CONFIDENTIALITY OF PERSONAL DATA

Definitions:

1. “Personal data” or “data” means any information relating to an identified or identifiable natural person (‘data subject’); a natural person identifiable individual is a person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

2. “Processing of personal data” or “data processing” means any operation or set of operations on personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3.”GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

4.”Controller” means the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by the European Union (EU) law or the domestic law of an EU Member State, the controller or the specific criteria for its designation may be laid down in EU or domestic law.

In this document, when we use the term “controller” we usually mean GLOBAL CONSULTING WEB PRODUCTION LABS SRL (abbreviated as “the Company”) – when it processes personal data for purposes established by itself or by the law applicable to it – or, as the case may be, the Company and the entities that are associated operators for certain personal data processing operations when the purposes and means of the processing have been jointly established by us and these entities;

5.”Data subject” means any natural person whose personal data are processed. The category of data subjects also includes entities such as individuals (P.F.A.), sole proprietorships, individual forms of exercising specific liberal professions – “professionals”, such as individual medical practices, lawyer, notary, bailiff, accountant, certified translator, etc.; legal persons are not usually included in the category of ‘data subjects’ and information about them is usually not personal data.

6.”Processor” means the natural or legal person, authority, or body responsible for the processing operation. public authority, agency, or other body that processes personal data on behalf of the controller;

7.”Third party” means a natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and who, under the direct authority of the controller or the processor, is authorized to process personal data;

8.“Recipient” means the natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not it is a third party. However, the public authorities to whom personal data may be disclosed in the framework of a specific investigation under the EU or national law of an EU Member State are not considered recipients;

9.”Supervisory Authority” means an independent public authority established by an EU Member State responsible for monitoring the application of the GDPR. In Romania, the Supervisory Authority is the National Supervisory Authority for the Processing of Personal Data – “A.N.S.P.D.C.P.”;

10.”Biometric data” means personal data resulting from specific processing techniques relating to the physical, physiological, or behavioral characteristics of a person which enable or confirm the unique identification of that person, such as facial images or dactyloscopic data being subjected to such techniques;

11.”Health data” means personal data relating to the physical or mental health of an individual, including the provision of healthcare services, that reveal information about the health of the individual;


12.”Real beneficiary” as referred to in Article 4(4) of the Directive. 1 of Law no. 129/2019 on preventing and combating money laundering and terrorist financing, as well as on amending and supplementing certain legal acts, means any natural person who ultimately owns or controls a legal person and/or natural person on whose behalf a transaction, operation or activity is carried out and includes at least the categories of natural persons referred to in Art. 4 para. 2 of this normative act;

Company identification data:

GLOBAL CONSULTING WEB PRODUCTION LABS SRL is a Romanian legal entity with a registered office in the city of Popești-Leordeni, nr. 90 Leordeni street, Villa C7/1,Ilfov County, registered at the Trade Register under no. J23/2761/2018, CUI RO 39491248, website: https://webproductionlabs.com.

The Company’s activity is included in CAEN 6201 – Custom software development activities (client-oriented software). This class includes activities of writing (programming), modifying, testing, and supporting software products. It also includes writing software according to users’ instructions (client-oriented software).

This activity involves:

  1. designing the structure and content and/or writing the computer code required to create and implement:
    • software systems
    • software applications
    • databases
    • web pages
  2. adapting software to specific requirements, i.e. modifying and configuring an existing application so that it becomes compatible and functional within the client’s IT system environment.

Categories of processed personal data, purposes

1. The Company processes the following categories of personal data:

  • personal data relating to identity (name, surname, CNP, ID card series and number, facial or full image, address/residence), including the image of the ID card/passport;
  • ownership data (types of property – movable/property, rights to property);
  • contact details (landline/mobile number, work email, professional position/position, handwritten/electronic signature) for contractual partners or their legal representatives.

2. The Company shall not process the following categories of data from users of the services provided through the Company’s applications or terminals/beneficiaries of the Company’s services:

  • health data;
  • data relating to the commission of criminal offenses;


Such data will only be processed concerning the Company’s employees and only with their consent, and only those categories of data strictly related to the performance of the employment contract.

3. Purposes of data processing by the Company:

  • execution of transactions ordered by the data subject at the Company’s payment terminals/devices or produced by the Company for the beneficiaries of the Company’s services (e.g. parking payments, tax/tax payments, transport service payments, etc.);
  • providing information, taking action, responding to complaints and claims concerning transactions carried out on the Company’s devices or those of beneficiaries of the Company’s services;
  • execution of the Company’s services;


The identification data listed are collected also for the legal representatives or contact persons of the contractual partners (legal persons, institutions, authorities), for the purpose of the execution of the Company’s services.

The basis for the processing of personal data will always be the consent of the data subject. Without the input of personal data necessary to perform the requested operations through the Company’s applications, such operations will not be possible. Also, with regard to the data of the legal representatives/contact persons of the contractual partners, it will not be possible for the Company to conclude/execute collaboration/service contracts.

Withdrawal of consent will make any further processing of personal data impossible. However, withdrawal of consent will not affect previous data processing. Withdrawal of consent for marketing purposes will not affect other operations for the performance of which the data subject has entered his or her personal data in applications developed by the Company.

