Data Protection Policy

GENERAL

Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, in this document – GDPR or Regulation) was adopted by the European Parliament and the Council of the European Union on 27 April 2016 and its provisions are directly applicable as of 25 May 2018. This Regulation expressly repeals Directive 95/46/EC and thus also replaces the provisions of Law 677/2001 (now repealed).

The Regulation is directly applicable in all Member States and protects the rights of all natural persons in the European Union. In substantive terms, the Regulation applies to all controllers processing personal data. The Regulation does not apply to the processing of personal data relating to legal persons and to companies with legal personality, including the name and nature of the legal person and the contact details of the legal person.

Personal data are defined as any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Processing of personal data means any operation or set of operations which is performed upon personal data or on a set of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, and restriction, erasure or destruction.

IDENTITY OF THE CONTROLLER

Pursuant to Article 4(7) of the Regulation, which defines the term “controller” as the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data, the controller of the processing of personal data through this website is ZSOFIA SRL, with registered office at Strada Carpati no. 9 Reghin, registered at the Commercial Registry Office J26/551/2004, with CUI RO16294336, legally represented by Biro Attila, with contact details office@zsofia.ro, +40 365 404 883.

COLLECTION OF PERSONAL DATA

WHAT PERSONAL DATA IS COLLECTED

The operator of this website collects, stores and processes the following personal data from / about you:

  • Name, first name

  • contact information (such as e-mail, phone, fax)

 

OBTAINING CONSENT

GENERAL

For the processing of personal data to be lawful, the GDPR requires that it be carried out for a legitimate reason, such as for the performance or conclusion of a contract, for compliance with a legal obligation, or on the basis of the data subject’s prior valid consent. In the latter case, the controller must be able to demonstrate that the data subject has given consent to the processing. Consent given under Directive 95/46/EC remains valid if it complies with the conditions set out in the General Data Protection Regulation.

Consent must be given by an unambiguous statement or act by which the data subject expresses his or her consent to the processing of his or her personal data without coercion, for the specific case, in full knowledge of the facts and in a clear manner. If the data subject’s consent is given as part of a statement in electronic or written form that also relates to other matters, the request for consent must be made in a form that is clearly distinguishable from the other matters and may even be made by checking a box.

COOKIES

Cookies are used on this website. They do not harm your computer and do not contain viruses but are used to make the use of the website easier, more efficient and safer. They are small text files that are stored on your computer and saved by the browser you are using.

Many of the cookies used are called “session cookies”, which are automatically deleted after you visit this website. Others remain in your computer’s memory until you delete them so that your browser can be recognized on a subsequent visit.

You can configure your browser to inform you about the use of cookies, so that you can decide on a case-by-case basis whether to accept or reject a cookie. Alternatively, your browser can be set to automatically accept or always reject cookies under certain conditions, or to automatically delete cookies when you close your browser. Disabling cookies may limit the functionality of this website.

Cookies that are necessary to enable electronic communication or to provide certain functions that you wish to use (e.g. shopping cart) are stored in accordance with the provisions of Article 6(1)(f) of the GDPR, according to which processing is lawful only if and to the extent that it is necessary for the legitimate interests of the controller or a third party. The operator of this website therefore has a legitimate interest in storing certain cookies in order to ensure technically error-free optimization. Other cookies (e.g. those used to analyze your surfing behavior) are also stored and treated separately in this document.

CONSENT MANAGEMENT PLATFORM

This website uses a consent management platform – GDPR Cookie Compliance Plugin (CCPA ready) v4.8.3 – and we are thus able to obtain, manage and document your consent given as a user.

Your consent is obtained lawfully, in compliance with all legal requirements (contained in the GDPR, the European Court of Justice case law guidelines and the IAB Europe Transparency and Consent Framework), with the platform optimizing the consent given when visiting this website.

The consent management platform – GDPR Cookie Compliance Plugin (CCPA ready) v4.8.3 – complies with European regulations in this area, processing the personal data of visitors and users only to the extent necessary for the functionality and optimization of the content of the website. The legal basis for the processing of users’ personal data is the express, informed and uncoerced consent of users pursuant to Art. 6 para. 1 lit. a) of the Regulation. For more details, please see the Privacy Policy of the GDPR Cookie Compliance Plugin (CCPA ready) v4.8.3.

