Policy on personal data processing
Last updated: 22 June 2019
The General Data Protection Regulation (GDPR) has been applied throughout the European Union since May 25, 2018.
The protection of your personal data is important to us, therefore we pay special attention to protecting the privacy of all those who have made their data available by participating in our campaigns, personally to process a request, as well and those whose personal data have been provided to us by a third party or accessed from another source in accordance with European Parliament Regulation (EU) 2016/679 and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter referred to as “GDPR”).
Please pay special attention to observing the following Policy to understand how your personal data will be processed.
This Policy explains the practices of KRESTON ROMANIA SRL (hereinafter referred to as “KRESTON”), concerning the application of GDPR provisions, as well and the rights you receive on how your information is processed by KRESTON ROMANIA SRL.
The processing of personal data by KRESTON will always be executed in accordance with GDPR and other personal data protection regulations./p>
By the means of this Policy, KRESTON wishes to inform the data subjects about the nature of the personal data we collect and process, as well as about the purposes of the processing. In addition, the data subjects are informed through the Policy and on the rights they have.
WHO WE ARE?
We are KRESTON ROMANIA SRL, a Romanian legal person having its registered office in 165 Splaiul Unirii, TN Offices 1, Floor 7, Office no. 2, Sector 3, Bucharest, Romania, registered at the Trade Register Office at Bucharest Tribunal under no. J40/17/1996, having fiscal code no. 8025280.
THE DATA PROTECTION OFFICER (DPO)
KRESTON ROMANIA SRL, acting as a personal data controller, has appointed BATTLEGROUP SRL as Data Protection Officer (hereinafter referred to as “DPO”), having the obligation to verify compliance with the GDPR provisions in the data processing operations performed by the operator and representing the operator in relation to the data subjects and the Supervisory Authority.
Interested individuals have the opportunity to address the DPO directly at any time in any matter related to this Policy using the contact details below:
DPO name: BATTLEGROUP SRL
DPO Email: firstname.lastname@example.org
DPO mailing address: Splaiul Unirii nr. 165, TN Offices 1, Etaj 7, Biroul nr. 2, Sector 3, Bucuresti, Romania
WHAT MEANS PERSONAL DATA?
“Personal data” means any information or information that can identify you directly (for example, your name) or indirectly (for example, by pseudonymised data such as a unique identifier). This means that personal data includes things like email address, home address, mobile phone, username, profile photos, personal preferences and shopping habits, user-generated content, financial information, and financial status information. This could include unique numeric identifiers, such as your computer’s IP address or the MAC address of your mobile device, as well as cookies.
WHAT DOES THE PROCESSING OF PERSONAL DATA MEAN?
“Processing” means any operation or set of operations performed on personal data or on personal data sets with or without the use of automated means such as collecting, recording, organizing, structuring, storing, adapting or modifying, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
WHAT TYPES OF PERSONAL DATA WE PROCESS?
The personal data processed by us belong to two categories of natural persons: the employees of the company, situation in which we will be the personal data controller , and the employees of the companies with which we have concluded service contracts, in which case we will have the quality of processor of personal data on behalf of the controller.
A. For company employees,we process the following personal data categories as controller:
(i) name and surname;
(ii) personal identification number;
(iii) Series and number of the identity card/passport;
(iv) address of domicile and / or residence;
(v) date of birth; (vi) signature;
(vii) contact details (phone number, e-mail address);
(viii) copies of identity and civil status documents;
(ix) copies of studies and qualifications documents;
(x) data on health status;
(xi) bank account number.
B. For the employees of the companies with which we have concluded service contracts, we process as the processor of the controller one or more of the following categories of personal data:
(i) name and surname;
(ii) personal identification number;
(iii) series and number of the identity card/passport;
(iv) address of domicile and / or residence;
(v) data on current employment / occupied position/function;
(vi) data on the history of the professional activity, studies and qualifications obtained
(vii) data on health status;
(viii) financial data;
(ix) bank account number.
In the event of labor accidents involving employees of companies with whom we have concluded service contracts, in addition to the items in point B above, we will also process data on civil status, contact details (telephone number and e-mail) as well as data on the family situation of the individuals concerned.