To whom personal data collected may be disclosed/transferred

The personal data we process may be disclosed/transferred by the Company in accordance with GDPR principles, on the basis of the applicable legal grounds, depending on the situation, and only under conditions of complete confidentiality and security.

Thus, personal data processed will be transferred to:

    • recipients of payments ordered by the data subject through the Company’s applications;
    • contractual partners (banks, recipients of payments ordered through the Company’s applications) only in connection with the execution of the operations ordered, and only those categories of data that are strictly necessary for the execution of the operations ordered through the applications developed by the Company;
    • national authorities (ANAF/ MAI, etc.) or local authorities, at their request, provided that they expressly provide us with the legal basis for the request and only in relation to operations carried out through the applications developed by the Company.
  • NO personal data processed will be transferred to other countries or international organizations;
  • NO automated decision-making processes or automated processing of personal data aimed at creating a profile of the data subject will be used.

Retention period of personal data processed

Personal data processed by the Company will be kept for a maximum of 3 years after the operations ordered by the data subject through the applications developed by the Company.

Rights of data subjects with regard to the processing of personal data

All data subjects are guaranteed the following rights with regard to their personal data processed by the Company. The Company shall treat with the highest degree of professionalism any requests related to the exercise of rights concerning personal data.

Each request is carefully considered, responses are documented and, whenever necessary, the Company takes corrective measures to ensure that we respect the rights of data subjects with regard to lawful processing and adequate protection of personal data.

The rights of data subjects are:

a) right of access: data subjects may obtain from the Company the confirmation that their personal data are processed, as well as information on the specifics of the processing such as: purpose, categories of personal data processed, the recipients of the data, the period for which the data are kept, the existence of the right to rectification, erasure or restriction of processing. This right allows data subjects to obtain a copy of the personal data processed free of charge;

  1. b) the right to rectification: data subjects may ask the Company to amend inaccurate data concerning them or, where appropriate, to complete any incomplete data;

  2. c) the right to erasure (“right to be forgotten”): data subjects may request erasure

their personal data when:

  • they are no longer necessary for the purposes for which we have collected and processed them;
  • consent to the processing of personal data has been withdrawn and the Company can no longer process them on other grounds;
  • personal data are processed unlawfully;
  • personal data must be deleted in accordance with the relevant legislation;

d) the right to withdraw consent: data subjects may, at any time, withdraw their consent to the processing of personal data processed on this legal basis. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal;

e) the right to object: data subjects may object at any time to processing for marketing purposes, as well as processing based on the legitimate interest of the Company, for reasons relating to their specific situation;

f) the right to restrict processing: data subjects may request the restriction of

processing of their personal data if:

  • they contest the accuracy of the personal data, for a period allowing us to verify the accuracy of the data concerned;
  • the processing is unlawful and the data subject objects to the erasure of the personal data, requesting instead to restrict their use;
  • we no longer need the data but the data subject requests it for legal action;

g) the right to data portability: data subjects may request, in accordance with the law, that the Company provide them with certain personal data in a structured, frequently used form that can be machine-readable. If data subjects so wish, the Company may transmit such data to another entity, if technically possible.

h) rights relating to automated individual decision-making: as a rule, individual data subjects have the right not to be subject to a decision taken solely by automated means, including profiling, if it produces legal effects concerning them or similarly affects them to a significant extent. They have the right to express their point of view, to challenge the decision, and to request human intervention (review of the automated decision by an employee of the Company).

i) the right to lodge a complaint with the National Supervisory Authority of

Processing of Personal Data (A.N.S.P.D.C.P.): data subjects have the right to

to lodge a complaint with the Supervisory Authority if they consider that their rights have been infringed


The contact details of the National Authority for the Supervision of Personal Data Processing are: 28-30 Gheorghe Magheru General Boulevard, District 1, postal code 010336 Bucharest, Romania, e-mail: anspdcp@dataprotection.ro.

In order to exercise the rights referred to in points a) – h) above, data subjects may send any request to the address of the Company, mentioned above in the Section under section B or by e-mail to office@webproductionlabs.com.

Protection of personal data processed

Specifically, the Company adopts and applies appropriate technical and organizational measures (policies and procedures, IT security, etc.) to ensure the confidentiality, integrity, and availability of personal data and process them only in accordance with the provisions of applicable legal provisions on personal data.

The Company’s employees are obliged to maintain confidentiality and may not unlawfully disclose personal data to which they have access in the course of their work.

All employees are regularly trained in the processing and protection of personal data.

If your data is involved in incidents that constitute security breaches and if our assessment of the incident leads to the conclusion that the incident is likely to result in high risks to your rights and freedoms as a data subject, we undertake to inform you of the occurrence of the breach and provide you with all information required by law in such cases.

Within the Company we ensure – both before entering into contractual relationships with partners/suppliers who need to have access to personal data (as processor) and throughout the period they have access to the data – that they:

  • process the data only on behalf of and under instructions from the Company (unless are legally obliged to process it);
  • have implemented appropriate technical and organizational measures to ensure appropriate data security;
  • undertake contractual obligations in accordance with the GDPR and these obligations are complied with;
  • do not disclose personal data to other authorized persons without prior authorization of the Company;

We guarantee that the Company will not sell the personal data of any data subject and will disclose such data only to those entitled to know them, in compliance with the principles and obligations established by law.

This policy is regularly reviewed to guarantee the rights of data subjects and to improve the ways of processing and protecting personal data.