SC GEOSTUD SRL as author, owner and administrator of the website www.geostud.ro, hereinafter referred to as GEOSTUD, respects the privacy and security of personal data processing of each person accessing its website.
1.1 CONTEXT OF THE GENERAL DATA PROTECTION REGULATION (“GDPR”)
The General Data Protection Regulation 679/2016 replaces the 1995 EU Data Protection Directive and replaces the legislation of each Member State, which was developed in accordance with Directive 95/46 / EC on data protection. Its purpose is to protect the “rights and freedoms” of individuals and to ensure that personal data are not processed without their knowledge and that they are processed with their consent.
1.2 DEFINITIONS USED BY THE ORGANIZATION (EXTRACTS FROM GDPR)
Material domain (Article 2) – GDPR applies to the processing of personal data, carried out in whole or in part by automated means, as well as to the processing by means other than automated of personal data, which are part of a data record or which are intended to be part of a data record system.
Territorial scope (Article 3) – The GDPR applies to the processing of personal data in the course of the activities of the premises of an controller or a person authorized by the controller in the territory of the Union, whether or not the processing takes place in the Union. This Regulation shall apply to the processing of personal data of data subjects located in the Union by an operator or a person authorized by the controller, who is not established in the Union, where the processing activities are related to:
a) the provision of goods or services to such data subjects in the Union, whether or not a payment is requested by the data subject;
b) monitoring their behavior if it occurs within the Union.
This Regulation shall apply to the processing of personal data by an controller who is not established in the Union but in a place where domestic law is applied under international law.1.3 DEFINITIONS OF ARTICLE 4
“Headquarters” – the operator’s head office in the EU will be the place where the controller takes the main decisions on the purpose and means of his data processing activities. The main seat of an EU representative will be its administrative center.
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifying element, such as a name, an identification number, location data, an online identifier, or one or more many specific elements, specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
“Special categories of personal data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and processing of genetic data, biometric data for the unique identification of a natural person, health data or data on the sexual life or sexual orientation of an individual.
“Operator” means the natural or legal person, public authority, agency or other body which, alone or together with others, establishes the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law.
“Data subject” – any natural person who is the subject of personal data held by an organization.
“Processing” means any operation or set of operations performed on personal data or personal data sets, with or without the use of automated means, such as the collection, recording, organization, structuring, storage, adaptation or modification, extracting, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, deleting or destroying.“Profiling” means any form of automatic processing of personal data, which consists in the use of personal data to assess certain personal aspects of an individual, in particular to analyze or predict performance issues in the field of personal data. work, economic situation, health, personal preferences, interests, reliability, behavior, location of the individual or his travels.
“Violation of the security of personal data” means a breach of security, which accidentally or unlawfully leads to the destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or to unauthorized access to them.
“Consent” of the data subject means any manifestation of free will, specific, informed and unambiguous of the data subject, by which he accepts by a statement or by an unequivocal action, that the personal data concerning him be processed.
“Child” – GDPR defines a child as any person under the age of 16, although this may be reduced to 13 years by the law of the Member States. The processing of a child’s personal data is legal only if the consent of the parents or guardians has been obtained. The operator will make reasonable efforts to verify, in such cases, whether the holder of parental responsibility over the child grants or authorizes the agreement.
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the controller and persons who, under the direct authority of the controller or controller, are authorized to process data with personal character.
“Data record system” means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or distributed according to functional or geographical criteria.
2. PRIVACY STATEMENT
GEOSTUD management based in Str. Sângerului, no. 11, Bucharest, Sector 1, undertakes to comply with all relevant EU and Member State laws on personal data and the protection of the “rights and freedoms” of persons whose information is collected and processed by GEOSTUD, in accordance with the General Regulation on data protection (GDPR).
Compliance with the GDPR is described by this policy and other relevant policies, such as the Information Security Policy, together with related processes and procedures.
The General Data Protection Regulation (GDPR) will be applied by all persons within GEOSTUD who process personal data, including all persons within GEOSTUD who process the personal data of customers, employees, suppliers and partners, as well as any other personal data on which the organization processes from any source.
The Data Protection Officer is responsible for the annual review of the processing log of any changes to GEOSTUD’s activities (as a result of changes in the data inventory log) and any additional requirements identified by data protection impact assessments. This register must be available at the request of the supervisory authority.
This policy applies to all GEOSTUD employees / staff and stakeholders, such as outsourced providers. Any breach of the GDPR will be dealt with in accordance with GEOSTUD’s disciplinary policy and may also be a misdemeanor, in which case the matter will be reported to the competent authorities as soon as possible.
