preloader

GDPR

1. Overview

1.1. Introduction

SC GAMAGIM SRL, as a personal data operator, processes personal data relating to the individuals with whom it interacts, for the stated purpose. This may represent data relating to customers, suppliers, business contacts, employees and other persons with whom the company has entered into a contract or with whom it is in a relationship and which refers to, but is not limited to, the following information: identification data (surname and first name), contact data (postal and e-mail addresses, telephone numbers), studies, position held, company in which they work.

This policy describes how personal data must be collected, used and stored in order to be consistent with the company’s data protection standards – and also meet the condition of legality. This control applies to all systems, people and processes that constitute the IT systems of the organization, including board members, directors, employees, suppliers and other third parties who have access to systems of SC GAMAGIM SRL.

1.2. The existence of the policy

This data protection policy ensures that within SC GAMAGIM SRL:

  • European and national legal requirements regarding the protection of applicable personal data and good practices in this field are respected;
  • Protection of the rights of the persons concerned: for example partners, customers, employees/collaborators;
  • How to store and process personal data collected directly or from third parties;
  • Protection of the company from possible risks related to the violation of data security;
  • Increasing the degree of trust of the external environment, in relation to SC GAMAGIM SRL.

1.2.1. The legislation regarding the protection of personal data Regulation (EU) no. 679/2016

describes how companies – including SC GAMAGIM SRL – must process personal data. Significant fines are applicable if a breach is deemed to have been enacted under the GDPR Regulation, which is designed to protect the personal data of European Union citizens.

These rules apply regardless of whether the data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used correctly, stored securely and not allowed to be used illegally.

Regulation (EU) no 2016/679 transposes the fundamental principles on the basis of which data processing is permitted, with companies having the obligation that the personal data they collect:

  1. To be processed legally, fairly and transparently towards the data subject (“legality, fairness and transparency”);
  2. Be collected for specific, explicit and legitimate purposes and are not subsequently processed in a way incompatible with these purposes (“purpose limitations”);
  3. To be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
  4. To be accurate and, if necessary, to be updated; all necessary steps must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is deleted or rectified without delay (“accuracy”);
  5. Not to be kept longer than necessary (“storage limitations”);
  6. To be processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality “);
  7. To be processed in accordance with the rights of the persons concerned;
  8. Not to be transferred outside the European Economic Area, unless the territory/country where they are to be transferred ensures an adequate level of personal data protection.

1.2.2. Definitions

The GDPR’s definition of personal data is broad:

Personal data = any information relating to an identified or identifiable individual.

In order to make a correct interpretation of this definition policy, it is necessary to know the fundamental terms in the field of data protection:

Data subjectAn identifiable individual is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific elements, specific to his physical, physiological, genetic, psychological, economic, cultural or social identity.
ProcessingAny operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation , use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
OperatorThe natural or legal person, public authority, agency or other body that, alone or together with others, establishes the purposes and means of processing personal data; when the purposes and means of processing are established by Union law or domestic law, the operator or the specific criteria for its designation may be provided for in Union law or domestic law.
Person authorized by the operatorPerson authorized by the operator natural or legal person, public authority, agency or other body that processes personal data on behalf of the operator.

1.3. Principles regarding the processing of personal data

Regulation (EU) No. 2016/679 transposes the fundamental principles on the basis of which data processing is permitted, with companies having the obligation to process personal data under certain conditions.

In order to comply with the applicable legal framework, the personal data within SC GAMAGIM SRL are:

  • processed legally, fairly and transparently towards the data subject (“legality, fairness and transparency”);
  • collected for specific, explicit and legitimate purposes and are not subsequently processed in a way incompatible with these purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes in accordance with Article 89(1) (“purpose limitations”);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
  • accurate and, if necessary, updated; all necessary steps must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is deleted or rectified without delay (“accuracy”);
  • kept in a form that allows the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed; personal data may be stored for longer periods to the extent that they will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89 paragraph (1), subject to the implementation of the appropriate technical and organizational measures provided for in this regulation in order to guarantee the rights and freedoms of the data subject (“storage-related limitations”);
  • processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”).

We will always make all necessary efforts to ensure that we comply with all these principles both in the current processing process and as part of the introduction of new processing methods, such as possible new IT systems.

