The identity and contact details of the Operator/Operators that process the personal data and the contact details of the data protection officer

1.1. Personal data will be processed by: Societatea Grosu Media Production S.R.L., with headquarters in Bucharest, Sector 2, Pipera Road, no. 61, block 2, floor 11 DUPLEX, Ap. 201, order number at the Trade Register J40/17920/2021, having unique registration code 45081994, email: [email protected] (“Operator” or “Company”)

1.2. The contact details of the data protection officer can be found on the website https://idbs.ro (hereinafter referred to as “the website” or “idbs website”) to the extent that it was (necessary to be) appointed a data protection officer.

Purpose/Purposes of the processing - Compatible purposes; Targeted persons; Personal data

2.1. The operator will process personal data (“personal data”) of any natural person who, in his own name or in the name and/or on behalf of a professional (referred to in this policy as the “Professional”), wishes to enter/is in a legal relationship with the Operator and/or of any natural person that the Operator becomes aware of in connection with any professional who wishes to enter/is in a legal relationship with the Operator and/or of any natural person who wishes to receive any kind of communications (un)solicited (any of the previously mentioned natural persons will be referred to in this policy as the “data subject”), regardless of whether the personal data is provided (totally or partially) by the data subject and/or by the Professional, in order to carry out the steps needed to establish a legal relationship between the Operator and the Professional (including contacting the data subject in this regard, including if the data subject is involved on behalf of the Professional) and/or for the purpose of executing a legal relationship (e.g. contracts) between the Operator and the Professional (including if the data subject is involved in this regard on the part of the Professional), as the case may be and if applicable.

2.2. The Operator will also process the personal data concerning the data subject for any other purposes for which the data subject has expressed his unambiguous consent as well as for any compatible, related and related purposes [including without limitation in/for (direct) marketing purposes].

2.3. The Operator will be able to process the personal data regarding the data subject and in any cases where the processing is necessary for the purposes of the legitimate interests pursued by the Operator or a third party, in the event that there will be such legitimate interests, unless they prevail the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data.

2.4. The Operator will process the personal data regarding the data subject for any purposes in which it is necessary to fulfill the legal obligations incumbent on the Operator.

2.5. The operator will in each case only process personal data regarding the data subject that are/will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

2.6. Personal data will be collected, recorded, organized, structured, stored, consulted, used and disclosed by transmission.

2.7. The operator will be able to process personal data for any compatible, related and related purposes, including the compatible, related and related purpose of contacting you in order to confirm and/or update your personal data.

2.8. Targeted persons
By way of example, the data subjects may be, as the case may be, the following, without being limited to them:
i) the representatives and/or contact persons of the Professionals, whose data are processed for any of the previously mentioned purposes;
ii) any (other) persons whose personal data are mentioned in the documents and/or information made available by the Professionals and/or by any other persons for the Professionals, including without limitation the data subjects;
iii) natural persons whose data are processed for any of the previously mentioned purposes.

2.9. Personal data
2.9.1. The personal data that will be provided and processed in the case of contact persons will mainly be the contact data (provided) of the data subject (e.g. name, surname, function, email, telephone).
2.9.2. For the other persons in connection with whom personal data is provided, the personal data that will be provided and processed are all the data mentioned in the documents and/or information provided by the data subject and/or Professionals and/or any other persons for Professionals (e.g. name, surname, address, email, etc.).

2.10. Professionals
Professionals represent any professionals within the meaning of the civil code who wish to enter/are in a legal relationship with the Operator.

Legal basis of processing

The legal bases of the processing are/can be, as the case may be, Article 6 paragraph (1) letter (a), (c) and letter (f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 ( referred to in this policy as the “Regulation” or “GDPR”), namely:
” (a) the data subject has consented to the processing of personal data for one or more specific purposes;
….
(c) the processing is necessary in order to fulfill a legal obligation owed to the operator;

(f) the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail, which require the protection of personal data ….”

