Privacy and security policy for the processing of personal data
Privacy and security policy for the processing of
personal data
The protection of your personal data is very important to TPA ROMANIA GROUP (this includes all companies linked via their shareholders to the Austrian company “TPA Quintus Holding GmbH” and legally domiciled in Romania, hereinafter “TPA ROMANIA” or “the operator”), which is a Romanian legal person located at Strada Grigore Cobălcescu 46, 2nd Floor, Ap.4, Sector 1, 010196 Bucharest.
We want you to be properly informed about the ways in which and for what purposes TPA ROMANIA processes your personal data.
The purpose of this Personal Data Processing Privacy and Security Policy (hereinafter “Privacy and Security Policy”) is to outline TPA Romania’s principles with respect to the processing of personal data and to establish appropriate technical and organisational measures and the responsibilities of TPA ROMANIA employees tasked with the processing of personal data and, where this is case, persons empowered by TPA ROMANIA to fulfil the obligations regarding the guarantee and protection of the fundamental rights and freedoms of natural persons, in particular the right to privacy, family and private life with regard to the processing of personal data.
If you find any errors in the processing of personal data concerning you, please inform us as soon as possible using any of the means specified in Section 7 of this Privacy and Security Policy.
- The principles of personal data processing
1.1 Personal data is processed by TPA ROMANIA in good faith and in accordance with the legal provisions in force.
1.2 Personal data is collected by TPA ROMANIA for well-defined, explicit and legitimate purposes, and further processing will not be incompatible with these purposes.
1.3 Personal data is appropriate, relevant and non-excessive in relation to the purpose for which it is collected and subsequently processed.
1.4 Personal data is not to be stored by TPA ROMANIA for a longer period than is necessary to achieve the purposes for which it was collected and as long as TPA ROMANIA is under a legal obligation.
1.5 TPA ROMANIA has taken appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorised access or any other form of illegal processing, as well as the erasure or rectification of inaccurate or incomplete data with regard to the purpose for which they are collected and for which they will be further processed.
2. Types of data and the purpose of using personal data
The personal data referred to in this Privacy and Security Policy includes identification information such as the first and last name, of legal representatives, gender, date and place of birth, age, nationality, telephone/fax number, home address/residence, email address, identity card/passport number, job title, profession, education and qualifications, banking data or similar information that serve to identify you or the persons representing you or that you represent.
TPA ROMANIA will collect, use and process your personal data for the purposes of generating statistics, organising courses, seminars, and training programmes, issuing financial, human resources, payroll and accounting documents, and concluding contracts or any other documents required by TPA ROMANIA.
Personal data is intended for use by TPA ROMANIA and is collected by designated persons. Some of this data may be transferred to the contractual partners of TPA ROMANIA.
The collection and processing of the personal data of minors by TPA ROMANIA will be performed only with the explicit consent of the parents or other legal representatives.
- General rules
3.1 This Privacy and Security Policy sets out the technical and organisational measures implemented by TPA ROMANIA to meet the obligations regarding confidentiality and security of the data processing carried out in the course of its business. The security requirements involve a complex package of technical , informational, organisational, logistical measures and procedures that ensure a minimum level of processing security, according to the provisions of national legislation.
3.2 TPA ROMANIA has adopted appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorised access or any other form of illegal processing. In this respect, a person is designated on behalf of TPA ROMANIA who is responsible for complying with the provisions of Law no. 190/2018 and of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and on the repealing of Directive 95/46/EC (hereinafter referred to as “GDPR”)
3.3 In order to meet the relevant legal provisions and satisfy the requirements on the safe storage of data and information, TPA ROMANIA has developed and implemented organisational and technical measures focused on certain courses of action:
– User identification and authentication
– Types of access
– Data collection
– Execution of backups
– Computers and access terminals
– Access files
– Staff training
– Telecommunication systems
– Computer usage
– Printing of data
- Specific procedures
4.1 User identification and authentication
The term user means any person acting under the authority of TPA ROMANIA or any person authorised by TPA ROMANIA, with a recognised right to access personal data.
To gain access to personal data, users first need to identify themselves.
In the case of automated processing, the identification is performed by authentication in the IT systems of TPA ROMANIA. Authentication is performed by entering unique login data consisting of a username and a password.
Passwords are security strings that are compliant in terms of length and composition with TPA ROMANIA’s IT security policy. When entering passwords, the characters are not displayed clearly on the screen. According to the IT Security Policy of TPA ROMANIA, passwords must be changed periodically.
The operator has implemented an IT system that can automatically deny a user access after several wrong password inputs.
Any user granted access to the personal information database is informed that he/she must respect the confidentiality of the authentication data be held accountable by the operator in this regard.
TPA ROMANIA has established a procedure for administering and managing user accounts provided under TPA ROMANIA’s IT Security Policy. In accordance with the provisions thereof, clear rules are established with regard to the granting and cancellation of rights and means of accessing the user account.
User access to manually managed personal information databases is permitted strictly based on a list approved by TPA ROMANIA’s management.
