SC RENOLITH SYSTEM SRL’S GENERAL POLICY REGARDING THE PROTECTION OF PERSONAL DATA

1. General presentation

Introduction

SC RENOLITH SYSTEM SRL processes personal data regarding natural persons. These may represent data regarding our customers, suppliers, business contacts, employees, and other people whom the Company has entered into a contract with or whom it is in contact with.

This Policy describes how personal data must be collected, used, and stored in order to comply with the company’s data protection standards – and also, to meet the condition of legality.

This control applies to all systems, people and processes that constitute the information systems of the organization, including directors, employees, suppliers and other third parties who have access to the systems of SC RENOLITH SYSTEM SRL.

The existence of the policy

This data protection policy ensures that SC RENOLITH SYSTEM SRL:

  • Is in compliance with personal data protection legislation and best practices at this level;
  • Safeguards the rights of the data subjects: for example partners, customers, employees;
  • How it stores and processes data of individuals;
  • Is protected from possible risks related to data security breaches.

1.2.1 Legislation on the protection of personal data

EU Regulation 679/2016 describes how companies, including SC RENOLITH SYSTEM SRL, have to process personal data. Significant fines are applicable if an infringement is considered to have been committed under the GDPR Regulation, which has the role of protecting the personal data of citizens of the European Union.

These rules apply regardless of whether the data is stored in electronic format, on paper or on other materials.

In order to be in compliance with the law, personal information must be collected and used correctly, stored securely, and must not be used illegally.

EU Regulation 679/2016 stipulates, inter alia, that personal data must:

  1. Be processed lawfully, fairly, and transparently to the data subject (“legality, fairness and transparency”);
  2. Be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (“purpose-related limitations”);
  3. Be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“minimizing the data”);
  4. Be accurate and, if necessary, be up-to-date; all necessary measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay (“accuracy”);
  5. Not be stored more than necessary (“legal storage limitations”);
  6. Be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction, or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”);
  7. Be processed in accordance with the rights of data subjects;
  8. Not be transferred outside the European Economic Area unless the territory / country where they are to be transferred ensures an adequate level of protection of personal data.

1.2.2 Definitions

There is a total of 26 definitions listed in the GDPR and it is not appropriate to reproduce them here. However, the most fundamental definitions of this policy are as follows:

Personal data: any information concerning an identified or identifiable natural person (‘data subject’)
Data subject: an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifying element, such as a name, an identification number, location data, an online identifier, or one or more elements specific to his physical, physiological, genetic, mental, economic, cultural or social identity
Processing: any operation or set of operations performed on personal data or personal data sets, with or without the use of automated means, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Operator: the natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the operator or the specific criteria for its designation may be laid down in Union or national law
Person authorized by the operator: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the operator

Principles regarding the processing of personal data

There are several fundamental principles on which the processing of personal data under the GDPR Regulation is based.

Personal data are:

  • processed lawfully, fairly, and transparently to the data subject (“legality, fairness and transparency”);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes shall not be considered incompatible with the original purposes, in accordance with Article 89 (1) (“purpose-related limitations”);
  • appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“minimizing the data”);
  • accurate and, where necessary, updated; all necessary measures must be taken to ensure that personal data which are inaccurate, related to the purposes for which they are processed, are deleted, or rectified without delay (“accuracy”);
  • kept in a form which allows identification of data subjects for a period not exceeding the period necessary to fulfil the purposes for which the data are processed; personal data may be stored for longer periods to the extent that they are processed exclusively for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes, in accordance with Article 89 (1), subject to the implementation of the appropriate technical and organizational measures provided for in this Regulation in order to guarantee the rights and freedoms of the data subject (“storage restrictions”);
  • processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”).

SC RENOLITH SYSTEM SRL will ensure that it respects all these principles both in the processing operation that it is currently carrying out and as part of the introduction of new processing methods, such as the new information systems.

The rights of the data subject

The data subject also has rights under the GDPR Regulation. These consist of:

  • The right to withdraw consent;
  • The right to information;
  • The right of access;
  • The right to rectification;
  • The right to delete data (“the right to be forgotten”);
  • The right to restrict processing;
  • The right to data portability;
  • The right to oppose processing;
  • The right not to be the subject of a decision based exclusively on automatic processing, including the creation of profiles;
  • The right to file a complaint with the Authority;
  • The right to go to court.

Each of these rights is supported by appropriate procedures by SC RENOLITH SYSTEM SRL which allow the necessary action to be taken within the guidelines established by the GDPR Regulation.

The data subjects can exercise some of the above rights by e-mail, addressed to the data operator at office@renolithsystem.ro. The data operator may attach a standard request, although people are not required to use it.

Applications will be exempt from any fees. The operator will be obliged to provide an answer within a maximum of one month, and in certain exceptional cases within two months, from the receipt of the request. The data subject has the right to one free application per year; for several annual applications, an administrative fee established by the operator will be charged.