Personal data recipients or recipient categories

The recipients to whom the personal data regarding the data subject will be disclosed and transmitted are all those to whom information must be sent in order to fulfill the aforementioned purposes and includes without limitation, as the case may be, the Operator’s employees, collaborators, representatives, subcontractors and consultants who are involved in the part of the Operator in fulfilling the aforementioned purposes, including taking steps to establish a legal relationship between the Operator and the Professional or the data subject, as the case may be (e.g. taking certain steps to conclude a contract between the Operator and the Professional or the data subject, as the case may be, including contacting the data subject in this sense) and/or the execution of a legal relationship between the Operator and the Professional or the data subject, as the case may be, and/or the fulfillment of any (legal) obligations in relation to them, as the case may be.

Transfer of personal data to a third country

5.1. When applying this policy, no personal data is transferred to a third country.

5.2. A possible transfer or a possible set of transfers of personal data to a third country or an international organization may take place under one of the following conditions: (a) the data subject has explicitly agreed to the proposed transfer, after being informed of the possible risks that such transfers may involve for the data subject as a result of the lack of a decision on the adequacy of the level of protection and adequate guarantees; (b) the transfer is necessary for the execution of a contract between the data subject and the Operator or for the application of pre-contractual measures adopted at the data subject’s request; (c) the transfer is necessary for the conclusion of a contract or for the execution of a contract concluded in the interest of the data subject between the Operator and another natural or legal person; (d) the existence of a decision on the adequacy of the level of protection in accordance with or adequate guarantees in accordance with the Regulation; (e) any other situation permitted by the applicable legal regulations in force.

Period for which personal data will be stored/Criteria used to establish this period.

The personal data will be stored by the Operator during the entire period in which steps are taken to establish a legal relationship between the Operator and the Professional or the data subject, as the case may be (e.g. carrying out certain selection procedures and/or carrying out certain steps in order to conclude of a contract between the Operator and the Professional or the data subject, as the case may be, including contacting the data subject in this regard) and/or for the entire period of the execution of legal relations between the Operator and the Professional or the data subject, as the case may be and/or in order to fulfill any legal obligations in the connection with them as well as for fiscal and legal purposes (e.g. archiving and/or fulfilling obligations in the field of preventing and sanctioning money laundering), as the case may be, and until the expiration of the prescription periods for the recovery of any debits from the Professional(s) or the data subject, as the case may be, but not less than the period provided by the legal regulations in force.

If the data was (also) collected for other purposes and/or on other grounds, the personal data will be (further) stored for the period established for these purposes and/or on the basis of these grounds, if this period is longer than the previously mentioned one.

The obligation to provide personal data and the possible consequences of not complying with this obligation The update of personal data

7.1. The provision of personal data was/is not a legal obligation [unless the personal data was (also) collected on other grounds].

7.2. The provision of personal data represents/may represent a necessary obligation to take steps to establish a legal relationship between the Operator and the Professional or the data subject, as the case may be (e.g. taking certain steps to conclude a contract between the Operator and the Professional or the data subject, as the case may be, including contacting the data subject in this regard) and/or the execution of a legal relationship between the Operator and the Professional or the data subject (including without limitation during the entire period in which the data subject has a valid account), as the case may be and/or the fulfillment of any obligations in relation to these, as the case may be and if applicable.

7.3. The data subject is obliged to provide personal data in order to take steps to establish a legal relationship between the Operator and the Professional (e.g. taking certain steps to conclude a contract between the Operator and the Professional or the data subject, as the case may be, including contacting the data subject in this sense) and/or the execution of a legal relationship between the Operator and the Professional or the data subject, as the case may be and/or the fulfillment of any obligations related to them, as the case may be and if applicable.