CONTACT FORM

If you send us inquiries via the contact form, your information from the form, including the contact data you provide there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this information without your consent. Therefore, we process the data you enter in the contact form only with your consent. You can revoke your consent at any time; an informal e-mail is sufficient. Data processed prior to the receipt of your request may be lawfully processed. We store the data you provide in the contact form until:

    • You request the deletion of the data;

    • you revoke your consent to the storage or when

    • the purpose of the storage is no longer valid.

Mandatory legal requirements, in particular regarding the retention period of data, remain unaffected.

CONTACTING US BY E-MAIL, TELEPHONE OR FAX

If you contact us by e-mail, telephone or fax, your request, including the personal data you provide, will be stored and processed by us for the purpose of processing your request based on your consent.

Therefore, we will process all data provided by you in accordance with the following legal provisions of the GDPR:

    • only with your consent – in accordance with the provisions of Article 6 para. 1 lit. a) GDPR

    • for the performance of a contract or at a pre-contractual stage – in accordance with the provisions of Art. 6(1)(b) GDPR

    • to fulfill the purpose and legitimate interest pursued by us, i.e. the efficient processing of the requests you have made – in accordance with the provisions of Art. 6 (1) (f) GDPR.

We retain the data you have provided in this way until:

    • You request the deletion of the data;

    • you revoke your consent to the storage or when

    • the purpose of the storage is no longer valid, in all cases except for the prescribed retention periods.



PURPOSE OF THE PROCESSING OF THE DATA COLLECTED.

Some of the data collected on this website is used for the following purposes:

    • To provide the services we offer for your benefit (e.g. to solve problems of any kind related to our products and services, to provide support services, etc.).

    • Optimal functioning and optimization of this website (statistical and analytical purposes) – We always want to provide you with the best experience on our website. Therefore, we may collect and use certain information about your satisfaction while browsing this website, invite you to fill in questionnaires with suggestions or similar.

    • Online advertising and promotional activities. You may request us to stop processing your personal data for marketing purposes at any time by the means described in this document, and we will comply with your request as soon as possible.

The processing of personal data is carried out in accordance with the provisions of the General Data Protection Regulation and is based both on the consent of the data subject and on the proper performance of contracts or the legitimate interests of the controller (unless the interests or fundamental rights and freedoms of the data subject require the protection of personal data, in particular where the data subject is a child).

USER RIGHTS

You have and may exercise the following rights in relation to personal data: right to information, right to access, right to rectification, right to erasure of data, right to restriction of processing, right to data portability, right to object, right not to be subject to a decision based solely on automatic data processing, right to lodge a complaint and to have recourse to the courts, right to withdraw consent.

    • Right to information – you may request information about the processing of your personal data, about the identity of the controller and its representative or about the recipients of your data.

    • Right of access – you may obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, if so, access to those data and to the following information: The purposes of the processing; The categories of personal data concerned; The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; If possible, the period for which the personal data are expected to be stored or, if this is not possible, the criteria for determining this period; The right to obtain from the controller the rectification or erasure of the personal data or to restrict the processing of the personal data, or the right to object to the processing, etc.

    • Right to rectification – you may rectify or supplement inaccurate personal data.

    • Right to erasure of data – you may request the erasure of data if the processing was unlawful, or in other cases provided by law.

    • Right to restriction of processing – You may request restriction of processing if you dispute the accuracy of the data, and in other cases provided by law.

    • Right to data portability – you may, under certain conditions, obtain the personal data you have provided to us in a machine-readable format or request that this data be transferred to another controller.

    • Right to object – You may, in particular, object to data processing based on the legitimate interest of the controller.

    • The right not to be subject to a decision based solely on automated processing – you may request and obtain human intervention in relation to such processing or express your own point of view on such processing.

    • Right to complain and refer to the courts – you may complain to the national supervisory authority for the processing of personal data about the way personal data is processed and/or refer to the courts to enforce your rights.

    • Right to withdraw consent – in cases where processing is based on your consent, you may withdraw it at any time. The revocation of consent is only effective for the future, the processing carried out before the revocation remains valid.

OBLIGATIONS OF THE CONTROLLER

HOSTING

The personal data collected on this website are stored on the servers of SC REEA SRL. The processing of the data provided and stored is carried out in accordance with the following legal provisions:

    • Art. 6 para. 1 lit. a) GDPR – The data processing by SC REEA SRL is based on your consent obtained after correct and complete information.

    • Art. 6 para. 1 lit. b) GDPR – data processing by SC REEA SRL is carried out for the purpose of fulfilling contractual obligations.

    • Art. 6 para. 1 lit. f) GDPR – data processing by SC REEA SRL is carried out for the purposes of safeguarding the legitimate interests of the controller.

