PRIVACY NOTE ON THE PROCESSING OF PERSONAL DATA
Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data enters into force on 25 May 2018 (hereinafter called “GDPR”). This law ensures the protection of fundamental rights and freedoms of natural persons and especially their right to the protection of personal data.
We, AD AUTO TOTAL S.R.L., are very committed to keep personal data confidential and to protect the rights of our clients and partners.
As a result, we hereby communicate certain relevant information about the way our company processes personal data:
1. Definitions:
In order to provide you with clear information, the meaning of certain terms used herein is explained further below, as they are defined by the applicable legislation:
“Personal Data” means any information related to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one of more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller” means the person which determines the purposes and means of the processing of the personal data;
“Processor” means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“Recipient” means the natural or legal person, public authority, agency or other body to which the personal data are disclosed.
2. Data controller:
AD AUTO TOTAL S.R.L. (hereinafter called the „Controller”), with its registered office in Bucharest, 8 Tincani Street, bldg. Z18, entr. A, 10th floor, app. 66, 6th district, Trade Registry number J40/29340/1994, CUI RO 6844726, mailing address at the business unit in Bucharest, 96 Splaiul Unirii, 4th district – access through 16 Verzisori street, is a data controller.
Personal data is processed based on and in compliance with the applicable legislation, in particular Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
3. Categories of processed personal data:
Our company processes personal data in several ways. The processed information, the collection method and the other aspects related to data processing may vary considering the purpose of each operation and its legal basis.
We generally process the following categories of personal data:
– name, contact information, signature, position and entity where you work (in particular for the representatives and the employees of our partners – clients, suppliers, other business partners);
address, identification data (series and no of ID, CNP), including the proof thereof;
– professional experience, training and qualifications, other information usually included in the CV (in particular if you apply for a job in our company);
– professional and technical knowledge and abilities, professional qualifications, information on the professional training/ improvement and the contests organised by the Controller attended by you;
– birth date (this is usually required to confirm your age, respectively that you are of age and you can attend the events, activities and/or contests that we organise);
-information on the contractual relationship between you and our company;
information on the contractual relationship between you and our company;
– information related to or necessary for the fulfilment of our legal obligations – including, if the case, information on your incomes and/or prizes received from the Controller and which trigger fiscal obligations for our company (such as submitting fiscal statements, withholding and payment of taxes, duties and contributions to the state budget or other public budgets, etc.);
– information from your driver’s licence, registration certificate and/or instruction manual of motor vehicles, information technical problems/breakdowns of the motor vehicles, information on RCA/CASCO insurance policies of motor vehicles (in particular for persons that buy from our company motor vehicle spare parts and accessories, who benefit from warranty or are indemnified by our partner insurance companies, as well as other similar situations);
– we process the image of the persons visiting our video monitored locations;
We may, case by case or exceptionally, process other personal data; the data subjects will be informed in each particular case.
4. The purposes and legal basis of data processing:
In this section we present the purpose for which we use the personal data and we identify the legal basis for each personal data processing operation.
Our company processes personal data for the following main purposes:
– commercials, marketing and advertising, public relations;
– sell of our products and supply of our services (including professional qualification/training courses);
– conclusion of contracts and follow up on the development of contracts with our partners (clients, suppliers, etc.), including keeping in contact with them;
– your attendance to the events, activities and/or contests that we organise;
– fulfilment of our obligations, as stipulated by applicable legislation, court decisions and orders, decisions and requirements of public authorities;
– safeguard of the Controller’s assets, as well as protection, observance and use of the Controller’s rights.
Personal data is processed only on a legal basis, according to GDPR. The legal basis for personal data processing may be the following:
-fulfilment of a legal obligation of the Controller (fulfilment of fiscal obligations, keeping records as required by law, etc.);
– your freely given consent (when attending events, activities and/or contests that we organize, subscribing to our newsletter, as well as other particular situations, when your consent is given expressly and clearly);
– legitimate interest of the Controller (commercials, marketing and advertising for our products and services, public relations and promoting the Controller’s image, sell of our products and supply of our services to other persons, safeguard and protection of assets, observance and use of our rights);
– performance of a contract to which you are a party or taking steps, at your request, prior to entering into a contract.
5. Categories of recipients:
We generally use your personal data in our interest. Nevertheless, there may be situations where the personal data is disclosed to certain categories of recipients, according to the purpose of each processing operation.
Personal data can be communicated to our business partners (including banks or other credit institutions), as well as to our services suppliers acting as processors. Amongst them, some may have their main establishment in other EU member states.
The name of the winners of our contests are publicly announced during the respective event, as well as on our websites, social pages and network channels, in our magazine and our newsletter, as well as by other communication means. The personal data of the winners is also disclosed to competent public authorities in view of fulfilling fiscal obligations, according to applicable legal provisions.
Personal data is disclosed to public authorities or other third parties whenever required by law, if a mandatory decision/administrative order has been issued, as well as if such disclosure is necessary for the establishment, exercise or defence of legal claims.
