General Data Protection Regulation Policy

1. Information on the processing of personal data and the data processing controller

The protection of your personal data is very important to ELMAS. We want you to be properly informed about how and why ELMAS processes your personal data. Therefore, as a personal data controller, we are releasing this Personal Data Processing Policy to explain how we process and protect personal data to meet our obligations to guarantee and protect the fundamental rights and freedoms of individuals, in particular the right to intimate, family and private life. Our identification data is: ELMAS SRL., Trade Register no. J08/840/1991, VAT Reg. No. RO 1115033, B-dul Griviței nr. 1Y, Brașov, Brașov County

2. General

“Personal data” means information about an identified or identifiable individual (“the data subject”), relating to the name, address, personal identification number, IP or telephone number, location data, an online identifier, or one or more elements specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity. Every time we ask for your personal information, we’ll explain the purpose for which we need it, where and how we keep your data and who has access to it. Of course, please be advised that, whenever you want, we will make available to you the information we hold about you and we will erase it upon your request. ELMAS takes appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of illegal processing. In this respect, in compliance with the provisions of Regulation (EU) 679/2016, ELMAS has appointed a data protection officer.

3. Principles of data processing by ELMAS

3.1. ELMAS processes personal data in good faith and in accordance with the legal provisions in force. 3.2.  ELMAS collects personal data for well-defined, explicit and legitimate purposes, and further processing shall not be incompatible with these purposes. 3.3.  The personal data is appropriate, relevant and non-excessive in relation to the purpose for which it is collected and further processed. 3.4.  ELMAS stores the personal data only for a period of time necessary to achieve the purposes for which it is collected, unless there are legal provisions stipulating other periods. 3.5.  ELMAS has taken appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of illegal processing, as well as for erasing or rectifying inaccurate or incomplete data in view of the purpose for which it is collected and for which it will be further processed.

4. Categories of data subjects whose data is processed by ELMAS

Elmas processes in its activity the data of the following categories of persons:
- Our contractual partners, such as suppliers and customers (“Business Partners”);
- Visitors and users of our websites, accessible at the elmas.ro, etc. addresses and all the micro-websites thereof (“Website Users”);
- Users of our mobile Apps (“App Users”);
- Persons who wish to apply for a position with Elmas (“Applicants”);
- Participants in Elmas vocational training programmes (“Apprentices”);
- Elmas employees (“Employees”);
- Visitors of Elmas showrooms and other facilities (“Visitors”);
- Potential clients.

5. Data categories and purposes of its processing by Elmas

The personal data covered by this Personal Data Processing Policy includes identification elements, such as first and last name, first and last names of legal representatives, date and place of birth, telephone/fax, home/residence address, email address, personal identification number, ID card series and number, job, profession, training - diplomas - education, banking details or the like serving to identify you or the persons you represent or representing you.

ELMAS will collect, use, process and provide your personal data for purposes such as advertising, marketing and publicity, statistics, organizing courses, seminars, business events, educational purposes for the organization of vocational training programmes, for the issuance of any financial-accounting documents, the conclusion of contracts or other documents necessary for the activity of ELMAS.

The personal data is intended for use by ELMAS and it is collected through online platforms or directly from the data subject. Some of this data may be communicated to ELMAS contracting parties or to state authorities, as the case may be.

The collection and processing of personal data of minors by ELMAS shall only be done with the explicit consent of the parents or other legal representatives.

We collect and process your personal data when you interact with us (for example, the information you provide us by filling in the forms on our websites or by contacting us by phone, email or any other means). This includes information you provide when you register to use one of our websites, when you subscribe to our services by filling in an enrolment form or otherwise, when you sign up for promotions, order a product or request an offer.

The information you provide may include the name, address, email address and telephone number, as well as other information, as the case may be.

Every time you visit our websites, we automatically collect the following data:

  • technical data, for example the Internet Protocol (IP) address used to connect your computer to the Internet, the login information; this data may be collected and processed on our behalf through third-party cookies. More information is available by visiting  www.elmas.ro/politica-cookies.php;

  • data about your visit, for example this may include complete Uniform Resource Locators (URL), the click sequence to, through and from our websites (including date and time), the information or products you have viewed or searched for, the average number of items viewed on our websites, page interaction information, or any email address used to contact our customer service representatives.