7.4. Refusal to provide and/or update data (of a personal nature), may lead (as well as consequences of non-compliance with the obligation to provide and/or update said data) to the refusal and/or impossibility of taking steps to establish a legal relationship between Operator and Professional or the data subject, as the case may be (e.g. carrying out certain steps in order to conclude a contract between the Operator and the Professional or the data subject, as the case may be, including contacting the data subject in this regard) and/or upon refusal and/or impossibility (of steps in order to) execute the legal relations between the Operator and the Professional or the data subject, as the case may be and/or in order to fulfill any legal obligations related to them, as the case may be.

Without limiting the generality of the previously mentioned and to avoid any doubt, the refusal to provide the address will lead to the impossibility of delivering any goods and/or gifts.

If your personal (contact) data have changed since they were last provided and/or you want to update them, please send us a request to update them, via any communication channel, including the email mentioned in point 1 of this policy.

The data subject's right of access

8.1. The data subject has the right to obtain from the operator a confirmation that personal data concerning him or her is being processed or not and, if so, access to the respective data and the following information:
(a) the purposes of the processing;
(b)the categories of personal data concerned;
(c) recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients from third countries or international organizations;
(d) where possible, the period for which the personal data is expected to be stored or, if this is not possible, the criteria used to establish this period;
(e) the existence of the right to request the operator to rectify or delete personal data or to restrict the processing of personal data relating to the person concerned or the right to oppose the processing;
(f) the right to lodge a complaint with a supervisory authority;

(g) if the personal data is not collected from the data subject, any available information regarding its source;
(h) the existence of an automated decision-making process including the creation of profiles, mentioned in the Regulation, as well as, at least in the respective cases, relevant information regarding the logic used and regarding the importance and expected consequences of such processing for the data subject.

8.2. If personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards regarding the transfer.

8.3. The operator provides a copy of the personal data that is the subject of processing. For any other copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request in electronic format and unless the data subject requests a different format, the information is provided in a commonly used electronic format.

8.4. The right to obtain a copy referred to in point 8.3 does not affect the rights and freedoms of others.

The right to rectification

The data subject has the right to obtain from the operator, without undue delay, the rectification of inaccurate personal data concerning him. Taking into account the purposes for which the data were processed, the data subject has the right to obtain the completion of personal data that are incomplete, including by providing an additional statement.

Right to erasure ("the right to be forgotten")

10.1. The data subject has the right to obtain from the operator the deletion of personal data concerning him, without undue delay, and the operator has the obligation to delete personal data without undue delay, if one of the following reasons applies:
(a) the personal data are no longer necessary to fulfill the purposes for which they were collected or processed;
(b) the data subject withdraws the consent on the basis of which the processing takes place, if the processing takes place on the basis of the consent given by the data subject to the processing of his personal data for one or more specific purposes, and there is no other legal basis for the processing ;
(c) the data subject objects to the processing, for reasons related to the particular situation in which he is, according to the Regulation, and there are no legitimate reasons that prevail with regard to his processing the data subject objects to the processing of personal data for direct marketing purposes, and there is no other legal basis for the processing;
(d) personal data were processed illegally;
(e) personal data must be deleted to comply with a legal obligation incumbent on the operator under Union law or the internal law to which the operator is subject;
(f) personal data were collected in connection with the provision of information society services to a child, according to the Regulation;

10.2. If the operator has made personal data public and is obliged, under point 10.1., to delete it, the operator, taking into account the available technology and the cost of implementation, takes reasonable measures, including technical measures, to inform the operators that processes personal data that the data subject has requested the deletion by these operators of any links to that data or of any copies or reproductions of such personal data.

10.3. Points 10.1 and 10.2 do not apply to the extent that the processing is necessary:
(a) for exercising the right to free expression and information;
(b) for complying with a legal obligation that provides for processing under Union law or internal law that applies to the operator or for the performance of a task performed in the public interest or in the exercise of an official authority with which the operator is vested;
(c) for reasons of public interest in the field of public health, in accordance with the Regulation;
(d) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with the Regulation, to the extent that the right mentioned in point 10.1 is likely to make impossible or seriously affect the achievement of the objectives of the respective processing;
or
(e) for establishing, exercising or defending a right in court.

