Gdpr
Policy regarding the processing of personal data performed by ANFNC.
(“ANFNC” / “Company” / “Power of Attorney”)
1. Respecting the protection of personal data within ANFNC
1.1 ANFNC attaches great importance to the adequate protection of the security and confidentiality of all personal information of its current, past and future employees as well as of other natural persons, such as clients, visitors, contractual partners or their representatives.
1.2 Therefore, ANFNC is fully committed to comply with the requirements of the applicable data protection legislation, respectively of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"), and the purpose of this Policy is to highlight our general practices regarding the processing of your personal information in accordance with the law, for the purposes mentioned below, including the types of information we collect, how we use and protect it, and how you can correct this process.
1.3 ANFNC. with headquarters in Bucharest, sector 6, Bd. Timisoara, no. 76D processes personal data both as an Operator and as a Power of Attorney according to the information presented in Section 2 below.
1.4. Much of the information that ANFNC processes about you has been provided directly by you, however, certain information may come from other internal sources, such as your manager / employer or external sources.
2. The purposes and grounds on which we process / collect your personal data
ANFNC may process / collect your personal data:
I. as an Operator, for the following purposes:
2.1. Personal data of customers, business partners and their representatives / employees:
for the purpose of CCTV Monitoring;
for financial-accounting purposes, for the purpose of developing contractual relations;
(iii) in order to keep the contact details of the contractual partners of the company;
2.2. Personal data of potential employees as well as employees:
for the purpose of CCTV Monitoring
(ii) Human Resources
(iii) Human and Financial Resources
(iv) Human Resources and HSQE
(v) IT (server back-up, archiving emails when an employee leaves)
(vi) Carrying out business contractual relations
(vii) for the recruitment of employed personnel
2.3. The personal data of the employees or family members of the employees in order to include them on the list of beneficiaries of the services offered by the operator's proxies.
2.4. Personal data of visitors for the purpose of monitoring the security of persons, spaces and private property by keeping a register.
II. As a proxy, for the following purposes:
2.5. CCTV monitoring, keeping a register of visitors, ANFNC processes the personal data of visitors, employees, contractual partners;
3. How we may process / collect your personal data
ANFNC collects the personal data of the data subjects from the moment of entering the premises of ANFNC, from the moment of starting the contractual relations, the moment of submitting the CV, of starting your employment / collaboration relations with ANFNC.
4. The types of personal data that we may possibly collect / process
4.1 For the purposes mentioned above, ANFNC collects and / or processes the following categories of data regarding customers, business partners and their representatives / employees:
(i) Image, voice for the purpose of CCTV Monitoring (monitoring the security of persons, spaces and private property) pursuant to Art. 6 (1) (f) of the GDPR, respectively the processing is necessary for the purpose of the legitimate interests of the operator;
(ii) Name, surname, telephone, fax, e-mail address, address, signature, for the financial-accounting purpose, for the purpose of carrying out the contractual relations under Art. 6 (1) (c) of the GDPR - the processing is necessary in order to fulfill a legal obligation incumbent on the operator (keeping accounting records), and Art. 6 (1) (f) - the processing is necessary for the purpose of the legitimate interests pursued by the operator;
(iii) Name, surname, telephone, fax, email, address, signature in order to keep the contact details of the contractual partners of the company, pursuant to Art. 6 (1) (f) - processing is necessary for the purpose of legitimate interests pursued of operator;
(iv) Name and surname, series of identity card information regarding the time interval in which the access was made in and out of the building in which ANFNC has its headquarters and in which the employees carry out their activity, pursuant to Art. 6 (1) (f) of the GDPR in order to fulfill the contractual obligations assumed towards the contractual partners;
(v) Vehicle identification / technical data (registration number, make, model, type, chassis series / identification number - VIN, engine series, date of manufacture, date of first registration, cylinder capacity, color, fuel type, mileage) , financial data (market value of the vehicle) - only if these data are correlated with the identity data of a data subject, in the case of damage files, pursuant to Art. 6 (1) (f) of the GDPR in order to fulfillment of the contractual obligations assumed towards the contractual partners;
