- DATA OPERATOR
Bucharest University of Economic Studies, based in Bucharest Municipality, address 6 Romană Square, 1st sector, Bucharest, postal code 010374 (hereinafter referred to as the "Operator"), processes personal data (hereafter referred to as "DCP") in its capacity as an Operator, according to the ways and purposes described in this DCP protection policy. Starting with May 25, 2018, the General Data Protection Regulation (EU) 2016/679 (GDPR) came into force. GDPR is a single regulation, directly applicable in all Member States of the European Union, and replaces Directive 95/46/EC and, implicitly, the provisions of Law no. 677/2001 on the protection of individuals regarding the processing of personal data and the free movement of such data. The Operator applies a DCP privacy and security policy in strict accordance with GDPR and, as part of our commitment to respecting the rights of individuals whose personal data we process, we provide below relevant information on the way, purpose, legal basis and duration for which we process personal data, as well as your rights and how you can exercise them. Through this policy, the Operator aims to assure employees and future and current business partners that their personal data is processed in compliance with the principles imposed and enforced at European level in the field of data protection. The DCP protection policy applies to all personal information processed by or on behalf of the Operator.
- TYPES OF PROCESSED DCP
DCP processed by the Operator is any information relating to an identified or identifiable individual, such as but not limited to:
- name and surname, phone number (fixed and / or mobile), signature, e-mail address, position held (legal representatives of business partners, contract officers), marital status, home address, correspondence address, place of residence birth, date of birth, personal numerical code, ID card series and number, date of ID card issue, picture, passport series and number, citizenship, criminal records data (where expressly provided for by law), professional experience, data on employees' rights and obligations, information on how the employee performs his duties, information on how the employee uses the logistics provided by the company, salary, benefits of any kind (including the data of underage children where birth and / or holiday benefits are granted), accounts, studies, certifications, attestations, authorizations, professional experience, medical fitness, medical record, training sheet, psychological tests, work capacity, work accidents, disciplinary and / or criminal measures, information provided by a GPS-equipped car, vehicle registration number, any other information listed in CVs and other documents resulting from the process of recruiting staff or made available voluntarily in the exercise of business / work relationships, IP address, log files, court decisions, web cookies, etc.
- the image or voice of the persons acting in the name and on behalf of the business partners when visiting the above-mentioned offices and / or work stations, which are equipped with surveillance cameras,
- DCP of the persons representing and / or acting and / or signing acts in the name and on behalf of the public authority / institution under the control and at the headquarters and / or working points of the subscriber: the clerks employed within the Trade Register Office, the fiscal inspectors, inspectors of the Environmental Authority, inspectors of the Competition Council, inspectors of the Authority for Personal Data Protection, etc.
- the data on the shareholder's contribution to the company, data on the shareholder's share, loss or profit, data on the rights and obligations of the natural-person shareholder and / or his / her authorized representative (if the shareholder is a legal person), information on the shareholder's participation and manner of exercising the vote in the general meetings (date of participation, place of participation, manner of exercising the vote, comments made at the meeting, etc.), data on the shareholder's bank account / accounts, data on income obtained by the shareholder from the company.
- DCP PROCESSING GOALS
- Initiating, developing or ending a business / partnership relationship (e.g. pre-contract verification activities, submission of offers, receipt of orders, partnership proposals, other activities related to the establishment of a contractual relationship, etc.)
- Personnel recruitment processes and / or the fulfilment of legal obligations regarding the conclusion, execution and termination of professional and / or work partnership relations.
- Security of persons, premises, property owned and / or used by the Operator. In order to protect this legitimate interest, the Operator may place under video surveillance the premises in which it carries out its business in order to ensure the security and protection of the persons and the patrimony. In exceptional cases, such as epidemics, pandemics, emergency situations or force majeure situations, the Operator may collect, in addition to the usual activity, medical data (sensitive data), location or route of the delegates or of its own employees.
- Carrying out corporate operations (sale of shares, payment of dividends, registration of shareholders, appointment / termination of directors, auditors, etc.)
- Establishing, exercising or defending the legitimate business and legal rights or interests of the subscriber or other affiliated persons before the courts, bailiffs, notaries, other public authorities, arbitration tribunals, mediators or other public or private dispute settlement bodies, lawyers, consultants or other natural or legal persons, whether public or private, who are involved in those actions and / or to fulfil the obligations imposed by law or by order of the competent authority.
- Archival goals
- Statistical goals
- DCP LEGAL BASES
The Operator and any person acting on behalf of the Operator, including affiliated entities, will process the data of the data subjects based on the following legal bases:
- For the purpose of concluding, executing or terminating contracts in which the data subject is a party or to take steps prior to the conclusion of the contract at the request of the data subject. Personal data can also be processed prior to the conclusion of a contract (for submission of an offer, receipt of an order, etc.)
- Based on the consent of the data subjects involved. In this respect, consent must be given in a clear and explicit format that contains all the rights of the data subject (access, rectification, withdrawal, etc.), including by electronic means or by an oral statement (e.g. in a phone conversation). Thus, consent must be given to a particular activity of processing personal data and for one or more specific purposes. In the case of electronic consent, the pre-ticking of the consent boxes will lead to its invalidity. The Operator shall ensure that it can prove that the data subject has given his / her consent for the purpose of processing his / her data. The person concerned has the right to withdraw his / her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing before it is withdrawn.
- Data processing in accordance with the law. DCP processing can take place under a Union / national law basis, DCP processing being necessary to fulfil a legal obligation of the Operator.
- Data processing based on a legitimate interest pursued by the Operator or a third party. By way of example, the Operator will be able to process personal data in order to prevent fraud and protect corporate patrimony.
