GDPR : TEC: Digital Agency

GDPR MENTIONS

Definitions

TEC Software Solutions S.R.L. – SC TEC Software Solutions S.R.L. identified through J12/1130/2014, CUI 32971419, headquartered in Gherla, 12C Hasdatii St., Cluj County, Romania

Data Controller – Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed.

Data Processor – Data Processor means any natural or legal person who processes the data on behalf of the Data Controller.

Data Subject – Data Subject is any living individual who is using our Service and is the subject of Personal Data.

Principles for processing personal data

Our principles for processing personal data are:

Fairness and lawfulness. When we process personal data, the individual rights of the Data Subjects must be protected. All personal data must be collected and processed in a legal and fair manner.

Restricted to a specific purpose. The personal data of Data Subject must be processed only for specific purposes.

Transparency. The Data Subject must be informed of how his/her data is being collected, processed and used.

What personal data we collect and process

SC TEC Software Solutions S.R.L. collects several different types of personal data for various purposes. Personal Data may include, but is not limited to:

Email address

First name and last name

Phone number

Address, State, Province, ZIP/Postal code, City

How we use the personal data

SC TEC Software Solutions S.R.L. uses the collected personal data for various purposes:

To provide you with services

To notify you about changes to our services and/or products

To provide customer support

To gather analysis or valuable information so that we can improve our services

To detect, prevent and address technical issues

Legal basis for collecting and processing personal data

SC TEC Software Solutions S.R.L. legal basis for collecting and using the personal data described in this Data Protection Policy depends on the personal data we collect and the specific context in which we collect the information:

SC TEC Software Solutions S.R.L. needs to perform a contract with you

You have given SC TEC Software Solutions S.R.L. permission to do so

Processing your personal data is in SC TEC Software Solutions S.R.L. legitimate interests

SC TEC Software Solutions S.R.L. needs to comply with the law

Retention of personal data

SC TEC Software Solutions S.R.L. will retain your personal information only for as long as is necessary for the purposes set out in this Data Protection Policy.

SC TEC Software Solutions S.R.L. will retain and use your information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our policies.

Data protection rights

If you are a resident of the European Economic Area (EEA), you have certain data protection rights. If you wish to be informed what personal data we hold about you and if you want it to be removed from our systems, please contact us. In certain circumstances, you have the following data protection rights:

The right to access, update or to delete the information we have on you

The right of rectification

The right to object

The right of restriction

The right to data portability

The right to withdraw consent

Cluj-Napoca

23.04.2019

Privacy Policy

Introduction

TEC is firmly committed to respect the privacy of any individual and takes any necessary technical and organizational measures to ensure privacy and protection of all operations that involves, directly or indirectly, processing of personal data, against unauthorized and unlawfulness processing of those.

The new law, 679/2016, also known as General Data Protection Regulation (GDPR), which updates the rules of the Directive 95/46/CE, lies to the basis of this policy.

Definitions

TEC Software Solutions S.R.L., identified through J12/1130/2014, VAT No. RO 32971419, headquartered in Gherla, Hasdatii St., no 12, Cluj County, Romania:

Binding Corporate Rules– a set of binding rules put in place to allow multinational companies and organizations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organization).
Biometric data– personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Consent– any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, agrees to the processing of personal data relating to him or her.
Data Controller – Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed.
Data Processor– any natural or legal person who processes the data on behalf of the Data Controller.
Data Subject– The data subject is the person whose personal data are collected, held or processed.
Genetic data– personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Privacy impact assessment– a process designed to help organizations identify and mitigate privacy risks associated with proposed data processing activities.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling– any form of automated processing of personal data consisting of the use of data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymisation – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Principles: the fundamental principles imbedded within the GDPR which set out the main responsibilities for organizations.
Personal data breach:a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Restriction on processing– the marking of stored personal data with the aim of limiting their processing in the future.
Right of access– entitles the data subjects to have access to have access to and information about the personal data being processed by the data controller.
Special categories of personal data– personal data revealing a data subjects racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership or the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Audience

TEC’s Privacy policy applies equally to all TEC personnel, that have access to any resources, computing and communications that involves processing of personal data and 3rdParties with/from whom TEC will send and/or receive personal data.

