As any company, AFI Palace Brasov S.R.L., headquartered in Blvd Vasile Milea, no. 4E, et. 2, room 13, Sector 6, Bucharest, registered at the Trade Register under no. J40 / 7377/2015, unique registration code RO 34664267 (hereinafter referred to as “AFI Brasov”, “Operator”, “we”) processes personal data (personal data). This General Information Policy for data subjects regarding the processing of personal data (“Policy”) contains information that you have the right to be provided to you regarding the processing of your personal data processed by the Operator. Proper protection of personal data is an important objective of the Operator so we invite you to read this Policy to find out how we process your personal data.
This Policy takes into account the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95 / 46 / EC (hereinafter referred to as “the Regulation” or “RGPD“). The terminology used in this Policy has the meaning of RGPD; RGPD consultation can be done (here). To facilitate understanding of the Policy, some definitions are included in Annex 1 below.
The policy is addressed to data subjects outside the Operator’s organization (persons other than employees, legal or conventional representatives or shareholders/ associates of the Operator) such as visitors to the websites on which the Operator holds a right, customers or potential customers, visitors to the spaces owned by Operator (including parking lots), participants in promotional campaigns carried out by the Operator, contractual / business partners or potential contractual / business partners, conventional or legal representatives or employees of contractual / business partners, representatives, civil servants, other community agents local authorities, institutions, public authorities or other entities (eg NGOs, media outlets), former employees (any of these persons and also collectively hereinafter referred to as “you” or “data subject (s)“).
This Policy is intended to inform you, in accordance with your rights, in accordance mainly with Articles 13 and 14 of the RGPD. Thus, this Policy contains the following information:
- the identity and contact details of the Personal Data Operator;
- contact details of the person responsible for personal data protection within the Operator;
- the purposes for which the personal data are processed by the Operator, as well as the legal basis of the processing.
- if the processing of personal data is based on the basis of the processing represented by legitimate interests, the indication of these legitimate interests;
- the categories of personal data processed;
- recipients or categories of recipients of personal data;
- information on the intention of the Personal Data Operator to transfer personal data to a third country or an international organization, if any;
- the period for which the personal data will be stored or the criteria used to establish that period;
- origin of personal data;
- the rights of the data subjects;
- whether the provision of personal data is a legal or contractual obligation or an obligation necessary for the conclusion of a contract, as well as whether the data subject is obliged to provide such personal data and what are the possible consequences of non-compliance with this obligation;
- the existence (if applicable) of an automated decision-making process including the creation of profiles and, in those cases, information on the logic used and on the importance and expected consequences of such processing for the data subject.
Also, in the case of personal data that is not obtained directly from you, this Policy contains information on the source from which the personal data comes and whether they come from public sources.
We may from time to time update this Policy to reflect changes in the Operator’s practice regarding the processing of personal data or changes in applicable law, so we invite you to return to this page from time to time and reread this Policy. If necessary according to the applicable legislation, we will also send you separate and direct information regarding such updates. In any case, the updated form of the Policy will replace the previous form.
This Policy has been written with the intention of being easy to read and understand. For additional information or questions, you may contact the Personal Data Protection Officer within the Operator using the contact details mentioned in Section (2) below.
For a set of basic definitions that can help you understand this document, please refer to Annex 1 below.
(1) IDENTITY AND CONTACT DATA OF THE OPERATOR
The personal data operator is the company AFI PALACE BRASOV S.R.L, with its registered office in B-dul Vasile Milea, no. 4E, et. 2, room 13, Sector 6, Bucharest, registered at the Trade Register under no. J40 / 7377/2015, unique registration code RO 34664267, telephone 021 412 02 20, fax 021 311 81 36.
(2) CONTACT DETAILS OF THE PERSONAL DATA PROTECTION OFFICER
The contact details of the person in charge of personal data protection within the Operator are e-mail: firstname.lastname@example.org, fax: 021 311 81 36, postal address: Blvd. Vasile Milea, no. 4E, et.2, sect. 6, Bucharest.
You can contact the person responsible for the protection of personal data, for example, if you have questions about the information contained in this Policy or for the exercise of any rights you have as a data subject. More information about these rights can be found in Section (9) of this Policy.
