Privacy and Data Protection Policy
Last update: October 2020
This policy details the practice of EUVALUE Business Consulting SRL regarding the processing of personal data through the domain https://euvalue.eu (hereinafter, generically, the Website or Site) and is intended to inform users about this subject.
1. Identification of the data controller
Name: EUVALUE Business Consulting S.R.L. (hereinafter the Company)
Headquarters: Str. Bucuresti 984, 300254, Timisoara, Romania
Registration no.: J40/2846/2011
Fiscal code: RO39142973
2. Contact details in the field of personal data protection
The Company collects information from the traffic reports recorded by the servers hosting the Site, as well as through cookies.
Information obtained from the traffic reports recorded by the server:
When a website is accessed, users automatically disclose certain information, such as the IP address, the time of the visit, the place where the website was accessed. The Company, like other operators, registers this information.
Information obtained through cookies:
The deadline for the Company to send a response is no more than 30 days from the receipt of the request.
Given that the Company processes personal data of visitors / users of the Site, they hold the status of data subject and declare that they are over 16 years old.
If the information / requests transmitted by the users also concern personal data relating to other persons (those persons hence acquiring the status of data subject), the Company shall process their data strictly in order to be able to respond to that information / request.
Any information regarding an identified or identifiable natural person, respectively the data subject, can be considered as personal data.
Considering the processing purposes indicated herein, the Company tries to reduce as much as possible the personal data processed.
Depending on the cookie settings, other data can be processed (especially those related to user preferences and behavior on the Site).
5. Processing of personal data
The processing of personal data means any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means.
The Company accesses, collects, uses and performs any other actions allowed by the applicable law on the personal data provided by visitors, within the limits indicated at point 4 above.
The visitor of the Website is the person who accesses this page and whose personal data are processed for different purposes (respectively you). Those purposes are:
- For the personal data provided by the traffic reports recorded by the server:
– identification of the sections of interest of the Site
– safer administration of the computer system and the Site
– functioning and smooth operation of the Site (necessary cookie)
If the Company intends to subsequently process the personal data for a purpose other than those indicated above, it shall provide the data subject, prior to such further processing, with additional relevant information regarding the secondary purpose, by completing the necessary formalities according to the law.
7. Recipients of the processing
The personal data shall be provided to:
- the support service providers contracted by the Company in order to fulfill its contractual or legal obligations, such as:
– the IT company – can access all the data recorded in the Company’s online records, including those of the users;
– the lawyers of the Company – can access all data recorded in the Company’s records, including those of the users, in case of legal issues that require their involvement;
– advertising, PR and communication companies for the marketing activity. These companies may collect data through cookies or through the registration forms for the event or feedback, and to the extent that this happens, the Company shall provide this information to the data subjects in advance and obtain their consent where needed;
The list of suppliers above is not exhaustive, but it does indicate the main such collaborating companies. They shall have the capacity of independent controller, joint controller or processor in relation to the Company, depending on the factual situation and the contract’s clauses. However, regardless of the capacity held, they are obliged to maintain the confidentiality and security of the personal data of the data subject, adopting appropriate technical and organizational measures. Upon request, the main clauses of those contracts can be communicated to the data subject.
Although they are not considered as recipients of personal data under the legal provisions, public authorities (including the fiscal authority and the consumer protection authority) and the courts of law may process all/any of the personal data obtained by means of the Site.
8. Legal ground for processing
- art. 6 letter a GDPR – the processing is carried out based on the consent of the User -> situation applicable when the processing of the data is done in the context of the cookies accepted by the User and which are not necessary for the functioning of the Website;
- art. 6 letter c GDPR – processing is necessary for compliance with a legal obligation to which the Company as data controller is subject -> situation applicable in the context of data processing in relation to the competent authorities or legal service providers;
- art. 6 letter f GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject -> situation applicable in the context of data processing for the normal functioning and administration of the Site.