Principles

Lawfulness, fairness and transparency
Having purpose limitations, specific/explicit scope(s)
Data minimization, to only gather what is needed to fulfill the stated scope and kept no longer than the intended scope
Taking reasonable steps to ensure Accuracy of personal data
Storage limitations, considering the scope, period needed, and retention policies organization has in place. Where is the case, old data will be removed or corrected without unnecessary delays
Integrity and confidentiality, as any important information it’s security should be preserved, as part of ourISMS. Only authorized personnel and agreed 3rd parties will have access to process this data
Accountability, TEC is responsible for compliance with the principles of the GDPR

What personal data we collect and process

We collect personal data only if required to provide our products or services, fulfil our legitimate business purposes and/or comply with applicable laws and regulations. Depending on your relationship with TEC we collect and process your personal data as follows:

Sales and marketing: contact details, identification information, information required to purchase our products and services, profile, role and preferences, login credentials, digital activity information and other information as may be relevant (e.g. information from publicly available sources) for the following main purposes: sales and marketing; advertising; creating and delivering targeted adverts and offers; conducting marketing campaigns; managing contacts and preferences; generating leads and opportunities; organizing and managing events; and engaging in social media interactions.

Online Data Collection Tools: digital activity information for the following main purposes: enabling efficient use of our websites, products and services; collecting statistics to optimize the functionality of our websites, products and services; improving user experience and delivering content tailored to their interests; and improving marketing and advertising campaigns.

Online surveys: contact details, login credentials, comments and feedback for the following main purposes: conducting customer satisfaction and engagement surveys.

Partner and supplier programs: contact details for the following main purposes: managing relations with partners and suppliers; engaging and delivering products and services to customers in which case we may receive personal data directly from you or from our partners.

Training and education: contact details for the main purpose of conducting internships, trainings and education programs for interns, customers, partners and suppliers.

Security and authentication: contact details, identification information and CCTV footage for the following main purposes: ensuring safety and security of TEC staff and premises; login credentials, protecting TEC’s network and other digital assets; providing access to restricted areas and information assets and protecting personal data from unauthorized access.

Non-TEC web sites and social media features. TEC sites or services may provide links to third-party applications, products, services or websites for your convenience or information. We may also provide social media features that enable you to share information with your social networks and to interact with TEC on various social media sites. TEC does not control third party sites or their privacy practices and we do not endorse or make any representations about third party sites. The personal data you choose to provide to or that is collected or shared by these third parties is not covered by this Policy. We encourage you to review the privacy policy of any site you interact with before allowing the collection and use of your personal data.

How we share personal data

TEC does not sell, rent or lease personal data to others except as described in this Privacy Policy. We may share and/or disclose your personal data as follows:

Disclosure to third parties. TEC retains suppliers and service providers to manage or support its business operations, provide professional services, deliver products, services and customer solutions and to assist TEC with marketing and sales communication initiatives. Those third parties may receive and process your personal data under appropriate instructions, as necessary to support and facilitate how we use your personal data. Suppliers and service providers are required by contract (Data processing agreement) to keep confidential and secure the information they process on behalf of TEC and may not use it for any purpose other than to carry out the services they are performing for TEC

Where TEC engages with partners, TEC may disclose your personal data to them in order to facilitate sales and delivery of its products and services. Partners are required by contract to keep confidential and secure the information received from TEC and may use it only for the said purposes, unless otherwise authorized by you or applicable laws and regulations.

Except as described in this Privacy Policy, TEC will not share your personal data with third parties without your permission, unless to: (i) respond to duly authorized information requests of police and governmental authorities; (ii) comply with law, regulation, subpoena, or court order; (iii) enforce/protect the rights and properties of TEC or its subsidiaries; or (iv) protect the rights or personal safety of TEC, our employees, and third parties on or using TEC property when allowed and in each case in accordance with applicable law.

Circumstances may arise where, whether for strategic or other business reasons, TEC decides to sell, buy, merge or otherwise reorganize businesses in some countries. Such a transaction may involve the disclosure of personal data to prospective or actual purchasers, or the receipt of it from sellers. It is TEC’s practice to seek appropriate contractual protection for personal data in these types of transactions.

How we transfer personal data internationally

TEC may transfer your personal data as necessary within the TEC group of companies and to other third parties. The recipients may be located in EU or US, which do provide the same or similar level of data protection. TEC will take steps to ensure personal data we transfer is adequately protected as required by applicable data protection laws.

TEC’s privacy practices described in this Privacy Policy comply with EU General Data Protection Regulation, including transparency, accountability, and choice regarding the collection and use of personal data.

