INFORMATION NOTE ON THE PROCESSING OF PERSONAL DATA

CERTSIGN S.A. (hereinafter referred to as “certSIGN”), with the registered office in Bucharest, 207A, Oltenitei Bvd, building C1, 1st floor, room 16, S4, registered with the Trade Register Office under the no. J40/484/17.01.2006, CUI 18288250, telephone: 0311 011 870, Fax: 021 311 9905, E-mail: office@certsign.ro, duly represented by Adrian Floarea, CEO, as a personal data controller, processes the personal data provided by you in order to provide certification services for electronic signature, in accordance with the provisions of Regulation (EU) no. 910/2014, of EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”) and other legal provisions of the Union or national law relating to data protection.

Purposes and grounds for the processing of personal data

The purposes of processing your personal data are:

  • to provide certification services for the issuance of digital certificates, the use of the certificate for the electronic signing of documents by the certificate holder, the delivery of the digital certificate and the token, if the digital certificate is issued on a cryptographic device (token), including the payment of the trust service, according to Article 6 (1) (b) of the GDPR;
  • to identify the certificate holder and to validate his identity by verifying the identity data from the identity document containing the photo of the data subject in order to issue the qualified digital certificate, face to face or by video means, according to article 6 (1) (c) of GDPR in conjunction with Article 24 (1) of the eIDAS Regulation;
  • your unique identification by processing the biometric data, respectively the processing of the facial image rendered into biometric data, in case the identification was made by video means, according to art. 6 (1) (a) of the GDPR;
  • identification and authentication of the data subject for the use of Paperless signing applications belonging to certSIGN, according to article 6 (1) (c) of the GDPR;
  • to enable your access to and use of the Paperless signing platforms belonging to certSIGN, according to article 6 (1) (b) of the GDPR;
  • to renew the digital certificate upon the request of the data subject, as per art 6 (1) (b) of the GDPR;
  • to confirm the validity of the electronic signature certificate, at the request of the holder or at the request of a person who bases his conduct on the trusted services provided by certSIGN or in a judicial procedure, as the case may be, according to:
    • Article 6 (1) (b) GDPR for validation at the request of the data subject; or
    • Article 6 (1) (c) GDPR in conjunction with Article 24 (2) (h), (3) (4) of the eIDAS Regulation for validation in the other situations;
  • to revoke/suspend the certificate under the conditions laid down in the contract according to article 6 (1) (b) of the GDPR or as a result of a legal obligation of certSIGN according to article 6 (1) (c) GDPR in conjunction with article 24 (3) (4) of the eIDAS Regulation;
  • in case you have made a purchase of remote certification services, we will process your data in order to respect the right of withdrawal that you exercised according to GEO 34/2014 on consumer rights in contracts concluded with professionals, as well as for modification and completion of some normative acts, corroborated with art. 6 (1) (c) GDPR;
  • to ensure the security of systems and databases in accordance with Article 6 (1) (c) GDPR in conjunction with Article 24 (2) (e), (f), (i) of the eIDAS Regulation;
  • to prevent and / or identify frauds according to art. 6 para. (1) lit. (c) GDPR in conjunction with art. 24 para. (2) lit. (g) of the eIDAS Regulation;
  • to comply with the legal obligations of the data controller (e.g. transmission of information representing personal data at the request of competent public authorities, establishment and permanent updating of the database of electronic signature certificates) according to Article 6 (1) (c) GDPR in conjunction with the provisions of the eIDAS Regulation (Article 24 (2) (k));
  • to store data for a period of 10 years from the expiration of the electronic signature certificate. These data can also be used in a judicial procedure, in addition to the purpose of ensuring the continuity of the service according to art. 6 para. (1) lit. (c) GDPR in conjunction with art. 24 para. (2) lit. (h) of the eIDAS Regulation;
  • to send newsletters, promotional materials, marketing communications, commercial offers or any other relevant information regarding certSIGN products and services if you have given your consent in this regard, according to Article 6 (1) (a) GDPR;
  • to pursue the legitimate interests of the data controller or a third party such as for the internal reports of the controller or for streamlining the company’s processes, for managing contracts or supporting accounting documents, for resolving complaints, for auditing or verifying internal processes, for defending the rights of the controller such as the recovery of claims held by him under Article 6 (1) (f) of the GDPR;

The legal grounds for data processing operations refer to Article 6 (1) (a), (b), (c) and (f) of the GDPR, as detailed above.

The categories of personal data we process

Your personal data that we process are, as the case may be, the following:

  • telephone number, email address;
  • name, surname, personal numerical code, series and number of the identity card, address, as well as all other personal data included in your identity document, copy of the identity document;
  • if your identification was made by video means, video recording of the interaction with the certSIGN agent in order to verify the identity, image and voice (in case you agreed to enter the video conference in order to identify yourself by video means);
  • also, if you have given your consent (art. 6 (1) (a) GDPR) for the processing of biometric data for the purpose of your unique identification by processing the facial image translated into biometric data, we also process this category of data.

The processing of the biometric data mentioned above involves obtaining and comparing the biometric templates from the photo of the identity card and from the photo of your face and is done through the VideoID application (https://www.electronicid.eu/en/solutions/videoid).

The biometric template is the digital reference of the distinct features that were extracted from a biometric sample. Biometric templates are used during the video identification process. Basically, what is compared are not the photos (from the identity card and the one obtained during the interview), but the biometric templates of the two photos. The biometric proof is in this case the photograph itself.