(3) PURPOSES FOR WHICH PERSONAL DATA ARE PROCESSED BY THE OPERATOR, AS WELL AS THE LEGAL BASIS OF THE PROCESSING
3.1. The processing of your personal data is done for one or more of the following purposes:
- Carrying out the main activity of managing the real estate portfolio
Carrying out by the Operator of the corresponding main commercial activity CAEN Code 6820 – Renting and subleasing of own or rented real estate including among others real estate activities related to shopping centres, business centres, commercial spaces, residential spaces, mixed-use buildings, etc. implicitly the execution of concluded contracts with you or with the entity with which you are in a legal relationship;
- Carrying out activities related to the management of the real estate portfolio
Carrying out by the Operator some commercial activities corresponding to the real estate development or which are generally related, adjacent / related or for the purpose of efficient administration of the developed real estate portfolio; these activities correspond to CAEN codes such as 9004 – Performance hall management activities, 9002 – Support activities for artistic performance (performances), 9001 – Performing arts activities (performances), 7312 – Media services, 7311 – Agency activities of advertising, 6492 – Other credit activities (except for monetary loans outside the banking system, respectively for loans between companies of the same group), 6311 – Data processing, web page administration and related activities, 5819 – Other publishing activities, 5221 – Activities of ancillary services for land transport, 4799 – Retail sale in stores, stalls and markets, 4677 – Wholesale of waste and scrap, 4120 – Construction of residential and non-residential buildings, 4110 – Development (promotion) real estate, 3812 – Collection of hazardous waste, 3811 – Collection d non-hazardous waste, 3700 – Collection and treatment of waste water, 3600 – Capture, treatment and distribution of water, 3530 – Supply of steam and air conditioning, 3514 – Sale of electricity, 3513 – Distribution of electricity, 9329 – Other recreational and leisure activities nec, 7112 – Engineering and technical consultancy relating thereto; 6810 – Buying and selling of own real estate;
- Management of business relations related to the main commercial activity
Evaluation of potential new collaborations with customers (including visitors to shopping centres or buyers or tenants of residential or business spaces that we develop or manage) or new or existing suppliers or existing collaborations (including evaluation related to money laundering legislation, conflicts of interest, reputational verifications, integrity, business ethics), implicitly the processing of personal data of the associates/ shareholders, the representatives (legal/ conventional) of such entities;
- Management of business relations adjacent to the commercial activity
Evaluation, conclusion, termination of business relations with financiers, insurers, other (potential) contractual partners and other persons in connection with them, involved in support activities;
Management of professional/ expert and business contacts and requesting/ providing recommendations;
- Management of procurement procedures
Organizing, participating in, carrying out procurement/ auction procedures;
- Providing various services and facilities
Providing, operating, maintaining services or facilities for the spaces owned by the Operator or offered to the Operator’s clients or the Operator’s business partners or other persons who show an interest in the Operator’s activity, goods, services (examples of such services and facilities may be WI- FI, first aid point, prizes);
- Logistics management of parking lots
Parking administration, including the management of ticketing services at vending machines, ensuring security and compliance with parking regulations, ensuring and managing parking subscriptions, analyzing how parking is used to improve the customer experience, etc .;
- Wi-Fi service management
Maintenance, upkeep and protection of Wi-Fi service, including providing the ability to connect efficiently and quickly to Wi-Fi when you return to the mall; to answer questions, requests for additional information, complaints about Wi-Fi service; for communicating information about the Wi-Fi service, as well as changes made to it; to ensure security and prevent fraud related to Wi-Fi service; for research and analysis of the use of the service in order to identify general consumer trends; to determine the distance of users from the Wi-Fi sensors in the location they visit by using Media Access Control (MAC) addresses, in order to optimize the layout of the locations, design marketing promotions or measure the impact of a campaign].
- Transmission of electronic commercial communications
Direct marketing by transmission of commercial communications through automatic call and communication systems that do not require the intervention of a human operator, by fax or e-mail or by any other method using electronic communications services intended for the public (hereinafter “electronic commercial communications”) , including promotions, offers, promotional campaigns, raffles, competitions, contests, events, information about the latest news and seasonal trends;
Management of subscriptions to electronic commercial communications transmitted by the Operator;
- Carrying out marketing and promotion activities
Marketing activities (other than the transmission of electronic commercial communications) including advertising, promotion of activities, image, trade name and trademarks of the Operator, contests/ promotions/ campaigns, promotion by influencers, granting vouchers for the purchase of certain goods or goods of a certain value, loyalty programs including loyalty cards, gift cards/ gift cards;
Market research, statistics;
Promotion, holding and operation of social media accounts and other platforms or services similar to information society services;
- Conducting behavioural analyzes and/ or creating profiles
Analysis of customer activities/ behaviour in interaction with the Operator (eg through the use of websites, computer applications, Wi-Fi) or its partners (eg tenants of the spaces rented by the Operator, operators of social media platforms ).
Use, monitoring and testing of indicators related to the efficiency of services provided and activities performed;
Geolocation within the Operator’s premises, premises through the use of services or facilities, including computer applications related to/ of the Operator;
- Management of interactions made through websites
Administration of websites (including preparation and publication of content), computer applications, information platforms and the facilities offered through them (eg registration for events, filling in forms on the web-site and downloading documents), as well as efficiency analysis for example, to measure and monitor traffic, to provide adequate technical support for each type of device and browser to improve the quality of web-sites, computer applications, platforms, services and the experience of their users;
Management of user accounts opened on a web-site or application over which the Operator has a right (eg opening, modifying, using, terminating an account), for the provision of services, materials via the Internet;
Ensuring the security of websites, computer applications, information platforms;
Production of audience and statistics on the use of online services;
Further details on the use of “cookie” technology can be found in, available at www.en.afibrasov.ro/cookies-policy.
- Management of the Operator’s activity on social media platforms
Technical management of operator accounts on social media platforms including Facebook, LinkedIn, including account creation, content creation and publishing;
Managing interactions including in the form of public and private messaging;
- Ensuring legal protection
Legal protection of the Operator, management and monitoring of judicial and extrajudicial proceedings regarding the rights and interests of the Operators or of those claimed against the Operator or of any other procedures in which the Operator is involved;
Prevention, reduction of risks or consequences as a result of attacks, fraud, security breaches on or in connection with the Operator, the services provided or its goods/ interests, including in connection with web-sites, applications on which the Operator has a right, including data security breaches;
- Management of requests, suggestions, notifications and complaints
Receiving, verifying, resolving and monitoring requests, suggestions, notifications and complaints (including customer care/ feedback and whistleblowing, as well as requests to exercise certain rights under this Policy and the GDPR), including by submitting the Operator’s responses to such suggestions, notifications and complaints received electronically and/ or physically and time analysis of the recurrence of similar incidents / of the effectiveness of the implemented remedies;
Creating statistics on the types of requests, suggestions, notifications and complaints received, the measures applied and their effectiveness;
- Legislative and procedural compliance
Legislative compliance, including collaboration with public authorities and institutions, including on compliance with accounting legislation, legislation on security and protection of objectives, assets, values and persons, compliance with legislation on archives, legislation on safety and health at work and against fire;
Creation/ implementation of policies and procedures or other means of adequacy;
Organization/ participation in events external to the organization including official events hosted by authorities / third parties, public events to promote the interests of the industry;
- Management of accounting aspects
Administrative management of contracts, including financial and accounting issues, invoicing and debt collection;
Fulfilling the financial, fiscal and accounting activity (including in case of collaboration with external collaborators for performing external audits;
Pursuing the objectives of financial performance and budget execution;
- Logistic management of the activities carried out
Logistical management of the main and adjacent activities of the Operator (including in connection with headquarters security, office and equipment suppliers, parking operation and management of related services, IT service providers, telephony, cloud, archiving, legal, accounting, etc.);
Management of Operator registers, including entry-exit (registry), courier register;
Management of own or rented car fleets;
- IT infrastructure management
Ensuring, protecting, maintaining and developing the hardware and software IT infrastructure and data support to facilitate the development, development and protection of the activities of the Operator and its employees;
Administration and management of information and data security, including backup, fire protection and anti-virus systems; IT security processes and audits, including vulnerability testing, prevention and correction measures;
Administration of electronic signatures and individual authentication certificates
- Video monitoring and security
Implementation of security and safety measures in relation to objectives, goods, works, values and persons and ensuring the maintenance of these measures, including evidence of access to the spaces owned by the Operator (including parking lots) or to objectives, goods, works and values;
Monitoring / ensuring the security of persons/ spaces/ goods by technical means including CCTV systems;
Prevention of attacks or frauds on or in connection with the Operator, with the services provided or with its goods/ interests;
Supervision of operations or procedures related to the goods or activities of the Operator.