- Processing of sensitive data. The processing of special categories of personal data is forbidden except when the data subject has given explicit consent to the processing of these data categories or the processing is necessary for the purposes of preventive labour medicine and / or in the forced execution / repairing of damages. Exceptions from this situation are the cases of epidemic, pandemic, force majeure or the state of emergency declared by the Romanian Government, when the processing of sensitive data of the subjects will be possible even without obtaining consent in advance. In these situations, the legitimate interest of the Operator will always be the protection of its health or the health of the employees, as well as of the patrimony or of the main and vital activities.
- PROCESSING METHOD
The operator will process the personal data in accordance with the principles of legality, fairness and transparency. Your personal data is processed through the following operations: collecting, recording, organizing, structuring, storing, consulting, adapting or modifying, using, disseminating, disclosing, retrieving, aligning or combining, restricting, deleting or destroying data. Your personal data is subject to both print processing and electronic processing.
The Operator will process the personal data for the period of time required to meet the above-mentioned purposes but, in any case, no more than 10 years after the termination of contractual relations and no more than 2 years after the data collection for marketing purposes. After 3 years from the termination of contractual relations, access to data will be limited to department managers.
If the Operator has a documented need to store the data for more than 10 years (for example, if deletion could compromise its legitimate defence rights or, generally, to protect its assets), that data storage will take place by limiting access to those data only to the legal department manager in order to guarantee the legitimate exercise of the Operator's rights of defence.
- AUTOMATED INDIVIDUAL DECISIONS
In principle, the Operator does not make any decision based solely on automatic data processing. However, if the decision was taken automatically, the Operator will implement measures to respect the rights of involved subjects (the intervention of a person to interpret the decision, the right of the person involved to express his / her point of view, the right of the subject to challenge the decision).
- DATA BENEFICIARIES
Your data may be accessible, for the purposes indicated in art. 2, to the following beneficiaries:
- the affiliated companies of the Operator, to the extent that this is necessary for processing, in accordance with the mandatory corporate rules adopted by the Operator;
- companies or other third parties (credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, audit firms, supervising institutions, security and video surveillance providers, issuance of meal vouchers, courier services, IT services, etc.) performing outsourcing on behalf of the Operator;
- Public entities to meet legal obligations.
The transfer of personal data to the above-mentioned recipients will be made only on the basis of a confidentiality commitment and a commitment to ensure an adequate level of security, by which they guarantee that the personal data are kept secure and that their transmission is done according to the legislation in force.
Without the need for your explicit consent, the Operator may communicate your data for the purposes indicated in art. 2 to the supervisory bodies, judicial authorities, insurance companies for the provision of insurance services, as well as the entities to whom the communication is mandatory under the terms of the law, for the fulfilment of the stated purposes.
- DATA TRANSFERS
Personal data is stored on servers located in the European Union. In any case, it is understood that, if necessary, the Operator will have the right to move the servers even outside the EU. In such a case, the Operator warrants that transfers of data outside the EU will be made in accordance with applicable laws, including through the inclusion of standard contractual clauses provided by the European Commission and the adoption of mandatory corporate rules for intra-group transfers.
- DATA STORAGE
The processed data for the subscribed company will be stored according to our DCP storage policy, the storage period being different depending on the purpose of the use and the data category. Our policy is based on the legal provisions in the field of civil law, the protection of personal data and the archiving of documents.
Regarding navigation on our websites and your interactions with the websites, we will keep the data for a period of up to 3 years. The Operator may delete your personal data when deemed unnecessary for the purposes for which they were processed.
- INDIVIDUAL RIGHTS OF PERSONS COVERED
DCPs must be processed in accordance with the individual rights of the data subjects, such as:
- the right to request access to data, rectify or restrict the processing of personal data;
- the right to data portability;
- the right to be forgotten;
- the right to object to data processing;
- the right to withdraw consent;
- the right to object to a decision being taken automatically;
- the right to lodge a complaint with an authority.
- DCP CONFIDENTIALITY
When processing your data, we use technical and organizational measures to ensure the confidentiality, availability and accuracy of your data. We work continuously to ensure that our security measures are kept at the highest level and we commit ourselves to inform you in time of any security incidents that could pose a significant risk to your rights.
- DATA PROTECTION INCIDENTS
The Operator will implement and maintain security incident management policies and procedures, notifying the involved subjects of a potential data security incident without undue delay.
The Operator will monitor, through the Data Protection Officer, new and ongoing risks related to the protection of personal data, updating the relevant risk register at the Operator level immediately.
In the event of a breach of personal data security, the Operator shall notify the supervisor accordingly without undue delay and, if possible, within 72 hours of the date on which it became aware of it, unless it is likely to generate a risk to the rights and freedoms of individuals.
- RESPONSIBILITIES AND PENALTIES
It is the responsibility of all Operator personnel to immediately notify the Data Protection Officer of any violation of this policy. When the Data Protection Officer deems it necessary, he / she shall inform the supervisory authority of such breaches.
The heads of each department within the Operator will be responsible for data processing within their departments and will monitor new and ongoing data protection risks / update the relevant risk map at the company level. In the event of a risk being reported, they will report this immediately to the Director General and the Data Protection Officer.
The heads of each department in which personal data are processed will inform the Data Protection Officer in a timely manner about each new data processing.
The General Manager, together with the Data Protection Officer, will ensure that an internal audit of the Operator is performed periodically to verify the management of privacy and data protection risks.
The competent supervisory authority must be notified / consulted whenever the Data Protection Officer has a legal obligation to do so. Also, in the case of an inspection by the supervisory authority, the Data Protection Officer is immediately notified.
All employees of the Operator who work with personal data have the obligation to immediately inform the Data Protection Officer of any violation of this policy or of other applicable legal regulations that they have become aware of. Abusive processing of personal data will lead to the application of disciplinary sanctions and may also be punishable under criminal legislation.