4.2 Types of access
Users can only access the personal data they require in order to fulfil the tasks assigned by TPA ROMANIA. In this respect, access types by functionality (e.g. administration, input, processing, rescue, etc.) and actions applied to personal data (e.g. writing, reading and deleting), as well as procedures for these types of access, have been put in place.
Developers of personal data processing systems have access to personal data under a strict privacy agreement signed with TPA ROMANIA, exclusively where necessary, with each transaction being documented.
The technical support department may have access to personal data in order to resolve incidents and problems encountered in the use of IT systems.
Computers and servers containing databases of personal information are located in controlled access rooms. Documents containing personal data of the type considered special categories of data are kept in restricted access rooms.
The operator has established strict ways to destroy personal data.
4.3 Data collection
TPA ROMANIA designates authorised users for the collection, input and processing of personal data in a computer system or in a manual system.
Any changes to personal data may only be made by authorised users designated by the operator.
The operator has taken steps to ensure that the information system keeps a record of the person making the change, as well as the date and time the change was made.
4.4 Execution of backups
The computer system automatically performs a back-up of the databases on a daily basis for the purposes of data recovery in event of the loss, destruction or malfunctioning of computer systems.
TPA ROMANIA establishes the timeframe for the backups of personal information databases as well as the programs used for automated processing. The users executing these backups are designated by the operator in limited numbers. Backups are stored in a safe location with restricted access that is different from the room where the backup was made.
4.5 Computers and access terminals
Computers and other access terminals are installed in lockable restricted access rooms.
If the computers are left switched on without any user input for a certain amount of time, the duration of which is established by the administrator, the session ends automatically.
Users are trained to close personal information databases when unauthorised persons are nearby.
Servers hosting databases can only be accessed in a controlled manner based on access rights.
4.6 Access files
TPA ROMANIA takes steps to ensure that any access to the personal information database is recorded in an access file called a log (in the case of automated processing of personal data) or a register (in the case of manual processing of personal data).
The following information is recorded in the log file and/or the register:
– identification code (the username for databases of manually processed data)
– the name of the file being accessed
– the number of records made
– type of access
– the code for the operation performed or the program used
– date of access (year, month, day)
– time of access (hour, minute, second)
For automated processing, this information will either be stored in a general access file or in separate files for each user.
The operator is required to keep access files for at least 2 years in order for them to be used as evidence in investigations. If the investigations are extended, these files will be kept until the investigations and any actions relating to them are complete.
Access files must allow for the operator or the person empowered by the operator to identify persons who have accessed personal data for no particular reason, for the purposes of applying penalties or notifying the competent authorities.
4.7 Telecommunication systems
TPA ROMANIA, through its authorised users, periodically checks authentication and access types to detect malfunctions in the use of telecommunication systems. Only when strictly necessary will personal data be transmitted through its telecommunication systems.
4.8 Staff training
Users with access to personal information databases are trained in the provisions of the GDPR regulation, in the minimum security requirements for the processing of personal data in keeping with the provisions of the IT Security Policy of TPA ROMANIA, and in the importance of maintaining confidentiality and the risks involved in the processing of personal data.
Users with access to personal data will received notifications in the form of messages on their screens while carrying out their activity. Users are obliged to end their work session when they leave the workplace.
4.9 Computer usage
To maintain the security of the processing of personal data (especially against computer viruses), TPA ROMANIA has taken the following measures:
– it has forbidden the use of software originating from unsafe sources
– it does not allow users to have administrator privileges on computers
– it only uses licensed software
– it has trained users in the IT Security Policy of TPA ROMANIA and other general IT operating policies, including in terms of the danger of computer viruses
– its computers are protected by antivirus software
– it monitors user activity
4.10 Printing of data
Personal data may only be printed by designated users and only for the purposes specified in these Rules.
- The rights of persons whose personal data are being collected and/or processed
Under the GDPR regulation, you have the following rights with regard to the processing of your personal data:
5.1 The right to information
Under Articles 13 and 14 of the GDPR regulation, with the exception of cases where you are already in possession of thereof, you have the right to be provided by TPA ROMANIA with information about the following:
i. the identity and contact details of the controller and the controller’s representative
ii. the purposes of the processing, as well as the legal basis or legitimate interest pursued by the controller through the processing
iii. the recipients or categories of recipients of the personal data, as applicable
iv. the intention to transfer the personal data to a third country or international organisation, as applicable
v. the storage period or, if the period cannot be established, the criteria used to determine that period
vi. your right to request access to, rectification and erasure of your personal data, as well as to request a restriction to the processing of your personal data, your right to object to processing and your right to data portability (the right to object to processing will be presented clearly and separately from all other information)
vii. your right to withdraw consent at any time for processing performed based on your consent (the withdrawal of consent will not affect the lawfulness of processing performed based on consent given prior to its withdrawal)
viii. your right to lodge a complaint with the National Supervisory Authority For Personal Data Processing (ANSPDCP)
ix. whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to entering into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of any failure to do so
x. whether the data was collected directly from the data subject, the source where the data originates and, where applicable, whether it originated from publicly available sources.