We will not collect or process any of your sensitive personal data (for example, information about racial or ethnic origin, political, religious or philosophical beliefs, health, sexual life or orientation), unless (i) obliged by law; and/or (ii) you have provided your explicit consent separately. If you voluntarily provide us sensitive personal data, by interacting with our Websites or by contacting us by telephone, email or in any other way, at your own will and not at our request, we shall erase such personal data from our systems unless we consider its processing to be necessary for a legitimate purpose of Elmas, except if you made this data public (for example, in a publicly accessible message forum), in which case we shall erase this data from our Websites only if the law so requires or if we do not wish to keep it.

In some cases, we obtain your personal data (such as your name, address, email address and phone number, personal description and photo, age, date of birth, and sex) from third parties, such as business partners, subcontractors for technical, payment and delivery services, advertisers, analytical service providers, market research service providers, recruitment agencies, etc. When you visit and register with one of our online platforms, we may obtain your personal data from a third-party social communication provider if you voluntarily opt to register through that third-party social communication platform.

If we obtain your personal data from a third party, we will provide you with all relevant processing information as soon as possible, but in any case no later than one month after the processing of your personal data, including the categories of personal data undergoing processing, the purpose of the processing and its legal basis.

6. How we use personal data and the legal basis of the processing

General

We may process your personal data:

- for the performance of a contract we have concluded with you;
- to observe a legal obligation (for example, employment relationship, accounting, taxation laws);
- when necessary for our legitimate interests and your interests (for example, for fraud detection and prevention, or for IT and network security), unless your fundamental rights prevail over these interests;
- if necessary to protect your vital interests (or the vital interests of others);
- if necessary for the public interest or for official purposes.

We may process your personal data for various technical, administrative and operational reasons, such as:

- drawing up documents specific to the commercial partnership;
- the security of persons and buildings;
- to ensure that content is presented in the most efficient way for you and your computer;
- to improve our Websites, including the functionality thereof;
- to manage our Websites; for internal operations, including debugging, data analysis, testing, research, statistics and research purposes;
- for advertising and marketing, including for specific marketing purposes, so we can offer content, including personalized content, that may be of greater interest to you;
- as part of our efforts to keep our Websites safe.

In some cases, we will process your personal data only with your consent. In these cases, we will separately request your consent in a transparent manner when you provide your personal information. Subsequently, you will be able to withdraw your consent at any time. However, the withdrawal of the consent will not affect the legality of any processing that occurred prior to its withdrawal.

When we request personal data to comply with legal or contractual obligations, the provision of such personal data by you is mandatory. This means that, if such personal data is not provided, we will not be able to manage the contractual relationships or observe the obligations imposed by law. In all the other cases, the provision of personal data is optional and you are under no obligation to provide it.

We may also process your personal data, such as identification data, contact details, and address of residence, in order to exercise our rights in the future. This processing is based on our legitimate interest, and we need to exercise our rights in the event of possible litigation.

Most frequently, we will use your personal data in the following situations:

a. Business partners:

For the purpose of providing services, delivering goods and making payments/collecting the amounts due under contracts, we may process your personal data, such as identification data, business contact details, bank details, and VAT registration number for entities registered for VAT purposes. This processing is based on (i) the performance of a contract to which you, as a Business Partner, are a party, (ii) our legal obligations, and (iii) our legitimate interest.

In some cases, we process personal data such as the names and contact details of employees or representatives of the Business Partners for the purposes of communications relating to the performance of a particular contract with the Business Partners. This processing is based on (i) the performance of a contract to which the Business Partners are a party, (ii) our legal obligations, and (iii) our legitimate interest.

As a Business Partner, we may provide you with communications about our new products and services. If you no longer wish to receive these communications, you may opt-out by sending us an email to  protectia.datelor@elmas.ro .

b. Site Users and Clients:

For the purpose of providing services, delivering goods and collecting the amounts due under contracts and orders, we may process your personal data, such as identification data, contact details, bank details. This processing is based on (i) the performance of a contract to which the Site Users/Customers are a party or (ii) our legal obligations.

We may process your personal data so that we can provide you with information about goods or services we believe are of interest for you.

If you are an existing customer, we may contact you via email, post, SMS or push notifications through Mobile Apps with information about goods and services similar to those that were previously sold or negotiated with you for sale, unless you have opted otherwise previously.