Providing help/ support in case of incidents/ accidents in the spaces, buildings or otherwise in connection with the Operator’s goods;
- Management of public relations and interactions
Public relations management and representation of the Operator’s interests, including in the relationship with organizations of the industries in which the Operator operates, chambers of commerce, NGOs, media platforms, various public authorities, other entities, including drafting, supporting views, opinions, memoranda, other communications;
- Social responsibility and corporate involvement
Social responsibility and community (CSR), development and maintenance of a pleasant working environment including festive/ cultural gatherings of the Operator’s employees or former employees (alumni events), with clients, business partners (their representatives) and family members of thereof;
- Management and development of know-how
- Providing professional practice and various other internships, internships, mentoring
- Management of restructuring or reorganization projects, including mergers and divisions
Development or reorganization operations, including via mergers with other entities, acquisition of other entities, divisions, transfers of activity or assets; identifying opportunities, implementing and monitoring operations, including partnerships;
- Management of group relations
Ensuring, implementing and developing relations between or regarding affiliates within the AFI Europe group (including reporting, aspects regarding the real beneficiary, collaborations, creation of cost centres);
In particular, for the former employees of the Operator, the following processing purposes may be incidents:
- Managing the aspects regarding the labour relations
Management of human resources and other operations related to the employment relationship that existed between the Operator and a natural person; completion, update REVISAL; issuing certificates at the request of the former employee; maintaining and updating one or more internal personnel files, of the job description;
- Management of public relations and interactions
Carrying out specific operations, communications and transmitting information, including in case of seizure requests are received on a person who was an employee of the Operator or information is requested from such a person from public authorities or institutions, in accordance with the law;
- Ensuring continuity in projects
Administration and preservation of documents and professional correspondence in order to transfer information to third parties or to other employees of the Operator, in the context of changing the staff that is involved in a project.
3.2. The legal grounds for the processing of personal data for the purposes indicated above are the following:
- Your consent (art. 6 paragraph 1 letter a of the RGPD). This is the basis for processing only in cases where you have expressly agreed to this, through a statement, a form or another manifestation that includes such an agreement.
For example, the consent substantiates the processing of personal data for electronic commercial communications or, in certain situations, for participation in promotional campaigns organized by the Operator.
- Execution of a contract to which you are a party or taking steps before concluding such a contract (art. 6 paragraph 1 letter b of the RGPD). Execution of the contract is the subject of processing in cases where (i) there is a contract of any kind between you and the Operator (eg sale, rental, sponsorship) and the processing of personal data is necessary for the execution/ fulfillment of that contract or (ii) you have taken an action in the context of concluding a contract with the Operator (for example you have requested an offer), and in order to respond/ meet the action taken by you, the Operator performs certain activities for which the processing of personal data is necessary.
- The legal obligation of the Operator (art. 6 paragraph 2 letter c) of the RGPD. The legal obligation is the basis for processing in cases where a provision of law or other legal act emanating from a public authority or institution obliges the Operator to perform certain activities for the fulfilment of which the processing of personal data is necessary.
For example, the legal obligation is incident for the processing of personal data in the context of the obligations of the Operator in the accounting, financial, prevention and sanctioning of money laundering, labour and social protection legislation, archiving legislation.