PERSONAL DATA CONTROLLER
The Personal Data Controller (hereinafter referred to as the “controller”) is KRESTON.
PRINCIPLES ON DATA PROCESSING
KRESTON is obliged to comply with the principles of personal data protection (hereinafter referred to as the “Principles”) provided by GDPR to ensure that all data is:
1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
4. accurate and, where necessary, kept up to date;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
6. processed in regard to the natural person’s rights, in a manner that ensures appropriate security of the personal data, in order for the data keep its integrity, confidentiality and availability .
THE LEGAL GORUND AND THE PURPOSE OF PERSONAL DATA PROCESSING
1. For the purpose of concluding and executing contracts – According to art. 6 par. 1 lit. b) GDPR, personal data may be processed for the purpose of concluding or executing the contract. In order to be able to offer you our products and services, we need to process personal data that you own.
2. For the purpose of fulfilling legal obligations – According to art. 6 par. 1 lit. c) GDPR, we may process personal data for the purpose of fulfilling legal obligations. We request a series of personal data, including, in some cases, the personal numeric code, in order to meet the tax authorities’ obligations regarding invoicing and reporting to tax authorities.
3. For marketing purposes – According to art. 6 par. 1 lit. a) GDPR may process personal data if the data subject has given his / her consent to the processing of his / her personal data for one or more specific purposes. Thus, in some situations, your personal data will be used to send you marketing messages, offers, news, upcoming campaigns, or invitations to various events.
4. In order to exercise a legitimate interest of the personal data controller – According to art. 6 par. 1 lit. f) GDPR, for conducting the economic activity of the company, as processor for the personal data controllers.
PROCESSING THE CONTACT FORM
KRESTON will use the information you provide to us in various ways (by telephone, fax, e-mail, website or mail) solely for the purpose of meeting your request.
By providing any personal data for commercial purposes, you understand and you agree that your data will be processed in accordance with the provisions of this policy.
Please note that in order to be able to process your requests submitted by any of the contact methods, it is possible that under certain circumstances, we will have an obligation to disclose your data to our partners and / or other any third party service providers of KRESTON.
However, KRESTON has adopted technical measures and organizational tools to ensure the security of data transfer, as well as for processing in accordance with the GDPR requirements of your data by the abovementioned entities.
KRESTON undertakes not to process personal data provided for purposes other than the one for which they were transmitted, except where your express consent to use them and for other purposes.
It is also possible for KRESTON to have access to other personal data, obtained by your interactions with KRESTON, for example by processing the data communicated by telephone conversations, e-mail conversations, visits at our headquarters to obtain information, etc.
By contacting KRESTON in any way specified above, or any other method that involves a mediated or direct communication between you and KRESTON, you understand and agree that your data will be processed in accordance with the provisions of this Policy.
DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
Personal data processed by KRESTON will be disclosed and / or transferred to third parties only if your express consent to doing so exists, except where there is a legal / contractual obligation to KRESTON to do so.
Please be aware that it is possible under certain circumstances for KRESTON to be obliged under law to disclose your personal data to public/state authorities, partners of KRESTON and / or other third party service providers of KRESTON.
DURATION OF DATA STORAGE
KRESTON will store the data processed for different periods of time deemed reasonable for the purposes indicated above. We keep your data only for the period necessary to reach the purpose for which we hold the data, to meet your needs or to fulfill our statutory obligations.
To set the duration of data storage, use the following criteria:
1. When acting as processor for the personal data controllers, we will retain personal data according to the instructions of the personal data controller, but always for the duration of the service contract ; we can also store personal data after termination of the service contract when we have a legal obligation to store the data;
2. If you contact us for a request, we retain your personal data for the duration of the processing of the request you.
3. If you have given us consent to process data for marketing purposes, we keep your personal information until you withdraw your consent or ask us to delete the data.
THE RIGHTS OF DATA SUBJECTS
According to GDPR, data subjects have a series of rights with respect to the personal data that KRESTON processes:
1. Right of access to processing data – You have the right to access our personal data. The first information will be provided without any charge. If you will need copies of the information already provided, it is possible we charge you a reasonable fee, taking into account the administrative costs of providing the information. All manifestly unreasonable, excessive or repeated requests may not receive an answer.