If you are a new/potential customer, we will contact you electronically only with your prior consent. If you do not wish for us to use your data in this way, check the appropriate box in the form by which we collect your data (or the registration form) or inform us about it using the contact details listed below. If you have installed a Mobile App and you no longer wish to receive push notifications, you can change the settings on your mobile device or the Mobile App.

c. Applicants and Apprentices:

In connection with the participation in a recruitment or vocational training process, we can collect and process your personal data (identification data, social status, education and professional experience, CV, etc.) for the purposes of preselection/selection, drawing up the documents provided by the labour law and the tax legislation as well as for communicating with you and other people interested in the recruitment/vocational training process. This processing is based on (i) the legitimate interest of Elmas, (ii) the performance of a contract to which you are a party, or (iii) your consent.

d. App Users:

In connection with your use of our mobile apps, we may collect and process your personal data, such as identification data, contact details, debit or credit card information, and geographic location data, when:

  • you register to use our Mobile Apps (including free trials) and provide us with information about you for this purpose;

  • you make a comment, rating, or other post using our Mobile Apps;

  • you interact with us using our Mobile Apps;

  • you interact with us by other means, such as by telephone, fax, SMS, email, social communication, or posts related to a Mobile App;

This processing is based on (i) the performance of a contract to which the App Users are party by registering in such Mobile Apps; (ii) our legitimate interests to check the user account data for the services provided in the territory where you usually reside and for detecting and preventing fraud; (iii) our legal obligations; and/or (iv) your consent to information messages about the products and services offered by ELMAS, newsletters, promotional campaigns and other marketing information sent by or on behalf of ELMAS.

e. Elmas Employees:

In order to observe the legal provisions regarding the performance of the employment contract and the fulfilment of the tasks by the employees, Elmas will process the personal data of the Employees, such as identification data, family data, financial data, banking details, data on health at work, contact details, signature, image, copies of personal documents, etc. The legal grounds for such processing are as follows: (i) the conclusion and performance of an employment contract, (ii) the legitimate interest of Elmas and (iii) the consent of the individual in certain cases.

f. Visitors of Elmas showrooms and other facilities („Visitors”);

In order to comply with the legal provisions on the security of persons and property, Elmas will process the personal data of the Visitors, such as identification data, image, etc. The legal grounds for such processing are as follows: (i) the legitimate interest of Elmas and (ii) the consent of the individual in certain cases.

7. Information on the length of data storage

We intend to retain your personal data only for as long as it is necessary, for a period not exceeding the one required to meet the purposes for which the data was collected and/or required by the relevant laws with respect to the applicable legal minimum retention periods and/or as necessary to exercise our legitimate rights (and the legitimate rights of others).

For example, if you are a Business Partner, we will retain your personal data for the period of the contractual relationship with you. In the case of a continuous business relationship with you as a Business Partner (for example, if we can use the same personal data in separate contractual relationships with you), we will retain such personal data until the cessation of our commercial relationship and for the minimum retention period imposed by law.

In the case of employees, the personal data relating to the specific labour law documentation is archived and stored until the termination of the contractual relationship or the expiry of the retention periods for specific documents set out by the tax legislation and the labour law.

In the case of App Users, we will retain your personal data for the period the Mobile App is downloaded or the period set out by the relevant legislation.

For more information about how long we retain your personal data, please contact us at  protectia.datelor@elmas.ro.

Please note that we may process any of your anonymised personal data without notifying you in advance.

If we process your personal data under your consent, such personal data will be processed only for the period provided by your consent, unless you withdraw or limit your consent before the expiry of that period. In such cases, we will cease the processing of such personal data for the purposes for which it was collected, subject to any legal obligation to process such personal data and/or our need to process such personal data for the purpose of exercising our legitimate rights (including the legitimate rights of others).

8. Personal data recipients. How and to whom we disclose your personal data

We shall not sell your personal data to third parties.

In principle, we only process personal data for the business purposes of ELMAS.

Within Elmas, only a limited number of personnel, such as in the Sales, Legal, Production, Technical, Accounting and IT departments, may have access to your personal data on a need-to-know basis.

Such personnel are subject to confidentiality obligations with respect to personal data.