- The legitimate interest of the Operator or of a third party (art. 6 paragraph 1 letter f of the RGPD)
3.3. The Operator’s processing based on legitimate interest is based on:
- the legitimate interest to enter into contractual relationships as little as possible exposed to risks (for example, from an economic, feasibility, reputational perspective, compliance with legal provisions, standards and practices relevant to the Operator and the group to which it belongs) that would have an impact even on the activity of the Operator;
- the legitimate interest to protect their business by submitting minimum diligence to verify certain aspects, such as the previous conduct of some entities;
- the legitimate interest in the good execution of the contracts and in general for the development and implementation of efficient relations with clients, suppliers/ distributors and other contractual partners;
- legitimate interest in carrying out, developing, protecting, promoting activities according to the object of activity;
- the legitimate interest to analyze and follow development or reorganization operations, including via mergers with other entities, acquisition of other entities, divisions, transfers of activity or assets;
- the legitimate interest in exercising the legal rights and their defence before the competent courts and authorities, including, if necessary, through actions for the recovery of debts or the preservation of potential means of a proof;
- the legitimate interest to submit to internal regulations that establish the obligation to report to the group various situations;
- the legitimate interest in providing quality goods and services to our clients;
- the legitimate interest in promoting the goods, services, brand and reputation of the Operator, in identifying trends in use and developing new products and services, in evaluating and understanding the effectiveness of promotion campaigns, market research, to personalize your experience when you use our goods/ services, to ensure that our goods, services are presented in an efficient manner and dedicated to your needs, to understand your professional and personal interests and to adapt our message, goods and services to your needs and/ or your preferences;
- the legitimate interest of promoting the Operator, implicitly of the activities carried out, including in the context of organizing cultural, artistic, sports or other events;
- the legitimate interest in maintaining and developing a know-how base adequate to the Operator’s activity;
- the legitimate interest of promoting and defending the objectives, the interests of the Operator within the industry in which it operates and in the relationship with authorities, public institutions, chambers of commerce, bodies and other relevant actors;
- legitimate interest in providing medical assistance in case of incidents, accidents in the premises, locations of the Operator;
- the legitimate interest in developing and maintaining a modern infrastructure, including at IT and communication level, correlated with the evolutions of the activities;
- the legitimate interest in protecting the patrimony and the interests of the Operator, including by maintaining the safety and security of the persons, spaces, goods and operations related to the Operator;
- the legitimate interest in carrying out financial, accounting, administrative and logistical operations regarding the operations, documents, legal acts performed or managed by the Operator;
- legitimate interest in good written organization of the activity, including efficient management of correspondence and archives;
- the legitimate interest in receiving, verifying and resolving the notifications, notifications, complaints formulated towards the activity of the Operator or of some associated persons;
- the legitimate interest to maintain a connection/ correspondence with you, for the cases when it is necessary, to provide support/ assistance in the use of the Operator’s goods and services;
- the legitimate interest in ensuring the functionalities of the web-sites and promoting the activity of the Operator or of some partners through them;
- the legitimate interest to develop and maintain good relations with the community and to promote fair values in society, including by supporting social cases, cultural, educational, scientific or anniversary events, to develop and mention a pleasant working environment;
- legitimate interest the legitimate interest in collaborating or interacting with specialized third parties for any aspect relevant to the above interests, including related to IT infrastructure, compliance with accounting, development of partnerships, acquisitions or sales;
- legitimate interest in cooperating with shareholders / other entities in the group to discuss any important issues in order to identify the most appropriate approaches;
- other legitimate interests resulting in connection with the projects pursued by the Operator and the evolutions that it must face in the context of its activities.
3.4. Legal grounds for processing special personal data. Certain categories of personal data have a special character and the Operator processes these data only in the circumstances allowed by the applicable legislation, including RGPD, namely, in general, if:
- there is the prior explicit consent of the data subject in this respect, obtained, in accordance with the applicable legislation;
- the processing is necessary to protect the vital interests of the data subject or of another natural person;
- the processing refers to personal data that are manifestly made public by the data subject;
- the processing is necessary for the ascertainment, exercise or defence of the legal rights;
- processing is necessary for reasons of major public interest;
- processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes;
- the processing is required or allowed by the applicable legislation, especially in order to fulfil the obligations and to exercise specific rights of the Operator in the field of employment and social security and social protection; or
- the personal data were transmitted to the Operator or to a person empowered by the operator in the absence of their request
(4) CATEGORIES OF PERSONAL DATA PROCESSED
4.1. Source of personal data:
Depending on the interactions you have with us or, in limited cases, with our partners, we collect and process your personal data.
Thus, we collect (a) both personal data obtained from you, (b) and personal data that were not obtained from you (but from third parties/ sources).
For example, such interactions that involve, in principle, the collection from you by the Personal Data Operator are: the transmission by you of some requests, suggestions, notifications, complaints; navigation, use of websites, computer applications over which the Operator holds a right; opening a user account in these websites, computer applications, including when such operations are performed through an account held by you for another service of another entity; enrolling in a loyalty program; participation in a contest; providing feedback; participation in an event organized by the Operator; social media; use of parking services; use of the CCTV system; requesting / buying, using a loyalty card; making acquisitions/ orders/ reservations; subscribe to the newsletter; use of Wi-Fi provided by the Operator; participation in a market study.
At the same time, the Operator may additionally generate personal data about you, for example, by deducing such data from others (eg gender by first name or personal numerical code, age of birth or personal numerical code; certain marketing preferences from the mode of use of facilities, such as the website or loyalty cards).
We also collect personal data indirectly (not from you), including: (a) from third parties (eg from companies providing professional development services, witnesses / prosecuting bodies that report the commission of an unlawful act, the entity you work for / represent, (b) from publicly available sources (eg the Internet) or from other media accessible to the general public.
4.2. Personal data processed
Most situations in which personal data are processed are inherent to economic activity, others being completely out of any possibility of prevention, such as receiving electronic correspondence from a third party that includes a chain of electronic correspondence (these, of course, containing) personal data.
The personal data that the Operator can process varies depending on the situation, purpose, the Operator understanding to process only those data that are necessary in relation to the intended purpose.
Thus, the categories of data that the Operator can process include (it is very possible that not all the categories of personal data mentioned below are relevant to you in the context of a single determined interaction with the Operator)
- Contact information, for example, your postal / home address, the entity you worked for and the address of the place of work, e-mail address and telephone/ fax number (s) (landline, mobile, work/ professional/ personal), correspondence address, your name, username on various communication platforms, social media (eg Yahoo Messenger, Skype, Facebook, LinkedIn, etc.) or used within the infrastructure provided by the Operator, personal web page, data contact for emergencies;
- Identity information, for example, full name (including last name or address form), name before marriage, marital status / marital status, date and year of birth, place of birth, sex, nationality, citizenship, photograph/ image (e.g. captured by the CCTV system, from identity documents, from the profile related to platforms such as social media), voice, height, mass, vehicle registration number, personal numerical code, series, number and expiration date of the identity document, passport or another identification document (eg visa), ID of the access card, loyalty card, gift card or another type, age, citizenship, signature, driving license data, data from civil status documents (eg marriage certificate, documents related to divorce), number of children, dependents, personal data regarding family members (husband, parents, children);
- Security data, such as login details (including username and password); details regarding the logging activities; records of internal investigations; evidence of any actual or suspected violation of applicable law, CCTV footage (if applicable); swipe card data;
- Information on preferences relevant to the marketing activity, such as products, favourite brands, more likely days for making purchases; Also, in case you have accepted the receipt of notifications through the AFI Cool application, you can receive notifications related to the points collected based on your purchases, the status of vouchers uploaded to the application, etc.
