General policy regarding the protection of personal data

  1. General presentation

1.1. Introduction

SC Expomedia Agency SRL, as a personal data operator, processes personal data relating to the natural persons with whom it interacts, for the stated purpose.

These may represent data in relation to customers, suppliers, business contacts, employees and other persons with whom the company has concluded a contract or with which it is in a connection: identification data (first and last name, serial/CI no./passport, CNP), contact details (postal and e-mail addresses, telephone numbers), studies, function held.

This policy describes how personal data must be collected, used and stored in order to comply with company standards on data protection – and also to meet the legality requirement. This control applies to all systems, individuals, and processes that make up the organization’s IT systems, including board members, directors, employees, suppliers, and other third parties who have access to the systems. SC Expomedia Agency SRL.

 

1.2. The existence of policies

This policy regarding data protection is ensured within the framework SC Expomedia Agency SRL.

  • The legal requirements at European and national level regarding the protection of applicable personal data and good practices in this field are respected;
  • Protection of the rights of the data subjects: for example of the partners, clients, employees / collaborators;
  • How to store and process personal data collected directly or from third parties;
  • Protection of the company against possible risks related to data security breach;
  • Increased confidence in the external environment, in relation to SC Expomedia Agency SRL.

 

1.2.1. Legislation regarding the protection of personal data

Regulation (EU) no. 679/2016 describes how companies – including SC Expomedia Agency SRL – must process personal data. Significant fines are applicable if an infringement is considered to have been adopted under the GDPR Regulation, which is intended to protect the personal data of EU citizens.

These rules apply regardless of whether the data is stored electronically, on paper or other materials.

In order to be in accordance with the law, personal information must be collected and used correctly, stored securely, without being allowed to use it illegally.

Regulation (EU) No 2016/679 transposes the fundamental principles according to which data processing is allowed, companies having the obligation as the personal data they collect:

  1.  Be processed in a legal, fair and transparent manner towards the data subject (“legality, fairness and transparency”);
  2.  To be collected for specified, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes (“purpose limitations”);
  3.  Be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“minimizing data”);
  4.  Be accurate and, if necessary, be updated; all necessary measures must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay (“accuracy”);
  5.  Not to be stored longer than necessary (“storage limitations”);
  1. To be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”);
  2. To be processed in accordance with the rights of the data subjects;
  3. They should not be transferred outside the European Economic Area, unless the territory/country where they are to be transferred ensures an adequate level of protection of personal data.

 

1.2.2. Definitions

The GDPR definition of personal data is broad:

Personal data = any information about an identified or identifiable natural person

In order to be able to correctly interpret the definitions of this policy, it is necessary to know the fundamental terms regarding data protection:

The data subject An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, identification number, location data, an online identifier, or to one or more many specific elements, specific to its physical, physiological, genetic, psychological, economic, cultural or social identity.
Processing Any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consulting, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, deletion or destruction.
Operator The natural or legal person, the public authority, the agency or other body which, alone or together with others, establishes the purposes and the means for the processing of personal data; when the purposes and means of processing are established by Union law or national law, the operator or the specific criteria for its designation may be laid down in Union law or national law.
Operator authorized person The natural or legal person, public authority, agency or other body that processes personal data on behalf of the operator.

 

1.3. Principles regarding the processing of personal data

Regulation (EU) No 2016/679 transposes the fundamental principles according to which data processing is allowed, companies having the obligation to carry out the processing of personal data under certain conditions.

In order to comply with the applicable legal framework, personal data within the framework SC Expomedia Agency SRL are:

  • processed in a legal, fair and transparent manner vis-à-vis the data subject (“legality, fairness and transparency”);
  • collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the initial purposes, in accordance with Article 89 (1) (“purpose limitations”);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“minimizing data”);
  • accurate and, if necessary, updated; all necessary measures must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay (“accuracy”);
  • kept in a form that allows the identification of the data subjects for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89 (1), subject to the implementation of the appropriate technical and organizational measures provided for in this Regulation in order to guarantee the rights and freedoms of the data subject (“storage limitations”);
  • processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”).

 

We will always do all the necessary activities to ensure that we respect all these principles both in the present processing process and as part of the introduction of new processing methods, such as possible new information systems.

 

1.4. Rights of the data subject

The data subject has several rights, in accordance with the GDPR Regulation. These consist of:

  • The right of withdrawal of consent;
  • The right to information;
  • The right of access;
  • The right to rectification;
  • The right to delete data (“the right to be forgotten”);
  • The right to restrict processing;
  • The right to data portability;
  • The right to oppose processing;
  • The right not to be the subject of a decision based exclusively on automatic processing, including the creation of profiles;
  • The right to file a complaint with the Authority;
  • The right to seek justice.

Each of these rights is supported by appropriate forms from SC Expomedia Agency SRL which allow the necessary action to be taken within the deadlines set by the GDPR Regulation.

The data subjects can exercise some of the above rights by e-mail, addressed to the data operator at mihaela.fulea@expomedia.ro. Applications will be exempt from any fee. The operator will be required to provide a response within a maximum of one month, and in some exceptional cases within two months of receiving the request.

We will always verify the identity of any data subject who addresses us with a request regarding his data processed by us. In order to answer the requests and allow the exercise of rights, the legal department or external legal consultants will have a say in the merits of the request.

