PRIVACY POLICY
concerning the processing of personal data
Componente Auto S.A., with its headquarters in Topoloveni, Maximilian Popovici street, no. 59, Arges county, Romanian company registered with the Trade Register under number J03/136/1991, with SRC 162657, as personal data operator, processes personal data (hereinafter referred to as “Personal data’) in good faith, and in the attainment of the aims specified in the Policy regarding the processing of personal data (hereinafter referred to as the “Policy”), in accordance with the provisions of Regulation (EU) No. 679 of 27 April 2016 on the protection of individuals, with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”).
Persons whose Personal data are processed by the company are hereinafter referred to as “Data subject”. The Company has obtained the Personal data of the data subject, either directly, or indirectly from a third party or from other sources.
In carrying out its activities, the Company acts with caution, complying with the Romanian and the European Union applicable legislation, protects the Personal data of Data subject, following strictly the applicable legislation.
This document is intended to be an important source of information offered to the Data subject with regard to the manner in which the company carries out the processing of personal data, additionally to the distinct information the Company shall provide to the data subject in accordance with Articles 12 – 13 or, as the case may be, Article 14 of the Regulation.
WHAT ARE THE PERSONAL DATA?
Personal data (“Personal Data”) means any information relating to an identified or identifiable natural entity; an identifiable entity is one who can be identified, directly or indirectly, in particular by reference to an item of identification, such as name, identification number, location data, the online identifier, or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity.
WHAT COMES WITHIN THE SCOPE OF THE PERSONAL DATA?
In the framework of the activities, related to the purpose of the processing, the Company processes the Personal data of the Data subject, such as, but not limited to:
identification data (e.g. first name, last name, maiden name, pseudonym, gender, the home address and residence, date, country and place of birth, personal numeric code, serial number ID/passport), other data appearing on the identity document, other data of the civil status documents, citizenship, etc.;
contact details (e.g., address, fixed/mobile phone number, fax, e-mail address,
etc.);
data on education, profession, occupation, place of work;
data on the economic and financial situation, data on the goods and the properties owned, collaterals/personal data, financial commitments and sources of income;
the data on sanctions, if this is the case and the health status;
the data relating to the members of the family;
the voice, signature, image, etc.;
information on how to use the equipment, plants and devices made available to the data subject by the Company.
others.
In relation to the purposes of the processing, the use of personal numeric code and other personal data having an identification function of general application may be justified on the basis of:
a) the need for the execution of a contract concluded by the Company with the Data subject, in order to identify unequivocally the Data subject, in such a way that it does not produce a substitution of him/her, for the limitation of mistakes in carrying out the operations, to maintain the rapidity of communication with the data subject in the current verification and also in communication with the third persons;
WHAT DOES THE PROCESSING OF PERSONAL DATA MEAN?
The processing shall mean any operation or set of operations carried out on Personal data or sets of Personal data, with or without the use of automated means, such as: collection, recording, organization, design, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making it available in any other way, alignment or combination, the restriction, erasure or destruction. The company applies, with regard to the processing of personal data, appropriate technical and organizational measures, to protect such data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Personal Data are processed on an individual basis, in the light of the applicable legal regulations. In the situation in which the operation of processing of Personal data is based on the agreement of the Data subject, it is obtained by the Company through a separate document under the conditions of Regulation.
LEGAL GROUNDS – WHICH IS THE LEGAL BASIS OF THE PROCESSING?
The company processes Personal data in consideration of the following legal grounds of the Regulation:
on the basis of the consent of the Data subject – Article 6(1)(a);
for the conclusion and execution of an agreement to which the data subject is party or to be made at the request of Data subject prior to the conclusion of an agreement – Article 6(1)(b);
processing is necessary for compliance with a legal obligation assigned to the Company – Article 6(1)(c);
processing is necessary in order to protect the vital interests of the data subject or of another data subject – Article 6(1)(d);
processing is necessary for the accomplishment of a task that serves a public interest or in the exercise of official authority with which the company is invested – Article 6(1)(e);
processing is necessary for the purposes of the legitimate interests pursued by the Company itself or by a third party, unless prevailing the interests for fundamental rights and
freedoms of the data subject, which requires protection of personal data, in particular where the Data subject is a child – Article 6(1)(f).
WHICH ARE THE PRINCIPLES TO THE PROCESSING OF PERSONAL DATA?