Appropriate technical and organizational measures are taken to protect personal data. The Elmas personnel have the right to manage personal data only according to the instructions issued by Elmas and in relation to their work duties.

Personal data may be communicated to governmental authorities and/or law enforcement agencies if required by applicable laws or if necessary for the exercise of our rights or for the protection of our legitimate interests (including the legitimate interests of third parties) in accordance with the applicable laws.

Your personal data may also be disclosed to third parties, including:

(i) service providers providing Elmas administrative, professional and technical assistance for IT, security, accounting and human resources support;

(ii) business partners, suppliers and subcontractors for the performance of all the contracts we conclude with you;

(iii) analytics and search engine service providers that help us improve and optimize our Websites;

(iv) courier service providers;

Elmas may also disclose personal data to external consultants (e.g. lawyers, accountants, auditors) if necessary.

In some cases, we may disclose personal data to our Affiliated Companies on a need-to-know basis. Elmas implements appropriate safeguards in the relationship with its affiliates to secure these personal data transfers and its processing.

Elmas may share personal data with its Affiliated Companies and other third parties in the context of certain types of transactions, including in the context of transactions involving a change of control over the Company, the substantial sale of all of its assets, or business restructurings.

Elmas wishes to make an appropriate prior assessment in the selection of third party service providers and requires these service providers to maintain adequate technical and organizational security measures to protect personal data and to process personal data only in accordance with the instructions issued by Elmas. Service providers will be entitled to use subcontractors to provide services to Elmas, provided that the subcontractors observe the same data protection obligations as the service providers.

9. Data transfers to third parties or third countries

We shall not share your personal data with third parties for marketing purposes without your explicit consent to that effect.

We shall not sell your personal data to third parties.

In principle, we use your personal data only within our own company, including in affiliated companies.

Your personal data that we collect is stored in Romania, but in some legally justified situations it can be transferred to the European Union (“EU”) and the European Economic Area (“EEA”). However, the information collected by third parties via cookies shall generally serve the traffic from a data centre closest to where the traffic originates. This means that such information, including ad traffic, may be managed by servers located in the EEA and may be transferred outside the EEA. For more information, see the Cookie Policy www.elmas.ro/politica-cookies.php.

We intend not to transfer your personal data outside the EEA unless there are adequate safeguards, including:

    1. an adequacy decision issued by the European Commission regarding the country or countries of destination;

    2. a „privacy shield” certification”;

    3. appropriate binding corporate rules;

    4. an approved code of conduct, along with the binding and enforceable commitments of the data controller or processor in the country outside the EU and EEA;

    5. an approved certification mechanism, along with the binding and enforceable commitment of the data controller or processor in the country outside the EU and EEA to apply the appropriate safeguards; or

    6. EU standard contract clauses approved by the European Commission.

You may request at the Elmas headquarters or the Data Protection Officer of Elmas more details about the transfers and the appropriate safeguards that Elmas has in place prior to possible data transfers.

10. Your rights as data subjects

Under the EU/679/2016 Regulation, you have the following rights in relation to the processing of your personal data:

-Right to information - you can request information about the processing of your personal data;

-The right of access to data - you also have the right to obtain, upon request, the confirmation whether or not data related to you is being processed by ELMAS.

-The right to rectification - you can have your inaccurate personal data rectified or you can supplement it;

-The right to data erasure (“the right to be forgotten”) - you can have your data erased if the processing was not legal or in other cases provided by the law;

-The right to restrict processing - you may request the restriction of processing if you challenge the accuracy of the data, as well as in other cases provided by the law;

-The right to oppose - you may justifiably and rightly oppose the processing of personal data in certain cases provided by the law;

-The right to data portability - you may receive, under certain conditions, the personal data you have provided us in a machine-readable format or you may request to have the data transmitted to other controller;

-The right to file a complaint - you can file a complaint about the method of processing your personal data with the National Supervisory Authority for Personal Data Processing;

-The right to withdraw your consent - in cases where the processing is based on your consent, you can withdraw it at any time. The withdrawal of your consent will only have effect for the future, the processing carried out before the withdrawal remaining valid;

-The right not to be subject to an individual decision - Another right you are entitled to is to ask and obtain the withdrawal/cancellation/reassessment of any decision having legal effect on you, adopted solely on the basis of personal data processing using automated means, designed to evaluate some aspects of your personality, such as professional competence, credibility, conduct or other such issues.

