TABLE OF CONTENTS:
CAP. I. Purpose of the data protection policy
CAP. II. Scope and change of data protection policy
CAP. III. Principles of personal data processing
Art. 1. Correctness and legality
Art. 2. Restriction on a certain purpose
Art. 3. Transparency
Art. 4. Data reduction and data economy
Art. 5. Deletion
Art. 6. Accuracy and timeliness of data
Art. 7. Confidentiality and data security
CAP. IV. Reliability of data processing
Art. 1. Data of clients and partners
Art. 1.1 Data processing for a contractual relationship
Article 1.2. Data processing for advertising purposes
Art. 1.3 Consent to data processing
Art. 1.4 Data processing based on a legitimate interest
Art. 1.5 Processing of sensitive data
Art. 1.6 Automated individual decisions
Art. 1.7 User data and internet
Art. 2. Employee data
Art. 2.1 Data processing for the employment relationship
Article 2.2. Data processing based on a legitimate interest
Art. 2.3 Processing of sensitive data
Art. 2.4 Automatic decisions
Art. 2.5 Telecommunications and internet
CAP. V. Transmission of personal data
CAP. VI. The rights of the data subject
CAP. VII. Processing confidentiality
CAP. VIII. Processing security
CAP. IX. Data protection control
CAP. X. Data protection incidents
CAP. XI. Responsibilities and sanctions
CAP. XII. Responsible for the protection of personal data
CAP. XIII. Definitions
CAP. I. Purpose of the data protection policy
As part of its social responsibility, S.C. REGIO IMPEX S.R.L is committed to complying with national and international data protection laws. This data protection policy is applied in the company REGIO IMPEX S.R.L and is based on accepted principles at European and global level on data protection. Ensuring data protection is the foundation of reliable business relationships and the reputation of our company.
The data protection policy provides the framework conditions necessary to ensure the adequate level of data protection provided by Regulation no. 679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
CAP. II. Scope and policy change
This personal data protection policy applies to REGIO IMPEX S.R.L and their employees.
The data protection policy extends to all processing of personal data.
Anonymized data, where available, used e.g. for statistical evaluations or other studies, are not subject to this data protection policy.
The policy is reviewed annually and the latest version approved by the CEO will be immediately available to both employees and customers and business partners.
CAP. III. Principles for the processing of personal data
Art. 1. Correctness and legality
When processing personal data, the individual rights of data subjects must be protected. Personal data must be collected and processed legally and correctly.
Art. 2. Restriction on a certain purpose
Personal data may be processed only for the purpose defined before the data collection and communicated to the data subject. Subsequent changes to the scope are only possible to a limited extent and require a solid rationale.
Art. 3. Transparency
The data subject must be informed of how his or her data is treated. In general, personal data must be collected directly from the person concerned. When data is collected, the data subject must either already know or be informed about:
Data controller identity (the company that collects the data)
Purpose of data processing
Third parties or categories of third parties to whom the data may be transmitted
Art. 4. Data reduction and data minimization
Before processing personal data, you must determine whether and to what extent the processing of personal data is necessary to achieve the purpose for which it is carried out.
Where the purpose allows and where the costs involved are proportionate to the objective, anonymous data should be used. Personal data may not be collected in advance and stored for potential future purposes, unless required or permitted by national law.
Art. 5. Deletion
Personal data that is no longer needed after the expiration of the legal or business process must be deleted. There may be situations in which the legal interests oblige to keep these data for predefined terms. In this case, the data must remain in the files until the legal obligations expire.
Art. 6. Accuracy and timeliness of data
The personal data collected must be accurate, complete and, if necessary, updated. Steps must be taken at all times to ensure that inaccurate or incomplete data is deleted, corrected, supplemented or updated.
Art. 7. Confidentiality and data security
Within the company REGIO IMPEX S.R.L personal data are considered confidential information and are protected by appropriate organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
CAP. IV. Reliability of data processing
The collection, processing and use of personal data is permitted on the basis of the following legal grounds, also if the purpose of the collection, processing and use of personal data must be changed from the original purpose.