4.2 For the purposes mentioned above, ANFNC collects and / or processes the following categories of data regarding its employees:
(i) Name, surname, CNP, copy of identity card, copy of passport, data from the civil status documents, address, signature, citizenship, country of origin, profession, position held, date of conclusion of the individual employment contract and date of commencement of activity, duration of the employment contract, duration of time, basic salary, allowances, bonuses, information regarding the secondment of the employee, study documents / qualification certificates, data regarding the disciplinary sanctions for the purpose of Human Resources pursuant to Art. 6 (1) (c) of the GDPR - the processing is necessary in order to fulfill a legal obligation incumbent on the Operator, based on Decision 905 of 2017 on the General Register of Employees and Art. 6 (1) (b) - the processing is necessary for the execution of a contract, respectively the contract of the work;
(ii) Image, sex, date and place of birth, data from the driving license, no. pension file, telephone, fax, address, e-mail, family situation, details on family members, data on criminal sanctions, data on criminal record only in cases expressly provided by law, CV data, data on previous work experience, the registration numbers of the employees' car, the number of the employee's interior for the purpose of Human Resources under Art. 6 (1) (b) of the GDPR - the processing is necessary for the execution of a contract to which the person concerned is a party and Art.6 (1) (f ) - for the purpose of the legitimate interests pursued by the operator;
(iii) Name and surname, brand number (contract) information on the time interval in which the access was made in and out of the building in which the Operator is based and in which the employees carry out their activity, for the purpose of Human Resources on monitoring employees for storage records of working hours, pursuant to Art. 6 (1) (c) of the GDPR - the processing is necessary in order to fulfill a legal obligation incumbent on the operator;
(iv) Name and surname, CNP, bank details, payment statements, time sheets, data from performance evaluations for the purpose of Human and Financial Resources, pursuant to Art. 6 (1) (b) of the GDPR - processing is necessary for the execution of a contract to which the data subject is a party, respectively for making salary payments;
(v) Data on health status, medical leave, skills sheets, control of occupational medicine for the purpose of Human Resources and HSQE, pursuant to Art. 9 (2) (b) of the GDPR - processing is necessary in order to fulfill the obligations of the operator and of the exercise of certain rights of the data subject in the field of social security and social protection and Art. 9 (2) (h) - the processing is necessary for purposes related to occupational medicine, the evaluation of the work capacity of the employee;
(vi) Information stored on the server and on the company's computers for IT purposes (server back-up, archiving emails when an employee leaves) pursuant to Article 6 (1) (f) of the GDPR - for the purpose of legitimate interests pursued by operator;
(vii) Name, surname, telephone, position, fax, email, address, signature, internal username, for the development of business contractual relations, pursuant to Art. 6 (1) (f) of the GDPR - processing is necessary for the purpose the legitimate interests of the operator.
(viii) Image, voice for the purpose of CCTV Monitoring (monitoring the security of persons, spaces and private property) pursuant to Art. 6 (1) (f) of the GDPR, respectively the processing is necessary for the purpose of the legitimate interests of the operator;
(ix) Name and surname, sex, date and place of birth, citizenship, CV data, telephone, fax, email, address of domicile or residence, profession regarding candidates under Article 6 (1) (b) of the GDPR , respectively the processing is necessary to take steps at the request of the data subject before concluding a contract.
4.3. For the purposes mentioned above, ANFNC collects and / or processes the following categories of data regarding the employees or family members of the employees: name and surname, CNP, copy of CI or birth certificate, pursuant to Art. 6 (1 ) (b) of the GDPR - the processing is necessary to take action at the request of the data subject before concluding a contract.
4.4. For the purposes mentioned above, ANFNC collects and / or processes the following categories of data regarding visitors: name, surname, date of visit, time of arrival and time of departure from the premises, pursuant to Art. 6 (1) ( f) of the GDPR - the processing is necessary for the purpose of the legitimate interests of the operator.
4.5. Usually, your personal data will be provided directly by you or by the representatives of the legal entity with which you have a working / collaboration relationship. If you provide personal data of your employees / representatives to ANFNC, make sure you inform them accordingly about this Policy.
