PERSONAL DATA PROTECTION POLICY


THE DATA CONTROLLER

Verdum Romania S.A., based in Oradea commune, Str. Octavian Goga, no. 5, Bihor county, Romania (hereinafter referred to as “the Operator”), processes personal data (hereinafter referred to as “DCP”), as an Operator, in the ways and for the purposes described in this DCP protection policy.

As of May 25, 2018, the General Regulation on the Protection of Personal Data (EU) 2016/679 (GDPR) entered into force. The GDPR is a single regulation, directly applicable in all member states of the European Union, and replaces Directive 95/46/CE and, implicitly, the provisions of Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data.

The Operator applies a DCP privacy and security policy in strict accordance with the provisions of the GDPR. As part of our commitment to respect the rights of natural persons whose personal data we process, we provide below relevant information regarding the manner, purpose, legal basis and duration for which we process personal data, as well as regarding your rights and how you can exercise them.

Through this policy, the Operator aims to give employees and future and current business partners the certainty that the processing of their personal data complies with the principles imposed and applied at the European level in the field of data protection.

The DCP protection policy applies to all personal information processed by or on behalf of the Operator.


TYPES OF DCP PROCESSED 

DCP processed by the Operator represents any information related to an identified or identifiable natural person, such as, but not limited to:

– name and surname, telephone number (landline and/or mobile), signature, email address, position held (legal representatives of business partners, persons responsible for the contract), marital status, home address, correspondence address, place of birth, date of birth, CNP, CI series and number, date of issue, photo, passport number and series, citizenship, data regarding the criminal record (where its acquisition is expressly provided by law), professional experience, data regarding the rights and obligations of the employee, information on how the employee exercises his duties, information on how the employee uses the logistics made available by the company, salary, benefits of any kind (including the data of dependent minors where assistance is granted on the occasion of a birth and/or holidays), accounts, studies, certifications, certificates, authorizations, professional experience, professional skills, medical condition, medical file, training file, psychological tests, work capacity, work accidents, disciplinary and/or criminal measures, information provided by the GPS of a car, the registration number of a vehicle, any other information listed in CVs and other documents resulting from the personnel recruitment process or made available voluntarily in the course of business/work relations, IP address, log files, court decisions, web cookies, etc.;

– the image or voice of the persons who act in the name and on behalf of the business partners, when they travel to the headquarters and/or work points of the Operator, premises that are equipped with video surveillance cameras;

– DCP of the persons who represent and/or act and/or sign documents, in the name and on behalf of the public authority/institution under control, at the headquarters and/or work points of the Operator: referents employed within the Trade Registry Office, ANAF inspectors, Environmental Authority inspectors, Competition Council inspectors, Personal Data Protection Authority inspectors, etc.;

– the data relating to the shareholder’s contribution to the company, the data relating to the shareholder’s participation in benefits and losses, the data relating to the rights and obligations of the individual shareholder and/or of the representative or proxy (in the case where the shareholder is a legal entity), information regarding the participation and method of exercising the vote of the shareholder in the general meetings (date of participation, place of participation, method of exercising the vote, comments made during the meeting, etc.), data regarding the shareholder’s bank account(s), data regarding the income obtained by the shareholder from the company.

DCP PROCESSING PURPOSES

– Initiating, developing or terminating a business/partnership relationship (e.g. pre-contractual verification activities, sending offers, receiving orders, partnership collaboration proposals, other activities aimed at establishing a contractual relationship, etc.).

– Carrying out personnel recruitment processes and/or fulfilling the legal obligations regarding the conclusion, execution and termination of professional partnership and/or work relationships.

– The security of persons, spaces and goods owned and/or used by the Operator. To protect this legitimate interest, the Operator can place under video surveillance the premises in which it carries out its business activity, to ensure the security and protection of persons and statutory patrimony. In exceptional cases, such as epidemics, pandemics, states of emergency or force majeure, the Operator may collect, in addition to the usual activity, data of a medical nature (sensitive data), location or route of the delegates or its own employees.

– Carrying out certain corporate operations (sale of shares, payment of dividends, registration of shareholders, appointment/termination of the mandate of administrators, auditors, etc.).

