GDPR

COMMUNICATION

ON THE PROCESSING OF PERSONAL DATA AND FREE MOVEMENT

Purpose of this communication: to understand the obligations of each of us as a Controller, employer, employee, operator, user or recipient with respect to the processing of personal data and its free movement, as imposed by EU Regulation 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which has applied since May 25, 2018 and is directly applicable in all Member States under the Treaty on the Functioning of the European Union.

This communication applies to the processing of personal data made by VAUBAN IT RO SRL, with registered office in Bucharest, Coltei, no. 38, Corp B2, 1st floor, ap. 4, district 3, hereinafter referred to as the „CONTROLLER”.

We process personal data through mixed means (manual and automatic) under conditions that ensure the security, confidentiality and respect of the rights of the data subjects, in accordance with the legislation in force.

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to risk.

This document is relevant to all categories of people, regardless of your position: employee / former employee / potential employee; client and / or partner - natural person, representative of a legal partner, supplier or representative of a supplier; visitor to our site; visitor of our website; visitor of our applications; visitor to our headquarters / business unit.

DEFINITIONS:

Personal Data Processing: is any operation or set of operations that is performed on personal data by automated or non-automatic means such as: collecting, recording, organizing, storing, adapting or modifying, extracting, consulting, using, disclosing to third parties by transmission, dissemination or otherwise, joining or combining, blocking, erasure or destruction.

Personal data: represents any information relating to an identified or identifiable individual; an identifiable person is that person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, psychological, economic, cultural or social identities.

Consent: free, explicit and unequivocal agreement of the data subject to have his or her personal data processed.

Controller: any natural or legal person, public authorities, institutions and any other public or private body that establishes the purpose and means of processing personal data.

Data subject: any natural person whose personal data are processed;

Operator: any natural or legal person, public authority or other body that processes personal data on behalf of the Controller. Each operator is responsible for ensuring the security of the data he is handling.

Recipient: means any natural or legal person, public authority, agency or any other body to which personal data is disclosed, irrespective of whether it is a third party or not. However, public authorities to whom personal data may be communicated in a particular investigation under Union or national law shall not be considered as recipients; the processing of such data by the respective public authorities respects the applicable data protection rules in accordance with the purposes of the processing;

Third party - a natural person / legal entity, a public authority, an agency or any body other than the data subject, the controller, the operator and the persons under the direct authority of the controller or the operator, that is authorised to process personal data.

User: Any person acting under the authority of the Controller with a recognized right of access to personal data bases. Each user is responsible for ensuring the security of the data he is handling.

Storage: Storage is done for the period necessary to achieve the purpose for which data were stored. Storing is done in a form that allows the identification of the data subjects for a period that does not exceed the period necessary for the fulfilment of the purposes for which the data are processed;

Privacy: Persons who process personal data on behalf of the Controller have acknowledged the confidentiality of these data and have been trained on how to operate them.

Data accuracy: Inaccurate and incomplete data, taking into account the purpose for which they were processed, can be completed / rectified.

Personal Data Breach - means a security breach that accidentally or unlawfully leads to the unauthorized destruction, loss, modification or disclosure of Personal Data transmitted, stored or otherwise processed, or to an unauthorized access to them.

Supervisory authority - means an independent public authority set up by a Member State pursuant to Article 51 of the GDPR. In Romania, the National Supervisory Authority for Personal Data Processing - ANSPDCP will carry out checks and apply sanctions on behalf of the EU.

  1. DPO - Data Protection Officer designated by the Controller.
  2. DPIA - Data Protection Impact Assessment.

Restriction of processing: means the marking of stored personal data in order to limit its future processing;

Profiling: means any form of automatic processing of personal data consisting of the use of personal data to assess certain personal aspects relating to a natural person, in particular to review or predict performance aspects at the workplace, the economic situation, health, personal preferences, interests, reliability, behaviour, the place of the individual's physical presence or movements;

Pseudonymisation: means the processing of personal data in such a way that it can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures to ensure that such personal data are not allocated to an identified or identifiable natural person;

Encryption: means the security technique that ensures that personal data becomes incomprehensible to anyone who is not authorized to access it.

TABLE OF CONTENTS:

This communication includes the following:

Measures adopted;

What categories of personal data we process;

The purposes for which we process personal data;

The grounds on which we process personal data

The categories of people to whom we divulge the data;

Data storage time;

What repercussions exist if you do not provide us with personal data;

Your rights under the laws in force and how you can exercise them;

Data deletion;

Our contact details.