-The right to address the courts - at the same time, you have the right to address the courts for the protection of any rights guaranteed by law that have been violated.

For the exercise of these rights, you may submit a written request, dated and signed, using the contact details indicated in this Personal Data Processing Policy.

11. Ways to exercise rights

If you wish to exercise these rights, please contact us via the contact persons listed below. We hope we can answer all of your questions about how we process your personal data. However, you also have the right to file a complaint with the data protection supervisory authorities.. You may file the complaint in the Member State you live in, work in or where the alleged data protection law break occurred.

12. The use of cookies

Our websites use cookies.

When you use our Internet pages, cookies are saved on your computer with your permission. Cookies are small text files saved on your hard disk, classified on the browser you use, by which the entity that places them receives certain information.

This helps us provide you a good experience when browsing our Websites and also allows us to improve our Websites. This processing is based on your consent expressed on our Websites or the settings in your browser. For detailed information about the cookies we use, the period we use them and the purposes for which we use them, see our Cookies Policy www.elmas.ro/politica-cookies.php.

Cookies cannot run programs or send viruses to your computer. These files have the role of making Internet browsing more friendly and efficient.

We or the third parties managing our web pages use the following types of cookies, whose volume and mode of operation are explained below:

-Temporary cookies are automatically deleted when you close your browser. These include especially session-cookies. They save an identification number, the so-called session-ID, through which various visits made from your browser can be classified in a common session. This way, your computer can be identified when you return to our website. Session-cookies are deleted when you log off or close your browser.

-Persistent cookies are automatically deleted after a certain period, which may differ according to the cookie. You may delete the cookies from your security settings at any time.

-You can configure the browser settings according to your wishes and, for example, you may refuse to accept Third-Party Cookies or all cookies. In this context, please note that you will not be able to use all of the features of this website.

13. Social media services

Our websites may include social communication features, such as Facebook, Twitter, Instagram, LinkedIn or YouTube buttons. These features can collect information about you, such as the IP address and the websites you visit, and set a cookie to allow proper operation. The processing of this information through interactions with these features is governed by the disclosure notice/privacy policy of the company providing them (see the section on your rights above).

Please note that as operator of this page we do not receive information about the content of the data transmitted and its use by the social media services. More information about what social media services use data is collected on Facebook, Twitter, Pinterest, or YouTube, and about how this data is used is available from the related data protection provisions at:

Social media operator

Address

Data protection statement

Facebook

Facebook Inc.1601 S. California Ave, Palo Alto CA 94304, USA

http://ro-ro.facebook.com/about/privacy/

Youtube

Google Inc.1600 Amphitheatre Parkway, Mountain View CA 94043, USA

http://www.google.ro/intl/ro/policies/privacy/

Twitter

Twitter Inc.795 Folsom St., Suite 600, San Francisco CA 94107, USA

http://twitter.com/en/privacy

Pinterest

Pinterest Europe Ltd. Palmerston House, 2nd Floor Fenian Street Dublin 2, Ireland

https://policy.pinterest.com/ro/privacy-policy

14. Links to other websites

Any of our Websites may contain links to websites the Company does not control. After clicking on a third-party link, you will be directed to the third-party website. If you visit any of these linked websites, you need to review their privacy policies. We are not responsible for the policies and practices of other companies. Our company does not control and assumes no responsibility for the content, privacy policies and information notices or practices of third-party websites or services.

15. Additional information

15.1 Protection of minors

Children and young people under 18 do not have the right to submit us personal data without the consent of their parents or guardians. We do not specifically request personal data from children or young people, we do not collect it knowingly and do not pass it on to third parties.

15.2 Contact information

You have the right to revoke at any time the agreement expressed for the processing of your data, as well as to submit any request regarding the exercise of your rights through the following channels:

Please do not disclose sensitive personal data (e.g. information about racial or ethnic origin, political opinions, religious or other beliefs, health or membership to a trade union), social security numbers or information related to the criminal record when you contact us.

15.3 Changes to this Data Protection Statement

We reserve the right to modify this Personal Data Protection Policy at any time, with effect for the future. A current version can be consulted at any time on our website. Please visit our website regularly and consult the current version.

The status of this Data Protection Statement: June 2018

Top