4.6. ANFNC processes personal data based on the provisions of GDPR applicable from May 25, 2018.
5. General principles regarding the processing of information on data subjects
Regarding the processing of personal data that it performs, ANFNC will respect the principles below.
5.1 Correct, legal and transparent processing
Your personal data:
(i) be prosecuted lawfully, fairly and fairly against you;
(ii) they will be obtained only for the purposes determined, legitimate, specified and relevant for the fulfillment of the operational needs and will not be further processed in any way incompatible with that purpose or those purposes.
(iii) will be processed in a transparent manner.
5.2 Proportionality and minimization of processing
Your personal data:
(i) be appropriate, relevant and not over-processed in relation to the purpose or purposes for which they are processed;
(ii) shall not be kept longer than is necessary for that purpose or purposes.
(iii) are relevant and strictly limited to what is absolutely necessary for the purposes for which they are processed.
5.3 Integrity and confidentiality of personal data
Your personal data will be correct and, if necessary, will be kept up to date. The processing of personal data will be done in the most secure conditions, which include "protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures."
5.4 Accuracy of personal data
ANFNC will take all measures to ensure the validity of the data, and those that prove inaccurate will be updated quickly or deleted.
5.5 Storage limitation
The personal data will be kept fixed as long as they are necessary for the assumed processing, and the longer periods of storage of personal data are exceptions associated with the legal provisions, as follows:
Data of customers, business partners, their representatives / employees:
(i) for the purpose of CCTV Monitoring: 30 days from the date of registration;
(ii) for keeping a register of visitors: 30 days from the date of registration;
(iii) for financial-accounting purposes, for the purpose of carrying out the contractual relations: for the contractual duration, for a period of 50 years after the registration in the accounting;
(iv) for the purpose of maintaining the contact details of the company's contractual partners: for the duration of the contract, for a period of 10 years from the date of termination of the contracts.
Employee data
(i) For the purpose of Human Resources in order to keep REVISAL for a period of 50 years and for the purpose of carrying out the contract during employment and for a maximum period of 5 (years) after the termination of employment.
(ii) For the purpose of Human Resources for the monitoring of working hours for a maximum period of 2 years in the electronic environment, it is subsequently kept as written time sheets during employment and for a subsequent period of 50 years.
(iii) For the purpose of Human and Financial Resources: during employment and for a period of 10 (years), in the case of payrolls during employment and for a subsequent period of 50 (years), and in the case of performance evaluations during contractual.
(iv) Human Resources and HSQE: during employment and for a maximum period of 5 (years) after termination of employment.
(v) IT (server back-up, archiving emails when an employee leaves) 5 years after the employee leaves;
(vi) Carrying out the contractual business relations: during the employment contract / collaboration / representation mandate. Upon expiration of the above processing / storage terms, personal data will be deleted or destroyed.
(vii) Candidate data: 5 years in the case of candidates in the recruitment and selection process;
Data of employees' employees: during the employee's employment contract;
Visitor data: 30 days from the date of registration;
5.6 Protection of personal data
Personal data will be subject to appropriate technical and organizational measures reasonably necessary to protect it against destruction, loss, alteration, access or other unauthorized or accidental processing.
5.7 Security of data processing
ANFNC will take measures regarding the security of data processing and, consequently, will establish its own internal policy for the security of personal data processing.
In particular, ANFNC will ensure that the Policy on Security Measures regarding the Processing of Personal Data will be implemented at the level of the organization.
6. Disclosure of personal data to third parties located in Romania or outside Romania
In Romania, ANFNC will disclose the personal data of the data subjects to the following recipients:
6.1. In the case of employees for the general purpose of human resources, their personal data will be disclosed to: Banks, AJOFM, Health House, Pension House, companies from the same group, ANFNC., Public and central authorities, credit bureaus , debt collection agencies, insurance companies, reinsurance companies, professional organizations, employment and placement agents, external consultants / service providers (eg lawyers, accountants, and auditors).
