Communication on the processing of personal data and free movement
The purpose of this communication is to understand the obligations of each of us as a Controller, employer, employee, operator, user, recipient with respect to the processing of personal data and their free movement imposed by the EU Regulation 679/2016, which is applied as of May 25, 2018, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and is directly applicable in all Member States under the Treaty on the Functioning of the European Union.
This communication applies to the processing of personal data made by EASYDO DIGITAL TECHNOLOGIES S.R.L., with the registered office in Bucharest, Strada Doamnei, Nr. 14-16, building D, room C6-01-b, district 3, hereinafter referred to as the "CONTROLLER".
We process personal data through mixed means (manual and automatic) under conditions that ensure the security, confidentiality and respect of the rights of the data subjects, in accordance with the legislation in force.
We have implemented appropriate technical and organizational measures to ensure an appropriate level of security.
This document is relevant to all categories of people, regardless of their position: employee / former employee / potential employee; client and / or partner – natural person, representative of a legal partner, supplier or representative of a supplier; visitor to our website; user of our applications; visitor to our headquarters / business unit.
Definitions
Personal Data Processing
is any operation or set of operations that is performed on personal data by automated or non-automatic means such as: collecting, recording, organizing, storing, adapting or modifying, extracting, consulting, using, disclosing to third parties by transmission, dissemination or otherwise, joining or combining, blocking, erasure or destruction.
Personal Data
represents any information relating to an identified or identifiable individual; an identifiable person is that person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, psychological, economic, cultural or social identities.
Consent
free, explicit and unequivocal agreement of the data subject to have his or her personal data processed.
Controller
any natural or legal person, public authorities, institutions and any other public or private body that establishes the purpose and means of processing personal data.
Data subject
any natural person whose personal data is processed;
Operator
any natural or legal person, public authority or other body that processes personal data on behalf of the Controller. Each operator is responsible for ensuring the security of the data that he is handling.
Recipient
any natural or legal person, public authority, agency or any other entity to which personal data is disclosed, irrespective of whether it is a third party or not. However, public authorities to whom personal data may be communicated in a particular investigation under Union or national law shall not be considered as recipients; the processing of such data by the respective public authorities respects the applicable data protection rules in accordance with the purposes of processing;
Third party
a natural person / legal entity, a public authority, an agency or any body other than the data subject, the controller, the operator and the persons under the direct authority of the controller or the operator, that is authorized to process personal data.
User
Any person acting under the authority of the Controller with a recognized right of access to personal data bases. Each user is responsible for ensuring the security of the data that he is handling.
Storage
Storage is done for the period necessary to achieve the purpose for which the data was stored. Storing is done in a form that allows the identification of the data subjects for a period that does not exceed the period necessary for the fulfilment of the purposes for which the data is processed.
Privacy
Persons who process personal data on behalf of the Controller have acknowledged the confidentiality of these data and have been trained on how to operate them.
Data accuracy
Inaccurate and incomplete data, taking into account the purpose for which they were processed, can be completed / rectified.
Personal Data Breach
means a security breach that accidentally or unlawfully leads to the unauthorized destruction, loss, modification or disclosure of Personal Data transmitted, stored or otherwise processed, or to an unauthorized access to them.
Supervisory authority
means an independent public authority set up by a Member State pursuant to Article 51 of the GDPR. In Romania, the National Supervisory Authority for Personal Data Processing – ANSPDCP will carry out checks and apply sanctions on behalf of the EU.
- I. DPO – Data Protection Officer designated by the Controller.
- II. DPIA – Data Protection Impact Assessment.
Restriction of processing
means the marking of stored personal data in order to limit its future processing.
Profiling
means any form of automatic processing of personal data consisting of the use of personal data to assess certain personal aspects relating to a natural person, in particular to review or predict performance aspects at the workplace, the economic situation, health, personal preferences, interests, reliability, behavior, the place of the individual’s physical presence or movements.
Pseudonymization
means the processing of personal data in such a way that it can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures to ensure that such personal data is not allocated to an identified or identifiable natural person.
Encryption
means the security technique that ensures that personal data becomes incomprehensible to anyone who is not authorized to access it.