In the processing of personal data, the Company and the persons empowered fully meet in the principles of data processing provided for in Article 5 of the Regulation, such as:
the legality, fairness and transparency – Personal data are legally, correctly and transparently processed, the Data subject being informed on the existence of a processing operation and on the purposes of its legitimate expectations, established on the basis of criteria on equity rights and fundamental interests of the Data subject;
limiting the purpose of processing operation – the Personal data are collected by the Company for specified, explicit and legitimate purposes and not further processed for additional purposes that are not compatible with these purposes;
the proportionality and reduce to minimum – The personal data are processed in an appropriate manner, which is relevant and limited to the need to achieve the legitimate purposes and accurately determined for which they are processed;
the accuracy and updating – The processed personal data are accurate and, where necessary, they are updated; in this respect, the Company shall take all necessary measures to ensure that the Personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
the limitation of storage – The personal data are kept in a form that allows the identification of data subjects for a period that does not exceed the period necessary for the purposes for which personal data are processed;
the integrity and confidentiality – The personal data are processed in terms of appropriate safety, so as to ensure their protection against unauthorized or unlawful processing, respectively against loss, destruction or accidental damage of Personal data.
WHAT ARE THE PURPOSES OF PROCESSING THE PERSONAL DATA?
the conclusion and execution of an employment/business agreement;
accomplishment of legal obligations;
in the legitimate interest.
WHY DOES THE COMPANY NEED TO PROCESS PERSONAL DATA?
Personal data are processed in the legitimate purposes mentioned above, including for the accomplishment of the obligations arising from the contractual relationship, both by the Company, and by the Data subject. This will take into account the following aspects:
The personal data necessary for the achievement of the main purpose – in the situation in which the Data subject does not agree/refuses the processing of personal data, the Company will be unable to initiate or continue with the Data subject any legal and contractual relationships and to conclude/develop/execute the contractual relationship;
The personal data necessary for the achievement of the Correlated Purpose, consisting in monitoring and surveillance of persons and goods by placing video cameras, on the premises of Company – if the Data subject expresses the right of objection, it will be reviewed on the basis of the particular characteristics of the situation, whereas the Company has a duty to ensure the security of goods and persons in
accordance with Law no. 333/2003 concerning the security of objectives, goods, values and the protection of persons, as well as to transmit the competent public authorities the information necessary for the maintenance of public order and combating/ sanctioning of crime.
TO WHOM THE COMPANY TRANSMITS PERSONAL DATA?
Operators/Persons Empowered and Recipients of Personal Data
Personal data may be transmitted to the following categories of recipients:
The data subject, the representatives of Data subject;
Other natural or legal entities, which process personal data on behalf of the Company.
Other companies/persons that process personal data within the CAT group;
Institutions and private and public authorities from Romania;
Other collaborators of the Company;
HOW LONG DOES THE COMPANY PROCESS PERSONAL DATA?
Personal data are processed on the following periods of time:
during the validity period of the agreements concluded with the Company, to which add 50 years from the termination of the contractual relationship, if through a legal applicable requirement, it is not necessary to maintain over a longer period;
for a duration of 1 year, provided that no contractual relationship was concluded with the Data subject;
the processing of Personal data by recording the images captured by video cameras, respectively of the phone calls shall be kept for a period of 30 days from the date of registration, unless there are supporting legal grounds to be stored for a longer period of time.
WHAT RIGHTS DOES THE DATA SUBJECT HAVE, AND HOW DOES HE/SHE EXERCISE THEM?
The data subject shall have the following rights excluding regarding his/her data:
the right of access to data, in accordance with Article 15 of the Regulation;
the right of correcting the data, in accordance with Article 16 of the Regulation;
the right of erasing the data, in accordance with Article 17 of the Regulation;
the right to restrict the data, in accordance with Article 18 of the Regulation;
the right to portability of the data, in accordance with Article 20 of the Regulation;
the right to the opposition, in accordance with Article 21 of the Regulation;
the right not to be subject to an automated individual decision, including profiling, in accordance with Article 22 of the Regulation;
the right to refer to the National Authority for the Supervision of the Processing of Personal Data and Justice;
the right to withdraw whenever the consent of direct marketing and your profile for the purpose of marketing, in accordance with Article 7(3) of the Regulation.
In order to exercise these rights, the Data subject may make a written, dated and handwritten signed request, sent to Componente Auto S.A., to the following address:
Maximilian Popovici street, no. 59, Arges county, postal code 115500, or email to dpo@catgroup.ro.
The information related to Personal data and, as the case may be, the measures taken, shall be transmitted to the Data subject, at the address mentioned in the application or in the records of Company, within 30 days, provided for by the Regulation. This period may be extended by two months where necessary, taking into account the complexity of request.
The Company reserves the right to establish a fee in the case of repeated requests in accordance with the Regulation.