2. Right to data rectification – You have the right to ask for your data to be rectified if it is inaccurate or obsolete and / or you can request to complete the data if it is incomplete.
3. Right to erasure of data (“the right to be forgotten”) – In some cases, you have the right to obtain the deletion or destruction of your data. This is not an absolute right, because sometimes we may be obliged to keep your data for legal reasons.
4. The right to restrict the processing – You have the right to request restriction of your data processing. This means that your data processing is limited, so we can keep the data, but without the possibility for us process it. This right applies in the specific circumstances provided for in the General Data Protection Regulation, namely:
– the accuracy of the data is contested by the data subject (ie by you) for a period which allows the controller (ie KRESTON) to verify the accuracy of the data;
– Processing is illegal and the person concerned (ie you) opposes the deletion of the data and requests the restriction of their use;
– the operator (for example, KRESTON) no longer needs data for processing, but they are requested by the data subject (ie by you) for the establishment, exercise or defense of legal claims;
– the person concerned (ie you) raised objections to the underlying processing on legitimate grounds on the part of the controller (in this case KRESTON) under the verification whether the legitimate rights of the controller (KRESTON) exceed those of the data subject (ie you).
5. Right to data portability – You have the right to move, yes copy or do transfer the data that you interested from our base data into another. This applies only the data you provided when processing is based on your consent or based on a contract and is implemented by automatic means.
6. The right to object – You you may at any time oppose the processing of your data when such processing is based on a legitimate interest of the controller.
7. The right to withdraw your consent at any time – You may withdraw consent to the processing of your data when such processing is based on consent. The withdrawal of consent does not affect the lawfulness of processing on the basis of consent prior to its withdrawal.
8. The right to lodge a complaint with the competent supervisory authority – You have the right to file a complaint with the data protection authority of your country residence or domicile to challenge the data protection practices offered by KRESTON.
9. The right to oppose processing of your data for direct marketing purposes – You can give up our communication for direct marketing at any time.
10. The right not to be subject to a decision based solely on automated processing, including profiling – You you may at any time oppose the processing of your data by means of automated processing and/or profiling. At the present time, KRESTON does not process your data by automated means and does not use tour data for profiling.
You can exercise any of these rights as regards the personal data that KRESTON processes by making a simple request to KRESTON DPO. In such a situation, it is very possible to request proof of your identity.
We access, keep and provide your information to regulators, law enforcement authorities or other entities:
1. In response to a legal request, when we consider in good faith that the law requires us to do so. We may also respond to legal claims when we consider in good faith that the response required by the laws of that jurisdiction affects users in that jurisdiction and is in line with internationally recognized standards.
2. When we believe, in good faith, that it is necessary to: detect, prevent and to respond to acts of fraud, unauthorized use of any material belonging to us, violations of our terms or policies or other harmful or unlawful activities to protect us (including our rights, property or materials), you and others, including judicial investigations or investigations by regulatory authorities, or to prevent imminent death or injury. For example, if relevant, we provide information to and we receive information from third parties about the reliability of your account, to prevent fraud, abuse and other harmful activities within and beyond our materials.
The information we receive about you can be accessed and stored for a longer period of time when subject to a legal request or legal obligation, a government inquiry, or investigations into possible violations of our terms or policies, or in other cases to prevent damage.
KRESTON has adopted technical and organizational measures for data processing, updated in accordance with GDPR requirements, in order to protect your personal data against any unauthorized access, improper use or disclosure, unauthorized modification, accidental destruction or loss. All KRESTON employees and collaborators, as well as any third parties acting on their or KRESTON behalf, are required to respect the confidentiality of your information and the GDPR requirements, in accordance with the provisions of this policy.
UPDATING THE POLICY ON PROCESSING OF PERSONAL DATA
Please note that this policy may be subject to periodic content alterations.
Should this Policy be modified, you will be able to identify the timing of its update by the date mentioned at its beginning, under the Last Updated paragraph; please review the Revised Policy before choosing to continue using our materials.
The terms of this Policy are interpreted in accordance with applicable law.
If you have questions or concerns about how we treat and use your personal data or you want to exercise yourself any of your rights, please contact us by accessing our DPO contact details.