- Information relevant to the procedures for accepting collaborations or new partners, including financial soundness and reputational issues (eg the existence of disputes);
- Professional information, regarding the job and training: occupation, field of occupation/ specialization, number of the practice authorization and of the issuing entity, position occupied at the workplace, job history, attestation certificates, licenses and/ or other permits and studies performed, form of organization;
- Financial information, for example information regarding payments, such as bank account, fees/ charges;
- Information about a person’s history, for example, information from CVs (in addition to those already mentioned, interests, hobbies, skills);
- Information generated by us in the activities we carry out, such as creating a profile based on the interaction with certain services and facilities of ours or information resulting from reputational checks;
- Other information about you that you may provide to us (eg through a complaint, complaint) or reach us or our partners, such as dietary preferences or car access.
In particular, for former employees of the Operator, personal data such as:
- Information on the employment relationship concluded, such as type of contract (full time or part-time); initial date of employment; last date of employment; the date of starting the exercise of the attributions; seniority in work; the experience; the end date of the probationary period / of the employment relationship; staff group / sub-group; membership in a trade union or other entities representing the interests of employees/ staff members; work schedule specific to the position held; records of hours of absence and attendance at work; promotions; the size of the work equipment; holidays (medical, rest, parenting, etc.); data from individual training sheets on occupational safety and health, from individual training sheets for emergency situations, from medical files; occupational hazards; data on social and health insurance; The ID within the Operator; information relating to legal proceedings; military situation;
- Information on remuneration, such as hourly rate, commission depending on results, salary level, bonuses and benefits that were applicable during the employment relationship; pension information (and information arising from related documents, such as retirement decision); the type of bonus; allotment of shares; tax code; information on the number and travel expenses;
- Vocational training and evaluation, such as occupation, field of occupation/ specialization, number of the practice/ work authorization and the issuing entity, position held at the workplace, job history, attestation certificates, studies / professional training courses performed, form of organization, previous employers; the departments in which you worked; qualifications, specializations, skills obtained, diplomas; references, recommendations; professional status; other information from CVs;
- Compliance and disciplinary measures, such as minutes of violation of the Internal Regulations, internal policies and codes of conduct; complaints made many times against an employee; disciplinary research; disciplinary actions; date and reason for resignation or termination of employment;
- Data related to dependents, such as information regarding spouses and dependents, including: name; first name; sex; marital status; patronymic name/ form of address; date of birth/ age; contact information (including email address, mailing address and telephone number);
4.3. Providing personal data
Depending on the purpose and situation, the processing of your personal data may be required by law (eg based on tax legislation or archives) or may be necessary for the conclusion or execution of a contract between you and the Operator. At other times, the processing of your personal data is necessary to provide services or facilities, as well as to achieve commercial objectives of the Operator. If we are not provided with relevant personal data, we will be unable to honour your requests, to provide certain services, to perform certain obligations or it will be necessary to limit/ reduce some activities of the Operator.
4.4. Source of personal data
It is possible that, in certain situations, your personal data may not be provided directly by you to the Operator, but may be provided to us by third parties or may be available from public sources.
Thus, your personal data may be provided by the entity whose representative, employee, collaborator, associate/ shareholder or in any other legal form of which you are the owner. Entities from any of the categories mentioned in Section (5) below may also provide the Operator with personal data during the development of the respective business / institutional relations.
Equally, during its activities, the Operator may access your personal data from public sources, such as public databases of authorities and institutions relevant to the activity of the Operator such as tax and regulatory authorities – Competition Council. The National Office of the Trade Register, the National Agency for Cadastre and Real Estate Advertising, the National Authority for the Supervision of Personal Data Processing, the Territorial Labor Inspectorate, the National Agency for Fiscal Administration.
(5) THE RECIPIENT OF THE PERSONAL DATA
In order to fulfil the purposes mentioned above, in some cases, it may be necessary for personal data to be transmitted to other entities, such as service providers and contractual partners of the Operator.
Thus, transfers of personal data from/ to other data controllers or to associated data controllers may take place, in accordance with the applicable legislation, each of these categories being themselves responsible for the processing of personal data they perform.
At the same time, the Operator sometimes uses other legal entities for the processing of personal data (including persons authorized by the operator). According to the general principle, personal data are processed only if it is, and the persons authorized by the operator thus have access to personal data only insofar as it is necessary for their activities. The processing of personal data by persons empowered by the operator is based on a contract for the processing of personal data, which the Operator concludes with each such entity. In the context of such a contract, each person empowered by the operator undertakes, in particular, to (i) process personal data exclusively in accordance with the prior instructions of the Operator; and (ii) apply any and all measures necessary to protect the confidentiality and security of personal data.
The categories of recipients to whom your personal data may be transmitted (other operators, associated operators, authorized persons of the Operator) are (it is very possible that not all the recipients mentioned below are relevant for your personal data):
- Contractual partners, such as carriers, suppliers of equipment and construction materials, entities that ensure the maintenance of the equipment used by the Operator and of the spaces owned by the Operator (including parking lots), tenants of the Operator’s spaces.
