General Data Protection Regulation (GDPR) - means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Personal data - means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Restriction of processing - means the marking of stored personal data with the aim of limiting their processing in the future;
Controller- means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
The National Supervisory Authority for Personal Data Processing (ANSPDCP) - means independent public authority established Romania, competent in the field of monitoring compliance with GDPR;
Terms in this policy that have not been defined above will be interpreted in accordance with the GDPR unless they are given a distinct meaning.
SMARTDREAMERS, based in Piata Trandafirilor str. 19, Târgu Mureș, Mures county, Romania, as a Controller, processes the personal data o employees, partners, natural persons, and other persons who interact with the company and/or are involved in contractual relations.
This policy describes how personal data should be processed, in accordance with the GDPR, the principles of personal data processing, as well as the rights and obligations of employees involved in the process of processing personal data. The good faith and quality conduct that SMARTDREAMERS has and promotes in contractual and labor relations is based on the quality standard protecting the rights to privacy and the processing of personal data.
- Compliance with the GDPR and good practices regarding the protection of personal data;
- Protection of the rights of the data subjects;
- Transparency on how personal data is protected;
- Protection against risks of breach of security of personal data.
This policy applies to:
- SMARTDREAMERS management;
- To all SMARTDREAMERS employees;
- All-natural or legal persons who carry out the processing of personal data, for the purpose and the means established by SMARTDREAMERS (e.g. persons authorized by the company);
- Other data subjects whose data are processed by SMARTDREAMERS (eg, individuals who have made their data available in professional environments such as LinkedIn, Twitter, Facebook, Instagram, Quora, Reddit or similar platforms).
5. Principles of personal data processing
Personal data are:
- Processed legally, fairly and transparently to the data subject;
- Collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes;
- Appropriate, relevant and limited to what is necessary for relation to the purposes for which they are processed;
- Accurate and updated in time;
- Retained in a form that allows the identification of the data subjects for a period not exceeding the period necessary to fulfil the purposes for which the data are processed;
- Processed in a manner that ensures the adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures.
6. Types of personal data processed
SMARTDREAMERS, depending on the purpose and the legal basis, mainly collects the following types of personal data:
For data subjects from the U.E. or outside (US, Asia):
For employees and authorized persons:
- Identity card details (name, first name, home address, date and year of birth, NOC, gender, series and number Identity card)
- Data from the Curriculum Vitae
- Phone number;
- No. roll;
- Medical data (e.g. medical leave);
- IBAN account;
- Employee photos;
- Photos, videos or testimonials received from customers.
For data subjects from the U.E. or outside (US, Asia):
- Name and surname;
- I.P. address;
- Country of residence, company, city of residence;
- Professional information: e.g., the name of the job had or for which it was applied, professional experience, etc.;
- Personal skills mentioned;
- Number of clicks - social media access;
- Profile photo - Twitter, page views website;
- LinkedIn profile or other social networks.
7. The legal basis of the processing
The company operates on the basis of the Companies Law no. 31/1990 and operates in accordance with it, as follows:
The data processed for Smart Dreamers employees have as legal basis:
- The law of companies no. 31/1990;
- The Labor Code and the legislation related to the work, for the aspects related to the activity of the employees;
- Accounting Law no. 82/1991, for the financial - accounting aspects;
- Government Emergency Ordinance 158/2005 on the holidays and social insurance benefits;
- GEO no. 96/2003 regarding the protection of motherhood at workplaces;
- GD 905/2017 on the general register of employees' records;
- Law 16/1996 of the National Archives, regarding the obligations to keep the documents;
- Fiscal Procedure Code, for reporting issues;
- The Code of Civil Procedure and the Civil Code for other aspects such as the exercise of rights or disputes;
- Express consent for certain specific cases (e.g. pictures of employees).
The data of the authorized persons will be processed based on the conclusion and execution of contracts and collaboration protocols.
Data of the persons concerned from the U.E. or from outside it (US, Asia) are processed based on the electronic consent, which they have granted:
- when they have completed the application forms;
- when they have consented to professional social networks (eg, LinkedIn) or not, and have completed their profile in order to be contacted;
- or when they have requested information from the company (eg, newsletters).
Also, the data of the data subjects mentioned above are processed when the information is made public by the data subject.
8. Data transfer
SMARTDREAMERS transfers personal data to third parties on the basis of the contractual obligations assumed or the protocols concluded, offering guarantees of protection of personal data, their security, non-disclosure, and confidentiality, to:
In addition to the above, SmartDreamers transfer personal data when required by law: e.g., ITM, public institutions, or courts.
9. Protective measures and guarantees
SMARTDREAMERS implements appropriate technical and organizational measures to ensure a high level of security and protection of personal data. We use security methods and technologies, together with policies applied to employees and work, control, and audit procedures, to protect personal data collected in accordance with the legal provisions in force. At SMARTDREAMERS level, there are security procedures that apply across the network and for all types of data.
10. Duration of processing
Personal data are stored for processing for the duration necessary to achieve the processing purposes mentioned in this policy and, subsequently, according to legal requirements.
Each employee of SMARTDREAMERS is responsible, in accordance with his duties, for the protection of personal data. Moreover, the following persons carry out specific tasks:
Management - is responsible for ensuring that SMARTDREAMERS fulfills its obligations regarding the protection of personal data provided by the GDPR.
The data protection officer, outsourced (AMPLUSNET) has the following tasks:
- Informing and advising the operator as well as the employees involved in the processing of their obligations under the GDPR;
- Informing the Management in a timely manner about all aspects of data protection (e.g. risks);
- Regular updating of the procedures and policies for the protection of personal data;
- Initiate and monitor the training of employees in the field of personal data protection;
- Providing on-demand advice on data protection impact assessment and monitoring of its operation;
- Cooperation with ANSPDCP; contact point regarding processing issues;
- Solving the requests of the data subjects, when they refer to the exercise of a right provided by the GDPR.
12. Rights of the data subject
Any data subject may exercise the following rights, as provided by the GDPR:
- The right of access;
- The right of rectification;
- The right to delete, after the expiry of the storage period or once the initial purpose of the processing has been reached;
- The right to restrict processing;
- The right to portability;
- The right to oppose processing;
- The right not to be the subject of a decision based solely on automatic processing, including profiling;
- The right to address ANSPDCP and the courts;
The requests for the exercise of the rights provided by the GDPR will be written, signed, and dated and submitted to the Data Protection Officer.
13. Transparency of information
SMARTDREAMERS aims to inform all data subjects that their personal data are being processed and that they are aware of:
- The mode and type of data processing;
- Purposes and legal grounds for processing;
- Exercise of rights in connection with processing.
In this regard, as well as in order to comply with the obligations stipulated by the GDPR, SMARTDREAMERS has appointed a Data Protection Officer, which can be contacted at firstname.lastname@example.org.