The right to restriction of processing

11.1. The data subject has the right to obtain from the operator the restriction of processing if one of the following cases applies:
(a) the data subject contests the accuracy of the data, for a period that allows the operator to verify the accuracy of the data;
(b) the processing is illegal and the data subject opposes the deletion of personal data, requesting instead the restriction of their use;
(c) the operator no longer needs the personal data for the purpose of processing, but the data subject requests them for establishing, exercising or defending a right in court; or
(d) the data subject objected to the processing for reasons related to the particular situation in which he is, according to the Regulation, for the time interval in which it is verified whether the legitimate rights of the operator prevail over those of the data subject.

11.2. If processing has been restricted pursuant to paragraph 11.1., such personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defense of a right in court or for the protection of the rights of a other natural or legal persons or for reasons of important public interest of the Union or a member state.

11.3. A data subject who has obtained the restriction of processing pursuant to paragraph 11.1. is informed by the operator before lifting the processing restriction.

Notification obligation regarding the rectification or deletion of personal data or the restriction of processing

The operator communicates to each recipient to whom personal data has been disclosed any rectification or deletion of personal data or restriction of processing carried out in accordance with point 9, point 10.1. and point 11, unless this proves impossible or involves disproportionate efforts. The operator shall inform the data subject of the respective recipients if the data subject so requests.

The right to data portability

13.1. The data subject has the right to receive the personal data concerning him and which he has provided to the operator in a structured, commonly used and machine-readable format and has the right to transmit this data to another operator, without obstacles on the part of the operator to whom the personal data were provided, if:
(a) the processing is based on consent or a contract; and
(b) the processing is carried out by automatic means.

13.2. In exercising his right to data portability under point 13.1., the data subject has the right to have his personal data transmitted directly from one operator to another where this is technically feasible.

13.3. Exercising the right mentioned in point 13.1. of this article does not affect article 17. This right does not apply to the processing necessary for the performance of a task performed in the public interest or in the exercise of an official authority with which the operator is vested.

13.4. The right mentioned in point 13.1. does not affect the rights and freedoms of others.

The right to opposition

14.1. At any time, the data subject has the right to object, for reasons related to his particular situation, to the processing for the purposes of the legitimate interests pursued by the operator or a third party of the personal data concerning him, including the creation of profiles based on those provisions. The operator no longer processes personal data, unless the operator demonstrates that it has legitimate and compelling reasons that justify the processing and that prevail over the interests, rights and freedoms of the data subject, or that the purpose is to ascertain, exercise or defend a right in court.

14.2. When the processing of personal data is aimed at direct marketing, the data subject has the right to object at any time to the processing for this purpose of personal data concerning him, including the creation of profiles, to the extent that it is related to marketing directly respectively.

14.3. If the data subject objects to the processing for the purpose of direct marketing, the personal data is no longer processed for this purpose. In the event that the data subject opts for the processing of personal data for the purpose of direct marketing, separately and without any connection to any other action, including by activating any accept button regarding the processing of personal data for the purpose of direct marketing, the last personal data personally provided in any way will be processed for the purpose of direct marketing.

14.4. At the latest at the time of the first communication with the data subject, the right mentioned in points 14.1 and 14.2. is explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

14.5. In the context of the use of information society services and notwithstanding Directive 2002/58/EC, the data subject may exercise his right to object by automated means that use technical specifications.

14.6. If personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with the Regulation, the data subject, for reasons related to his particular situation, has the right to object to the processing of personal data that concern, unless the processing is necessary for the performance of a task for reasons of public interest.

Automated individual decision-making, including profiling

15.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects him to a significant extent.

15.2. Point 15.1. does not apply if the decision:
(a) it is necessary for the conclusion or execution of a contract between the data subject and a data controller;
(b) is authorized by Union law or domestic law that applies to the operator and that also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or
(c) is based on the explicit consent of the person concerned.