- Providers of administrative, logistical or support services for compliance with some legal obligations, such as providers and providers of external services in the field of IT, accounting, tax, technical, auditors, lawyers, insurance, cloud services, telephony, e-mail, archiving, which provide, for example, services for issuing/ receiving invoices, calculating fees/ prices and related activities, banking services for payments/ receipts, correspondence management services, expenses, access rights management services and reception services, services organizing or facilitating access to events, as well as other services meant to assist us in carrying out activities.
- Entities that offer public relations services, advertising services, design of informative materials, entities that organize, carry out or are otherwise involved in services, events in the Operator’s locations or with his involvement.
- Entities that provide services for designing, implementing and analyzing marketing campaigns, services for analyzing people’s consumption behaviour through the acquisition of goods/ interaction with certain services/ facilities.
- Entities through which direct marketing activities are carried out (transmission of commercial communications) through methods/ systems that use electronic communications services.
- Entities providing design/ personalization services, card production (eg loyalty), communication cards and/ or forms, letters (including personalization forms, involvement), handling, registration of coupons/ forms for loyalty campaigns, promotional campaigns, advertising lotteries conducted by the Operator.
- Entities/ services involving social networks, social media, as well as entities that manage the Operator’s accounts on such platforms or in managing the relationship with (potential) clients and/ or business partners.
- Entities that provide information services, related to the use of the Internet or of facilities related to the use of the Internet, implicitly of some web-sites, such as Google / Alphabet.
- Entities offering IT design services, administration, maintenance of websites, computer applications regarding web-sites and applications over which the Operator holds a right.
- Entities that provide services for making calls/ transmitting text messages, managing emails and messages received on the addresses of the Operator, on web-sites or applications or otherwise by the Operator, as well as communication services in response to emails and messages.
- Partners of promotional campaigns or loyalty campaigns.
- Other entities through which the Operator implements marketing activities.
- The public – in this case, with an exceptional character, e.g. regarding the announcement of the winners of the contests (when or if it is the case).
- Providers of computer systems and technical assistance, including those responsible for the maintenance of the CCTV surveillance system and access cards and other security measures.
- Persons involved in investigations or investigations carried out by the Operator or in connection with it (eg witnesses or persons who notify the Operator about the commission of an act that may be a disciplinary offense or another illicit act).
- Persons mentioned in the complaint, notification, complaint, criticism, observation, assessment or who may be related to it.
- Couriers, providers of catering services, tourist services (travel, accommodation), organizational services or transmission of invitations or other communications, suppliers of equipment, materials, content for events organized with the involvement of the Operator.
- Entities from the same group to which the Operator belongs.
- Law enforcement authorities, criminal investigation authorities, public order and national security authorities, courts, arbitration courts insofar as it is necessary for the ascertainment, exercise and defence of legal rights.
- Other authorities and institutions (eg fiscal and regulatory – Competition Council. National Office of the Trade Register, National Agency for Cadastre and Real Estate Advertising, National Authority for Supervision of Personal Data Processing, Territorial Labor Inspectorate National Administration Agency Fiscal), upon request or for the purpose of reporting a real or suspected violation of the applicable regulations.
- Other persons within the entity you represent / in which you work/ are registered.
- Other external professional consultants of the Operator or who can ensure the observance of the interests, rights and freedoms of the Operator or can provide related support (eg mediators, industrial property advisers, bailiffs, notaries public, translators, engineers, designers, architects), with the condition of observing the professional or contractual obligations of confidentiality.
- Entities that provide security, protection, monitoring, intervention services to the Operator.
- Entities with which the Operator collaborates for the implementation of social responsibility and social dialogue actions (eg orphanages, foundations).
- Relevant persons for the correspondence received by the Operator or other persons involved in the projects in connection with which the correspondence took place or their consultants.
- Entities involved in (potential) acquisition/ sale of assets and/ or association in connection with assets, merger, absorption, division or other similar operations in which the Operator is involved or has an interest.
- Other relevant entities for the purpose of preventing, investigating, identifying or prosecuting crimes, executing criminal sanctions, including for the purpose of preventing and countering threats to public security.
We may pass on personal data to other entities to whom you consent in advance or request that we disclose your personal data.
(6) TRANSFER OF PERSONAL DATA
The Operator’s activities require in certain situations the transfer of personal data abroad. By way of example, transfers of personal data to third countries may take place: (i) in the event of disputes or analyzes by an authority the importance of which informs shareholders or insurers or co-opts foreign consultants; (ii) in the case of potential sales or purchases of shares or assets involving parties or consultants abroad; (iii) in the situation of collaborations or potential collaborations with service providers or other commercial partners that carry out their activities abroad; (iv) in the case of collaborations with IT service providers, information services or which support the provision by the Operator of certain facilities (eg login to the account related to an Operator’s website through another service, owned by another entity).
In such situations, the Operator and/ or his authorized persons may transfer personal data to international organizations or third countries that may have different legislation and different compliance requirements for the protection of personal data than those applicable in Romania and other Member States. of the European Economic Area.
In order to protect personal data when they are transferred to states outside the European Economic Area or to international organizations, the Operator provides adequate guarantees and compliance with other legal provisions. Thus, the transfer of personal data can be done on a case-by-case basis based on one of the following guarantees:
- decision of the European Commission recognizing the adequacy of the protection of personal data vis-à-vis a third country, a territory or one or more specified sectors of that third country or international organization.
The list of countries and territories against which such a decision has been issued is available (here) (with the help of this address you can also consult the respective decisions).
- EU-US privacy shield;
The text of the agreement representing the EU – US Privacy Shield can be consulted (here).
- the standard personal data protection clauses adopted by the European Commission,
The standard texts of these tools can be consulted (here).
