general provisions concerning personal data processing
General Policy Concerning Personal Data Processing Within S.C. The Traveling Tulip S.R.L.
SC THE TRAVELING TULIP SRL, headquartered in Ploiești, 3, Aleea Cirezarilor, Building 25A, apt. 7, Prahova, registered in the Trade Register Office with no. J29/2554/2018, Unique Registration Code 39561181, IBAN RO93INGB0000999908067697, opened at ING Bank Romania, legally represented by Mrs. Iulia Alexandra Fălcuțescu as the Administrator (the Operator or the Society) will have to process certain personal data of certain natural people following the 25th of May 2018.
In this kind of situations, personal data will be processed within the Society according to the Regulation 679/2016 concerning the protection of natural persons regarding personal data processing and free circulation of this data, and the abrogation of the Directive 95/46/EC (GDPR) and the other applicable law.
2. Principals regarding the processing of personal data
The Operator as well as every member of the Operator’s staff have partial responsibility for obeying the following principles in any situation in which personal data is processed in the everyday activity of the Society:
- LAWFULNESS, FAIRNESS and TRANSPARENCY. Personal data have to be “processed lawfully, fairly and in a transparent manner in relation to the data subject”. Practically, the Operator and every member of his staff will have to check, prior to processing certain types of data that the processing rests on one of the following legal grounds:
- The data subject gave his consent for the processing of personal data for one or more specific purposes;
- The processing of data is necessary for the fulfilment of an agreement in which the data subject is a party or for actions prior to signing an agreement;
- The processing of data is necessary for the fulfilment of a legal obligation of the Operator;
- The processing of data is necessary in order to protect vital interests of the data subject or of another natural person;
- The processing of data is necessary for the fulfilment of a task in the public interest;
- The processing of data is necessary for the purpose of fulfilling legitimate purposes of the Operator, except for the situation in which the interests of the data subject prevail, in which case the protection of personal data is necessary, especially when the data subject is a child. No member of the Operator’s staff will perform an activity of processing personal data without previously having checked if they can rely on one of the legal grounds mentioned above.
- LIMITATIONS OF THE SCOPE – personal data will be collected for very precise, explicit and legitimate purposes, and any subsequent processing activities will not be incompatible with these purposes.
- REDUCTION TO A MINIMUM OF USED DATA – any collection of personal data will be thoroughly analyzed before effectively obtaining the data. Thus, only relevant and absolutely necessary personal data according to the purposes mentioned above should be obtained and processed.
- ACCURACY OF INFORMATION – The operator will take all necessary measures to ensure validity of data, and the data proved to be inexact shall be immediately updated or deleted, according to the purposes for which the data is processed. The Operator will identify periodically the need for deleting or updating the personal data he processes.
- STORAGE LIMITS – personal data will not be stored longer than it is necessary for each type of processing assumed by the Operator.
- INTEGRITY AND CONFIDENTIALITY – the processing of personal data shall be made in a manner that ensures security, including protection against unauthorized or illegal processing and against loss, destruction or accidental deterioration, by taking appropriate technical and organizational measures, according to the stipulations of the Policy concerning the security and the integrity of personal data in the Society.
Each member of the Operator’s staff or any person working for the Operator has the responsibility to make sure that personal data is processed in an appropriate manner. Therefore, all people who operate with personal data have to make sure that data is processed according to the principles mentioned above and all other stipulations of this Policy. In case of doubt, the members of the Operator’s staff will not decide on their own whether to do or to stop the processing of personal data, but to contact the person responsible with the protection of personal data within the Society and they will closely follow his instructions.
Personal data shall be reviewed and updated regularly, virtually once every 5 years. If unnecessary data is discovered, it should be eliminated from the storage.
4. Rules concerning the storage of personal data
These rules describe the manner of secure processing of personal data. All questions referring to the storage of personal data in a manner that ensures data security can be directed to the IT manager or the person responsible for the protection of data.
If data is stored on paper support, it shall be kept in a secure place, where no unauthorized person has access. For this purpose, the following rules will have to be obeyed:
- When they are not necessary for any of the Operator’s activities, all documents on paper support shall be kept in a locked drawer or in a storage locker, inaccessible to the public.
- Employees shall make sure that the paper and the printed materials are not left in places where unauthorized people might see them, for example near the printing machine.
- Documents on paper shall be shred and destroyed when they are no longer necessary.
5. Rules concerning data accuracy
All employees who operate with personal data are responsible for taking reasonable measures so that all data is being adequately stored. In this purpose, the following rules will be obeyed:
- Data will be kept in as few places as possible, only when necessary, and the staff of the Society shall not create additional data stores;
- The staff of the Society shall take all opportunities to update the data. For example, a client’s details shall be confirmed in case of a direct conversation;
- Data shall be updated/deleted if any discrepancy is observed.