15.3. In the cases mentioned in point 15.2. letters (a) and (c), the data controller implements appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least his right to obtain human intervention from the controller, to express his point of view and to appeal the decision.

The right to lodge a complaint with a supervisory authority

16.1. Without prejudice to any other administrative or judicial remedies, any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he has his habitual residence, place of work or where the alleged violation occurred, if it considers that the processing of personal data concerning it violates the Regulation.

16.2. The supervisory authority to which the complaint was lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of exercising a judicial remedy under Article 17.

The right to an effective judicial remedy against a supervisory authority

17.1. Without prejudice to any other administrative or non-judicial remedies, every natural or legal person has the right to exercise an effective judicial remedy against a legally binding decision of a supervisory authority affecting him.

17.2. Without prejudice to any other administrative or non-judicial remedies, each data subject has the right to an effective judicial remedy if the supervisory authority that is competent under the Regulation does not deal with a complaint or does not inform the data subject in within three months of the progress or resolution of the complaint under Article 16.

17.3. Actions brought against a supervisory authority are brought before the courts of the Member State where the supervisory authority is established.

17.4. Where actions are brought against a decision of a supervisory authority that has been preceded by an opinion or a decision of the committee under the consistency mechanism, the supervisory authority shall transmit that opinion or decision to the court.

The right to an effective judicial remedy against a controller or a person authorized by the controller

18.1. Without prejudice to any available administrative or non-judicial remedy, including the right to file a complaint with a supervisory authority under the Regulation, each data subject has the right to an effective judicial remedy if he or she considers that the rights which he benefits from under the Regulation were violated as a result of the processing of his personal data without complying with the Regulation.

18.2. Actions brought against an operator or against a person who is authorized by the operator are brought before the courts of the Member State where the operator or person authorized by the operator has its seat. Alternatively, such an action may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless his or her data controller is a public authority of a Member State, acting in the exercise of its public powers.

Representation of the data subjects

19.1. The data subject has the right to mandate a non-profit body, organization or association, which has been duly constituted in accordance with domestic law, whose statutory objectives are of public interest, which are active in the field of protection of rights and freedoms data subjects with regard to the protection of their personal data, to file the complaint on his behalf, to exercise on his behalf the rights referred to in articles 16, 17 and 18, as well as to exercise the right to receive compensation on behalf of the data subject, if this is provided for in domestic law.

19.2. Member States may provide that any body, organization or association referred to in point 19.1. of this article, independently of the mandate of a data subject, has the right to file a complaint in that Member State with the supervisory authority that is competent under article 16 and to exercise the rights referred to in articles 17 and 18, if considers that the rights of a data subject under the Regulation have been violated as a result of the processing.

Right to indemnification and liability

20.1. Any person who has suffered material or moral damage as a result of a violation of the Regulation has the right to obtain compensation from the operator or a person authorized by the operator for the damage suffered.

20.2. Any operator involved in the processing operations is liable for the damage caused by its processing operations that violate the Regulation. A person authorized by the operator is liable for the damage caused by the processing only if he did not comply with the obligations in the Regulation that fall specifically to persons authorized by the operator or acted outside of or in contradiction with the legal instructions of the operator.

20.3. Its operator, person authorized by the operator, is exempted from liability pursuant to point 20.2. if it proves that it is not liable in any way for the event that caused the damage.

20.4. If several operators or several persons authorized by the operator, or an operator and a person authorized by the operator are involved (involved) in the same processing operation and are responsible, pursuant to points 20.2. and 20.3., for any damage caused by the processing, each of its operators or persons authorized by the operator is responsible (responsible) for the entire damage in order to ensure the effective compensation of the person concerned.

20.5. If an operator or a person authorized by the operator has paid, in accordance with point 20.4., in full, the compensations for the damage caused, that operator or that person authorized by the operator has the right to request from the other operators or the other authorized persons of operator involved in the same processing operation the recovery of that part of the compensation that corresponds to their part of liability for the damage, in accordance with the conditions established in point 18.2.