- standard personal data protection clauses adopted by a supervisory authority from a Member State of the European Union and approved by the European Commission.
- mandatory corporate rules.
- a code of conduct approved in accordance with Article 40 of the RGPD, by the competent supervisory authority of a Member State of the European Union and, where appropriate, with the opinion of the European Data Protection Board on compliance with the RGPD of that code.
- certification mechanism approved in accordance with Article 42 of the RGPD, by the competent supervisory authority of a Member State of the European Union or by the European Data Protection Board.
In some cases, personal data may be transmitted in third countries or to international organizations and on the basis of specific grounds such as:
- the explicit prior consent of the relevant data subject in this respect, obtained, in accordance with the applicable legislation;
- the need for the transfer in order to protect the vital interests of the data subject or of other persons, when the data subject does not have the physical or legal capacity to express his / her consent;
- the need for the transfer for the execution of a contract between the data subject and the Operator or for the application of some pre-contractual measures adopted at the request of the data subject;
- the need for the transfer for the conclusion of a contract or for the execution of a contract concluded in the interest of the data subject between the Operator and another natural or legal person;
- the need for the transfer for important reasons of public interest;
- the need for the transfer in order to establish, exercise or defend a right in court.
(7) DURATION OF PERSONAL DATA STORAGE
The Operator shall take reasonable steps to ensure that personal data are processed only for the minimum period necessary for the purposes set forth in this Policy.
The criteria for establishing the period of time during which personal data are stored are generally (i) the duration of the contractual / collaboration relationship on the basis of which a service is provided / a good is provided / a facility is provided (eg subscription to newsletter; use of Wi-Fi; use of a web-site account), to which is added either (ii) the duration imposed by the applicable legislation (eg regarding financial-accounting documents, regarding archiving), regarding archiving – e.g. ., in the case of the documents that make up the personnel file), or (iii) the duration of a limitation period in accordance with the applicable law during which liability or other actions could be attracted by or against the Operator; (iv) until the withdrawal of your consent, in the case of processing based on this processing and if there is no exception, based on which the Operator may further process (and store) the relevant personal data or until the exercise, under the conditions and the applicable limits, of another right that would result in the cessation of the storage of (certain) personal data. An additional period of two months from the end of the periods (ii) or (iii) mentioned above may be necessary to ensure the removal/ anonymization of personal data from the Operator’s systems.
Regarding the personal data processed through the CCTV surveillance camera system, the Operator intends, as a rule, to keep the records for up to 30 days. In the situation of identifying a situation that requires the storage of personal data for a longer period of time (eg an illegal act is committed), the relevant video / personal data recording can be stored for a longer period of time. At the same time, there may be situations in which authorities or public institutions order that such records be stored in addition to the 30-day period. In such situations, the Operator takes into account the following criteria for storing personal data: (i) the durations provided in specific legislations or in order, decisions, binding documents issued to the Operator or which are opposable to him; (ii) until the cessation of the effects towards the Operator of an order, decisions or other binding act towards him.
(8) EXCLUSIVELY AUTOMATED DECISION-MAKING PROCESS, INCLUDING PROFILING
At present, we do not use exclusively automatic or profiling decision-making processes, based on which to issue decisions with legal effects that concern data subjects or that affect them in a similar way to a significant extent.
(9) RIGHTS OF THE PERSONS CONCERNED
According to the provisions of the RGPD, you benefit from the right to information on personal data processing, the right to access personal data, the right to rectify personal data, the right to delete personal data, the right to restrict the processing of personal data, the right to personal data portability, the right to in opposition to the processing of personal data, the right not to be subject to an automatic individual decision, including profiling, the right to file a complaint to the National Authority for Supervision of Personal Data Processing (ANSPDCP), and the right to withdraw consent at any time when processing is based on this basis.
These rights are not absolute, so they must be exercised within the limits described by the RGPD. In general, such limitations concern the conditions under which certain rights operate (eg the incidence of a certain processing ground or the lack of justifications of the prevailing Operator), and on the other hand may aim to ensure: (i) national security ; (ii) defense; (iii) public security; (iv) the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of criminal sanctions, including the protection against and prevention of threats to public security; (v) other important objectives of general public interest of the European Union or of a Member State, in particular an important economic or financial interest of the European Union or a Member State, including in the monetary, budgetary and fiscal fields and in the field of public health; and of social security; (vi) protection of judicial independence and judicial proceedings; (vii) prevention, investigation, detection and prosecution of ethical violations in the case of regulated professions; (viii) the function of monitoring, inspection or regulation related, even occasionally, to the exercise of official authority; (ix) the protection of the data subject or of the rights and freedoms of others; (x) the implementation of civil law claims.
If the requests from a data subject are manifestly unfounded or excessive, we may charge a reasonable fee or we may exercise our right to refuse to comply with the request.
Also, in order to ensure the protection of personal data, if we have reasonable doubts about the identity of the natural person submitting a request to exercise a right, we may request the provision of additional information necessary to confirm the identity of the data subject.
9.1. The right to information – the right to receive a minimum content of information regarding the processing of personal data performed by the Operator, in accordance with legal requirements.
9.2. Right of access – you can obtain from us, upon request and under the conditions established by law, a clarification on whether we process your personal data, and, if so, the right to obtain access or a copy of this personal data, as well as information on the specifics of processing.
The exercise of this right shall not affect the rights and freedoms of other data subjects.
9.3. Right to rectification of personal data – you can ask us to rectify your personal data that you consider incorrect/ inaccurate or, as the case may be, to complete your personal data that are incomplete, including by providing an additional statement.
9.4. The right to delete personal data (“right to be forgotten”) – you can request the deletion of personal data concerning you, without justified delays, in cases provided by law.