6.2 In the case of employees / visitors / clients / potential clients for the purpose of CCTV monitoring or monitoring by keeping the Register of Visitors: the proxy of the operator, respectively ANFNC., Relevant authorities for exercising certain rights, public authorities in case of committing a crime;
6.3 In the case of candidates in the recruitment process: data subject, external consultants / service providers (eg lawyers, accountants, and auditors)
6.4 In the case of the contractual partners / representatives of the contractual partners of ANFNC: the persons concerned, contractual partners, the company from the group ANFNC.
6.5 In the case of employees' employees: the proxy of ANFNC
7. The rights of data subjects
7.1 According to the GDPR, data subjects have the following rights regarding personal data, namely: the right to request information from us about the processing of your data, access to data, rectification or deletion ("right to be forgotten") of your data. with personal character, the right to obtain the restriction of processing, to oppose the processing of data, not to be the subject of a decision based exclusively on automatic processing, as well as, in certain circumstances, the right to data portability in accordance with the provisions of Art. 12- 22 of the GDPR.
7.2 If the data subjects have given their consent for the processing of personal data, they have the right to withdraw this consent at any time, which will not affect the lawfulness of the processing before the withdrawal of your consent.
7.3 The data subjects also have the right to lodge a complaint with the National Authority for the Supervision of Personal Data Processing (“DPA”) if they consider that the provisions of the GDPR regarding personal data have not been complied with.
8. Operator contact details
ANFNC is the Data Operator for certain processing mentioned above, and in case you have requests regarding the way your data is processed, you can contact us: at ANFNC
9. The procedure for resolving the requests of the data subjects
9.1 ANFNC has the obligation to communicate to the petitioner, the answer to the request addressed according to the above provisions, within 30 calendar days from the date of registration of the request. This term can be extended motivated by ANFNC, with at most 15 calendar days if ANFNC has to solve several requests and / or the request is complex.
9.2 ANFNC will send to the person concerned the answer to the above request by letter with acknowledgment of receipt to the address indicated by the person concerned or by e-mail in the form of an encrypted pdf.
10. DPA notification in case of personal data breach
10.1 In the event of a breach of the security of personal data, the Operator shall notify the DPA without undue delay and, if possible, within a maximum of 72 hours from the date on which he became aware of it.
10.2 Notification above:
(a)
describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of records of personal data concerned;
(b)
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c)
describe the likely consequences of the breach of personal data security;
(d)
describe the measures taken or proposed to be taken by the controller to remedy the breach of the security of personal data, including, where appropriate, measures to mitigate any possible adverse effects.
10.3 ANFNC keeps documents regarding all cases of personal data breach, which include a description of the factual situation in which the personal data breach took place, its effects and the remedial measures taken. This documentation allows the DPA to verify compliance with the provisions of the GDPR.
10.4 Informing the data subject of personal data breach
10.4.1 If the breach of the security of personal data is likely to pose a high risk to the rights and freedoms of individuals, ANFNC shall inform the data subject without undue delay about such breach.
10.4.2 The information provided to the data subject shall include a clear description in plain and simple language of the nature of the personal data breach.
10.4.3 Information of the data subject is not required if any of the following conditions are met:
(a)
ANFNC has implemented adequate technical and organizational protection measures, and these measures have been applied in the case of personal data affected by personal data breach, in particular measures to ensure that personal data become unintelligible to any people who are not authorized to access them, such as encryption;
(b)
ANFNC has taken further measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
(c)
The information would require a disproportionate effort from ANFNC. In this case, public information shall be provided or a similar measure shall be taken to inform the data subjects in an equally effective manner.
10.4.4 If ANFNC has not already communicated the personal data breach to the data subject, DPA, after considering the likelihood that the personal data breach would pose a high risk, may request to do so or may decide that any of the conditions mentioned in Art. 9.4.3 are met.
11. Practical information
11.1 ANFNC periodically verifies that this Policy is correct, complete in terms of the information to be covered, fully implemented and accessible, in accordance with the requirements of the applicable legislation and its principles.
In case any changes to this Policy are necessary or considered appropriate, ANFNC will inform you about them in time.
11.2 We encourage you to ask any questions, comments regarding this Policy and the processing of your personal data, including applicable law or international transfers, by contacting the email addresses: office {} anfnc.ro and dns.gdpr@gmail.com