Regardless of the purpose for which personal data are processed, the principles of lawfulness, fair processing and transparency are observed, as well as the principle that the personal data processed are adequate, relevant and limited to what is necessary for the purposes for which they are processed.

For more information about the processing of personal data by SC REEA SRL, please visit https://www.reea.net/ro/privacy.

We have entered into a contract/legal agreement/legal act (including the possibility of including and agreeing to the clauses in the General Terms and Conditions of the Website) with SC REEA SRL to ensure the processing of personal data in accordance with the relevant legal provisions. We comply with our obligations under Article 28 of the GDPR by selecting an external service provider that provides sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of the Regulation and ensures the protection of your rights.

DATA ENCRYPTION

This website uses SSL encryption for security reasons and to protect the transmission of confidential information. You can recognize this encryption by the lock symbol that appears in your browser bar and by the change of the browser address from http:// to https://. Once this type of encryption is activated, the transmitted or transferred data can no longer be viewed by third parties.

In accordance with the General Data Protection Regulation, the operator of this website shall inform you without undue delay of any breach of security of personal data if it is likely to result in a high risk to your rights and freedoms, unless the additional provisions of this Regulation apply (Article 34(3)).

DATA PROTECTION OFFICER

Since the provisions of the General Data Protection Regulation on the obligation to appoint a data protection officer (Article 37(1) – under which the controller and processor must each appoint a data protection officer:

a. the processing is carried out by a public authority or a public body, with the exception of courts acting in their judicial capacity;

b. the main activity of the controller or processor consists of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c. the main activity of the controller or processor consists of large-scale processing of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and offences pursuant to Article 10).

If you would like information or clarification on the operation of this website, please contact us using the contact details below:

    • Name: IT Department

    • E-mail: office@zsofia.ro

    • Tel: +40 365 404 883

    • Fax:

    • Correspondence Address: Strada Carpati No. 9 Reghin Judetul Mures

RECORDS OF PROCESSING ACTIVITIES

According to the GDPR, the controller or processor should keep records of the processing activities under its responsibility for a reasonable period of time. Thus, these records contain the following information:

    • The name and contact details of the controller.

    • The purposes of the processing.

    • A description of the categories of data subjects and the categories of personal data.

    • The categories of recipients to whom personal data have been or will be disclosed.

    • If applicable:

        • transfer of personal data

        • estimated time limits for the erasure of the different categories of data

        • a general description of the technical and organizational security measures.

The obligation described above does not apply to companies or organizations with fewer than 250 employees, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing involves special categories of data or personal data relating to criminal convictions and offences.

APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES

Taking into account the state of the art, the circumstances and the purposes of the processing, as well as the risks to the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for the purpose of the processing are processed.

NOTIFICATION OF THE SUPERVISORY AUTHORITY IN THE EVENT OF A PERSONAL DATA BREACH.

Pursuant to Article 33 para. 1 of the General Data Protection Regulation, in the event of a personal data breach, we shall notify the national supervisory authority for the processing of personal data without undue delay and, where possible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of individuals.

INFORMING THE DATA SUBJECT ABOUT THE PERSONAL DATA BREACH.

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will notify the data subject of the breach without undue delay, with reference to Article 34 of the GDPR, unless one of the following applies:

    • Appropriate technical and organizational safeguards have been put in place and those safeguards have been applied in the case of personal data affected by the personal data breach, in particular measures to ensure that personal data is rendered unintelligible to persons who are not authorized to access it, such as encryption.

    • Other measures have been taken to ensure that the high risk to the rights and freedoms of data subjects mentioned above no longer exists.

    • Notification would require a disproportionate effort. In this case, public notification or a similar measure will be taken instead, informing the data subjects in an equally effective manner.

PLUGINS AND TOOLS

YOUTUBE

Our website uses plugins from the YouTube platform, which is operated by Google. The operator of the website is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.

When you visit a page of our website in which a YouTube plugin is integrated, a connection to the YouTube servers is established. This tells the YouTube server which of the pages you have visited.

In addition, YouTube may also set various cookies that can be used to obtain information about visitors to our website. This information is used, among other things, to compile video statistics in order to improve the user experience of the website and prevent fraud attempts.

If you are logged into your YouTube account while visiting our website, you allow YouTube to store your browsing behavior directly in your personal profile. You have the option to prevent this by logging out of your YouTube account.

The use of YouTube is based on our interest in presenting our online content in an appealing way. According to Art. 6 para. 1 lit. f) GDPR, this is a legitimate interest.