– Establishing, exercising or defending the legitimate business and legal rights or interests of the Operator or other affiliated persons before courts, bailiffs, public notaries, other public authorities, arbitral tribunals, mediators or other public or private bodies that resolve disputes, lawyers, our consultants or other natural or legal persons, public or private, who are involved in those actions, and/or fulfilling the obligations imposed by law or by an order of the competent Authority.

– Archival purposes.

– Statistical purposes.

LEGAL GROUNDS FOR DCP PROCESSING

The Operator and any person acting on behalf of the Operator, including affiliated entities, will process the data of the persons concerned based on the following legal grounds: 

– For the purpose of concluding, executing or terminating contracts in which the data subject is a party, or to take steps prior to the conclusion of the contract at the data subject’s request. Personal data may also be processed prior to the conclusion of a contract (for sending an offer, receiving an order, etc.).

– Based on the consent of the persons concerned. In this sense, the consent must be clear, given in a clear and explicit format that includes all the rights of the data subject (access, rectification, withdrawal of consent, etc.), including by electronic means or through an oral statement (e.g. during a telephone conversation). Thus, consent must be obtained for a specific personal data processing activity and for one or more specific purposes. Where consent is taken in electronic format, the pre-ticking of boxes related to the consent will make it invalid. The Operator will ensure that it can prove that the data subject has given consent for the processing of his data. The data subject has the right to withdraw consent at any time. The withdrawal of consent does not affect the legality of the processing carried out before its withdrawal.

– Data processing in accordance with the law. The DCP processing can take place on a basis in Union law/domestic law, the DCP processing being necessary to fulfill a legal obligation of the Operator.

– Data processing based on a legitimate interest pursued by the Operator or a third party. As an example, the Operator will be able to process personal data in order to prevent fraud and protect the company’s assets.

– Processing of sensitive data. The processing of special categories of personal data is prohibited except in situations where the data subject has given explicit consent for the processing of these categories of data or the processing is necessary for the purposes of preventive occupational medicine and/or in the enforcement/damage repair process. Exceptions to this are cases of epidemic, pandemic, force majeure or the state of emergency declared by the Government of Romania, when the processing of sensitive data of the persons concerned will be possible even without obtaining prior consent. In these situations, the legitimate interest of the Operator regarding the protection of its own or its employees’ health, as well as the statutory patrimony or the main, vital activities, will always prevail.

METHOD OF PROCESSING

The Operator will process personal data in accordance with the principles of legality, fairness and transparency.

Your personal data is processed through the following operations: collection, recording, organization, structuring, storage, consultation, adaptation or modification, use, dissemination, disclosure by transmission, retrieval, alignment or combination, restriction, erasure or destruction of data. Your personal data is subject to both hard copy and electronic processing.

The Operator will process the personal data for the period of time necessary to fulfill the purposes indicated above and, in any case, for not more than 10 years after the termination of contractual relations and not more than 2 years after the collection of the data for marketing purposes.

After 3 years have passed since the termination of the contractual relations, access to the data will be limited to the heads of departments.

If the Operator has a documented need to store the data for a period of time longer than 10 years (for example, if the deletion could compromise its legitimate right of defense or, in general, to protect the assets of its company), the data will be stored with access limited only to the head of the legal department, to guarantee the legitimate exercise of the Operator’s right to defense.

AUTOMATED INDIVIDUAL DECISIONS

In principle, the Operator does not resort to making decisions based exclusively on automatic data processing.

However, where a decision has been taken automatically, the Operator will implement measures to respect the rights of the data subjects (the intervention of a person to interpret the decision, the data subject’s right to express a point of view, the data subject’s right to appeal the decision).


DATA BENEFICIARIES

Your data can be accessed, for the purposes indicated in art. 2, by the following beneficiaries:

– the companies affiliated to the Operator, to the extent that this is necessary for processing, in accordance with the mandatory corporate rules adopted by the Operator;

– companies or other third parties (credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, audit firms, surveillance institutions, providers of security and video surveillance services, issuers of cards and meal tickets, courier services, IT services, etc.) that carry out activities on an outsourcing basis, on behalf of the Operator;

– public entities, for the fulfillment of legal obligations.