A. MEASURES ADOPTED

1. Confidentiality measures (Article 32 (1) (b) of the GDPR)

1.1. Provide access control at the headquarters / business unit where personal data is processed.

 Secured access system at headquarters and business units.

1.2. Secure control of the access to the system where personal data are processed.

  Rules and regulations on access keys have been implemented.

1.3. Secure access control for the use of the system in which personal data are processed

 Designate authorized persons and give access only to these persons.

1.4. The following measures were taken:

We have developed in the database a functionality that anonymizes personal data from all logs and user history.

2. Measures to ensure the integrity of data (Article 32 (1) (b) of the GDPR)

2.1. Measures or control of encryption / data transmission (Article 32 (1) (a) of the GDPR)

We took the following steps:

The data that arrives at the hosted server of the company are automatically encrypted.

2.2. Control of data entry

Measures to ensure the possibility of verification and determination at a later stage if and by whom the personal data in / from the data processing systems have been entered, modified or deleted.

Allocation of individual access keys to persons who have been granted access to and registration of their actions / activities.

3. Measures to ensure the availability and resilience of data (Article 32 (1) (b) (c) of the GDPR)

Hosted servers of the company and back-ups

4. Process for periodic testing and evaluation of the effectiveness of technical and organizational measures (Article 32 (1) (d) of the GDPR)

Regular organization of stress / resilience tests

5. Workplace control / organizational measures (Article 32 (1) of the GDPR)

Internal policy governing IT & C activity

6. Measures to ensure the limitation of the purpose of processing personal data (the impossibility of creating links).

Providing differentiated access privileges and operations for people with authorized access

7. Data protection from the moment of conception and by default (Article 32 (1), 25 (1), (2) of the GDPR)

Measures to ensure that data protection is considered from the moment of conception and by default, including transparency and the ability to interfere with data.

7.1. Data protection from the moment of conception and by default (in general)

The process of opening accounts and onboarding is integrated into the general IT administration system

7.2. Measures to ensure transparency

Publish the Privacy and Cookie Policy, opt in or opt out possibility

7.3. Measures to secure the rights of the data subjects (the possibility of interfering with data)

Publishing contact data dedicated to taking user requests to intervene (modify, delete, etc.) on data

B. CATEGORIES OF DATA. PURPOSE. BASIS

1. Current or potential clients

We can process your personal data for:

1.1. Providing our services at your request. We will use your personal information in order to be able to submit an offer, to conclude a contract, to execute the contract with you and to offer you the requested services. The data will be processed based on the need to conclude and execute a contract with you. We will mainly process your identity data (name, surname and data entered in the identity card, passport). The data will be processed throughout the contractual period.

1.2. Solving your requests will be done by using your data made available to us as a result of our contractual relationships, in order to respond to your inquiries, complaints, requests, claims. The basis of the processing in this case will be the execution of the contract with you or your consent, as the case may be.

1.3. Communication for marketing purposes. In order to send you communications about our products / services, it is necessary to process your personal data (name, surname, e-mail address, telephone). Data processing, in this case, will be based on your consent.

2. Members (employees / collaborators / third parties) of our contractual partners - legal entities

We can process your data for:

2.1. Maintaining the contractual relationship with the companies with which you have a contractual or any other relationship, or to which you have given your consent to the transmission of the data to contractual partners. In order to be able to collaborate with the company with which we have contractual, collaboration or any other kind of relations, including with you to resolve situations, we will need to process personal data that relates to you. Our processing is based on our legitimate interests. We will process your first name, last name, email address, phone number and other identification details we have access to. The data will be processed throughout the contractual period.

2.2. Communication for marketing purposes. In order to send you communications about our products / services, it is necessary to process your personal data (name, surname, e-mail address, telephone). Data processing, in this case, will be based on your consent.

3. Our contractual partners - individuals (business partners / collaborative relationships - not clients)

We can process your data for:

3.1. To be able to conduct business / collaboration relationships with you. In order to start and maintain the collaboration with you, it is necessary to process certain personal data. We will generally process the following data (name, surname, identity card, passport data, identification certificates). In this case, the data will be processed on the basis of the conclusion and execution of a contract between us.