Art. 1. Data about customers and partners
Art. 1.1 Data processing for a contractual relationship
The personal data of potential customers, existing customers and partners can be processed in order to conclude, execute and complete a contract. It also includes consulting services for the partner if this is related to the contractual purpose. Prior to a contract, during the start-up phase – personal data may be processed to prepare tenders or other documents that meet different requirements of the perspective related to the conclusion of the contract. People can be contacted during the contract preparation process using the personal information they have provided. Any restrictions requested by potential customers must be observed.
Art. 1.2 Data processing for advertising purposes
If the data subject contacts the company REGIO IMPEX S.R.L to request information (eg to receive informative materials about a product), the processing of data to respond to this request is allowed.
Advertising actions are subject to additional legal requirements. Personal data may be processed for advertising, market research and public opinion purposes, provided that such processing is carried out in accordance with the purpose for which the data was originally collected. The data subject (data subject) must be informed of the use of his data for advertising purposes. If the data is collected for advertising purposes only, disclosure by the data subject is voluntary. The data subject must be informed that the provision of personal data for processing for advertising purposes is voluntary and that consent must be obtained from the data subject for the processing of those data for advertising purposes. When consent is given, the data subject should be able to choose between available forms, such as pre-printed printed forms, the transmission of consent by e-mail and telephone (Consent, see Chapter IV Art. 1.3).
If the data subject refuses to use his / her data for advertising purposes, his / her data may no longer be used for these purposes and must be blocked for use for these purposes.
Art. 1.3 Consent for data processing
The data may be processed with the consent of the data subject. Before giving his consent, the data subject must be informed in accordance with the provisions of Chapter III of art. 3. about this data protection policy. Declaration of approval – consent must be obtained in writing or in electronic format and kept for documentation purposes.
In certain circumstances, such as telephone conversations, consent may be given orally. Consent must be documented.
Art. 1.4 Data processing based on a legitimate interest
Personal data may also be processed on the basis of a legitimate interest of REGIO IMPEX S.R.L. Legitimate interests are generally of a legal nature (eg collection of unpaid debts) or of a commercial nature (eg avoidance of breaches of contract). Personal data may not be processed for the purpose of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject need protection and that he has priority.
Art. 1.5 Processing of sensitive data
Highly sensitive personal data can only be processed if the law requires it or the data subject has given his or her express consent. This data may also be processed only if it is mandatory for the fulfillment, exercise or defense of the legal claims concerning the data subject. If there is an intention to process sensitive data, the person responsible for the protection of personal data must be informed in advance.
Art. 1.6 Automatic individual decisions
The automatic processing of personal data, which is used to assess certain aspects, cannot be the only basis for decisions which have negative legal consequences or which could significantly affect the data subject. The data subject must be informed of the facts and results of the individual automated decisions and has the opportunity to respond. To avoid erroneous decisions, a test and a plausibility check must be done by an employee.
Art. 1.7 User and internet data
If personal data is collected, processed and used on websites or in applications, data subjects must be informed of this in an Information Note and, where applicable, information on cookies. The information note and any information about cookies must be integrated so that it is easy to identify, directly accessible and constantly available to the data subjects.
If usage profiles (tracking) are created to assess the use of websites and applications, data subjects should always be properly informed in the information note.
Where sites or applications can access personal data in an area limited to registered users, the identification and authentication of the data subject must provide sufficient protection during access.
Art. 2. Employee data
Art. 2.1 Data processing for the employment relationship
In employment relationships, personal data may be processed if necessary to initiate, perform and close the employment contract. When initiating an employment relationship, the personal data of the applicants can be processed. When the candidate is rejected, his / her data must be deleted (in accordance with the required retention period), unless the applicant has agreed that his / her data will remain in the file for a future selection process.
It is also necessary to give consent to use the data when it is desired to continue the application processes.
In the existing employment relationship, the purpose of the data processing must always correlate with the purpose of the employment contract if there are none of the following circumstances for the processing of the authorized data.
If it is necessary to collect information about an applicant from a third party during the application procedure, the corresponding legal requirements must also be complied with.
Art. 2.2 Data processing based on a legitimate interest
Personal data may also be processed if it is necessary to support a legitimate interest of REGIO IMPEX S.R.L. Legitimate interests are generally of a legal nature (eg filing, enforcing or defending against legal complaints, recovering claims, etc.).