The data operator will always verify the identity of any person. In order to respond to requests and to allow the exercise of rights, the legal department or external legal advisers will have a say on the merits of the request.

Bases of processing

There are six alternative ways in which the legality of a specific case of personal data processing can be established in the GDPR Regulation.

1.5.1 Consent

Unless necessary for a reason allowed in the GDPR Regulation, SC RENOLITH SYSTEM SRL will always request the explicit consent of a data subject for the collection and processing of data. In the case of children under the age of 16 (a lower age may be allowed in some EU Member States), parental consent will be obtained. Information about our use of their personal data will be provided to data subjects at the time of obtaining consent, together with an explanation of their rights regarding their data, such as the right to withdraw their consent. This information will be provided in an accessible form, free of charge, and written in clear language.

If personal data are not obtained directly from the data subject, this information will be provided to the data subject within a reasonable period after the data were obtained.

1.5.2 The conclusion or performance of a contract

If the personal data collected and processed are necessary to conclude or perform a contract with the data subject, explicit consent is not required. This will be the case if the contract cannot be concluded without the personal data in question.

1.5.3 Legal obligation

If personal data must be collected and processed in order to comply with the law, explicit consent is not required. This may be the case for certain employment and taxation data, for example.

1.5.4 The vital interests of the data subject

If personal data are necessary to protect the vital interests of the data subject or another natural person, then this may be used as the legal basis for the processing. SC RENOLITH SYSTEM SRL will keep reasonable, documented evidence that this is necessary whenever this reason is used as a legal basis for the processing of personal data.

1.5.5 Activity carried out in the public interest

If SC RENOLITH SYSTEM SRL must perform a task that it considers to be in the public interest or as part of an official obligation, the consent of the data subject will not be required. The public interest assessment will be documented and made available as evidence when necessary.

1.5.6 Legitimate interest

If the processing of specific personal data is in the legitimate interest of SC RENOLITH SYSTEM SRL and is considered not to significantly affect the rights and freedoms of the data subject, then this can be defined as the legal reason for processing. Again, the reasoning behind this view will be documented.

2. Individuals, risks, and responsibilities

This policy applies to:

  • Headquarters of SC RENOLITH SYSTEM SRL
  • All departments of SC RENOLITH SYSTEM SRL
  • All staff and volunteers of SC RENOLITH SYSTEM SRL
  • All contractors, suppliers and other people working on behalf of SC RENOLITH SYSTEM SRL

It is applicable to all data that the company holds in connection with identifiable individuals. These may include:

  • Names of individuals;
  • Postal addresses;
  • E-mail addresses;
  • Telephone numbers;

and any other data related to an identified or identifiable natural person.

2.2 Risks

The policy helps to protect SC RENOLITH SYSTEM SRL from real security risks, including:

  • Violations of privacy.
  • Reputation damage. For example, the company could be harmed if hackers gain access to these data.

2.3 Responsibilities

Anyone working for or with SC RENOLITH SYSTEM SRL undertakes to ensure that data is collected, stored, and used properly.

Each team using personal data must ensure that they are used and processed in accordance with general data protection policy and principles.

The following people have these responsibilities:

  • The administration is responsible for ensuring the legal fulfilment of obligations by SC RENOLITH SYSTEM SRL;
  • The person in charge of data protection is responsible for:
      • Informing, advising the employer and other employees, issuing recommendations to the employer as well as other employees on their obligations under (EU) Regulation 2016/679 and other provisions of the Union or domestic law relating to data protection;
      • Regular participation in management meetings, where decisions are made with implications for data processing and providing specific and documented opinions;
      • Collection of information necessary to identify processing activities;
      • Collaboration with other departments such as HR, FINANCIAL, IT, to gather the information necessary to perform the tasks;
      • Recommendations and specific support for the implementation of the requirements of (EU) Regulation 2016/679, such as the principles of data processing, data subject rights, data protection by design and by default, record keeping of processing activities, security and proper management of security incidents;
      • Monitoring compliance with the Regulation, other provisions of the Union or national law regarding data protection;
      • Monitoring the compliance with the technical and organizational policies of the operator;
      • Monitoring the performance of the necessary audits;
      • Allocation of responsibilities, awareness and training of staff involved in processing operations;
      • Informing the organization if it is mandatory or necessary to perform an impact assessment on the protection of personal data, according to art. (35) of the Regulation;
      • Specific recommendations on the methodology to be followed for conducting an impact assessment;
      • Recommendation of measures to be implemented (including technical and organizational policies) to mitigate any risks to the rights and interests of data subjects;
      • Supporting the design and constant update of the records of processing activities, according to art. (30) of the Regulation;
      • Cooperation with the Supervisory Authority;
      • Assuming the role of contact point for the Supervisory Authority on processing issues, including the prior consultation referred to in Article 36, as well as, where appropriate, the consultation on any other matter;
      • Assuming the role of point of contact with data subjects on all matters related to the processing of their data and exercising of their rights under the Regulation;
      • Providing specific support in the event of a security incident and providing support regarding the notification of the competent Supervisory Authority/ Authorities and data subjects;
      • Respect for secrecy and confidentiality in the performance of their tasks;
      • Monitoring and providing specific support in any other aspect related to the protection of personal data, in accordance with current legislation.