Partners and any third parties working with or for GEOSTUD and who have or may have access to personal data are expected to have read, understood and complied with this policy. No third party may access personal data held by GEOSTUD without first concluding a data confidentiality agreement, which imposes on the third party obligations no less onerous than those complied with by GEOSTUD and which gives GEOSTUD the right to verify compliance with the agreement.
We may also collect and further process certain information about your behavior while visiting our website in order to personalize your online experience.
3. PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA
The personal data we collect from you will be used for the following purposes:
Name and surname, E-mail address, Telephone number, Address, for direct marketing purposes:
-Guaranteing access to information, tools, resources dedicated to members of the GEOSTUD community;
-Transmission of additional information regarding our activity and / or services;
-Cookies with statistical analysis to improve the operation of our site – Google Analytics;
-Essential cookies in order to comply with legal requirements established in different jurisdictions around the world – Clym.
Name and surname, CNP, Parent’s first name and Place of birth (only for training services cf GEO 129/2000), E-mail address, Telephone number, for the purpose of Contracting in order to provide services (including ANC authorized training services in based on GEO 129/2000, information and professional counseling services (labor mediation) and reporting to the control authorities in the field, to which according to the law we transfer your data, respectively the Technical Secretariat of ANC, AJOFM.
Name and surname, Correspondence address, Telephone number in order to send you the correspondence requested by you.
The data collected through the electronic platform is stored in our internal server, thus applying the principles of data privacy (Privacy Shield EU-US).
Your consent is required for GEOSTUD to process your personal data, and this must be given explicitly.
You can withdraw your consent at any time by requesting the withdrawal form at the e-mail address email@example.com.
4. WHY DOES GEOSTUDE NEED TO COLLECT AND STORE THE INFORMATION YOU PROVIDE AND HOW LONG DOES IT KEEP IT?
GEOSTUD is obliged to process and store your personal data, in order to provide you with services in conditions of legality and high quality. During the provision of services, with your consent, we will transfer your data to third parties in order to fulfill legal obligations (ANAF, ANC, AJOFM).
Your data will be kept for as long as the legislation in force requires. Unless explicitly stated, in accordance with ISO27001 and for a storage period in accordance with the Internal Data Retention Procedure, but not more than 10 years.
5. WHO HAS ACCESS TO THE DATA PROVIDED?
Access to your personal data is held by GEOSTUD employees or third party processors, as described in point 2 – Privacy Statement of this Policy. We do not offer anyone access to personal data without your consent.
6. WHERE IS THE DATA PROVIDED BY YOU?
The personal data provided are stored in the territory of the EEA, in accordance with the requirements of the General Data Processing Regulation (EU GDPR).
7. COOKIES USED BY THE GEOSTUD SITE
This site uses the following categories of cookies:
Essential cookies – help to create a website, allowing basic functions such as page navigation and access to the secure areas of the website. The website cannot function properly without these cookies. It also helps us comply with legal requirements, such as the GDPR.
Remarketing cookies – to advertise on other websites to users who have visited www.geostud.ro. Google will display ads on the websites that www.geostud.ro users access, and Facebook will display them on its platforms (Facebook, Messenger, Instagram). These displayed ads are based on a user’s previous visits to the site www.geostud.ro using cookies. If you wish to opt out of the remarketing cookies used by Google, you may choose to stop using Google Marketing Platform cookies by accessing the Google Marketing Platform opt-out page, the Network Advertising Initiative opt-out page, or your Facebook Advertising Preferences.
8. SECURITY OF YOUR DATA
GEOSTUD has an Information Security Management System according to ISO / IEC 27001: 2013. All employees are responsible for ensuring that all personal data that GEOSTUD holds and is responsible for is kept secure and is not disclosed in any way to a third party unless that third party has been specifically authorized by GEOSTUD. GEOSTUD to receive this information and has concluded a confidentiality agreement.
All personal data is accessible only to those who need to use it. All personal data is processed securely and stored as follows:
-in a closed room with controlled access and / or
-in a closed drawer / cupboard and / or
-if they are stored on computers, stored and backed up in the Cloud, password protected and access rights, in accordance with the requirements of the organization’s Internal Access Control Policy and / or
-stored on (removable) media that are encrypted.
All employees have entered into a user agreement before being allowed access to organizational information of any kind. As soon as the physical records are no longer required for everyday customers, they are safely destroyed in accordance with the internal procedure and legislation in force.
Personal data may be deleted or deleted in accordance with the record keeping procedure and in accordance with applicable law. Physical records that have expired are destroyed using a P3 minimum level shredder.