1.4. The rights of the data subject

The data subject has several rights under the GDPR Regulation. They consist of:

  • The right to withdraw consent;
  • The right to information;
  • The right of access;
  • The right to rectification;
  • The right to delete data (“the right to be forgotten”);
  • The right to restrict processing;
  • The right to data portability;
  • The right to object to processing;
  • The right not to be the subject of a decision based exclusively on automatic processing, including the creation of profiles;
  • The right to submit a complaint to the Authority;
  • The right to apply justice.

Each of these rights is supported by appropriate forms from SC GAMAGIM SRL that allow the necessary action to be taken within the terms established by the GDPR Regulation.

The persons concerned can exercise some of the above rights by e-mail, addressed to the data operator at info@alertacui.ro. Applications will be exempt from any fee. The operator will be obliged to provide an answer within a maximum of one month, and in certain exceptional cases within two months at the most from the receipt of the request.

We will always verify the identity of any data subject who addresses us with a request regarding their data processed by us. In order to respond to requests and allow the exercise of rights, the legal department or external legal advisors will have a say on the merits of the request.

1.5. Basis of processing

The processing of personal data at SC GAMAGIM SRL is based on the following legal grounds contained in Regulation (EU) 679/2016:

  • in order to conclude and execute service contracts that are the subject of our activities – art. 6, para. 1, lit. (b);
  • in order to fulfill the legal obligation of highlighting and reporting to state bodies – art. 6, para. 1, lit. (c).

The personal data collected and processed are necessary to conclude or execute a contract with the data subject, in which case their explicit consent is not required.

Given that personal data must be collected and processed by us in order to comply with the law, explicit consent is not required. This may be applicable to certain employment and taxation data, for example.

1.6. Purposes of processing

As part of our professional activity, we process personal data to implement the object of the company’s activity – the services of retrieval from public sources, processing, display and monitoring of legal and economic information regarding legal entities and other professionals.

The purpose of collecting personal data is to help us in the following endeavors:

  • providing our offers and services;
  • conclusion or execution of contracts;
  • correspondence with you related to our Services;
  • settlement of disputes and complaints;
  • improvement of the Presentation Site;
  • improving, developing or creating new Services;
  • recruitment;
  • to honor the legal obligations that regulate our field of activity, such as the Civil Code, the Fiscal Code, and the Labor Code.

In order to carry out our professional activity, we can process the following personal data:

1. In the case of visitors to the website www.alertaCUI.ro:

– Information obtained through cookie files, such as how to navigate the site or consent to data processing through cookies.

2. In the case of users of the www.alertaCUI.ro application:

  • Name and surname;
  • User data and account password;
  • Contact data: email address and phone number;
  • The company he represents and the department in which he works within it.

3. In the case of website visitors who contact us through the contact form:

  • Name and surname
  • Contact details: email and phone number
  • Other data that can be contained in the message

4. In the case of persons appearing in published official documents and who are connected to legal entities and other professionals

Considering the object of the company’s activity, namely the services of retrieval from public sources, processing, display, and monitoring of legal and economic information regarding legal entities and other professionals, the personal data associated with the aforementioned entities are also processed in a related manner.

The roles of the data subjects are:

  1. Persons registered as PFA, II, IF
  2. Associates, shareholders, legal representatives, censors, administrators, and judicial liquidators or liquidators

iii. Individuals identified in the Official Gazette publication – part IV;

  1. Individuals engaged in the insolvency procedure of legal persons;
  2. Creditors, Debtors, Guarantors or other parties in the case of registrations made in the National Register of Securities Advertising;
  3. Parties in litigations published on the justice portal: portal.just.ro

The public, official data sources from which personal data can be retrieved are:

The National Trade Registry Office (which publishes data on legal entities registered with RECOM, free of charge or for a fee):

Personal data processed: name, surname, contact details, registered office, position within the company, position, citizenship, gender, date and place of birth, marital status, participation quota or powers of representation, date of appointment and duration of mandate, date of submission signature specimen, contact details.

Ministry of Finance:

Personal data processed: name (especially in the case of PFA, II and IF), contact details of registered office.

National Fiscal Administration Agency:

Personal data processed: name (especially in the case of PFA, II and IF), contact details of registered office.

Official Gazette – part IV:

Personal data processed: personal data differ depending on the content of the act, these being listed by way of example, but not limited to: name, first name, position within the entity, date of birth, personal address, CNP, ID card series and number and so on

Bulletin of Insolvency Procedures:

Personal data processed: identification data, their role in insolvency proceedings;

The justice portal – portal.just.ro:

Personal data processed: name, surname, procedural status in the open file, history of terms, solutions and court decisions.