6. Conditions for the consent of the data subject
There are situations in which the processing of data is made based on the consent of the data subject. Whenever personal data processing is based on the consent of the data subject, the Operator has to be able to demonstrate that he obtained a free consent from a fully informed person, on a clear written form on a paper (or electronic) format from the data subject, to process his personal data.
In order to easily demonstrate the consent of the data subject, we recommend that all members of the Operator’s staff who operate with personal data obey the following rules.
Specifically, it is necessary that we make sure that the data subject understands who the Operator is, for what purposes his personal data will be processed, in what manner his personal data will be processed, what is the duration of the processing of his personal data (or what are the criteria for establishing the duration), the identity of each person (or category of persons) towards which his personal data will be communicated, whether his personal data will be transferred outside the country or not (and, if this is the case, to which location, the identity of the receiver and appropriate guarantees for the transfer should be given to the data subject, where appropriate), as well as which are his rights concerning the personal data he communicated and how he can exercise them.
In any case, the declaration of the consent shall be made in an intelligible and easily accessible form, using a clear and simple language.
All the members of the Operator’s staff shall act with the full knowledge that the data subject is in his right to withdraw his consent at any moment, while the lawfulness of all data processing made on the basis of his consent given prior to this withdrawal will not be affected. The withdrawal of the consent shall be made as easily as the collection of the consent, and all members of the Operator’s staff are responsible for obeying this legal request.
7. Exercising the rights of the data subject
The Society guarantees that all its members obey the rights of the data subject according to the GDPR.
A. Transparency of information, communications and of the manners in which the data subject exercises his rights
The Operator takes appropriate measures in order to provide the data subject, upon request, with all information and communication possibilities stipulated in the GDPR in a concise, transparent, intelligible and easily accessible form, using a clear and simple language. All information shall be provided in written form or by other means, included online, where appropriate. In case the information is communicated in written form, forms available in the addendum of this policy will be used and filled in and adapted according to each individual request;
If the Operator has justified doubts about the identity of the data subject demanding information, he can request ID papers and additional information which prove the data subject’s identity;
The Operator will not refuse the data subject the right to modify, delete, transfer or to communicate his opposition concerning his personal data and/or other rights recognized by the GDPR or the national law.
The Operator supplies the data subject with information concerning the actions performed following a demand of the data subject regarding the exercise of his rights stipulated in the above paragraph, without any unjustified delay and, in any case, no later than a month after receiving the demand. This period of time can be extended by two months when necessary, according to the complexity and the amount of demands that the Operator has to answer in a given period of time. In such a situation, the Operator shall inform the data subject about any delay, in one month from the receipt of the demand, and he will explain the reasons for the delay. In case the data subject makes a demand in electronic format, the Operator will supply the information requested in electronic format as well, whenever possible, except the case in which the request of the data subject a different format.
B. The right to information
Regardless whether the personal data was collected from the data subject or not, the Operator shall supply the data subject the information stipulated in the GDPR, using as a model the forms attached to this document, which will be filled in and adapted accordingly.
C. The right to access of the data subject
Upon request, the Operator will supply the data subject with a confirmation regarding personal data processing or lack of processing in his regard and, in case of processing, the Operator will give the data subject access to the data and to information about:
- The purposes of the processing;
- The categories of the personal data concerned;
- The present and future addressees of the data, especially the addressees from third countries or international organizations;
- Whenever possible, the period estimated for processing the data or, if the period cannot be estimated, the criteria used in establishing this period;
- the right of the data subject to modify or delete the personal data, to limit the processing of his data, or to oppose changes of his personal data;
- the right of the data subject to submit a complaint to the National Supervisory Authority For Personal Data Processing;
- in case the personal data are not collected from the data subject, all information about the source of the data;
- the existence of an automatic decision process that includes profile creation and, at least in certain cases, information relevant to the logic used and the importance and the consequences envisioned for the data subject as a result of the processing of personal data.
- If the personal data is transferred to a third country or an international organization, the data subject will be informed about appropriate guarantees concerning the personal data transfer according to GDPR;
- The Operator supplies a copy of the personal data to the subject of the processing. If the data subject makes a demand in electronic format and except the case in which the data subject requires a different format, information shall be supplied in a commonly used electronic format.
D. The right to change personal data
Following the receipt of such a request, the Operator will proceed, without any unjustified delay, to the change of the inaccurate personal data concerning the data subject.
Taking into consideration the purposes of the processing of personal data, the Operator will proceed to supplement the incomplete personal data, and to supply to the data subject an additional declaration, as appropriate.