Table of contents
This communication includes the following:
- Measures adopted;
- What categories of personal data we process;
- The purposes for which we process personal data;
- The grounds on which we process personal data;
- The categories of people to whom we divulge the data;
- Data storage time;
- What repercussions exist if you do not provide us with personal data;
- Your rights under the laws in force and how you can exercise them;
- Data deletion;
- Our contact details.
A. Measures adopted
1. Confidentiality measures*
(Article 32 (1) b) of the GDPR)
1.1. Provide access control at the headquarters / business unit where personal data is processed.
Secured access system at headquarters and business units.
1.2. Secure control of the access to the system where personal data is processed.
Rules and regulations on access keys have been implemented.
1.3. Secure access control for the use of the system in which personal data is processed.
Designate authorized persons and give access only to these persons.
1.4. The following measures were taken:
We have developed a functionality in the database that anonymizes personal data from all logs and user history.
2. Measures to ensure the integrity of data*
(Article 32 (1) (b) of GDPR)
2.1. Measures or control of encryption / data transmission
(Article 32 (1) a) of the GDPR)
We took the following steps:
The data that arrives at the hosted server of the company is automatically encrypted.
2.2. Control of data entry
Measures to ensure the possibility of verification and determination at a later stage if and by whom the personal data in / from the data processing systems has been accessed, modified or deleted.
Allocation of individual access keys to persons who have been granted access to and registration of their actions / activities.
3. Measures to ensure the availability and resilience of data*
(Article 32 (1) (b) (c) of the GDPR)
Hosted servers of the company and back-ups
4. Process for periodic testing and evaluation of the effectiveness of technical and organizational measures*
(Article 32 (1) d) of GDPR)
Regular organization of stress / resilience tests
5. Workplace control / organizational measures
(Article 32 (1) of the GDPR)
Internal policy governing IT & C activity
6. Measures to ensure the limitation of the purpose of processing personal data (the impossibility of creating links).
Providing differentiated access privileges and operations for people with authorized access
7. Data protection from the moment of conception and by default
(Article 32 (1), 25 (1), (2) of GDPR)
Measures to ensure that data protection is considered from the moment of conception and by default, including transparency and the ability to intervene on data.
7.1. Data protection from the moment of conception and by default (in general)
The process of opening accounts and onboarding is integrated into the general IT administration system.
7.2. Measures to ensure transparency
Published the Privacy and Cookie Policy, with the possibility to opt in or opt out.
7.3. Measures to secure the rights of the data subjects
Published contact data dedicated to taking user requests to intervene (modify, delete, etc.) on data.
B. Categories of data. Purpose. Basis
1. Current or potential clients
We can process your personal data for:
1.1. Providing our services
at your request. We will use your personal information in order to be able to submit an offer, to conclude a contract, to execute the contract with you and to offer you the requested services. The data will be processed based on the need to conclude and execute a contract with you. We will mainly process your identity data (name, surname and data entered in the identity card, passport). The data will be processed throughout the contractual period.
1.2. Solving your requests
will be done by using your data made available to us as a result of our contractual relationships, in order to respond to your inquiries, complaints, requests, claims. The basis of the processing in this case will be the execution of the contract with you or your consent, as the case may be.
1.3. Communication for marketing purposes
In order to send you communications about our products / services, it is necessary to process your personal data (name, surname, e-mail address, telephone). Data processing, in this case, will be based on your consent.
2. Members (employees / collaborators / third parties) of our contractual partners – legal entities
We can process your data for:
2.1. Maintaining the contractual relationship
with the companies with which you have contractual or any other relationship or to whom you have given the consent to the transmission of the data to contractual partners. In order to be able to collaborate with the company with whom we have contractual relations, collaboration of any other nature or including with you to resolve situations, we will need to process personal data that relates to your person. Our processing is based on our legitimate interests. We will process your first name, last name, email address, phone number and other identification details we have access to. The data will be processed throughout the contractual period.
2.2. Communication for marketing purposes.
In order to send you communications about our products / services, it is necessary to process your personal data (name, surname, e-mail address, telephone). Data processing, in this case, will be based on your consent.