Control measures that require the processing of employee data can only be taken if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must always be examined. The company’s justified interests in enforcing control measures (eg compliance with the company’s legal provisions and internal rules and regulations) must be weighed against any employee’s interests that need to be protected so that control measures are appropriate.
Art. 2.3 Processing of sensitive data
Sensitive personal data can only be processed under certain conditions. These are data on racial and ethnic origin, political beliefs, religious or philosophical beliefs, as well as on the health and sexual orientation of the data subject or data relating to the criminal record. Such data may be processed when there are legal obligations or when we have the express consent of the data subject.
Art. 2.4 Automatic decisions
If, at some point, personal data are processed automatically as part of employment relationships and certain specific personal data are evaluated automatically (for example, in the selection of staff or in the evaluation of skills profiles) decisions that could have a negative impact on that employee. To avoid erroneous decisions, the automated process must be assisted by a natural person who assesses the content of the situation and this assessment is the basis of the decision. The data subject must also be informed of the facts and results of the automated individual decisions and of the possibility to respond.
Art. 2.5 Telecommunications and internet
Telephone equipment, e-mail addresses, intranet and internet along with internal applications are provided by the company primarily for work-related tasks. They are a tool and a resource of the company. They can be used in the applicable legal regulations and internal company policies. In the case of authorized use for personal purposes, the provisions of the internal regulations and procedures and the specific telecommunications legislation shall be taken into account.
There will be no general monitoring of telephone and e-mail communications or intranet / internet use. To protect against attacks on IT infrastructure or individual users, protection measures can be implemented for network connections used by REGIO IMPEX S.R.L that block technically harmful content or analyze attack patterns. For security reasons, the use of e-mail addresses, intranets / internet and internal applications may be monitored for a temporary period.
The evaluations of these data regarding a certain person can be made only in a concrete case, justified by the suspicion of violation of the laws or policies of the company REGIO IMPEX S.R.L. Evaluations may be carried out only by the committee of inquiry, while ensuring compliance with the principle of proportionality.
CAP. V. Transmission of personal data
The transmission of personal data to the recipients within the company REGIO IMPEX S.R.L is subject to the authorization requirements for the processing of personal data, and the beneficiary of the data must use the data only for the defined purposes.
CAP. VI. The rights of the data subject
Each data subject has the following rights and their assertion must be processed immediately by the data protection officer and cannot constitute a disadvantage for the data subject.
Art.1. The data subject may request information on what personal data concerning him or her have been stored, how the data were collected and for what purpose. If there are additional rights to view the employer’s documents (for example, the personnel file) in the case of employment relationships in accordance with the relevant employment laws, they will not be affected.
Art. 2. If personal data are transmitted to third parties, information on the identity of the recipient or categories of recipients must be provided.
Art. 3. If the personal data are incorrect or incomplete, the data subject may request their correction or completion.
Art. 4. The data subject may object to the processing of his data for purposes of publicity or market research or opinion. Data must be locked for these types of uses.
Art. 5. The data subject may request the deletion of his data if the processing of these data has no legal basis or if the legal basis has ceased to apply. The same applies if the purpose of the data processing has expired or has ceased to be applicable for other reasons. Attention will be paid to retention periods and possible conflicts of interest.
Art. 6. The data subject has the right to oppose the processing of his data and this must be taken into account if the protection of his interests has priority over the interest of the data controller following a specific personal situation. This does not apply if there is a legal provision requiring the data to be processed.
CAP. VII. Processing confidentiality
Personal data is considered confidential. Any unauthorized collection, processing or use of this data by employees is prohibited. Any data processing performed by an employee who has not been authorized to perform it, as part of his legitimate duties, is unauthorized.
Employees are prohibited from using personal data for private or commercial purposes, disclosing it to unauthorized persons or making it available in any other way.
Heads of departments and the Human Resources department must inform their employees at the beginning of the employment relationship about the obligation to protect the confidentiality of personal data and information. This obligation remains in force even after the end of the employment period.