3. General staff regulations

  • The only people who are able to access the data presented in this policy should be those who need them for the activity they perform.
  • Data should not be shared with all employees. When access to confidential information is required, employees may request it directly from their managers.
  • SC RENOLITH SYSTEM SRL will provide training for all employees to help them understand the responsibility they have when handling the data.
  • Employees should ensure data security by taking precautions and using the instructions below.
  • The use of strong passwords is required.
  • Personal data will not be disclosed to unauthorized people, either inside the company or outside it.
  • The data should be reviewed and updated if there is a situation where the data are not in line with reality. If no longer needed, the data will be deleted.
  • Employees will ask for the help of their manager or data protection officer if they are unsure about any aspect of data protection.

4. Data storage

These rules describe how and where personal data should be stored.

When data is stored on paper, they must be kept in a safe place where unauthorized people cannot access them.

These instructions also apply to data that are normally stored in electronic format but have been printed for certain reasons:

  • Paper or files should be kept in a closed place or in a closed drawer;
  • Employees should ensure that paper or printed matter is not left where unauthorized people may see it, such as on the printer;
  • Prints should be destroyed when no longer needed.

When data is stored in electronic format, they must be protected from unauthorized access, accidental deletion or intentional hacking attacks:

  • Data should be protected using strong passwords that are regularly changed and never shared between employees;
  • If data is stored on removable media (such as CDs, DVDs), they should be kept safe when not in use;
  • Data should only be stored on servers or specialized drives and should be uploaded to an approved cloud computing service;
  • Servers containing personal information should be placed in a safe place, away from general office space;
  • Data should not be saved directly on laptops or other mobile devices such as tablets or smartphones;
  • Data should be backed up. These backups should be tested regularly.
  • All servers and computers containing data should be protected by security software and firewalls.

5. Use of data

Personal data have no value for SC RENOLITH SYSTEM SRL unless it can use them in its activity. However, it is when data is accessed and used that it is prone to many risks, including corruption or even theft:

  • When working with personal data, employees should always keep computer screens closed when left unattended;
  • Personal data should not be transmitted by e-mail, as this means of communication is not secure;
  • Data should be encrypted before it can be transferred electronically. The IT manager should explain how the data should be sent to authorized external contacts;
  • Personal data should not be transferred outside the European Economic Area;
  • Employees should not save personal data on their personal devices. They should always access and update the central copy of all the data.

6. Data accuracy

The legislation requires the Company to take reasonable steps to ensure the accuracy and timeliness of the data.

The accuracy of the data is very important, and a considerable effort is needed from SC RENOLITH SYSTEM SRL to ensure it.

It is the responsibility of all employees working with this data to follow the steps to ensure the accuracy and timeliness of the data as much as possible.

  • Data will be stored in few places. Staff must not create unnecessary additional places, such as unnecessary copies;
  • The staff should use every opportunity to ensure that data is kept up to date;
  • SC RENOLITH SYSTEM SRL will take all necessary steps so that the data subjects can update the information that the Company holds;
  • Data should be updated when inaccuracies are discovered. For example, when a customer can no longer be contacted via a phone number, it is recommended that they are removed from the database.

7. Disclosure of data for other reasons

In certain circumstances, the legislation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

In these circumstances, SC RENOLITH SYSTEM SRL will disclose the necessary data. The data operator will ensure that the request is legitimate, seeking assistance from the company’s legal advisers where necessary.

8. Providing information

SC RENOLITH SYSTEM SRL aims to ensure that data subjects know how the data is processed, making sure that they understand:

  • How their data are used;
  • How they can exercise their rights.

To this end, the company has a Privacy Policy, establishing how individuals’ data is used within it.

9. Consequences

Failure to comply with this Policy by employees of the Company or other external collaborators may lead to disciplinary actions (including termination of employment), termination of contracts and, as appropriate, legal action for full recovery of damages caused to the organization for non-compliance with this Policy. When there is a suspicion of illegal activities (such as, for example, stealing documents, copying, distributing, transferring databases), the Company will report the criminal activity to law enforcement for criminal prosecution of the offender.

This Policy will be brought to the attention of all the employees, collaborators, business partners or other third parties by the company’s management.

This Policy has been approved by the management of SC RENOLITH SYSTEM SRL, through Muresan Mihai as manager.