In light of the judgment of July 16, 2020 (Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems), the European Court of Justice ruled that the protection provided by the EU-US Privacy Shield is not adequate. Transfers of personal data to the U.S. and other countries outside the European Economic Area (EEA) should therefore be based on the European Commission’s Standard Contractual Clauses (SCC).

For more information about how YouTube handles user data, please see YouTube’s privacy policy at: https://policies.google.com/privacy?hl=en.

GOOGLE WEB FONTS

This website uses web fonts from Google to ensure consistent use of fonts on this website.

When you access a page on this website, your browser loads the web fonts required for the correct display of text and fonts by connecting to Google’s servers. Thus,

Google Web Fonts are used based on Art. 6 (1) f) GDPR, as there is a legitimate interest in the uniform display of the font on this website. If there is explicit consent for this (e.g. consent to cookie archiving), the data is used exclusively on the basis of Art. 6 (1) a) GDPR.

For more information on how Google Web Fonts handles user data, please see the privacy policy at: https://policies.google.com/privacy?hl=en.

GOOGLE MAPS

This website uses Google Maps, a mapping and location service, via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

To ensure data protection on our website, Google Maps is deactivated when you visit our website for the first time. A direct connection to Google’s servers is only established with the independent activation of Google Maps, i.e. with your consent according to Art. 6 para. 1 lit. a) GDPR. This prevents the transmission of data to Google during your first visit to our website. Once you have activated the service, Google Maps will store your IP address. As a rule, it is then transferred to a Google server in the United States and stored there. The provider of this website has no influence on this data transfer once Google Maps has been activated.

Considering the judgment of July 16, 2020 (Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems), the European Court of Justice has ruled that the protection provided by the EU-US Privacy Shield is not adequate.

Therefore, transfers of personal data to the U.S. and other countries outside the European Economic Area (EEA) are based on the European Commission’s Standard Contractual Clauses (SCC). The Commission has issued two sets of standard contractual clauses for data transfers from controllers in the EU to controllers located outside the EU or the European Economic Area (EEA). It has also issued a set of contractual clauses for data transfers from EU controllers to processors located outside the EU or EEA. For more information on these clauses, we recommend you visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_ro.

Google Maps uses standard contractual clauses as adequate data protection safeguards in line with the level of protection guaranteed by the GDPR. For more information, please see Google’s privacy policy at: https://policies.google.com/privacy

GOOGLE RECAPTCHA

We use “Google reCAPTCHA” (hereinafter referred to as “reCAPTCHA”) on our website. The provider is Google Inc., located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A. (“Google”). reCAPTCHA is used to determine whether data entered on our website (e.g. information entered into a contact form) originates from a human user or an automated program. To determine this, reCAPTCHA analyzes the behavior of website visitors based on several parameters. This analysis is automatically triggered as soon as the visitor enters the website. For this analysis, reCAPTCHA evaluates a variety of data (e.g. IP address, time spent by the visitor on the page or user-induced cursor movements). The data collected during these analyses is sent to Google. reCAPTCHA analyses run entirely in the background. Website visitors are not notified that an analysis is being performed. The data is processed based on Art. 6 (1) f) GDPR. The website operators have a legitimate interest in protecting the operator’s web content from misuse by automated economic espionage systems and from SPAM.

Considering the judgment of July 16, 2020 (Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems), the European Court of Justice ruled that the protection provided by the EU-US Privacy Shield is not adequate.

Therefore, transfers of personal data to the U.S. and other countries outside the European Economic Area (EEA) are based on the European Commission’s Standard Contractual Clauses (SCC). The Commission has issued two sets of standard contractual clauses for data transfers from controllers in the EU to controllers located outside the EU or the European Economic Area (EEA). It has also issued a set of contractual clauses for data transfers from EU controllers to processors located outside the EU or EEA. For more information on these clauses, we recommend you visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_ro.

Google reCAPTCHA uses standard contractual clauses as appropriate data protection safeguards in line with the level of protection guaranteed by the GDPR. For more information, please see Google’s privacy policy, which can be found here: https://policies.google.com/privacy and here https://policies.google.com/terms?hl=en.

CONCLUSION

This Personal Data Processing Policy is prepared in accordance with the provisions of Regulation No. 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as well as other applicable national legislation.

We reserve the right to make additions or changes to this Policy. We recommend that you read the Policy regularly to obtain accurate and up-to-date information about the processing of personal data.

Requests for further details about this Privacy Policy and how to exercise the above rights can be sent in writing to the contact details provided above.