9. Type of processing
Data processing activities performed by the Company mainly refer to:
- use of data for providing feedback and answers to the messages transmitted by the user;
- use of data for the conclusion and execution of the contract;
- use of data for the purpose of each category of cookies chosen by the User;
- collecting other unsolicited data if provided by the data subject (user) in a communication, request or complaint addressed to the Company, so that it can respond and solve the request or remedy the incident;
- storing personal data according to the law and within the limits necessary to achieve the purpose, in the electronic and secure database held by the Company;
- allowing access to personal data to certain employees and external collaborators who provide support services for the Company, whose activity involves the processing of personal data, under the condition of undertaking the obligation of confidentiality;
- allowing access to personal data to the competent authorities, insofar as the law obliges.
10. Duration of data processing and storage
The storage period of the personal data collected is:
- until the withdrawal of the consent or the exercise of the right to data erasure (right to be forgotten) of the user – for the processing of personal data based on the consent of the data subject within the limits indicated by art. 17 of the EU Regulation no. 679/2019;
- a longer period than the abovementioned, when the law regulates in such manner or when there is a well-justified ground for this action (for example, to exercise a right before the court in a litigation started before the expiry of the storage period indicated herein).
Upon expiry of the aforementioned periods, all data shall be deleted from the Company’s records.
11. Rights of the data subject
a). The right to be informed
The Company reserves the right to modify / update the content of the Site, including the policies to which references are made, at its sole discretion, at any time and for any reason (including but not limited to the occurrence of legislative or jurisprudential changes that may affect the consequences to those published on the Site). The revision of this policy in the future shall be signalled by modifying the “Last updated” date at the top of this document. After the date the updated policy is published, accessing the Site shall represent the user’s acceptance of these updated conditions.
However, if there are significant changes that could affect the rights and freedoms of the users, or if it becomes obligatory to obtain their consent, users shall be informed about these changes by easily visible indications posted on the Site (pop-ups) or by e-mails sent to the addresses provided (if applicable). Such significant changes shall have effects for users within 15 days from the time of posting the pop-up in question or of sending the email (the manner of informing being decided by the Company on a case-by-case basis).
Upon request, the data subject shall be informed about the essence of the contracts concluded with the abovementioned recipients of personal data where possible, and also of the data source.
b). The right of access to the personal data processed
If the data subject wishes to receive information regarding the processing of data performed by the Company, he/she can send a request to the Company, and a response shall be provided within 30 days as of reception.
c). The right to data rectification
If the data subject wishes to rectify / amend the inaccurate / incomplete personal data concerning him or her as provided to the Company, he / she can send a request to the Company, and a response shall be provided within 30 days as of reception.
d). The right to data erasure (right to be forgotten)
The data subject shall have the right to obtain the erasure of personal data concerning him / her:
- at the expiration of the processing duration;
- if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- if the data subject withdraws his / her consent on which the processing is based and where there is no other legal ground for the processing;
- if the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- if the processing is illegal, the personal data being unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation.
The exceptional cases provided in art. 17 paragraph 3 of the European Regulation no. 679/2016 are applicable.
Some data are part of the Company’s records, which it keeps in relation to its legal obligations or its legitimate interest. Therefore, not all data can be erased, according to the law. However, any refusal to delete the data shall be motivated by the Company and shall be based on a clear legal basis.
e). The right to restriction of processing and the right to object
The restriction of processing can be applied if the data subject finds out that:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are not yet deleted and are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
The Company may continue processing the restricted personal data if it is necessary to establish, exercise or defend a right in court, or protect / defend a person but only with the consent of the data subject.
The Company shall communicate to the recipients that a rectification, deletion or restriction of the personal data took place, unless it is impossible or it involves disproportionate efforts.
f). The right to data portability
The data subject, or a third party indicated by him / her, can receive, on request, the personal data processed by the Company. The Company assumes no responsibility for the data processing performed by that third party.
The obligation to ensure the right to portability is the responsibility of the Company only if the processing of the personal data is based on the consent of the data subject or on the conclusion and execution of the contract. The actions shall be taken within 30 days from the receipt of the request.
g). The right to object
The data subject shall have the right to object, on grounds relating to his / her particular situation, at any time to processing of personal data based on the legitimate interest of the Company (including profiling).