The transmission of personal data to the above-mentioned recipients will be made only on the basis of a commitment of confidentiality and of ensuring an adequate level of security on their part, which guarantees that personal data are kept safe and that their transmission is made in accordance with the law in force.

Without needing your explicit consent, the Operator can communicate your data for the purposes indicated in art. 2 to supervisory bodies, judicial authorities, insurance companies for the provision of insurance services, as well as entities to which communication is mandatory in terms of the law, for the fulfillment of the mentioned purposes.

DATA TRANSFERS 

Personal data is stored on servers located in the European Union. In any case, it is understood that, if this is necessary, the Operator will have the right to move the servers even outside the EU. In such a case, the Operator guarantees that data transfers outside the EU will be carried out in accordance with the laws in force, including through the inclusion of standard contractual clauses provided by the European Commission and the adoption of mandatory corporate rules for transfers within the group.

DATA STORAGE

The data processed by the Operator will be stored according to our DCP retention policy, the storage period being different depending on the purpose of use and the category of data. Our policy is based on the legal provisions in the field of civil law, the protection of personal data and the archiving of documents.

Regarding the analysis of browsing on our sites and your interactions with the sites, we will keep the data for a period of up to 3 years.

The Operator can delete your personal data when it considers that they are no longer necessary for the purposes and grounds for which they were processed.

THE INDIVIDUAL RIGHTS OF THE PERSONS CONCERNED

DCP must be processed in accordance with the individual rights of data subjects, such as:

– the right to request access to data, rectification or restriction of processing of personal data;

– the right to data portability;

– the right to be forgotten;

– the right to object to data processing;

– the right to withdraw consent;

– the right to object to automated decision-making;

– the right to lodge a complaint with an authority.

In order to respect the rights of the data subjects, the Operator can be contacted by e-mail, at protectia.datelor@green-group.ro, or by post, at the headquarters of VERDUM ROMÂNIA S.A. (Oradea, Str. Octavian Goga, no. 5, Bihor county, Romania).

DCP CONFIDENTIALITY 

When we process your data, we use technical and organizational measures to ensure the confidentiality, availability and correctness of your data.

We are continuously working to ensure that our security measures are kept at the highest level and we are committed to informing you in a timely manner in case of any security incidents that could present a significant risk to your rights.

DATA PROTECTION INCIDENTS

The Operator shall implement and maintain security incident management policies and procedures, notifying data subjects of any data security incident without undue delay.

The Operator will monitor, through the person responsible for data protection, new and ongoing risks related to the protection of personal data, immediately updating the relevant register of risks at the level of the Operator. 

If there is a breach of the security of personal data, the Operator will also notify the supervisory authority without undue delay and, if possible, no later than 72 hours from the date on which it became aware of it, unless it is likely to generate a risk to the rights and freedoms of natural persons.

LIABILITIES AND PENALTIES

It is the responsibility of all Operator personnel to immediately notify the Data Protection Officer of any violation of this policy. When the Data Protection Officer considers it necessary, it will inform the supervisory authority about these violations.

The heads of each department within the Operator will be responsible for data processing within their departments and will monitor new and ongoing data protection risks/update the relevant company-wide risk register. If a risk is reported, they will immediately report this to the general manager and the Data Protection Officer.

The heads of each department in which personal data is processed will inform the Data Protection Officer in good time about each new data processing.

The General Director, together with the Data Protection Officer, will ensure that an internal audit of the Operator is periodically carried out to verify the management of risks regarding confidentiality and data protection.

The competent supervisory authority must be notified/consulted whenever the Data Protection Officer has a legal obligation to do so. Also, in case of a control by the supervisory authority, the Data Protection Officer is notified immediately.

All employees of the Operator who work with personal data have the obligation to immediately inform the Data Protection Officer of any violation of this policy or other applicable legal regulations in the matter of which they have become aware.

Abusive processing of personal data will lead to the application of disciplinary sanctions, and may be punishable under the criminal legislation in the field.