5.2 The right of access to data
Under Article 15 of the GDPR regulation, you have the right to obtain from TPA ROMANIA, upon request, confirmation as to whether or not personal data concerning you are being processed and to receive, free of charge, a copy of the personal data subject to processing, as well as information about the following:
- the purposes of the data processing
ii. the categories of personal data involved
iii. the recipients or categories of recipients to whom the personal data have been or are to be disclosed, including, in the case of a transfer to a third country or an international organisation, a description of the appropriate safeguards in place
iv. the envisaged storage period or the criteria used to determine this period, where possible
v. your right to request the rectification, erasure and restriction of processing of personal data or to object to such processing
vi. your right to lodge a complaint with the National Supervisory Authority For Personal Data Processing (ANSPDCP)
vii. any available information regarding the source of the personal data where this was not collected directly from the data subject
For any further copies requested by the data subject, TPA Romania may charge a fee to cover its administrative costs.
5.3 The right to rectification
Under Article 16 of the GDPR regulation, you have the right to request of TPA Romania, upon request and free of charge, the rectification of inaccurate personal data concerning you. In terms of the purposes of the data processing, you have the right to request that incomplete personal data be completed, including through the provision of an additional statement.
5.4 The right to erasure
Under Article 17 of the GDPR regulation, you have the right to request of TPA Romania the erasure of personal data concerning you in any of the following cases:
i. where personal data are no longer necessary in respect of the purposes for which they were collected or otherwise processed
ii. where you withdraw the consent on which the data processing is based and there is no other legal ground for the data processing
iii. where you object to the data processing and there are no overriding legitimate grounds for the data processing
iv. where the personal data was unlawfully processed
v. where the personal data must be erased in order to achieve compliance with a legal obligation under EU or Romanian law to which TPA Romania is subject
5.5 The right to restrict processing
Under Articles 18 and 19 of the GDPR regulation, you have the right to request of TPA Romania a restriction of processing where one of the following applies:
i. you have contested the accuracy of the personal data (with the restriction applying for a period sufficient for TPA Romania to verify the accuracy of the personal data)
ii. the processing is unlawful but you oppose erasure of the personal data and request a restriction of their use instead
iii. TPA Romania no longer requires the personal data in question for the purposes of processing but these data are required by you in the establishment, exercising or defence of legal claims
iv. you have objected to processing pending verification of whether the legitimate grounds of TPA Romania override those of the data subject
When one of the cases of processing restriction applies, with the exception of storage, the personal data will only be processed with your consent or for the limited purposes as listed under the GDPR regulation.
5.6 The right to data portability
Under Article 20 of the GDPR regulation, you have the right to receive the personal data you provided to TPA Romania in a structured, commonly used and machine-readable format and then to transmit those data to another controller without hindrance from TPA Romania in the following cases:
- the processing is based on the consent given by you for one or more specific purposes, or the processing is necessary for the performance of a contract to which the individual is party, or in order to take certain steps at the request of the individual prior to entering into a contract
ii. the processing is carried out by automated means
Where technically feasible, upon request, TPA Romania will transmit the personal data directly to another controller.
5.7 The right to object
Under Article 21 of the GDPR regulation, you have the right at any time to oppose the processing of your personal data by TPA ROMANIA, even if your data is processed in pursuit of the legitimate interests pursued by TPA. In this event, TPA Romania will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or is required to do so in respect of the establishment, exercise or defence of legal claims.
Furthermore, you have to right to object at any time to the processing of your personal data for direct marketing purposes, including profiling. If you choose to object, TPA Romania will cease to process your personal data for such purposes.
5.8 The right not to be subject to an individual decision
Under Article 22 of the GDPR regulation, you are entitled to request and obtain the withdrawal/annulment/re-evaluation of any decision with legal effect on you adopted solely on the basis of the personal data processing carried out by automated means intended to produce legal effects concerning you or similarly significantly affecting you.
5.9 The right to appeal to justice
Under Article 79 of the GDPR regulation, you have the right to appeal to the courts in order to defend any rights guaranteed by the GDPR regulation that have been violated and then to obtain an effective judicial remedy where you consider that your rights under the regulation have been infringed as a result of the processing of your personal data in non-compliance with the regulation.
Please note that any proceedings against TPA Romania will be brought before the Romanian courts
In order to exercise any of the rights listed above, you may submit to us a written, dated and signed request using the contact details provided in Section 7 of this Privacy and Security Policy.
6. Disclosure of personal data to third parties
Any data collected are disclosed to third parties only if TPA ROMANIA is under a legal obligation to do so. In all other cases, any disclosure to third parties of any other personal data will be made only with your express prior consent.
- Contact
For any questions or other queries, please contact TPA ROMANIA using the contacts details provided on the TPA ROMANIA website.
Final provisions
This document contains the entire set of security procedures for the processing of personal data approved by TPA ROMANIA’s management, including the IT Security Policy of TPA ROMANIA.