3.2. Solving your requests will be done by using your data made available to us as a result of our contractual relationships, in order to respond to any requests, complaints, requests, claims. The basis of the processing in this case will be the execution of the contract with you or your consent, as the case may be.

3.3. Communication for marketing purposes. In order to send you communications about our products / services, it is necessary to process your personal data (name, surname, e-mail address, telephone). Data processing, in this case, will be based on your consent.

4. Candidates to vacant / open positions in our company. Internship

To carry out the recruitment process, we can process your personal data.

In order to be able to review your application, it is necessary to process the data included in your CV. The processed data include: last name, first name, e-mail address; telephone number, professional experience, studies / qualifications / certifications, driving license category and any other data that you include in your CV or any other documents that we may request from you or you have voluntarily submitted to us.

The processing is based on the conclusion / execution of the employment and / or collaboration agreement.

Your data may be retained after the end of the recruitment process, for future recruitment processes, based on your consent.

5. Representatives of public authorities.

We may process personal data to fulfil our legal obligations, at the request of the public authorities, for maintaining registers provided by law and the like.

We will process personal data: name, surname, identity card data; passport; registration certificate; e-mail address.

6. If you are a visitor to our websites, our pages on social networks

We may use your personal data for the following purposes:

6.1. Improve our website. In order to take account of the options expressed in the browsing sessions, we process data such as: IP address, cookies, other online identifiers, visit history, date and time of access, type of Internet browser.

The basis for personal data processing will in most cases be your consent or our legitimate interest.  

6.2. If you post, comment, or like, on one of our social media pages, we primarily process your data (username, e-mail address, profile photo). In these cases, we will base our processing on your consent.

6.3. Managing our communications, IT systems and their protection.

In order to ensure our security, manage our communications systems, IT, security audits, protect our data and systems against cyberattacks and any other attacks in the virtual environment, we will mainly process data such as IP address, date and time accessing the website; type of internet browser ........... The processing is based on our legitimate interest, or, as the case may be, the fulfilment of our legal obligations.  

7. If you are a visitor to our premises / employee (headquarters, business units)

We process your personal data to ensure your access and security for individuals and objects. In order to ensure access to our premises, we will process personal data, namely: name, surname, required to issue the access code.

In some of our rooms we have a video surveillance camera installed to ensure security. Thus, we will process images (video) of you. In all cases, we have indicated the places where the video surveillance cameras are installed, using plates, according to the law. Processing is based on our legitimate interest in ensuring security on the premises.

8. Third-party data processing.

If personal information is provided to us by you about other people, you must make sure that you have informed them and that you have advised them to review this communication about how VAUBAN processes personal data.

9. We may also process your data for the following purposes:

9.1. Solving your requests.

We will use your data to respond to your requests, applications, or any other questions you may have. Mainly, we will use the name, surname, email address; telephone and other information you include in the request you submit.

The basis of the processing in this case will be either the execution of the contract with you or your consent.

9.2. At the request of the authorities, in order to provide a response or other cases provided by law.

In the case of a legal obligation, we will communicate your data to the requesting authority, store the data for a certain period or process the data in a different way. The basis for processing is, in this case, the fulfilment of our legal obligation.

9.3. For making transactions or other operations.

For transactions or other operations, we may divulge your data to the bank, prospective purchasers, authorities. The data will be reduced as much as possible. The basis of processing is our legitimate interest or the fulfilment of a legal obligation.

9.4. Defence of rights.

We may process your data to defend our rights or others’ before courts, arbitral tribunals, mediators, notary offices, bailiffs, public authorities, other bodies (as an example, but not limited to, lawyers, experts, auditors, specialists). The basis of processing is our legitimate interest or the fulfilment of a legal obligation.

9.5. Fraud prevention

In order to carry out our activity legally, we may process your data and may only transmit or grant the right to review your data to counsellors / auditors / lawyers in order to prevent fraud or other unlawful acts. The basis of processing is our legitimate interest and our legal obligations to ensure the legality of our operations in the field of money laundering prevention.

10. The categories of people to whom we disclose the data.

As a rule, we will not disclose personal data to other individuals or businesses.

However, in some cases, we may need to disclose your data, such as:

To fulfil a legal obligation to public authorities, natural or legal persons;

To fulfil a legitimate interest of our company, to other companies or individuals or legal entities acting as operators in various fields such as: payment services, services that we can outsource, or to public authorities, other persons, courts;

To defend and exercise our rights or other person’s rights.

