G.D.P.R. POLICY
Purpose and application
This policy aims to ensure the alignment of Hodoș and Associates SPRL, HBR Financial Services SRL and Hodos Business Recovery SPRL with the provisions of European Regulation 679/2016 (hereinafter referred to as GDPR). It is part of the organisational measures taken by the companies under this regulation.
Definitions and terms
General Data Protection Regulation (GDPR) = Regulation No 679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
This regulation specifically concerns the processing of personal data by operators.
Main terms:
“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law.
“Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject signifies his or her agreement, in a statement or in an unequivocal action, to the processing of personal data relating to him or her.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
Principles and purpose of processing
The processing of all personal data must be in line with the principles defined in the Regulation. For the implementation of the GDPR, it is important to understand the principles that are set out in Article 5. As these principles form the basis of the GDPR requirements, they must be made known and understood by all company employees.
1. Personal data shall be processed lawfully, fairly and transparently in relation to the data subject (“lawfulness, fairness and transparency”). According to this principle all processing of personal data must be fair, i.e. Hodoș and Associates SPRL, HBR Financial Services SRL and Hodoș Business Recovery SPRL shall not carry out processing that is not lawful. The company will also demonstrate transparency with regard to the processing of personal data and will inform the data subject openly and transparently.
2. Personal data are collected for specified, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes (“purpose limitation”). Processing of personal data must be limited to the legitimate purpose for which they were originally collected from the data subject. Processing of personal data outside the legitimate purpose for which they were collected is prohibited.
3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”). Only personal data necessary for the purposes for which they were collected may be requested when collecting personal data. This means that no other data may be requested or stored than necessary.
4. Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (“lawful storage limitations”). The company shall determine the retention period for each set of personal data. After the storage period has expired, the data will be deleted.
6. Personal data are processed in a way that ensures adequate security of personal data by taking appropriate technical or organisational measures (“integrity and confidentiality”).
7. The controller is responsible for compliance with the above principles and can demonstrate this (“accountability”).
Personal data will only be processed if one of the legal grounds set out in Article 6 para. 1 of the Regulation applies. These grounds establishing the lawfulness of the processing are:
1. Consent of the data subject
2. Processing necessary for entering into or performing a contract
3. Processing necessary for compliance with a legal obligation
4. Processing necessary to protect the vital interests of the data subject or of another natural person
5. Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject require the protection of personal data, in particular where the data subject is a child.
If none of the above legal grounds apply, the processing is unlawful. Law Office Dr. Raul-Felix Hodoș, Hodoș Business Recovery SPRL, HBR Financial Services, DPO Expert Solutions and Blue Greener Services will not carry out unlawful processing under any circumstances. The legal basis on which the processing relies must be correctly determined before the collection or processing of the data begins.
Security measures relating to the processing of personal data
In order to ensure that the necessary organisational measures have been taken in accordance with GDPR requirements, the three associations have developed a set of procedures on information security, backup and incident management. The whole set of procedures will be known and adopted by all employees.
Among the measures adopted to protect personal data we mention:
- Secured local and online networks
- Training and education of employees to apply the new regulations
- Computers secured with passwords
- Designation of a D.P.O. to ensure that all operations are carried out in accordance with the law
Rights of the data subject
In order to respond to requests or complaints from data subjects all employees must be aware of their rights as set out in the GDPR.
The rights of the data subject are:
Right to information
This right gives the data subject the opportunity to request from the company information about the personal data it holds and processes about him/her and the purpose of that processing. For example, a customer may request a list of processors to whom such personal data are transferred.
Right of access
This right gives the data subject the possibility to access his/her personal data that are processed by the controller. This request gives data subjects the right to see or view their own personal data and to request copies of personal data.
Right to rectification
This right gives the data subject the opportunity to withdraw a previous consent to the processing of his/her personal data for a specific purpose. On the basis of a request the data subject will ask the controller to stop the processing of personal data based on the consent previously given. The controller shall be obliged to stop such processing. Processing prior to the withdrawal of consent remains lawful.
Right to object
This right gives the data subject the possibility to object to a processing operation, including automated processing and profiling.
Right to erasure of data (right to be forgotten)
This right gives the data subject the opportunity to request the erasure of his/her personal data. The controller is obliged to comply with the request without undue delay within a maximum of 30 days from the date of the request. If there is a legal basis given by local or Union law, the data subject will be informed of this and only those data which are covered by these laws will be kept.
Right to data portability
This right gives the data subject the possibility to request the transfer of his/her personal data to another controller.
The right not to be subject to an automated decision
Any complaint by the data subject about a GDPR breach will be documented and recorded by the Customer Services department in the GDPR request/complaint log file, and the company management will be informed. The resolution of the data subject’s request/complaint will be communicated using the email address ………………………….. If the data subject requests another way of communication (not by email), a form of response will be agreed with him/her.
Control of complaints and queries of data subjects will be carried out on a monthly basis by the company’s Internal Control Officer. The check will consist of reviewing the requests/complaints and checking their resolution with the persons involved in the process.
The maximum resolution time is 20 days from the date of registration of the request.
Security breaches
Any breach of personal data will be documented. An incident record will be opened and the incident will be resolved with the highest priority. This record will be made by the Customer Service department. All possible measures to mitigate or reverse the overall impact of the incident will be considered.
Incidents will be handled according to the incident management procedure. Any incident related to personal data is categorised as critical and will be escalated to the companies’ management.
Where such an incident must be reported, it should be noted that there is a maximum 72-hour time limit for making the report. Failure to report within 72 hours is a breach of the Regulation.
Transfer of personal data
Personal data shall not be transferred to other persons or companies unless the data subject has given consent, the transfer is necessary for the performance of a contract in force to which the data subject is a party, it is necessary to meet other legal requirements, or it is necessary for the conduct of legal proceedings or an investigation. In the cases listed above the data subject must be informed of such transfers.
If the transfer is lawful, we must ensure that the data are encrypted. It is absolutely forbidden to send personal information through unencrypted channels.
Approval and control of the procedure
This procedure will be adopted by the above-mentioned associations, which will appoint a person in charge of the internal control of the company.
The tasks of this officer will be:
- Periodic control of the procedures
- Control of the processes by carrying out internal audits every year
- Modifying procedures when process changes occur or nonconformities have been recorded
- Submission of reports on controls to company management
- Providing information and awareness training to employees on internal procedures