  • handwritten signature
  • data contained in the digital certificate
  • electronic signature and the number of signatures granted / used in the case of digital certificates for remote signing
  • the membership of the certificate holder in the account of a client who sent certSIGN the request for issuing the digital certificate
  • OTP/TOTP authorization code
  • IBAN code for the refund of the price in case you express your right of withdrawal
  • the mailing address for delivery of the digital certificate and the token, in case the certificate is issued on a cryptographic device (token)
  • logs/IPs.

Transmission of data and the consequences of non-compliance

The processing of personal data is mainly necessary for the signing of electronically signed documents, respectively for the issuance of digital electronic signature certificates and for the use of certSIGN’s Paperless signing applications. Personal data is thus necessary to identify the data subject for the issuance of digital certificates.

The personal data mentioned above are processed directly by certSIGN or with the help of other operators with whom we associate in order to identify future certificate holders and register certificate issuance applications, in compliance with art. 26 of the GDPR.

certSIGN may also process personal data for the purpose of identifying future certificate holders and registering applications for the issuance of certificates and by authorized persons providing adequate guarantees, in accordance with art. 28 of the GDPR. Such persons may be legal persons to whom the attributions of the delegated registration authority of certSIGN have been delegated or providers of the identification solution by video means.

The refusal to provide the data necessary for the issuance of the digital certificate and the provision of certification services, leads to the impossibility of issuing the certificate, respectively of using the electronic signature.

Duration of personal data processing

After the issuance of the digital certificate, personal data related to the identification of the certificate holder and the digital certificate will be stored for a period of 10 years from the date the certificate issued for you expires, in particular to prove the certification in any dispute and in order to ensure continuity of service in accordance with Article 6 (1) (c) GDPR in conjunction with Article 24 (2) (h) of the eIDAS Regulation.

The data may also be processed after this date, when there is a legal obligation or a legitimate interest in this regard.

Please note that the biometric data is not stored; it is automatically deleted as soon as the result of the comparison operation described in the above section on data categories has been generated.

If, after providing the data, you no longer wish to have the digital certificate issued or do not complete the issuance procedure within 60 days of requesting the digital certificate, certSIGN will delete all personal data collected.

Also, if you no longer wish to receive newsletters, promotional materials, marketing communications, commercial offers or any other relevant information about our products and services, certSIGN will no longer process your data for this purpose.

Transmission of personal data for the processing purposes of certSIGN

Your personal data may be disclosed: to you to exercise your rights under the GDPR, to the company’s auditors, the supervisory body under applicable law, public authorities and institutions under public law obligations, lawyers to represent us in the event of a dispute or for advice, to bailiffs for contractual communications or the execution of any court decisions, debt collection companies, certSIGN’s contractual partners for concluding and executing the contract (such as legal entities to which the attributions of delegated registration authority have been delegated, courier companies, providers of video identification services or electronic payment providers, support and maintenance service providers, certSIGN affiliates) and in any other justified situations with your prior notice, but only for the purpose of fulfilling the purpose mentioned above and pursuing with priority the protection of your rights. Also, the data in the certificate may be disclosed to third parties who base their conduct on the certification services provided by certSIGN (in relation to which you use the certificate), and if the third parties are public institutions, other personal data in the identity document may be disclosed, in addition to those in the certificate, for the purpose of proving certification.

Transfer of data outside the European Union

certSIGN does not transfer your personal data outside the European Union.

Rights of Data Subjects

As a data subject, you have the following rights under the General Data Protection Regulation:

Right to information: the right to be informed about the identity and contact details of the controller and the Data Protection Officer, the purposes for which the data are processed, the categories of personal data concerned, the recipients or categories of recipients of the data, the existence of the rights provided for by the legislation on the protection of personal data for the data subject and the conditions under which they may be exercised.

Right of access to data: the right to obtain from the data controller confirmation that the personal data concerning you are or are not processed by it;

Right to rectification: the right to obtain the rectification of inaccurate data concerning you, as well as the completion of incomplete data;

Right to restrict processing if the data subject has objected to the processing for the legitimate interests of certSIGN or third parties or if certSIGN no longer needs personal data, but the data subject requests them for finding, exercising or defending a right in court;

The right to withdraw your consent at any time, provided that the data processing operation is based on your consent.

The right to delete data before the digital certificate is issued. After issuing the digital certificate certSIGN will store your data for the 10-year period mentioned above.

Right to data portability, insofar as the data processing operation is based on your consent or is grounded on the contract concluded with you.

Right to object for reasons related to your particular situation regarding the processing of data carried out in order to pursue the legitimate interests of certSIGN or third parties.

certSIGN will notify the recipients to whom it has disclosed personal data of any deletion, rectification or restriction of the processing of personal data carried out in accordance with art. 16, 17 paragraphs (1) and 18 of the GDPR, unless this proves impossible or involves disproportionate efforts.

The right to file a complaint to the ANSPDCP (the National Supervisory Authority for Personal Data Processing) for the protection of any rights guaranteed by the applicable legislation in the field of personal data protection that have been violated.

To exercise these rights, you can submit a written request, dated and signed, to the Department of Personal Data Protection of certSIGN:

  • Email address: dpd@certsign.ro
  • Fax: (+4021) 3119905
  • 29A, Tudor Vladimirescu Blvd, AFI Tech Parc 1, 2nd floor, Bucharest, S5.

If you submit a request regarding the exercise of your rights regarding the protection of personal data, you will receive a response within 30 days, under the conditions provided by GDPR.