Transfers to third parties. With respect to transfers to third parties located in countries which provide an adequate level of data protection, TEC will take appropriate safeguards such as signing Data Processing Agreements with the recipient and making sure that the country of the recipient is within the list of secure third countries for which the European Commission has confirmed a suitable level of protection in a decision of appropriateness.

How to manage communications and preferences

TEC may provide you with information that complements our products and services and/or communications about our new products, services and offers. If you or your organization purchased our products or services, you may receive alerts, software updates or responses to support requests that are part of our products and services. If you choose to receive TEC communications, you may also choose to subscribe to receive specific newsletters and publications.

Unsubscribe from communications. In the event you no longer wish to receive TEC communications, you can unsubscribe from such communications by:

Following opt-out or unsubscribe link and/or instructions included in each email subscription communication;
Indicating to the caller that you do not wish to receive calls from TEC anymore.

In the event your opt-out or unsubscribe request has not been resolved in a timely manner, please contact TEC with details of your name, contact information, and description of the communications you no longer wish to receive from TEC.

Please note that these options do not apply to communications relating to the administration of orders, contracts, support, product safety warnings, or other administrative and transactional notices, where the primary purpose of these communications is not promotional in nature.

Automatic Data Collection Tools

How TEC uses Automatic Data Collection Tools. TEC web sites use cookies, web beacons and other similar technologies (collectively, Automatic Data Collection Tools), to remember log-in details, collect statistics to optimize site functionality, improve your user experience and deliver content tailored to your interests.

When you enter your contact details on a web form on the TEC site, in order to subscribe to a service, download a white paper or request information about TEC’s products and service, your contact details may be stored in a cookie on your device. This information is then accessed on subsequent visits to TEC websites, allowing us to track and record the sites you have visited and the links you have clicked, in order to better personalize your on-line experience, and future TEC communications.

If you choose to receive marketing emails or newsletters from TEC, we may track whether you’ve opened those messages and whether you’ve clicked on links contained within those messages, through the use of web beacons and personalized URLs embedded in these communications. This allows TEC to better personalize future communications and limit these communications to subjects that are of interest to you.

Since cookies allow you to take advantage of some of our web sites’ features, we recommend that you leave them turned on. If you block, turn off or otherwise reject our cookies, some web pages may not display properly or you will not be able, for instance to use any web site services that require you to sign in.

Some of our websites use Google Analytics cookies. Information collected by Google Analytics cookies will be transmitted to and stored by Google on servers in the United States of America in accordance with its privacy practices. To see an overview of privacy at Google and how this applies to Google Analytics, visit https://www.google.com/policies/privacy/. You may opt out of tracking by Google Analytics by visiting https://tools.google.com/dlpage/gaoptout.

How to access, update or delete personal data

TEC strives to keep your personal data accurately recorded. We have implemented technology, management processes and policies to help maintain data accuracy. In accordance with applicable laws, TEC provides individuals with reasonable access to personal data that they provide to TEC and the reasonable ability to review and correct it.

To protect your privacy and security, we will take reasonable steps to verify your identity, such as the requirement to provide a copy of a user ID, before granting access to your personal data. To view and update the personal data you provided directly to TEC, you can return to the web page where you originally submitted your data and follow the instructions on that web page, use TEC Passport where enabled, or contact.

How we keep personal data secure

TEC takes seriously the trust you place in us to protect your personal data. In order to protect your personal data from loss, or unauthorized use, access or disclosure, TEC utilizes reasonable and appropriate physical, technical, and administrative procedures to safeguard the information we collect and process. All systems used to support TEC’s business are governed by TEC’s Information Security policies, which are built upon industry standards and best practices like the International Organization for Standardization (ISO) 27001 family of standards.

When collecting or transferring sensitive information we use a variety of additional security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. The personal data you provide us is stored on computer systems locked in controlled facilities which have limited access or on our online secure spaces in cloud. Access to your information is restricted to TEC employees or authorized third parties who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations. When we transmit sensitive information over the internet, we protect it through the use of encryption, such as the Transport Layer Security (TLS), Internet Protocol Security (IPSec), or Secure Socket Layer (SSL).

How long we keep personal data

Typically, we keep personal data for the length of any contractual relationship and, to the extent permitted by applicable laws, after the end of that relationship for as long as necessary to perform purposes set out in this Privacy Policy, to protect TEC from legal claims and administer our business. When we no longer need to use personal data, we will delete it from our systems and records or take steps to anonymize the data unless we need to keep it longer to comply with a legal or regulatory obligation. If you would like to receive more information about our data retention policies, please contact TEC.

