[Regarding the processing of personal data]
The purpose of this document is to inform you about our practices regarding the processing of personal data and to ensure a better understanding as regards the data we collect, the purposes and legal bases on which we process the data, the retention period and the possible data transfers, as well as your rights as a data subject.
Please read carefully the information presented in this document.
The Company complies with the legal provisions regarding the protection of personal data, including the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR” or “General Data Protection Regulation“).
Types of personal data
For the purposes referred bellow in this document, we can collect and process the following personal data: first and last name, function, company name of which you are a part, signature, e-mail address, telephone number, address of domicile, date and place of birth, personal identification number, no. and series, issuer or other information on identity cards, information regarding visits to the Company’s headquarters, IP addresses and other information as a result of your accessing and using the website www.ecro.ro.
Primarily we collect personal data directly from you when:
- You communicate with a representative of the Company regarding the products and services of the Company or other information that may be of interest to you;
- You request information from the Company or its representative by sending a request for information, a complaint or a request for an offer;
- You or the company you represent, negotiate, conclude and/or carry out a contract with the Company;
- You access, use or interact with the website of the Company www.ecro.ro;
- You make a visit, regardless of its purpose, at the headquarters of the Company.
In certain situations, we may collect personal data about you from third parties, such as: your employers, business partners, information providers, public sites and public authorities in order to comply with our legal obligations.
Purposes of the processing and legal bases for the processing
The Company processes your personal data for the following purposes:
- Communication with you as regards the products and services of the Company and other information of interest for you;
- Communication with you as regards the requests for specific information, complaints or requests for offers addressed to the Company or to one of its representative;
- Negotiation, conclusion and execution of a contract concluded by the Company with you or the company you represent, regardless of the quality you have in relation to this contract, namely legal representative, contact person, contract responsible, person responsible for execution, etc. Depending on the quality you have, your personal data may be processed prior to the conclusion of a contract and/or during its execution, in specific activities, such as: bidding, contracting, commercial activities, execution, communication, invoicing, etc.;
- Observance of legal and compliance obligations of the Company;
- Ensuring the operation and security of the Company’s headquarters and its assets, including IT systems and the website.
The processing of personal data is performed on the basis of at least one of the following legal bases:
- Processing is necessary for the conclusion and/or performance of a contract with you or to which you are a party;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
- Processing is based on your consent.
Where for the processing of special categories of personal data your prior and explicit consent is required according to the legal provisions, the processing of such data will be performed only after your prior and explicit consent.
Transfer of personal data
The Company may send your personal data, when it is necessary in the conduct of our businesses, to the following third parties:
- Companies that provide products and services to the Company, which are acting as processors of the Company in what concerns the processing of personal data;
- Companies that provide products and services to the Company, which do not process the personal data, but which may have access to them for the purpose of fulfilling the obligations or in relations with the Company;
- Public authorities and institutions, auditors and lawyers, whose activity implies the need to know such data or where the law requires the Company to make this disclosure.
Retention period of personal data
The Company will keep your personal data for the entire duration of the relation with you or the company you represent, as well as during the resolution of any legal claims or disputes for the purpose of realising the Company’s rights, if applicable, and also during the retention periods imposed by the applicable law.
At the expiry of the retention periods imposed by the applicable law, we will delete your personal data that we hold and/or take measures to anonymise the data in order to not permit your identification based on them, as the case may be, in compliance with the legal provisions.
Security of personal data processing
The Company implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, unauthorised alteration, disclosure or access, in particular if such processing involves data transmission within a network, as well as against any other form of unlawful processing. These measures ensure an appropriate level of security in relation to the risks posed by the processing, as well as to the nature of the personal data to be protected.
Transfers of personal data to third countries or international organisations
The Company may transfer personal data to third countries or international organisations in compliance with the provisions of GDPR.
In the case that your personal data are transferred outside the European Economic Area (“EEA”) to third countries that do not provide an adequate level of protection for the processing of personal data, the Company will make sure that any data transfer will take place based on a set of Standard Contractual Clauses or on any other mechanism with adequate guarantees, in accordance with the provisions of art. 44 – 49 of GDPR.
Rights of data subjects
As a data subject, you have the following rights regarding the processing of your personal data:
- The right to be informed – Art. 13 and 14 of GDPR. The data subjects have the right to know information on how the personal data concerning them are processed, such as: the identity of the data operator, the contact details of the data protection officer, the purposes and the legal bases of the processing, to whom the data will be disclosed or transferred, the rights of the data subjects regarding the processed data.
- The right of access to data – Art. 15 of GDPR. The data subjects have the right to obtain from the Company a confirmation whether or not the Company processes the personal data concerning them and, if so, to obtain access to the respective data and other useful information.
- The right to rectification – Art. 16 of GDPR. The data subjects have the right to obtain from the Company without undue delay the rectification or completion of the inaccurate or incomplete personal data concerning them.
- The right to erasure – Art. 17 of GDPR. The data subjects have the right to obtain from the Company the erasure of the personal data concerning them, without undue delay. There are exceptions to this rule, as for example the Company may refuse to execute a request for personal data erasure to the extent that processing is necessary for exercising the right of freedom of expression and information or for compliance with a legal obligation which requires processing by European Union or national law or for the establishment, exercise or defence of legal claims.
- The right to restriction of processing – Art. 18 of GDPR. This is a temporary right. For example, between the time the Company decides to erase certain data (personal data are no longer needed for the purposes of processing) and the effective erasure of the data, you have the right to send to the Company a request to oppose the erasure, motivating the fact that you need the data for the establishment, exercise or defence of legal claims. As a result of such a request, the Company will restrict the data processing (erasure) for a certain period of time.
- The right to data portability – Art. 20 of GDPR. The data subjects have the right to receive and reuse the personal data concerning them for their own purposes, within the various services of automated data processing. The data subjects have the right to have their personal data moved, copied or transferred from one IT environment to another.
- The right to object – Art. 21 of GDPR. The data subjects have the right to object to processing of personal data concerning them, for example where data are processed for direct marketing purposes, including profiling, or when the processing is done for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- The right not to be subject to a decision based solely on automated processing, including profiling – Art. 22 of GDPR, which produces legal effects concerning the data subject or similarly significantly affects him or her. The Company does not carry out such profiling to be followed by automated decisions with legal or similar significant effects on the data subjects. At the time when we make such profiling we will update this information.
- The right to file a complaint with the National Supervisory Authority for the Processing of Personal Data, registered office in 28-30 General Gheorghe Magheru Boulevard, District 1, postal code 010336, Bucharest, Romania, tel. +40.318.059.211 / +40.318.059.212, firstname.lastname@example.org.
Also, in the case that you have given your consent to the processing of your personal data, you may withdraw your consent at any time. The consent withdrawal will have effect for the future, starting with the time of withdrawal.
Please also consider the following:
Response period: The Company will try to respond to your request regarding the processing of personal data within 30 days and may extend this deadline for specific reasons, related to the complexity of your request. In all cases, if this period is extended, we will inform you about the extension period and the reasons that led to it.
Restricting the access: In certain situations, the Company may not be able to give you access to all or some of your personal data due to the application of some legal dispositions. If we refuse your request for access, we will inform you about the reason for the refusal.
Exercising of legal rights: In order to exercise your legal rights in accordance with the provisions of GDPR, please contact us in writing, using the contact details provided below in section Contact.
Changes to this policy