(1) Privacy
ROMAERO S.A. processes personal data in order to carry out the activities of the company, in compliance with the legal provisions regarding them in the countries in which it operates. The processing of personal data is carried out under conditions that ensure the security, confidentiality and respect of the rights of the data subjects, in compliance with the following principles:
• legality, fairness and transparency;
• determined, explicit and legitimate purpose;
• data minimization (adequate, relevant and limited data);
• accuracy, topicality;
• limited storage;
• integrity and confidentiality;
• responsibility.
CHAPTER I
Purpose
The purpose of the General Policy regarding the protection of personal data ("GDPR Policy") is to establish the rules and practices that regulate how ROMAERO S.A. ensures compliance with the principles and rules established by the GDPR when processing the personal data of customers, suppliers, partners, employees and other natural persons.
CHAPTER II
Applicability
This policy applies to all activities carried out by ROMAERO S.A. that involve the processing of personal data as a controller, as well as those performed as a processor on behalf of a controller and other activities that fall under European Union law.
CHAPTER III
Definitions and abbreviations
• consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
• personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• DPO means data protection officer;
• GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
• controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
• processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
• data subject means the natural person whose personal data is processed;
• processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
CHAPTER IV
The objectives of the GDPR policy
1. Ensuring the legality of data processing
In carrying out its activities, ROMAERO S.A. processes personal data under the following conditions:
• the data subject has given his consent
• processing is necessary for the execution of a contract to which the data subject is a party
• processing is necessary in order to fulfill a legal obligation
• processing is necessary to protect the vital interests of the data subject or of another natural person
• processing is necessary for the legitimate interests pursued by ROMAERO S.A. or the controller (if ROMAERO S.A. acts as a processor)
2. Securing the rights of the data subject
ROMAERO S.A. respects individuals' right to a private life.
When processing personal data, the company communicates to the data subject what data it collects, the purpose of collection, the recipients or categories of recipients of the personal data, the duration of data storage, and the erasure of the data at the end of the storage period. If the controller intends to subsequently process personal data for a purpose other than that for which they were collected, the controller shall provide the data subject, prior to such further processing, with information on that secondary purpose and any relevant additional information.
Data processing is carried out only by personnel authorized to do so.
The personal data processed and used by ROMAERO S.A. shall be stored on electronic media or archived on paper, for the period necessary for the purposes for which they were collected and in accordance with the legal provisions applicable to the activities carried out by the company.
Upon completion of the processing of personal data, the processed personal data are destroyed.
If, in carrying out the activities within the company's object of activity, ROMAERO S.A. acts as a processor on behalf of a controller, it will conclude with the controller an agreement on the processing of personal data which will ensure that the rights of the data subjects are respected.
If the data subject wishes to exercise a right or make a complaint, the DPO can be contacted at the following contact details:
• address: Bd. Ficusului, no. 44, Sector 1, Bucharest, Romania, mailbox 013965
• e-mail address: alina.dumitriu@romaero.com
• tel: +40753048160
ROMAERO S.A. provides the data subject with information on the actions taken following a request under Articles 15-22, without undue delay and in any case no later than one month after receiving the request. This period can be extended by two months when necessary, taking into account the complexity and number of requests. ROMAERO S.A. informs the data subject of any such extension within one month of receiving the request, also presenting the reasons for the delay.
If it does not take measures regarding the request of the data subject, ROMAERO S.A. informs the data subject, without delay and within a maximum of one month from the receipt of the request, about the reasons for not taking measures and the possibility to file a complaint with a supervisory authority and to file a judicial appeal.
3. Ensuring data security
4. Preparation and maintenance of records of data processing activities
ROMAERO S.A. maintains a Register that documents the processing of personal data, prepared and managed by the DPO. The register contains at least the information required by the GDPR.
5. Training of personnel in order to comply with the GDPR provisions
The staff of ROMAERO S.A. is periodically trained on the provisions of the GDPR, on the minimum security requirements for the processing of personal data, as well as on the risks involved in the processing of personal data.
Employees who have access to personal data are informed about the special nature of these data and are made aware of the rules that apply to them. All internal provisions regarding the obligations of employees in terms of information security are applicable.
6. Monitoring compliance of the company’s activities with the GDPR requirements
Through the DPO, ROMAERO S.A. continuously checks its compliance with, and implementation of, internal rules, GDPR provisions and legal provisions in the field, as well as other legal recommendations regarding the processing of personal data.