data is not assigned to an identified or identifiable natural person;

Encryption: means the security technique that ensures that personal data becomes incomprehensible to anyone who is not authorized to access it.

TABLE OF CONTENTS:

This communication includes the following:

  • the measures adopted;
  • what categories of personal data we process;
  • the purposes for which we process personal data;
  • the reasons why we process personal data;
  • the categories of persons to whom we disclose the data;
  • data storage time;
  • what repercussions there are if you do not provide us with personal data;
  • your rights in accordance with applicable laws and how you can exercise them;
  • data deletion;
  • our contact details.

MEASURES TAKEN:

1. Confidentiality measures (Article 32 (1) (b) of the GDPR)

Provide access control to the headquarters / business unit where personal data is processed.

Secure access system to headquarters and business units.

Secure control of access to the system in which personal data are processed.

Rules and regulations on access codes have been implemented.

Secure access control for the use of the system in which personal data are processed

Designate authorized persons and grant access only to such persons

The following measures have been taken:

We have developed in the database a functionality that anonymizes personal data from all logs and user history.

2. Measures to ensure data integrity (Article 32 (1) (b) of the GDPR)

2.1. Measures or control of data encryption / transmission (Article 32 (1) (a) of the GDPR)

I followed

Data arriving on the company’s hosted server is automatically encrypted.

Data entry control.

Measures to ensure the possibility of verification and determination at a later stage if and by whom the personal data have been entered, modified or deleted in / from the data processing systems.

Assigning individual access codes to persons who have been granted access and registration of their actions / activities.

3. Measures to ensure the availability and resilience of data (Article 32 (1) (b) (c) of the GDPR)

Company hosted servers and backups

4. Periodic testing and evaluation of the effectiveness of technical and organizational measures (Article 32 (1) (d) of the GDPR)

Regular organization of stress / endurance tests

5. Workplace control / organization measures (Article 32 (1) of the GDPR)

Internal policy governing IT & C activity

6. Measures to ensure the limitation of the purpose of the processing of personal data (impossibility to create links)

Providing differentiated access privileges and operations for persons with authorized access.

7. Data protection by design and by default (Article 32 (1), Article 25 (1) and (2) of the GDPR)

Measures to ensure that data protection is taken into account by design and by default, including transparency and the ability to intervene on the data.

Data protection by design and by default (in general)

The process of opening accounts and onboarding is integrated into the general IT administration system.

Measures to ensure transparency

Publication of the Cookies and Data Privacy Policy, with the option to opt in or out.

Measures to ensure the rights of data subjects (possibility to intervene on the data)

Publication of contact details dedicated to user requests to intervene (modify, delete, etc.) on the data.

DATA CATEGORIES. PURPOSE. LEGAL BASIS

1. Current or potential customers

We may process your personal data for:

Providing our services at your request. We will use your personal information to be able to submit an offer, enter into a contract, perform the contract with you and provide you with the requested services. The data will be processed based on the need to conclude and execute a contract with you. We will mainly process the identity data (name, surname and data entered in the identity card, passport). The data will be processed throughout the contract.

The resolution of your request will be made using the data you provided as a result of our contractual relations, to respond to your requests, complaints and claims. The basis for processing in this case will be the execution of the contract with you or your agreement, as the case may be.

Communication for marketing purposes. In order to send you communications about our products / services, it is necessary to process personal data (name, surname, e-mail address, telephone). Data processing, in this case, will be based on your consent.

2. Members of the contractual partners – legal entities

We may process your data for:

Maintaining the contractual relationship with the companies with which you have a contractual or other relationship or to which you have given your consent for the transmission of data to the contractual partners. In order to be able to collaborate with the company with which we have contractual relations, collaboration or of any other nature or which includes you to solve situations, we will have to process the personal data referring to your person. Our processing is based on our legitimate interests.

We will process your first name, last name, email address, phone number and other identifying information to which we have access. The data will be processed throughout the contract.

Communication for marketing purposes.

In order to send you communications about our products / services, it is necessary to process personal data (name, surname, e-mail address, telephone). Data processing, in this case, will be based on your consent.

3. Contractual partners – natural persons (business partners / collaboration relations – not customers)

We may process your data for:

Being able to conduct business / collaboration with you. In order to start and maintain collaboration with you, it is necessary to process certain personal data.

In general, we will process the following data (name, surname, identity card, passport data, identification certificates). In this case, the data will be processed based on the conclusion and execution of a contract between us.

Your requests will be resolved using the data you have provided to us as a result of our contractual relationship, in order to respond to any requests, complaints, requests or claims. The basis for processing in this case will be the execution of the contract with you or the agreement with you, as the case may be.

Communication for marketing purposes.

In order to send you communications about our products / services, we need to process your personal data (name, surname, e-mail address, telephone number). Data processing, in this case, will be based on your consent.

4. Representatives of public authorities.

We may process personal data in order to fulfill our legal obligations, at the request of public authorities, to maintain the registers provided by law and the like. We will process personal data: name, surname, identity data; passport; registration certificate; e-mail address.

5. If you are a visitor of our sites, our pages on social networks

We may use your personal data for the following purposes:

5.1. Improving our site

To take into account the options expressed in browsing sessions, we process data such as: IP address, cookies, other online identifiers, visit history, date and time of access, type of Internet browser. The basis for the processing of personal data will, in most cases, be your consent or our legitimate interest.

5.2. To take into account the options expressed in browsing sessions, we process data such as: IP address, cookies, other online identifiers, visit history, date and time of access, type of Internet browser. The basis for the processing of personal data will, in most cases, be your consent or our legitimate interest.