E. The right to delete personal data
Upon request from the data subject, the Operator will delete the personal data without any unjustified delay, in one of the following cases:
- Personal data are no longer necessary for the execution of any of the purposes for which they were collected;
- The data subject withdraws his consent, which was the ground for which personal data were processed, or for the purposes for which they were collected;
- The data subject manifests his opposition to the data processing and there are no prevailing reasons for the data processing;
- Personal data were illegally processed;
- Personal data have to be deleted following a legal obligation of the Operator.
F. The right to limit personal data processing
Upon request, the Operator will limit personal data processing in the following situations:
- The data subject denies the accuracy of the data, and requests the Operator to check the accuracy of the data, by the end of a reasonable period of time;
- Data processing is illegal and the data subject opposes the deletion of his data, requesting instead the limitation of their use;
- The Operator no longer needs to process the personal data, but the data subject requests the data in order to be able to ascertain, exercise or defend a right in court; or
- The data subject opposes the data processing for the period of time during which the prevalence of the Operator’s legitimate rights over the rights of the data subject is being affirmed or rejected.
If the data processing is limited according to the situations mentioned above, the personal data (except for purposes of storage) can be processed by the Operator only with the consent of the data subject or in the purpose of ascertaining, exercising or defending a right in court or in the purpose of protecting other natural or legal person’s rights, or for reasons pertaining to the public interest.
G. The obligation to notify in case of change, deletion or limitation of the processing of personal data
Where necessary, the Operator will communicate to every receiver to whom personal data were disclosed any data change, deletion or limit to data processing, except for the case where this activity is proved to be an impossible endeavor or demands disproportionate efforts to the endeavor itself.
H. The right to data transfer
Upon request, the Operator will provide the personal data of the data subject in a structured format, commonly used, and which can be read automatically (for example, by e-mail to the data subject or in a private cloud), in the following situations:
- The data processing is based on the consent of the data subject or on a contract; and
- The data is processed by automatic means.
If the data subject requests his personal data and if the response to his request is technically possible, the Operator will transfer the personal data directly to another personal data operator.
I. The right to opposition
If the data subject opposes the processing of personal data, because of a particular personal situation, the Operator will no longer process the concerned data, except the case in which he can prove that he has legitimate and imperious reasons which justify data processing and which prevail over the interests, the rights and liberties of the data subject (for example, a legal obligation) or that the purpose of the data processing is to ascertain, to exercise or to defend a right in court.
If personal data is processed for direct marketing purposes, the data subject has the right to oppose the processing of his personal data for this purpose at any time, including to the creation of profiles, as long as this activity is connected to the same direct marketing purposes. If the data subject opposes the processing of his personal data processing for direct marketing purposes, his personal data shall be no longer processed for this purpose.
J. Automatic individual process of decision (including profile creation)
The data subject has the right of not being the subject of a decision based exclusively on automatic processing, including profile creation, which produces legal effects concerning the data subject or affects him significantly, in a similar way.
In such a case, the Operator will apply measures for the protection of the rights, liberties and legitimate interests of the data subject, at least for the protection of his right to human intervention from the Operator and to express his point of view and to challenge the decision.
8. Contractual partners
Before entering contracts/agreements/partnerships that suppose personal data flows, the Operator will take all necessary measures to ensure his contractual partners provide enough guarantees from a technical and organizational point of view.
Therefore, all contractual partners will be carefully selected so that all rights of data subjects are protected.
9. Personal data transfers
Personal data will be transferred to third countries, outside the European Union or the European Economic Area only if the transfer obeys the rest of the rules established in this policy and, at the same time, the stipulations of GDPR. In practice, such a transfer can only take place according to the purpose for which the personal data was collected and if the transfer is necessary for executing this purpose.
The evaluation of the lawfulness of the personal data transfer outside the European Union or the European Union Area is made by following two steps:
- Personal data can be transferred to a third party only based on a legal justification;
- A personal data transfer outside the European Union or the European Union Area is made only to a country regarding which the European Commission has ascertained appropriate data protection exists or if the following guarantees exist
- Standard Contractual Rules;
- Binding Corporate Rules;
- Safe Shield;
- The data subject has expressed his consent for the transfer.
For further questions concerning all the information mentioned above, you can contact S.C. DINAMIC MANAGEMENT S.R.L. which is responsible for the protection of personal data, and is headquartered in Bucharest, 94 Sos. Nicolae Titulescu, Bl. 14-14A, Scara A, Ap 90 etaj 3, Sector 1, registered at the Trade Register Office with No J40/19986/2004 and Unique Registration Code RO 17004732, legally represented by Balasa Radu Florin, e-mail firstname.lastname@example.org.
This policy is an addendum to the Internal Rules of Procedure of the Society and any infringement will be considered a serious misconduct which will be sanctioned according to the applicable law.