20.6. Actions for the exercise of the right to recover the compensations paid are submitted to the competent courts under the law of the member state referred to in point 18.2.

Withdrawal of consent

When the processing is based on: i) the data subject’s consent given for the processing of his personal data for one or more specific purposes; or ii) on the data subject’s consent given for the processing of certain special categories of personal data for one or more specific purposes, unless Union law or domestic law provides that the prohibition to process special categories of personal data to cannot be lifted with the consent of the person concerned, The Data Subject has the right to withdraw his consent at any time, without affecting the legality of the processing carried out on the basis of the consent before its withdrawal; For the avoidance of doubt, the withdrawal of consent does not affect the processing of personal data on other grounds.

The (general) right to information

Data subjects have the right to receive certain information regarding the processing of their personal data:

22.1. Information to be provided to the data subject where personal data is collected from the data subject

22.1.1.If the personal data relating to a data subject is collected from him, the Operator, at the time of obtaining this personal data, provides the data subject, usually by means of an information note, with all the following information: a) the identity and contact details of the Operator and, as the case may be, of his representative; b) the contact details of the data protection officer, as the case may be; c) the purposes for which the personal data are processed, as well as the legal basis of the processing; d) recipients or categories of recipients of personal data; e) if applicable, the intention of the Operator to transfer personal data to a third country or an international organization and the existence or absence of a Commission decision on adequacy or a reference to appropriate or appropriate guarantees and to the means of obtaining a copy of them, if they were made available, as the case may be; f) the period for which the personal data will be stored or, if this is not possible, the criteria used to establish this period; g) the existence of the right to request the Operator, with regard to personal data relating to the data subject, access to them, their rectification or deletion or the restriction of processing or the right to oppose processing, as well as the right to data portability h) the existence of the right to withdraw consent at any time, without affecting the legality of the processing carried out on the basis of consent before its withdrawal; i) the right to lodge a complaint with a supervisory authority; j) the existence of an automated decision-making process including the creation of profiles, as well as, at least in the respective cases, pertinent information regarding the logic used and regarding the importance and expected consequences of such processing for the data subject.

22.1.2. If the Operator intends to subsequently process the personal data for a purpose other than that for which it was collected, the Operator shall provide the data subject, prior to this further processing, with information regarding that secondary purpose and any additional relevant information, in in accordance with points f)-j) from 22.1.1.

22.1.3. The provisions of articles 22.1.1 and 22.1.2 do does not apply if and to the extent that the data subject already possesses that information.

22.2. Information provided to the data subject where the personal data has not been obtained from the data subject

22.2.1. If the personal data relating to a data subject has not been obtained from the data subject, the Operator will provide the data subject, usually by means of an information note, with all the following information: a) the identity and contact details of the Operator and, as the case may be, of his representative; b) the contact details of the data protection officer, as the case may be; c) the purposes for which the personal data are processed, as well as the legal basis of the processing; d) the categories of personal data concerned; e) recipients or categories of recipients of personal data; f) if applicable, the intention of the Operator to transfer personal data to a third country or an international organization and the existence or absence of a Commission decision on adequacy or a reference to adequate or appropriate safeguards and to the means of obtaining a copy of them, if they were made available, as the case may be; g) the period for which the personal data will be stored or, if this is not possible, the criteria used to establish this period; h) the existence of the right to request the Operator, with regard to personal data relating to the data subject, access to them, their rectification or deletion or the restriction of processing or the right to oppose processing, as well as the right to data portability; i) the existence of the right to withdraw consent at any time, without affecting the legality of the processing carried out on the basis of consent before its withdrawal; j) the right to submit a complaint to a supervisory authority; k) the source of the personal data and, if applicable, whether they come from publicly available sources; l) the existence of an automated decision-making process including the creation of profiles, as well as, at least in the respective cases, pertinent information regarding the logic used and regarding the importance and expected consequences of such processing for the data subject.

