Personal data processing policy

  • Home
  • Personal data processing policy

Personal data processing policy

1. Terms


The General Data Protection Regulation (GDPR) – means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Personal data – means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing – means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Restriction of processing – means the marking of stored personal data with the aim of limiting their future processing;

Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for its nomination may be provided for by Union or national law.

National Supervisory Authority for Personal Data Processing (ANSPDCP) – means the independent public authority established in Romania, competent in the field of monitoring compliance with the GDPR;

The concepts and terms in this policy that are not defined above will be interpreted in accordance with the GDPR, unless a different meaning is explicitly given.

Introduction

SC ELEKTRA INVEST SRL, headquartered in Bucharest, Sector 2, 8A Maria Rosetti Street, as a controller, processes the personal data of employees, individual clients, and other individuals/legal entities who interact with the Company and/or are engaged in contractual relationships.

This policy describes how personal data must be processed in accordance with the GDPR, the principles of personal data processing, and the rights and obligations of employees involved in the personal data processing process.

The good faith and quality conduct promoted by SC ELEKTRA INVEST SRL in its contractual relationships is based on the standard of protecting the rights to privacy and personal data processing.

Objectives

Compliance with GDPR and best practices in personal data protection;

Protection of data subjects' rights;

Transparency regarding how personal data is protected;

Protection against the risk of personal data security breaches.

2. Applicability


This policy applies to:

The management of SC ELEKTRA INVEST SRL;

The employees of SC ELEKTRA INVEST SRL;  

All natural or legal persons who process personal data for purposes and by means determined by SC ELEKTRA INVEST SRL (e.g., persons authorized by the company)

The clients of SC ELEKTRA INVEST SRL;

Other data subjects whose data are processed by SC ELEKTRA INVEST SRL (e.g., various collaborators)

3. Principles of Personal Data Processing


Personal data must be:

Processed lawfully, fairly, and transparently in relation to the data subject;

Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;

Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;

Accurate and kept up to date;

Stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

4. Types of Personal Data Processed


SC ELEKTRA INVEST SRL, depending on purpose and legal basis, primarily collects the following types of personal data:

A. For employees and authorized persons

a. ID card data (name, surname, home address, date and year of birth, personal identification number, gender, ID series and number) 

b. Email

c. Phone number 

d. Job title

e. Signature -                       

B. For clients/collaborators

a. First name, last name, 

b. Phone number

c. Email (if applicable)

d. Address

e. ID data (if applicable)

5. Legal Basis for Processing


The company operates under Company Law no. 31/1990 and conducts its activities accordingly, as follows:

I. Data processed for employees of SC ELEKTRA INVEST SRL are legally based on:

a. Company Law no. 31/1990,

b. The Labor Code and related labor legislation, for employment-related matters,

c. Accounting Law no. 82/1991, for financial-accounting matters,

d. Emergency Ordinance 158/2005 on sick leave and social health insurance benefits,

e. Emergency Ordinance no. 96/2003 on maternity protection at the workplace, 

II. The data of authorized persons will be processed based on the conclusion and execution of collaboration contracts and protocols.

6. Data Transfers


SC ELEKTRA INVEST SRL does not transfer personal data to third parties outside (outside Romania). Apart from the above, SC ELEKTRA INVEST SRL transfers personal data when required by law: e.g., to Labor Inspectorate, public institutions or courts, or other supervisory authorities.

7. Protection Measures and Safeguards


SC ELEKTRA INVEST SRL implements appropriate technical and organizational measures to ensure a high level of security and protection of personal data.

We use security methods and technologies, policies, and work procedures to protect the personal data collected, in accordance with current legal provisions. 

At SC ELEKTRA INVEST SRL, security procedures apply across the entire network and to all types of data.  

8. Processing Duration


Personal data are stored for processing for as long as necessary to achieve the purposes mentioned in this policy and thereafter, according to legal requirements.

9. Responsibilities


Employees of SC ELEKTRA INVEST SRL are responsible, in accordance with their duties, for the protection of personal data. Furthermore, the following roles carry specific responsibilities:

I. Management – is responsible for ensuring that SC ELEKTRA INVEST SRL meets its obligations regarding personal data protection as provided by the GDPR.

10. Data Subjects' Rights


Any data subject may exercise the following rights, as provided by the GDPR:

Right of access; 

Right to rectification; 

Right to erasure, after the storage period expires or upon achievement of the original processing purpose;

Right to restriction of processing;

Right to data portability;

Right to object to processing;

Right to address the ANSPDCP and the courts;

Requests to exercise GDPR rights must be written, signed, and dated, and addressed to the company’s management.

11. Transparency of Information


SC ELEKTRA INVEST SRL ensures that all data subjects are informed that their personal data is being processed and that they are aware of:

The manner and type of data processed;

The purposes and legal bases of processing;

How to exercise their rights related to processing.