The right to the deletion of personal data knows the following limits / situations when it is not applicable: (i) the existence of another legal basis for the processing of personal data than the consent; (ii) the existence of our legitimate reasons prevailing with regard to the processing of relevant personal data; (iii) if the processing of relevant personal data involves the exercise of the right to free expression and information; (iv) in the case of the processing of relevant personal data, it implies the observance of a legal obligation or the fulfillment of a task executed in the public interest or within the exercise of an official authority; (v) for reasons of public interest in the field of public health; (vi) when relevant personal data are required for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes; (vii) in the case of the processing of personal data implies the ascertainment, exercise or defense of a right in court.
9.5. The right to restrict the processing – under certain conditions, insofar as the conditions provided by law are met, you can request the restriction of the processing of your personal data.
Such conditions in which this right is incidental are: (i) the data subject disputes the accuracy of personal data, for the period that allows us to verify the accuracy of personal data; (ii) the processing is illegal and the data subject objects to the deletion of personal data, requesting in return the restriction of their use; (iii) we no longer need the processing of personal data for the purpose for which they were collected, but the data subject requests that personal data for the establishment, exercise or defense of a right in court; (iv) the data subject has objected to the processing in accordance with Article 21 (1) of the RGPD, for the period during which we verify whether there are legitimate reasons of ours that prevail over the interests, rights and freedoms of the data subject.
At the same time, if the above conditions are met, such personal data may be processed except for storage by us only with the consent of the relevant data subject or to establish, exercise or defend a right in court or to protect the rights of another natural or legal persons or for reasons of important public interest of the European Union or of a Member State of the European Union.
9.6. The right to the portability of personal data – insofar as we process personal data by automatic means and the basis of processing is the consent or execution of the contract, you can request us, in accordance with the law, (i) to provide your personal data you have provided in a structured form, currently used and which can be read automatically, as well as (ii) to transmit this data to another data operator, insofar as the conditions provided by law are met.
The exercise of this right shall not affect the rights and freedoms of other data subjects. At the same time, this right does not apply to the processing of personal data necessary for the performance of a task performed in the public interest or in the exercise of official authority with which we could be invested.
9.7. The right to oppose – you can oppose at any time, for good and legitimate reasons related to your situation. particular, as personal data intended to be processed if, for example, the basis of processing is the legitimate interest, unless we have legitimate reasons that prevail over the interests, rights and freedoms of the data subject;
Also, if your personal data is processed for the purpose of direct marketing activities, you have the right to oppose this processing, including profiling at any time and without any justification.
This right also entitles you to object, for reasons related to your particular situation, if your personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) of the RGPD. the processing of such personal data, unless the processing of such personal data is necessary for the performance of a task for reasons of public interest.
9.8. The right not to be subject to an automatic individual decision, including profiling – the right not to be subject to a decision based solely on automatic processing, including the creation of profiles, which produces legal effects concerning it or affects it in a similar way significant.
This right does not apply if the respective decision: (i) is necessary for the conclusion or execution of a contract between you and the Operator; (ii) is authorized by European Union law or the law of a Member State of the European Union which applies to us and which also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; (iii) is based on your explicit consent.
9.9. The right to file a complaint with a National Supervisory Authority for Personal Data Processing – if you consider that the processing of your personal data violates RGPD, you have the right to file a complaint with a national data processing supervisor personal data, in particular to the authority of the Member State of the European Union in which you have your habitual residence, place of work or where you consider that the alleged breach of the RGPD has taken place.
The exercise of this right is without prejudice to the possibility of addressing justice.
Contact details are as follows:
National Authority for the Supervision of Personal Data in Romania.
Blvd G-ral. Gheorghe Magheru 28-30 Sector 1, postal code 010336, Bucharest, Romania.
9.10. Withdrawal of consent – you can withdraw your consent at any time regarding the processing of your personal data on the basis of consent.
Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal.
Regarding the processing of personal data for direct marketing purposes, you can always withdraw your consent by expressing your option not to receive this information in the future and by clicking on the “Unsubscribe” button when you receive such an e-mail (in addition to the possibility to write to email@example.com).
To exercise the above rights, you can address the Operator at the e-mail address: firstname.lastname@example.org fax: 021 311 81 36, postal address: Blvd. Vasile Milea, no. 4E, et. 2, sector. 6, Bucharest.
ANNEX 1 BASIC DEFINITIONS
According to the General Data Protection Regulation, the terms below have the following meaning:
- “personal data” means any information regarding an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifying element, such as a name, an identification number, location data, an online identifier, or one or more many specific elements, specific to his physical, physiological, genetic, mental, economic, cultural or social identity;
- “operator” means the natural or legal person, public authority, agency or other body which, alone or together with others, establishes the purposes and means of processing personal data;
- “person empowered by the operator” means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the operator;
- “ANSPDCP” means the National Authority for the Supervision of Personal Data Processing in Romania, as an independent supervisory authority in Romania within the meaning of RGPD authorized to supervise the observance of the applicable regulations regarding the protection of personal data;
- “processing” means any operation or set of operations performed on personal data or personal data sets, with or without the use of automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consulting, use, disclosure by transmission, dissemination or provision in any other way, alignment or combination, restriction, deletion or destruction;
- “special personal data” means personal data that reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership and the processing of genetic data, biometric data for the unique identification of a natural person, health data or data on the sexual life or sexual orientation of an individual;
- “mandatory corporate rules” means the policies on the protection of personal data which must be complied with by an operator or a person authorized by the operator established in the territory of a Member State of the European Union, regarding transfers or sets of transfers of personal data to an operator or a person authorized by the operator in one or more third countries (which are not members of the European Union) within a group of undertakings or a group of undertakings engaged in a joint economic activity;
- The “EU-US Privacy Shield” is a legal framework for the transfer of personal data from the EU to a US entity, provided that the entity complies with a number of strict rules and guarantees when processing this personal data received.