3. Our contractual partners – individuals (business partners / collaborative relationships – not clients)
We can process your data for:
3.1. Being able to conduct business / collaborative relationships with you.
In order to start and maintain the collaboration with you, it is necessary to process certain personal data. We will generally process the following data (name, surname, identity card, passport data, identification certificates). In this case, the data will be processed on the basis of the conclusion and execution of a contract between us.
3.2. Solving your requests
will be done by using your data made available to us as a result of our contractual relationships, in order to respond to any requests, complaints, claims. The basis of the processing in this case will be the execution of the contract with you or your consent, as the case may be.
3.3. Communication for marketing purposes.
In order to send you communications about our products / services, it is necessary to process your personal data (name, surname, e-mail address, telephone). Data processing, in this case, will be based on your consent.
4. Representatives of public authorities.
We may process personal data to fulfil our legal obligations, at the request of the public authorities, for maintaining registers provided by law and the like.
We will process personal data: name, surname, identity card data; passport; registration certificate; e-mail address.
5. If you are a visitor on our websites, our pages on social networks
We may use your personal data for the following purposes:
5.1. Improve our website.
In order to take account of the options expressed in the browsing sessions, we process data such as: IP address, cookies, other online identifiers, visit history, date and time of access, type of Internet browser.
The basis for personal data processing will in most cases be your consent or our legitimate interest.
5.2. If you post, comment, or like, on one of our social media pages,
we primarily process your data (username, e-mail address, profile photo). In these cases, we will base our processing on your consent.
5.3. Managing our communications, IT systems and their protection.
In order to ensure our security, manage our communications systems, IT, security audits, protect our data and systems against cyberattacks and any other attacks in the virtual environment, we will mainly process data such as IP address, date and time of accessing the website, and type of internet browser. The processing is based on our legitimate interest, or, as the case may be, the fulfilment of our legal obligations.
6. If you are a visitor to our premises / employee (headquarters, business units)
We process your personal data to ensure your access and security for individuals and objects. In order to ensure access to our premises, we will process personal data, namely: name, surname, required to issue the access code. In some of our rooms we have a video surveillance camera installed to ensure security. Thus, we will process images (video) of you. In all cases, we have indicated the places where the video surveillance cameras are installed, using plates, according to the law. Processing is based on our legitimate interest in ensuring security on the premises.
7. Third-party data processing.
If personal information is provided to us by you about other people, you must make sure that you have informed them and that you have advised them to review this communication about how Easydo Digital Technologies SRL processes personal data.
8. We may also process your data for the following purposes:
8.1. Solving your requests.
We will use your data to respond to your requests, applications, or any other questions you may have. Mainly, we will use the name, surname, email address; telephone and other information you include in the request you submit. The basis of the processing in this case will be either the execution of the contract with you or your consent.
8.2. At the request of the authorities, in order to provide a response or in other cases provided by law.
In the case of a legal obligation, we will communicate your data to the requesting authority, store the data for a certain period or process the data in a different way. The basis for processing is, in this case, the fulfilment of our legal obligation.
8.3. For making transactions or other operations.
For transactions or other operations, we may divulge your data to the bank, prospective purchasers and authorities. The data will be as limited as possible. The basis of processing is our legitimate interest or the fulfilment of a legal obligation.
8.4. Defense of rights.
We may process your data to defend our rights or others’, before courts, arbitral tribunals, mediators, notary offices, bailiffs, public authorities, other bodies (as an example, but not limited to, lawyers, experts, auditors, specialists). The basis of processing is our legitimate interest or the fulfilment of a legal obligation.
8.5. Fraud prevention
In order to carry out our activity legally, we may process your data and may only transmit or grant the right to review your data to counsellors / auditors / lawyers in order to prevent fraud or other unlawful acts. The basis of processing is our legitimate interest and our legal obligations to ensure the legality of our operations in the field of money laundering prevention.
9. The categories of people to whom we disclose the data.
As a rule, we will not disclose personal data to other individuals or businesses.
However, in some cases, we may need to disclose your data, such as:
- To fulfil a legal obligation to public authorities, natural or legal persons;
- To fulfil a legitimate interest of our company, to other companies or individuals or legal entities acting as operators in various fields such as: payment services, services that we can outsource, or to public authorities, other persons, courts;
- To defend and exercise our rights or other persons’ rights.