 

1.5. The reasons for the processing

Personal data processing at SC Expomedia Agency SRL is based on the following legal grounds contained in the Regulation (UE) 679/2016:

  • in order to conclude and execute the contracts for the provision of services that are the subject of our activities – art. 6, para. 1, lit. (B);
  • in order to fulfill the legal obligation of highlighting and reporting to the state bodies – art. 6, para. 1, lit. (C).

The personal data collected and processed it is necessary to conclude or execute a contract with the data subject, in which case his explicit consent is not required. This is because the contract cannot be concluded without the personal data in question, for example an appointment cannot be made without a telephone number to which the customer can be contacted.

Given that personal data must be collected and processed by us in order to comply with the law, explicit consent is not required. This may be applicable to certain employment and taxation data, for example.

 

1.6. Purposes of processing

As part of our professional activity, we process personal data to implement the object of the company’s activity – to organize the first ever Design Thinking dedicated event in RO – a dynamic and frenzy event entirely about innovation – be it commercial, operational, industrial or social.

We also process personal data to honor the legal obligations that govern our field of activity, such as the Civil Code, the Fiscal Code, the Labor Code.

 

  1. Limits of policy applicability

2.1. Policy area

This policy applies to:

  • SC Expomedia Agency SRL headquarters;
  • All departments of SC Expomedia Agency SRL;
  • All staff and volunteers of SC Expomedia Agency SRL;
  • All contractors, suppliers and other persons working on behalf of SC Expomedia Agency SRL.

It is applicable to all data held by the company in connection with identifiable individuals.

The categories of personal data processed are those that you provide when filling out the contact form. These include: name, email address and phone number.

In addition to the supply of products from the electrotechnical industry we reserve the right to process personal data for marketing purposes. To keep you updated with the latest services news at SC Expomedia Agency SRL.

 

2.2. Risks

The policy helps protect SC Expomedia Agency SRL of real security risks, including:

  •  Violations of confidentiality;
  • Damage to reputation. For example, the company could be harmed if this data were obtained by people interested in it, from inside, by producing a security breach.

 

  1. Data storage

These rules describe how and where personal data should be stored.

When data is stored on paper, it must be stored in a safe place where unauthorized persons cannot access it.

These instructions also apply to data that is commonly stored electronically, but has been printed for certain reasons:

  •  The papers or files should be kept in a closed place or in a closed drawer;
  •  Employees should ensure that paper or printouts are not left to unauthorized people who might see them, such as on the printer;
  • Prints should be destroyed when no longer needed.

When data is stored electronically, it must be protected from unauthorized access, accidental deletion or intentional hacking:

  • Data should be protected by strong passwords that are regularly exchanged and never shared between employees, while sensitive data must be encrypted;
  • When data is stored on removable media (such as CDs, DVDs), they are stored securely when not in use;
  • Data will be stored only on servers or specialized units and should be uploaded to an approved cloud computing service;
  • Servers containing personal information should be placed in a safe place, away from the general office space;
  • Data should be stored directly on laptops and not on other mobile devices such as tablets or smartphones.
  • The data has a regular backup;
  • All servers and computers containing data are protected by Security software and firewall.

 

  1. Use of data

SC Expomedia Agency SRL does not process personal data on a large scale or sensitive data. Even so, we want to keep your data safe. To prevent risk situations such as corruption or even theft, we have established a series of mandatory rules to be followed when using these data:

  • When working with personal data and staying even for short periods of time unattended, the staff ensures that the computer screens are closed;
  • The personal data is processed at the headquarters and/or at the point of work of our beneficiaries. All documents containing personal data, in electronic format, on paper and on any other medium for storing and transferring personal data are processed/collected/stored/archived/destroyed, etc., by the beneficiary, in the conditions of the law;
  • We minimize the transmission of personal data by e-mail, as this means of communication is not secure. By way of exception, the only transmission by mail of sensitive data are those intended for the data subject, at his express request;
  • Sensitive data should be encrypted before being electronically transferred;
  • Personal data are not transferred outside the European Economic Area;
  • Workers are forbidden to save personal data in their personal devices;
  • The data will be kept in a few places; staff should not create any additional places that are not needed, such as useless children;
  • The staff is trained to use every opportunity to ensure the updating of the data. For example, by confirming some details when the customer calls;
  • The data is updated when inadvertence is discovered. For example, when a customer can no longer be reached via a telephone number, deletion from their database is recommended.

 

  1. Disclosure of data for other reasons

In certain circumstances, the legislation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

In these circumstances, SC Expomedia Agency SRL  will disclose the required data. The data operator will ensure that the request is legitimate, seeking assistance from the company’s legal advisors where necessary.

 

  1. Providing information

SC Expomedia Agency SRL aims to ensure that data subjects know how data is processed, making sure that they understand:

  • How are their data used;
  • How they can exercise their rights.

For this purpose, the company has a Privacy Policy for the site (regarding the use of cookies), establishing how the data of the people are used within it.

 

  1. Consequences

Failure to comply with this Policy by company employees or other external collaborators may result in disciplinary sanctions (including termination of employment), termination of contracts and, depending on the circumstances, court action to fully recover damages to the organization as a result of non-compliance with this Policy.

When there is a suspicion of illegal activities (such as, for example, document theft, copying, distribution, transfer of databases), the Company will denounce the criminal activity to the law enforcement agencies for taking criminal responsibility of the perpetrator.

This Policy will be brought by the management of the company to the knowledge of all employees, collaborators, business partners or other third parties, including by posting on the company’s website patientexperience.ro/.