In all cases, we will ensure that personal data transmitted is processed under confidentiality and security, respecting your rights and the purpose for which it was transmitted.

At this time, we do not transfer personal data to third countries or international organizations. If necessary, we will notify you in a timely manner to exercise your rights under the applicable law.

11. Data storage time

The data will be stored according to the purpose of the processing, the data category processed and our privacy policy.

Storage periods are based on legal provisions, contractual duration and / or your agreement (obligations to store certain data, applicable terms of prescription, purposes of our activity).

12. What repercussions exist if you do not provide us with your personal data.

If you do not provide the required data, we will not be able to respond to your requests, to send you communications about our offers / services, to conclude or negotiate a contract with you.

13. Your rights under the laws in force and how you can exercise them.

13.1. The right to be informed

When the data are obtained directly from the data subject

at the time of obtaining the data;

If the data are not obtained directly from the data subject

within a reasonable time (at most one month from the time of data collection);

in the case of data that is subject to communication with the data subject, at the latest at the time of first communication with the data subject;

Before data is disclosed to third parties or at the time of disclosure at the latest;

13.2. The right of access

You have the right to gain access to collected personal data related to you or copies thereof. You also have the right to obtain from us information about:

· The purposes of the processing;

· What categories of personal data we process;

· Recipients to which personal data have been or will be transferred, in particular recipients from third countries or international organizations;

· The storage period or, when it is not possible, the criteria used to determine the storage period.

13.3. The right to rectification of data

You have the right to ask for rectification of the inaccuracies of the data about you that we process.

13.4. The right to delete (the right to be forgotten)

You have the right to obtain the deletion of your data collected / processed by us under the conditions provided by the EU Regulation on the processing of personal data.

13.5. The right to restrict data processing

You have the right to restrict the processing of data concerning you that we process.

13.6. Right of opposition

Any data subject has the right to oppose the processing of his or her personal data by us or on our behalf for grounds related to the particular situation in which he or she is - Art. 21 of the EU Regulation.

13.7. The right to data portability.

Any data subject has the right to the portability of personal data processed by us to another controller.

13.8. Right to withdrawal of consent

If personal data is processed based on your consent, you have the right to withdraw your consent. The lawfulness of the data processing, made previously, will not be affected by the withdrawal of the consent.  

13.9. Right on the individualized decision-making process

You have the right not to be the subject of a decision based exclusively on automatic processing.

13.10. The right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the Supervisory Authority regarding the processing of your data by us or on our behalf. This is the National Authority for Surveillance of Personal Data Processing (ANSPDCP).

14. Data deletion

Deleting data - removing or eliminating, in whole or in part, personal data from records, by reaching the retention period, when reaching the purpose for which they were entered, the laxity, the inexistence, the inaccuracy thereof.

The personal data deletion procedure is established when the company has received a request from you, from the data controller and complies with the requirements of EU Regulation 679/2016.

You may ask us to delete your personal data, but only if:

· personal data are no longer required for the purposes for which they were collected or processed; or

· you have withdrawn your consent (if the data processing is based on consent); or

· you exercise a legal right to oppose; or

· these have been illegally processed; or

· we have a legal obligation to do so.

We have no obligation to comply with your request to delete your personal data if processing of your personal data is required:

· to comply with a legal obligation; or

· for establishing, exercising or defending a right in court.

There are certain other circumstances in which we are not obliged to respect your request for data deletion, although these are the most likely circumstances in which we may decline your request.

Data deletion will be done by authorized personnel after checking your request and identifying the circumstances and complying with the legal requirements imposed by EU Regulation 679 / 2016.

Data deletion will be provided through a report on the removal procedure.

A response to the confirmation of deletion of personal data as requested, or the reason for the legal obligation to store the data, is provided within the legal term.

15. How to exercise your rights.

In order to exercise one or more of the rights provided by law or to ask any question about any of these rights or any details regarding the processing of your personal data by us, you may use our contact information:

VAUBAN IT RO SRL

Registered office:  Bucharest, Str. Coltei, no. 38, Corp B2, 1st floor, ap. 4, district 3

Business unit (mailing address):  Bucharest, Str. Ion Otetelesanu, no. 2, 1st floor, district 1


Contact details of the Data Protection Officer

Mailing address:  Bucharest, Str. Ion Otetelesanu, no. 2, 1st floor, district 1

Phone no. +4021.316.40.41