In all cases, we will ensure that the personal data transmitted is processed under confidentiality and security, respecting your rights and the purpose for which it was transmitted.
At this time, we do not transfer personal data to third countries or international organizations. If necessary, we will notify you in a timely manner to exercise your rights under the applicable law.
10. Data storage period
The data will be stored according to the purpose of the processing, the data category being processed and our privacy policy. Storage periods are based on legal provisions, contractual duration and / or your agreement (obligations to store certain data, applicable terms of prescription, purposes of our activity).
11. What repercussions exist if you do not provide us with your personal data.
If you do not provide the required data, we will not be able to respond to your requests, to send you communications about our offers / services, to conclude or negotiate a contract with you.
12. Your rights under the laws in force and how you can exercise them.
12.1 The right to be informed
When the data is obtained directly from the data subject – at the time of obtaining the data;
If the data is not obtained directly from the data subject:
- within a reasonable timeframe (at most one month from the time of data collection);
- in the case of data that is subject to communication with the data subject, at the time of the first communication with the data subject, at the latest;
- before data is disclosed to third parties or at the time of disclosure, at the latest;
12.2 The right of access
You have the right to gain access to collected personal data related to you or copies thereof. You also have the right to obtain from us information about:
- The purposes of the processing;
- What categories of personal data we process;
- Recipients to which personal data has been or will be transferred, in particular recipients from third countries or international organizations;
- The storage period or, when it is not possible, the criteria used to determine the storage period.
12.3. The right to rectification of data
You have the right to ask for rectification of the inaccuracies in the data about you that we process.
12.4. The right to delete (the right to be forgotten)
You have the right to obtain the deletion of your data collected / processed by us under the conditions provided by the EU Regulation on the processing of personal data.
12.5. The right to restrict data processing
You have the right to restrict the processing of data concerning you that we process.
12.6. Right of opposition
Any data subject has the right to oppose the processing of his or her personal data by us or on our behalf for grounds related to the particular situation in which he or she is – Art. 21 of the EU Regulation.
12.7. The right to data portability.
Any data subject has the right to the portability of personal data processed by us to another controller.
12.8. Right to withdrawal of consent
If personal data is processed based on your consent, you have the right to withdraw your consent. The lawfulness of the data processing, made previously, will not be affected by the withdrawal of the consent.
12.9. Right on the individualized decision-making process
You have the right not to be the subject of a decision based exclusively on automatic processing.
12.10. The right to lodge a complaint with the supervisory authority
You have the right to refer a complaint to the Supervisory Authority regarding the processing of your data by us or on our behalf.
This is the National Authority for Surveillance of Personal Data Processing (ANSPDCP).
13. Data deletion
Deleting data – removing or eliminating, in whole or in part, personal data from records, by reaching the retention period, when reaching the purpose for which they were entered.
The personal data deletion procedure is established when the company has received a request from you, from the data controller and complies with the requirements of EU Regulation 679/2016.
You may ask us to delete your personal data, but only if:
- personal data is no longer required for the purposes for which they were collected or processed; or
- you have withdrawn your consent (if the data processing is based on consent); or
- you exercise a legal right to oppose; or
- it has been illegally processed; or
- we have a legal obligation to do so.
We have no obligation to comply with your request to delete your personal data if processing of your personal data is required:
- to comply with a legal obligation; or
- for establishing, exercising or defending a right in court.
There are certain other circumstances in which we are not obliged to respect your request for data deletion, although these are the most likely circumstances in which we may decline your request.
Data deletion will be done by authorized personnel after checking your request and identifying the circumstances and complying with the legal requirements imposed by EU Regulation 679 / 2016.
Data deletion will be provided through a report on the removal procedure.
A response confirming the deletion of personal data as requested, or stating the reason for the legal obligation to store the data, will be provided within the legal term.
14. How to exercise your rights.
In order to exercise one or more of the rights provided by law or to ask any question about any of these rights or any details regarding the processing of your personal data by us, you may use our contact information:
EASYDO DIGITAL TECHNOLOGIES S.R.L.
Registered office: Bucharest, Str. Doamnei, no. 14-16, building D, room C6-01-b, district 3
Mailing address: Bucharest, Str. Ion Otetelesanu, no. 2, 1st floor, district 1