INFORMATION NOTE - Processing of personal data.
- Data privacy
MAINETTI ROMANIA SRL ensures, according to the law, the confidentiality of the personal data of the business partners (clients, suppliers, beneficiaries, providers, etc.) and the observance of their right to the protection of privacy, regarding the processing of their personal data.
- ANSPDCP = National Authority for Surveillance of Personal Data Processing;
- GDPR (General Data Protection Regulation) = Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- "personal data" means any information about an identified or identifiable individual ("the data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements specific to his or her physical, physiological, genetic, psychic, economic, cultural or social identity.
- Sensitive personal data are, according to GDPR, called special categories of personal data. Personal data are sensitive if processing of such personal data reveals:
- racial origin,
- ethnic origin,
- political opinions,
- religious beliefs,
- philosophical beliefs,
- membership of a trade union.
Personal data are also sensitive if:
- genetic data is processed for the sole purpose of identifying a natural person,
- biometric data is processed for the purpose of uniquely identifying a natural person.
Sensitive personal data also include:
- health data,
- data relating to the sexual life of a natural person,
- data relating to the sexual orientation of a natural person.
- Usual personal data are, in GDPR, personal data that do not include special categories of personal data. There is no exhaustive list of these personal data.
- pseudonymization of personal data means the processing of personal data in such a way that it can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is stored separately and is subject to measures of a technical and organizational nature to ensure that such personal data are not allocated to an identified or identifiable natural person.
- processing means any operation or set of operations performed on personal data or personal data sets with or without the use of automated means such as collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Restriction of processing means the marking of stored personal data in order to limit its future processing.
- The purpose of the processing is the reason for the processing of personal data.
- Profiling refers to an automatic form of processing, which includes:
- automatic processing (referred to in Article 22 of GDPR);
- partially automated processing (the fact that a person is involved in the processing of personal data does not necessarily mean that the processing does not constitute profiling);
- it must be done with respect to personal data;
- the goal of profiling should be to evaluate personal aspects related to an individual, especially to analyze or make predictions about people.
- Decisions based solely on automatic processing
(1) means making decisions by technological means without human involvement; and which
(2) is based on personal data provided directly by the persons concerned (such as answers to a questionnaire); or observed about people (such as location data collected through an application) or derived or deducted, such as the profile of the person who has already been created (e.g., a credit score).
(3) can be made with or without profiling;
(4) profiling can take place without making automated decisions.
- operator means a natural or legal person, a public authority, an agency or other body which, alone or in association with others, establishes the purposes and means of processing personal data; where the purposes and means of processing are determined by Union or national law, the operator or the specific criteria for designating it may be laid down in Union or national law.
- the person empowered by the operator means the natural or legal person, the public authority, the agency or other body that processes the personal data on behalf of the operator.
- recipient means the natural or legal person, public authority, agency or other body to which personal data is disclosed, whether or not a third party. However, public authorities to whom personal data may be communicated in a particular investigation under Union or national law shall not be considered as recipients; the processing of such data by the respective public authorities respects the applicable data protection rules in accordance with the purposes of the processing.
- consent of the person concerned means any manifestation of the free, specific, informed and unambiguous will of the person concerned by which he or she accepts, through a declaration or by unequivocal action, that the personal data concerning him / her are processed.
- third party means a natural or legal person, a public authority, an agency or body other than the data subject, the operator, the person empowered by the operator and the persons under the direct authority of the operator or the person empowered by the operator to process personal data.
3. How to contact us
The Personal Data Protection Officer (DPO) within MAINETTI ROMANIA SRL is ................................................... email: ................................. ..................... .., Tel.: .......................................... and Fax: ....................................... MAINETTI ROMANIA address ................................................ ......................................................................................................................
Our information notice takes effect from 15.05.2018 and applies to: our website .................................., our e-mail, our B2B shop and our contracts / business relationships.
- Why and how do we process your personal data?
MAINETTI ROMANIA SRL collects your email for communication through the website ................................. .. and contracts. MAINETTI ROMANIA SRL collects your email to register an account within our online B2B shop. MAINETTI ROMANIA SRL collects your name, function, phone and business premises for personalization and identification. MAINETTI ROMANIA SRL collects your ID from strictly required cookies, placed to allow you to log in, to stay logged in as you navigate through the pages of our online B2B shop, and to access the facilities of your account.
6. Who is responsible for processing your personal data?
MAINETTI ROMANIA SRL is responsible for processing your personal data. MAINETTI ROMANIA is appointed as a person responsible for the protection of personal data. Contact details are: ..........................................................................................
- From whom and how do we collect your personal data?
We collect your personal data directly from you. We collect your personal data in electronic format as well as on paper. When you provide us with your personal data, your supply is:
- permitted and voluntary. You can provide them freely: name, email, phone, headquarters, office.
- permitted and mandatory. You need to provide them: e.g. your billing information or your email for registering an account within our online B2B shop or for communicating on the website ...........................................