22.2.2. The operator provides the information mentioned in art. 22.2.1.: a) within a reasonable time after obtaining the personal data, but no longer than one month, taking into account the specific circumstances in which the personal data are processed; b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to the respective data subject; or c) if it is intended to disclose personal data to another recipient, at the latest on the date on which they are disclosed for the first time.

22.2.3. If the Operator intends to subsequently process the personal data for a purpose other than that for which it was collected, the Operator shall provide the data subject, prior to this further processing, with information regarding that secondary purpose and any additional relevant information, in in accordance with points g)-l) from 22.2.1.

22.2.4. The provisions of article 22.2.1 do not apply if and to the extent that: a) the data subject already possesses the respective information; b) the provision of this information proves to be impossible or would involve disproportionate efforts, especially in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, or to the extent that the obligation mentioned in points a)-g) of article 22.2.1. is likely to make impossible or seriously affect the achievement of the objectives of the respective processing. In such cases, the Operator takes appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including making the information available to the public; c) obtaining or disclosing data is expressly provided for by Union law or by internal law under which the Operator falls and which provides for appropriate measures to protect the legitimate interests of the data subject; or d) if the personal data must remain confidential on the basis of a statutory obligation of professional secrecy regulated by Union law or domestic law, including a legal obligation to maintain secrecy.

22.3. The information to be provided to data subjects pursuant to articles 22.1 and 22.2 may be provided in combination with standardized icons to provide in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. If the icons are presented in electronic format, they must be able to be read automatically.

The right to be informed about the breach of the security of personal data

23.1. If the violation of the security of personal data is likely to generate a high risk for the rights and freedoms of natural persons, the Operator informs the data subject without undue delay about this violation.
The information sent to the data subject will include a description in clear and simple language of the nature of the personal data security breach, as well as at least the information and measures regarding:
i) communication of the name and contact details of the data protection officer or another point of contact where more information can be obtained;
ii) description of the likely consequences of the personal data security breach;
iii) the description of the measures taken or proposed to be taken by the Company to remedy the problem of the personal data security breach, including, as the case may be, the measures to mitigate its possible negative effects;

23.2. Information to the aforementioned data subject is not required if any of the following conditions are met:

a) The Operator has implemented appropriate technical and organizational safeguards, and these measures have been applied to the personal data affected by the personal data breach, in particular measures ensuring that the personal data becomes unintelligible to any person who does not is authorized to access them, such as encryption;

b) The operator has taken further measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;

c) If informing the data subject would require a disproportionate effort, then public informing of the data subject is carried out instead or a similar measure is taken by which the data subjects are informed in an equally effective way;

If the Operator has not already communicated the personal data security breach to the data subject, the supervisory authority, after taking into account the likelihood that the personal data security breach will generate a high risk, may request the data subject to this or may decide that any of the aforementioned conditions are met.

Miscellaneous

24.1. The data subject has all the rights provided by this policy as well as any other rights provided by the mandatory legal regulations in force regarding the processing of personal data.

24.2. The rights mentioned in this policy may be exercised in accordance with this policy, in accordance with the Regulation and any other applicable legal regulations in force.

24.3. Any requests and/or requests sent by the data subject to the Operator for the exercise of any of the rights can be made in writing, and submitted or sent to the Operator’s headquarters, including by registered letter, and/or by email to the Operator’s email mentioned in point 1 of this the policy and/or by any other means provided/premised by the legal regulations in force.

24.4. The data subject can request, according to the previously mentioned, and, if necessary, obtain, free of charge, in particular, access to personal data, as well as their rectification or deletion, restriction of processing, data portability and the exercise of the right to opposition such as and the right not to be subject to a decision based exclusively on automatic processing, including the creation of profiles, which produces legal effects that concern the Data Subject or similarly affects him to a significant extent, but also regarding the breach of data security with personal character.

24.5. The terms used in the content of this policy will have the meaning defined in the Regulation unless the context expressly indicates otherwise.

Cookies

The operator uses “cookies”.If you want to know more, you can access Cookie policy.