Regardless of the above, if the Company demonstrates well justified legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims, the processing of data can continue.
h). The right to submit a claim
The data subject may submit:
- a request / a claim using the contact data of the Company, as indicated at art. 1 above;
- an action before the competent court;
- a complaint before the Romanian National Supervisory Authority for the Processing of Personal Data (www.dataprotection.ro).
However, the Company wishes any conflict / dispute to be resolved amicably and is fully available in this regard.
i). The right to withdraw the consent given
The data subject may withdraw his / her consent at any time, without however affecting the legality of the processing carried out before the withdrawal, nor of the processing based on another legal ground.
j). The right to not be subject to an automated decision
The Company does not take any decision based solely on automatic processing of personal data.
12. Main obligations of the data subject
The data subject has the obligation to keep the confidentiality of all personal data with which he / she comes into contact in relation to the Company, for an unlimited period of time.
b). Complying with the data security measures
The data subject shall not process any confidential data or personal data of third parties, unless it is absolutely necessary, confidentiality is ensured and the specific legislation is fully complied with.
In case of breach of the obligations indicated in this art. 12 by the data subject, the Company shall be entitled to obtain from him / her compensation for all the damages suffered.
13. Obligations of the Company. Security measures applicable to the processed personal data
The Company complied with the provisions of the data protection legislation and has implemented appropriate technical and organizational measures to ensure the security of the processed personal data and the rights of the data subjects. Thus, the Company has implemented measures such as:
- the conclusion of contracts with collaborators who have undertaken the obligation of confidentiality in relation to the personal data processed, as well as the general obligation to comply with the applicable legislation in the field of personal data protection;
- training the employees and collaborators on the importance of personal data protection, as well as limiting their access to data according to their attributions and competences;
- establishing internal procedures having the purpose of protecting personal data;
- indicating dedicated contact data which can be used for questions/claims regarding personal data (i.e. those indicated in art. 1 of the present policy);
- implementing information security measures;
- not installing structures that allow access to the Site only if a user account is created;
- not installing cookies in addition to those necessary for the functioning of the Site and offering the users at all times the possibility to choose the additional cookies accepted.
Also, the Company shall inform the competent data protection authority in the event of a breach concerning data security, without undue delay and, if possible, within 72 hours from the moment it became aware of it, unless it is unlikely to create a risk for the rights and freedoms of individuals. If the notification to the authority shall not be made within the 72 hours, it shall be accompanied by a justified explanation for the delay.
In the event of an incident concerning the security of personal data, the Company shall also inform the data subject without undue delay, if the breach of the security of personal data is likely to generate a high risk for his / her rights and freedoms. However, informing the aforementioned data subject is not necessary if any of the following conditions is met:
- the Company has implemented adequate technical and organizational protection measures, and these measures have been applied in the case of the personal data affected by the security breach;
- the Company has taken further measures to ensure that the high risk for the rights and freedoms of the data subjects is no longer likely to occur;
- informing the data subject would require a disproportionate effort. In this situation, a public notification shall be conducted instead or a similar measure shall be taken, so that the data subjects are informed in an equally effective manner.
Any statistics regarding the traffic of the users on the Site, which the Company shall provide to third party advertising networks or to other sites, shall have a data set form and shall not include any identifiable information about any individual user.
Unfortunately, no data transmission through the internet can be guaranteed to be 100% secure. Consequently, despite the Company’s efforts to protect users’ personal data, it cannot guarantee or ensure the security of information transmitted by them through the Site. Users are therefore warned that any information sent through the online environment shall be done at their own risk.
To mitigate this risk, one of the measures taken by the Company is to offer all interested users the possibility to send requests / addresses / messages in material form, to the Company headquarters, and not necessarily through the “Contact” box.
The Company’s liability in relation to the data subject shall be established in relation to the capacity held in the respective data processing operation, the reason and place of the incident, the security measures taken, the measures taken to avoid incidents and the observance of the other legal obligations.
15. Transfer of personal data to third countries / international organizations
The Company does not transfer personal data of the data subjects outside Romania.
This policy applies to the Company and to the Site visitors/users (including those who complete the existing forms on the Site).
This document is part of the Company’s set of security policies. Other policies can apply to the topics addressed herein and can be reviewed according to specific needs.