5.3. Managing our communications, computer systems and their protection.

To ensure security, management of communication systems, IT, security audits, protection of data and systems against cyber attacks and other attacks in the virtual environment, we will mainly process data such as IP address, date and time of accessing the site; type of internet browser … The processing is based on our legitimate interest or, as the case may be, on the fulfillment of our legal obligations.

6. We may also process your data for the following purposes:

6.1. Resolving your requests. We will use your data to answer your requests, applications or any other questions you may have. Mainly, we will use the name, surname, e-mail address, phone and other information that you include in the request that you send.

6.2. At the request of the authorities, to give an answer or other cases provided by law.

In case of a legal obligation, we will communicate the data to the requesting authority, we will store the data for a certain period or we will process the data in a different way. The basis of processing is, in this case, the fulfillment of our legal obligation.

6.3. For conducting transactions or other operations. For transactions or other operations, we may disclose your data to the bank, potential buyers, authorities. Data will be reduced as much as possible. The basis of the processing is our legitimate interest or the fulfillment of a legal obligation.

6.4. Defending rights. We may process your data in order to defend our rights or others before courts, arbitral tribunals, mediators, notaries, bailiffs, public authorities, other bodies (including but not limited to lawyers, experts, auditors, specialists). The basis of the processing is our legitimate interest or the fulfillment of a legal obligation.

6.5. Fraud prevention

In order to carry out our activity legally, we may process the data and transmit or grant the right to review the data to advisers / auditors / lawyers to prevent fraud or other illegal acts. The basis of processing is the legitimate interest and our legal obligations to ensure the legality of our operations in the field of money laundering prevention.

7. The categories of persons to whom we disclose the data.

As a rule, we will not disclose personal data to other persons or companies. However, in some cases, it may be necessary to disclose your data, such as:

  • to fulfill a legal obligation towards public authorities, natural or legal persons;
  • to fulfill a legitimate interest of our company, of other companies or natural or legal persons acting as operators in various fields, such as: payment services, services that we can outsource or to public authorities, other persons, courts;
  • to defend and exercise our rights or the rights of others.

In all cases, we will ensure that the personal data transmitted are processed in confidentiality and security, respecting your rights and the purpose for which they were transmitted.

At this time, we do not transfer personal data to third countries or international organizations. If necessary, we will notify you in good time to exercise your rights in accordance with applicable law.

8. Data storage time

The data will be stored according to the purpose of the processing, the category of data processed and our privacy policy.

Storage periods are based on legal provisions (obligations to store certain data, applicable limitation periods, purposes of our business).

9. Your rights in accordance with applicable laws and how you can exercise them.

The right to be informed

When the data are obtained directly from the data subject

at the time of obtaining the data;

If the data are not obtained directly from the data subject

within a reasonable time (maximum one month from the date of data collection);

in the case of data subject to communication with the data subject, at the latest at the time of the first communication with the data subject;

Before the data is disclosed to third parties or at the latest at the time of disclosure;

9.1 Right of access

You have the right to access the personal data collected about you or their copies; You also have the right to obtain information from us about:

purpose of processing;

what categories of personal data we process;

Recipients to whom personal data have been or will be transferred, in particular recipients from third countries or international organizations;

The storage period or, where that is not possible, the criteria used to determine the storage period.

9.2 The right to rectification of data

You have the right to request the rectification of the inaccuracies of your data that we process.

9.3 Right of erasure (right to be forgotten)

You have the right to have the data collected / processed by us deleted under the conditions set out in the EU Regulation on the processing of personal data.

9.4 The right to restrict data processing

You have the right to restrict the processing of data about you that we process.

9.5 Right of opposition

Any data subject has the right to object to the processing of personal data by us or on our behalf for reasons related to the particular situation they are in – Art. 21 of the EU Regulation.

9.6 The right to data portability.

Everyone concerned has the right to the portability of personal data processed by us to another controller.

9.7 The right to withdraw consent

If personal data is processed on the basis of your consent, you have the right to withdraw your consent. The legality of the data processing, done previously, will not be affected by the withdrawal of consent.

9.8 The right to the individual decision-making process

You may not be subject to a decision based solely on automatic processing.

9.9 The right to lodge a complaint with the supervisory authority

You have the right to send a complaint to the supervisory authority regarding the processing of your data by us or on our behalf. This is the National Authority for the Supervision of Personal Data Processing (ANSPDCP).

10. Delete data

Deletion of data – removal or deletion, in whole or in part, of personal data from records, by reaching the retention period, to fulfill the purpose for which they were entered, their laxity, non-existence, inaccuracy.

The procedure for deleting personal data is established when the company has received a request from you from the data controller and complies with the requirements of EU Regulation 679/2016.

You can ask us to delete your personal data, but only if:

personal data are no longer needed for the purposes for which they were collected or processed; or

you have withdrawn your consent (if the data processing is based on consent); or

you exercise your legal right to object; or

they were processed illegally; or

we have a legal obligation to do so.

We are not required to comply with your request to delete your personal data if it is necessary to process your personal data:

for compliance with a legal obligation; or

for the establishment, exercise or defense of a right in court.

There are certain other circumstances in which we are not required to comply with your request to delete your data, although these are the most likely circumstances in which we may reject your request.

The deletion of data will be carried out by authorized personnel after verifying your request and identifying the circumstances and compliance with the legal requirements imposed by EU Regulation 679/2016.

The deletion of the data will be provided through a report on the removal procedure.

The answer to the confirmation of the request for deletion of personal data or the reason for the legal obligation to store the data is provided within the legal deadline.

11. How to exercise your rights.

To exercise one or more of your rights under the law or to ask questions about any of these rights or any details about the processing of your personal data by us, you may use our contact information:

dasHaus S.R.L.

Contact details of the data protection officer

E-mail: contact@dashaus.ro

  • Str. Cindrelu, Nr. 35-37, Cisnădie, Sibiu, România