CAP. VIII. Processing security
Personal data must be protected against unauthorized access and unlawful processing or disclosure, as well as accidental loss, alteration or destruction. This applies whether the data is processed electronically or on paper. Prior to the introduction of new data processing methods, in particular new information systems, technical and organizational measures for the protection of personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing and the need to protect data.
CAP. IX. Data protection control
Compliance with personal data protection policy and applicable data protection laws is regularly verified through data protection audits and other controls. The performance of these controls is the responsibility of the Personal Data Protection Officer.
The results of the data protection checks must be reported to the general manager of REGIO IMPEX S.R.L.
Upon request, the results of the data protection controls shall be made available to the supervisory authority responsible for data protection. The data protection authority may carry out its own checks in accordance with national law.
CAP. X. Data protection incidents
All employees must immediately inform the Head of Department or the Data Protection Officer of breaches of this Data Protection Policy or other personal data protection regulations (Data Protection Incidents).
In cases of
Improper transmission of personal data to third parties,
Inadequate access by third parties to personal data or
Loss of personal data
the reports required by the company through the procedures for reporting and managing information security incidents must be made immediately, so that all reporting obligations can be complied with in accordance with national law.
CAP. XI. Responsibilities and sanctions
The executive functions (heads of departments) in the company are responsible for processing the data in their area of responsibility. Therefore, they are obliged to ensure that the legal requirements for data protection and those contained in the personal data protection policy are met. Management staff is responsible for ensuring organizational, technical and human resources measures so that any data processing is carried out in accordance with data protection. Compliance with these requirements is the responsibility of each relevant employee. If the Supervisory Authority carries out a data protection control, the Data Protection Officer must be informed immediately.
The person responsible for personal data protection is the contact person displayed on the site for data protection relations (e-mail: dpo@regioimpex.ro). It can perform checks and must familiarize employees with the content of data protection policies.
The responsible departments must inform the Personal Data Protection Officer in due time about a new processing of personal data. For the processing of data which may present special risks for the individual rights of data subjects, the Data Protection Officer must be informed before the processing begins. This is especially true for extremely sensitive personal data.
Improper processing of personal data or other violations of data protection laws leads to the bearing of sanctions provided by internal regulations, EU Regulation no. 679/2016 and the legislation in force.
CAP. XII. Responsible for the protection of personal data
The person in charge of personal data protection, being internally independent from the professional subordination, works in order to comply with national and international data protection regulations. He is responsible for the data protection policy and oversees its compliance. The person responsible for personal data protection is appointed by the management of REGIO IMPEX S.R.L.
The heads of departments have the obligation to promptly inform the Personal Data Protection Officer about the occurrence of any risks of personal data protection.
Any data subject may contact the Data Protection Officer at any time to ask questions, request information or lodge complaints regarding data protection or personal data security issues. If there are requests, complaints will be treated confidentially.
If the Data Protection Officer concerned cannot resolve a complaint or remedy a breach of data protection policy, advice will be sought from the Supervisory Authority.
Decisions taken by the Data Protection Officer to remedy data protection breaches must be supported by the company’s management. Investigations and controls carried out by the Supervisory Authority must always be reported to the company’s management.
CAP. XIII. Definitions
➢ Consent is the voluntary agreement, expressly and unequivocally expressed, legally binding for data processing.
➢ Data protection incidents are any events in which there are justified suspicions that personal data are captured, collected, modified, copied, transmitted or used illegally. This refers to the actions of third parties or employees.
➢ The data subject in this data protection policy is any natural person whose data can be processed.
➢ Extremely sensitive data are data about racial and ethnic origin, about political, religious or philosophical opinions, membership of organizations, criminal record data or the health and sexual orientation of the data subject.
➢ Personal data represents all the information about a certain natural person that can lead to its identification.
➢ Processing of personal data means any operation or set of operations performed on personal data or personal data sets, with or without the use of automated means, such as collection, registration, organization, structuring, storage, adaptation or modification , extracting, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, comparing, restricting, deleting or destroying.
➢ The processing of personal data is necessary if the permitted purpose or justified interest could not be achieved without personal data or only at exceptionally high costs.
➢ Third parties are anyone except the data subject and the data controller.
➢ The transmission is a disclosure of personal data protected by the responsible entity to third parties.