In personal data processing operations on the http://www.shl.ro website the following data is used:
The processing of these data types is subject to the legislation on the processing of personal data: REGULATION (EU) 2016/679 OF THE PARLIAMENT EUROPEAN PARLIAMENT AND THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of of these data and repealing Directive 95/46 / EC (General Data Protection Regulation - GDPR), which explicitly regulates personal data processing activities, the qualities of legal entities processing personal data, roles and responsibilities them.
Protection of personal data
“"PDP legislation"§ means any law, ordinance, decree, regulation or secondary legislation issued by the Surveillance Authority on the processing, confidentiality and use of Personal Data applicable to services provided under the Agreement, including:
- Law no. 677/2001 on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of such Data ("Law 677/2001"); Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector ("Law 506/2004") and any other normative acts in Romania implementing these laws, Directive 95/46 / EC (Data Protection Directive) and Directive 2002/58 / EC (the "e-Privacy Directive"); and / or
- starting with 25 May 2018, Regulation No 679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation data protection ("GDPR"), from the date on which it will be applicable; and any other national normative acts given in the application of GDPR;
- any judicial or administrative interpretation of any of the above, any guidelines, guidelines, codes of practice, codes of conduct or certification mechanisms approved or issued by any relevant Supervisory Authority throughout the period in which they are in force and enforceable, and any acts amending, supplementing or replacing them over time.
controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
supervisory authority means an independent public authority which is established by a Member State pursuant to Article 51, in Romania represented by ANSPDCP.
Principles of processing personal data
Principles relating to the processing of personal data require that personal data be:
- processed legally, fairly and transparently to the data subject ("legality, fairness and transparency");
- collected for specified, explicit and legitimate purposes and not subsequently processed in a way incompatible with those purposes; further processing for purposes of archiving in the public interest for purposes of scientific or historical research or for statistical purposes is not considered incompatible with the original purposes in accordance with Article 89 (1) GDPR ("purpose limitations");
- appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
- accurate and, where necessary, updated; all necessary steps must be taken to ensure that personal data which are inaccurate, in the light of the purposes for which they are processed, are erased or rectified without delay ('accuracy');
- stored in a form that permits the identification of the data subjects for a period not exceeding the time required for the purposes for which the data are processed; personal data may be stored for longer periods insofar as they are processed solely for purposes of archiving in the public interest for purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1) of the GDPR, subject to the implementation of the appropriate technical and organizational measures provided for in the GDPR Regulation in order to guarantee the rights and freedoms of the data subject ("storage limitations");
- processed in a way that ensures the adequate security of personal data, including protection against unauthorized or unlawful processing and against loss, destruction or accidental damage by taking appropriate technical or organizational measures ("integrity and confidentiality").
The Company makes every effort to align with these principles all existing personal data processing activities and any new processing that it intends to carry out.
The rights of individuals
The physical person accessing this site under GDPR has the following rights:
- The right to be informed
- The right to access personal data
- The right to update your personal information
- Right to request the deletion of personal data
- The right to request the restriction of the processing of personal data
- The right to portray personal data
- The right to oppose the processing of personal data
- Rights regarding the automatic processing of personal data
- All the above rights are supported by distinct procedures developed at our company level in accordance with the strict GDPR requirements and within the deadlines defined therein.
The deadlines set by the GDPR for exercising the rights of the data subjects and / or responding to their requests and / or responding are varied as follows:
|Right of the individual||Deadline for obtaining consent / informing / exercising the right and / or providing answer|
|The right to be informed||When data is collected|
|The right to access personal data||It can be exercised at any time during processing and a response is given within 30 calendar days|
|The right to update your personal information||It can be exercised at any time during the processing, is immediately implemented and a response is provided within 30 calendar days|
|Right to request the deletion of personal data||It can be exercised at any time during the processing, is immediately implemented and a response is provided within 30 calendar days|
|The right to request the restriction of the processing of personal data||It can be exercised at any time during the processing, is immediately implemented and a response is provided within 30 calendar days|
|The right to portray personal data||It can be exercised at any time during processing and provide an implementation response / solution within a reasonable time (as soon as possible)|
|The right to oppose the processing of personal data||It can be exerted at any time during processing and is immediately deployed|
|Rights regarding the automatic processing of personal data||Not specified|
Legality of processing
The company processes your personal data on this site only under the following conditions:
- If the data subject has consented to the processing of his or her personal data for one or more specific purposes;
- Where processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract;
- Where processing is necessary to fulfill a legal obligation incumbent upon the operator;
- Where processing is necessary to protect the vital interests of the data subject or other natural person;
- Where processing is necessary for the performance of a task which is in the public interest or which results from the exercise of the public authority with which the operator is invested;
- Where processing is necessary for the legitimate interests pursued by the operator or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular where the data subject is a child.
The Company will ensure at all times that all transactions involving personal data processing are regulated by written contracts between the operator and the authorized persons or between the associated operators, as the case may be. All such contracts will comply with the GDPR express requirements and clauses.
In the event of a personal data security incident:
- will notify you of the occurrence of any security incident involving your personal data;
- investigate the data security breach;
- will take reasonable steps to mitigate the effects and reduce any damage resulting from the Security Incident as well as reasonable measures to prevent the recurrence of such a breach of data security;
- will develop and execute a response plan to counteract the Security Incident;
- shall inform the relevant regulatory authority within 24 hours of the occurrence of the security incident.
GDPR compliance requirements
The following actions are used by the Company to comply with the GDPR principles. All actions below are frequently reviewed to meet all GDPR requirements:
- The company will frequently ensure that there is at all times a legitimate basis for the processing of personal data
- A person in charge of processing personal data is called if this requirement exists
- All employees of the operator comply with the principles of processing personal data
- All operator employees have been trained in the processing of personal data;
- Obtain explicit consumer consent to the processing of personal data;
- Every compliance policy is frequently audited to meet GDPR requirements;
- The following elements are thoroughly documented in the processing of personal data:
- The name of the organization as a personal data operator;
- The purpose for which the work is done;
- The categories of personal data that are processed;
- Deadlines for storing / archiving personal data;
- Security policies on the use of personal data.