5. In case of recruitment by GAMAGIM SRL:

  • Data contained in the CV;
  • References;
  • Information published online.

2.Limits of policy applicability

2.1. The field of politics

This policy applies to:

  • Headquarters of SC GAMAGIM SRL;
  • To all SC GAMAGIM SRL departments;
  • To all staff and volunteers of SC GAMAGIM SRL;
  • To all contractors, suppliers, and other persons working on behalf of SC GAMAGIM SRL.

It applies to all data that the company holds in relation to identifiable natural persons.

2.2. Risks

The policy helps protect SC GAMAGIM SRL from real security risks, including:

  • Violations of confidentiality.
  • Damage to reputation. For example, the company could be harmed if this data were obtained by interested parties from the inside through a security breach.

3. Data storage

These rules describe how and where personal data should be stored.

When data is stored on paper, it should be kept in a secure place where unauthorized persons cannot gain access.

These instructions also apply to data that is normally stored electronically but has been printed for some reason:

  • Papers or files should be kept in a closed place or in a closed drawer;
  • Employees should ensure that paper or printouts are not left with unauthorized people who may see them, such as on the printer;
  • Prints should be destroyed when no longer needed.

When data is stored electronically, it must be protected from unauthorized access, accidental deletion, or intentional hacking attacks:

  • Data should be protected by strong passwords that are changed regularly and never shared between employees, while sensitive data should be encrypted;
  • When data is stored on removable media (such as CD, DVD), it is kept safe when not in use;
  • Data will only be stored on dedicated servers or units and should be uploaded to an approved cloud computing service;
  • Servers containing personal information should be placed in a safe place, away from the general office space;
  • Data must be saved directly on laptops and not on other mobile devices such as tablets or smartphones;
  • The data have a periodic backup;
  • All servers and computers containing data are protected by Security software and firewalls.

4.Use of data

SC GAMAGIM SRL does not process personal data on a large scale or sensitive data. Even so, we want to keep your data safe. In order to prevent risk situations such as those of corruption or even theft, we have established a series of rules that must be followed when using this data:

  • When working with personal data and remaining even for short periods of time unattended, staff ensure that computer screens are closed;
  • Personal data is processed at the headquarters and/or at the workplace of our collaborators. All documents containing personal data, in electronic format, on paper, and on any other storage and transfer medium of personal data are processed/collected/kept/stored/archived/destroyed, etc., by the beneficiary, in the terms of the law;
  • We reduce as much as possible the transmission of personal data by e-mail, considering that this way of communication is not secure. As an exception, the only transmission of sensitive data by e-mail is that intended for the person concerned, at his express request;
  • Sensitive data should be encrypted before being transferred electronically;
  • Personal data are not transferred outside the European Economic Area;
  • Workers are prohibited from saving personal data on their personal devices;
  • Data will be kept in few places; the staff must not create any additional places that are not necessary, such as unnecessary copies;
  • Staff are trained to take every opportunity to ensure data is up to date. For example, by confirming some details when the customer calls;
  • Data is updated when inaccuracies are discovered. For example, when a customer can no longer be contacted via a phone number, it is recommended to remove them from the database.

5. Disclosure of data for other reasons

In certain circumstances, the law allows personal data to be disclosed to law enforcement without the data subject’s consent.

In these circumstances, SC GAMAGIM SRL will disclose the necessary data. The data controller will ensure that the request is legitimate, seeking assistance from the company’s legal advisors where necessary.

6. Provision of information

SC GAMAGIM SRL aims to ensure that data subjects know how data is processed, ensuring that they understand:

  • How their data is used;
  • How they can exercise their rights.

For this purpose, the company has a Website Privacy Policy (regarding the use of cookies) – www.alertacui.ro, establishing how personal data is used within it.

7. Consequences

Failure to comply with this policy by company employees or other external collaborators may lead to disciplinary sanctions (including termination of employment), termination of contracts, and, depending on the circumstances, legal action for full recovery of damages caused to the organization as a result of failure to comply with this policy.

When there is suspicion of illegal activities (such as, for example, the theft of documents, copying, distribution, and transfer of databases), the Company will report the criminal activity to the law authorities for the prosecution of the perpetrator.

This Policy will be brought to the attention of all employees, collaborators, business partners, or other third parties by the management of the company, including by publishing it on the SC GAMAGIM SRL company website.