If you fail to provide us with your personal data and this supply is voluntary, then this cannot affect you. If you fail to provide us with your personal data and this is a mandatory supply, then it may affect you: you will not be able to benefit from the goods we sell because the sale is related to the registration and tax details. Mandatory provision of personal data is:
- a legal requirement.
- a contractual requirement.
- a requirement to enter into a contract.
- What are our legal bases for processing your personal data?
MAINETTI ROMANIA SRL processes "non-sensitive" personal data. MAINETTI ROMANIA SRL does not process "sensitive" (special) personal data or special-regime personal data.
The legal basis for processing your "non-sensitive" personal data is:
- your consent.
- a contract to which you are a party.
- a request from you before entering into a contract.
The request justifies the processing of your personal data.
- the need to comply with a legal obligation to which we are subject.
- our legitimate interest or the legitimate interest of a third party.
We process your personal data based on interests that are real, present and legitimate. Processing your personal data is necessary for the legitimate interests we are pursuing. Our legitimate interests can be removed from your interests and your fundamental rights. We protect your interests, rights and freedoms adequately. Our legitimate interest takes precedence over your interests, your fundamental rights and freedoms.
Sensitive or special personal data are:
- race
- ethnicity
- political orientation
- religion
- philosophical or similar beliefs
- trade union membership
- health data
- sex life data.
Special-purpose personal data are:
- personal data having a general applicability identification function, such as Personal Number (CNP);
- personal data relating to criminal offenses or contraventions.
The legal basis for the processing of your "sensitive" personal data is provided by Law 677/2001 - Chapter III:
- when the data subject expressly consents to such processing;
- when processing is necessary to comply with the obligations or specific rights of the operator in the field of labor law, in compliance with the guarantees provided by law; a possible disclosure of the processed data to a third party may be made only if there is a legal obligation on the controller to do so or if the data subject expressly consented to such disclosure;
- where processing is necessary to protect the life, physical integrity or health of the data subject or of another person, if the data subject is physically or legally incapable of giving his / her consent;
- where the processing is carried out in the course of its legitimate activities by a foundation, association or any other non-profit-making political, philosophical, religious or trade union organization, provided that the person concerned is a member of that organization or maintains with it, on a regular basis, relationships that relate to the specific nature of the organization's activity, and that the data are not disclosed to third parties without the consent of the data subject;
- when the processing relates to data made publicly manifest by the data subject;
- where processing is necessary for the establishment, exercise or defense of a right to a fair trial;
- when processing is necessary for the purposes of preventive medicine, establishing medical diagnoses, administering care or medical treatment to the data subject or managing health services acting in the interest of the data subject, provided that the processing of that data is performed by or under the supervision of a medical establishment subject to professional secrecy or by or under the supervision of another person subject to an equivalent obligation of secrecy;
- when the law expressly provides for the protection of an important public interest, provided that the processing is carried out in compliance with the rights of the data subject and other safeguards provided by this law.
- In what situations do we collect and process your personal data?
We collect personal data from: business partners in contracts, buyers / customers in our online B2B shop and users of www.mbd.ro. We are an enterprise, that is, a form of organizing an economic and patrimonial activity authorized under the laws in force to do acts and deeds of commerce in order to obtain profits through the sale of material goods and services, under conditions of competition. We process your personal data from: the private sector.
We process your personal data in a situation involving:
- an activity that is professional or commercial.
- a supply of goods and / or services.
- a contract or an entry into a contract.
- your personal data provided directly as buyer / customer and seller / vendor.
- We DO NOT use automated profiling processes and automated decisions.
What is automatic profiling and automated decision? Personal data can be used to automatically evaluate personality aspects of a person.
Automatic evaluation (fully automated profiling):
- can include an analysis of the person's characteristics;
- may include predictions about the person's behavior;
- is made exclusively by computer.
- is done without human involvement.
Automatic decisions (fully automated decision processes):
- may include a person's "fully automatic profiling".
- are only made by a computer.
- are made without human intervention.
- About the purposes for which we process personal data.
We process your personal data for contractual and legal purposes, as described in paragraph 5 above. Our purposes for which we process personal data are:
- real, present and legitimate.
- by law, acting in good faith for the conclusion and performance of the contract.
We do not process your personal data for secondary purposes that are incompatible with the primary purposes for which your personal data is originally collected,
- without your prior consent,
- without there being a legitimate interest in this, and
- without a legal basis.
We inform you before processing your personal data for secondary purposes,
- First of all, if we initially collect your personal data for a primary purpose and
- if our secondary purpose is incompatible with the main purpose.
- How long do we keep your personal data?
We limit the length of time that your personal data is stored to what is required for our processing purposes. We delete your data at the time you request this, except for the data whose supply and processing is required by a legal provision.
- Do we reveal your personal data?