Your rights in relation to your personal data. You may have the following rights to:

Request access or copies of personal data TEC processes about you;
Rectify your personal data, if inaccurate or incomplete;
Delete your personal data, unless an exception applies. For instance, we may need to keep your personal data to comply with legal obligation;
Restrict the processing of your personal data, in certain circumstances. For instance, if you contest accuracy of your personal data you may request that we restrict processing of your personal data for the time enabling us to verify the accuracy of your personal data;
Data portability, in certain circumstances. For instance, you may request us to transmit some of your personal data to another organization if the processing is based on your consent or a contract;
Object to processing of your personal data, in certain circumstances. For instance, you may object to direct marketing including use of your personal data for profiling for direct marketing or where we process your personal data because we have legitimate interest in doing so.

These rights may be limited in some situations such as where TEC can demonstrate that TEC has a legal requirement or legitimate interest to process your personal data.

If you would like to exercise your rights, please contact us here dpo@tecss.com.

Complaint with a supervisory authority. If you consider that the processing of your personal data infringes the GDPR, you have a right to lodge a complaint with a supervisory authority in the country where you live, or work, or where you consider that data protection rules have been breached.

If TEC processes your personal data on behalf of a TEC customer, then we will, in the first instance, refer your complaint to our customer to handle.

Privacy by design

The operator TEC integrates in its operations, practices and technologies, aspects regarding the compliance with GDPR Regulation. All business processes are substantiated by data protection guidelines when the situation calls for.

In support of the privacy “by design”, the operator undertakes the following:

– carrying out a Data protection impact assessment (DPIA), when the personal data processed are likely to harm the data subject

– updating the Privacy policy on a regular basis

– data encryption and pseudonymization

– limiting the processed data to the purpose

– data subjects are being informed of the existence of a Data Protection Officer

– the DPO is informed when new data processing occurs or is risk-generating

Privacy by default

This practice mainly concerns the digital data processing, performed by software applications, technologies, configured in such a way as to be aligned with the provisions of the Regulation. Some of the activities conducted by the operator fall into the category of privacy “by default”, including:

– personal administration application in which employees can only see their personal information

– informing data subjects about their rights in relation with the operator

– the company’s website is designed not to process additional data, except for the necessary ones (functionality cookies)

Personnel training on personal data protection

TEC sets up trainings every year for employees to keep them updated with the latest amendments to GDPR Regulation. Moreover, every new hire/collaborator is trained on his /hers first day of work.

How we deal with data subjects’ requests

TEC has drawn up for each request from data subject a procedure, in which the process of solving the requests is described in detail. The Data Protection Officer (DPO) will proceed to solve the request and send the answer (via phone, e-mail, mail / courier, as appropriate).

The response to the person’s request will be made without undue, within one month from receipt of the request. This period may be extended by one month when necessary, as regards the complexity and number of applications.

If you have any questions about our Privacy policy, any concerns or complaint regarding our collection and use of your personal data or wish to report a possible breach of your privacy, please contact TEC’s Data Protection Officer (DPO) at dpo@tecss.com. We will treat your requests and complaints confidentially.

Cluj-Napoca
24.11.2020

Procedure regarding the processing of personal data resulting from the CCTV surveillance system

Data processor: TEC SOFTWARE SOLUTIONS S.R.L., with headquarters in Gherla town, Hășdații St, no. 12, Cluj County, registered at the Trade Register Office under no. J12/1130/2014, tax code 32971419;

The person designated by the controller as the data protection officer: Florean Sergiu-Ionut

TEC SOFTWARE SOLUTIONS S.R.L., personal data processor under Regulation 679/2016 (hereinafter referred to as “GDPR”). This procedure concerns the processing by the operator of personal data resulting from the records of the CCTV surveillance system located at the entrance of the operator’s office, located in Cluj-Napoca, Plopilor St, no. 68, ground floor, Cluj County.

Categories of personal data subject to processing

– the appearance of employees and third parties entering the operator’s office and server room;

– the entries of employees and third parties at the processor’s office;

– the activity of employees involved every year in projects, exclusively for the duration of projects development.

Video recordings that capture the image of individuals entering the workplace are not biometric data, considering:

– the paragraph 51 in GDPR recitals

– the video recordings are specifically a series of photographs that capture the movements of people in chronological order and

– the video recording means that we use do not allow the unique identification of persons or the authentication of natural persons, by not having a facial identification software.