6. How long do we store personal data?
Your personal data will be stored in a format that allows the identification of the data subjects for a period not longer than necessary to achieve the intended purposes. Hence, data storage periods may vary considering the purpose of each processing operation.
If the law stipulates certain data storage periods, the data will be stored for the entire legal period.
Generally, the data used in the contractual relations between our company and its partners are stored for the duration of this contractual relationship, as well as for the statute-barred period of each of the developed legal relationships.
Data processed for other purposes will be stored for reasonable periods of time, not exceeding the period necessary to achieve the intended purpose.
In certain cases (such as, but not limited to: accidents, litigation, crimes or misdemeanours, requests from public authorities, etc.), data will be stored for the entire duration necessary to finally clarify the respective event.
7. The source of the data:
Generally, the data is collected directly from you or, if you are a representative/employee of one of our partners, from your employer or the person that you represent. Data can be collected by us or by our processors, acting in the name and on behalf of the Controller.
In certain cases, we may receive data from our contractual partners, such as insurance companies, auto service units, that we work with or the owners of the motor vehicles you use.
Occasionally, we may receive your data from public authorities, from publicly available sources (such as Trade Registry, Land Book Office, Electronic Archive for Real Movable Collaterals, the website of the courts, etc.), or from third parties, such as recruiting services suppliers.
8. Your rights as data subjects:
You, as data subject, have the following rights:
The right to be informed and the right to access your personal data;
The right of access means your right to obtain from us a confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to have access to the data and the following information:
– the purposes of the processing;
– the categories of personal data being processed;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
– where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
– where the personal data is not collected from you, any available information as to their source;
– the existence of automated decision-making process, including profiling, as well as, in those cases, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
The right to ask for rectification of your personal data when they are inaccurate; this also includes your right to ask for your personal data to be completed when they are incomplete;
The right to request erasure and/or right to restriction of processing, as well as the right to object to processing, under the terms and conditions of GDPR;
We must erase your personal data when:
– the data is no longer necessary to achieve the purposes for which it has been collected or processed;
– you withdraw your consent based on which the data is processed and there is no other legal basis for the processing;
– you object to processing on the basis of legitimate interest of the Controller and there are no overriding legitimate grounds for the processing, or when the data is processed for direct marketing;
– the data has been unlawfully processed;
– the data must be erased for the Controller to comply with a legal obligation.
The obligation to erase the data shall not apply to the extent that processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation which requires processing;
– for reasons of public interest in the area of public health;
– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
– for the establishment, exercise or defence of legal claims.
You have the right to obtain the restriction of processing where one of the following applies:
– you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
– the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
– the Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
– you have objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.
You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data based on the Controller’s legitimate interest, including profiling; in this case, the Controller shall no longer process your data unless it demonstrates compelling legitimate grounds for the processing overriding the interests, right and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
When personal data is processed for direct marketing, you have the right to object at any time to processing of your personal data, including profiling to the extent it is related to such direct marketing. If you object to processing for direct marketing purpose, your data shall no longer be processed for such purpose.
Right to data portability, when data is being processed based on your consent or for the conclusion or performance of a contract and the processing is carried out by automated means.
If these conditions are cumulatively met, you have the right to receive the personal data concerning you and that you have provided to us in a structured, commonly used and machine readable format.
You also have the right to transmit this data to another controller without hindrance from us, as well as the right to have your personal data transmitted directly from one controller to another where technically feasible;
Where data is being processed based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
The right not to be subject of a decision based solely on automated processing.
You have the right not to be subject of a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.
This right shall not apply if the decision:
– is necessary for entering into, or performance of, a contract between you and us;
– is authorised by Union or domestic law and which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests; or
– is based on the data subject’s explicit consent.
In order to exercise these rights, please send a written, dated and signed request to: gdpr@autototal.ro or to the correspondence address of the Controller as mentioned above.
You also have the right to lodge a complaint to the supervisory authority – The National Supervisory Authority for Personal Data Processing (ANSPDCP).
9. Other provisions:
Should we begin other personal data processing operations or intend to process the detained personal data for other purposes than the ones we collected them for, before such subsequent processing, we will inform you on the new processing and the new purpose (subsequent purpose), as well as provide you with any additional relevant information.
Our obligation to inform you about the data processing shall not apply in certain cases expressly stipulated by the law, respectively if and to the extent that:
– you already have the respective information;
– the provision of such information proves impossible or would involve a disproportionate effort or if the obligation to inform is likely to render impossible or seriously impair the achievement of the objectives of the processing; in such cases, the Controller shall take appropriate measures to protect your rights, freedoms and legitimate interests, including making the information publicly available;
– obtaining or disclosure of personal data is expressly stipulated by the European Union or domestic law to which the Controller is subject and which provides appropriate measures to protect your legitimate interests; or
where the personal data must remain confidential subject to a statutory obligation of professional secrecy regulated by the European Union or domestic law, including a legal obligation of secrecy.
In the end, we assure you that we take very seriously your rights related to personal data processing and that we will implement all reasonable measures to make sure that your personal data is protected and your rights are observed.