We disclose your personal data to recipients. The legal framework on which the disclosure of your personal data to recipients is based is: your consent. If we disclose your personal data to a recipient in the future, then we will do so only if we have your consent and we will inform you of the moment of disclosure and the names of the recipients.
- Do we transfer your personal data outside the EU or EEA?
We do not transfer your personal data to countries outside the EU or EEA, or to international organizations.
- Are your personal data safe?
We keep your personal data safe:
- with appropriate technical measures,
- with appropriate organizational measures,
- with an adequate level of security,
- against unauthorized processing,
- against unlawful processing,
- against accidental or unlawful loss,
- against accidental or illegal destruction;
We have implemented measures to:
- discover security breaches.
- document the causes of the security incident.
- document which personal data are affected by the security incident.
- document the actions (and reasons for actions) to remedy the security breach.
- limit the consequences of the security incident.
- recover personal data.
- return to a normal state of processing personal data.
If we have a reasonable degree of certainty that a security breach has occurred in your personal data processing, then:
- i) we report the security incident to our company management.
- ii) we designate a person responsible for:
- considering whether the breach of security may have unfavorable effects for you,
- informing the relevant personnel of our organization,
- determining to what extent notification of the security incident is required, and
- determining whether we need to communicate information about the security incident.
- iii) we investigate the security incident.
- iv) we try to prevent the security incident from leading to accidental or unlawful destruction of personal data, an accidental or unlawful loss of control of personal data, an accidental or unlawful loss of access to personal data, an accidental or unlawful alteration of personal data, unauthorized disclosure of personal data, or unauthorized access to personal data.
- v) we make every effort to mitigate the immediate risk of injury.
- vii) we notify the Surveillance Authority of the security incident if the breach is likely to lead to a high risk for the rights and
- viii) we inform you of the breach of security:
If the breach is likely to lead to a high risk for your rights and freedoms,
- as soon as possible,
- through suitable contact channels, e.g. by e-mail, SMS, prominent banners on our site, postal communications, prominent advertisements in the media, etc.
We are not required to inform you directly if:
- We have taken steps to make your personal data incomprehensible to anyone who is not authorized to access them,
- Immediately after the security incident, we have taken steps to ensure that the high risk for your rights and freedoms is no longer possible to occur or
- would involve disproportionate efforts. In such a case, we will inform you through public networks.
- What are your rights?
The rights of the person concerned are the following:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to delete;
- the right to restrict processing;
- the right to object;
- the right to data portability;
- the rights related to automated decision making and profiling.
- a) We respect your rights regarding the protection of your personal data.
- b) You have access to your personal data.
- c) You have the right to rectify your personal data.
The right to obtain the rectification of your personal data that is inaccurate:
- does not include anonymous data;
- includes only the personal data that concern you;
- includes pseudonym data that may be clearly related to you.
We need to rectify your personal data if we process your personal data, your personal data is inaccurate, and you request to have your personal data rectified.
We need to complete your personal data if:
- we process your personal data, and
- your personal data is incomplete, and
- you ask to have your personal data completed.
You are entitled to provide us with an additional statement. We need to communicate the rectification of your personal data to recipients of your personal data (if any). We do not communicate the rectification of your personal data to recipients of your personal data if communication to the recipient is impossible or involves a disproportionate effort.
- d) You have the right to delete your personal data.
We need to delete your personal data without undue delay:
- if you request that we delete your personal data, we process your personal data, and your personal data is not necessary for our processing purposes;
- if you withdraw the consent on which your personal data is processed, and there is no other legal basis for processing your personal data.
- e) You may obtain from us the restriction of the processing of your personal data.
Your right to obtain restrictions on the processing of your personal data:
- does not include anonymous data;
- includes personal data that concerns you;
- includes pseudonym data that may be clearly related to you.
- f) If we process your personal data for direct marketing purposes, including profiling (to the extent that it is related to such direct marketing), you have the right to object to the processing of your personal data for that purpose.
Your right to object to the processing of your personal data for direct marketing purposes:
- is a right that you have at all times.
- does not include anonymous data.
- includes personal data that concern you.
- does not include personal data that does not concern you.
- includes pseudonym data that may be clearly related to you.
If you object to the processing of your personal data for direct marketing purposes, then we must no longer process your personal data for that purpose. If we process your personal data for direct marketing purposes, including profiling (to the extent that it is related to such direct marketing), then we must explicitly notify you of this right, at the latest at the time of the first communication with you, and we must present this right in a clear way, separate from any other information.
- g) The right to data portability is the prerogative of the person concerned to recover the personal information (which he or she has provided to an operator) in a structured, commonly used and readable format, with the possibility of having the data transferred to another operator. This right is novel in the context of the use of personal data and presents elements of analogy with the matter of communication through mobile telephony. The operator who has been provided with the data is required not to interfere with the transfer of the information. Data porting consists of moving, copying or, where appropriate, transmitting data from one computer system to another.