The purpose of the procedure

The purpose of this procedure sets out how the personal data mentioned in Chapter I are processed by the processor, namely ensuring the security of assets and persons, at its office located in Cluj-Napoca, Plopilor St, no. 68, ground floor, Cluj county.

The processing is also necessary to fulfill the legal obligation provided in art. 50 paragraph 1 letter e) of Law 333/2003.

The operator is among the units provided in art. 2 paragraph 1 of Law 333/2003, being a trading company regulated by Law 31/1990, and the CCTV surveillance camera represents an alarm system against burglary, according to the definition provided in art. 27 paragraph 5 of the same normative act.

Besides, obtaining / keeping up to date the ISO 27001 certification, requires the installation of a video surveillance system at the entrance in order to protect the company’s assets.

As regards the activity data of the employees involved yearly in the projects, the purpose of their processing is to ensure an efficient communication between the client of the operator who organizes the events and the operator. More specifically, the camera installed in the office does not store and / or archive the images but ensures a live streaming with the client strictly during the events. Live streaming to the customer is necessary so that it can identify the operator’s employees involved in the events that are available, if any problems arise or if the customer urgently needs to communicate something about the development of events.

The data processed by the operator resulting from the records of the CCTV surveillance system will never be used for the purpose of monitoring the activity of employees.

The basis for the processing of personal data

The personal data resulting from the recordings of the CCTV surveillance system are processed pursuant to art. 6 letter c of the GDPR: The processing is necessary for the fulfillment of a legal obligation of the operator.

With regard to data on the activity of employees involved yearly in projects, the basis of the processing is art.6 letter f of the GDPR: the processing is necessary for the purpose of the legitimate interests pursued by the operator or by a third party.

Regarding the latter data, the provisions of art. 5 of Law 190/2018 are applicable, thus the conditions for processing are being met.

Categories of persons to whom personal data processed by the operator will be disclosed/divulged

a. Operator’s employees, who have signed a confidentiality agreement with the processor regarding the personal data submitted to processing.

Sys Admin is the one to have access to personal data captured by the CCTV surveillance system, only on demand, in case of security incidents that require the consultation of video recordings.

b. Public institutions and authorities, to the extent that the operator has a legal obligation to disclose personal data to them or in so far as the data divulgement necessary for the exercise of the operator’s rights arising from a security incident (eg. disclosure of data to the Public Ministry, following the formulating by the operator of a criminal complaint under the aspect of committing the crime of theft, because the video camera captured the image of the offender).

c. Data on the employees’ activity involved annually in projects will be disclosed by default to the Client who organizes the events.

Expected deadlines for the deletion of data under processing

Personal data captured by video recordings will be deleted after a 30-day period from the recording.

In the event of a security incident at operator’s work point, the data necessary to investigate this incident and only those that are useful for identifying the offender (s) will be stored for as long as the criminal or civil liability of the offender (where appropriate, the limitation period of criminal or civil liability).

Data on the activity of employees involved in projects are not subject to storing.

Technical and organizational measures for the security of personal data

– Personal data resulting from CCTV surveillance system records will only be accessed in case of a security incident at the workplace

– On the assumption of a security incident, the data will be accessed as long as the investigation extent only by SysAdmin on request. SysAdmin is an employee or a person in charge of the operator bound by the obligation of confidentiality with regard to the data processed

– The operator collects just personal data that are necessary for the purposes of processing set out in Chapter II and lays down time-limits for retaining these data, unless a security incident occurs and the data are necessary for criminal or civil liability of the offender (s)

– Security measures of the space in which personal data are stored – personal data are stored in a space that is not accessible to third parties and which is equipped with an alarm and security system

– The CCTV surveillance system purchased by the operator is among the most secure on the market and is able to provide protection against unauthorized access by third parties.

The rights of data subjects

The right to be informed;
The right of access, rectification, erasure, restrict processing, object to processing;
The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing
The right to be informed about the breach of personal data security

Correlative obligations of the operator

The operator hereby provides the data subject with information on the actions taken following a request for the data subject’s rights, without undue delay and in any case within one month of receipt of the request. Data subject has the possibility to lodge a complaint against the operator, with the Supervisory Authority and to make a judicial appeal, if it takes no further action.

The operator shall inform the data subject of any such extension, within one month of the request, stating the reasons for the delay.

The operator will keep a record of the processing activities carried out under his responsibility. The records are put forward both in writing and electronic format.

Cluj-Napoca
22.10.2021