CERTSIGN S.A. (hereinafter referred to as “certSIGN”), with the registered office in Bucharest, 207A, Oltenitei Bvd, building C1, 1st floor, room 16 , S4, registered with the Trade Register Office under the no. J40/484/17.01.2006, CUI 18288250, telephone: 0311 011 870, Fax: 021 311 9905, E-mail: email@example.com, dully represented by Adrian Floarea, CEO, as a personal data controller, processes the personal data provided by you in order to provide certification services for electronic signature, in accordance with the provisions of Regulation (EU) no. 910/2014 of EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”) and other legal provisions of the Union or national law relating to data protection.
Purposes and grounds for the processing of personal data
The purposes of processing your personal data are to provide certification services for the issuance of digital certificates and, if you have given your consent, the transmission of newsletters, promotional materials, marketing communications, commercial offers or any other relevant information on the products and services of certSIGN.
In order to provide certification services, certSIGN has the legal obligation to verify your identity in accordance with the provisions of art. 24 par. (1) of Regulation (EU) 910/2014 and collects your data through the certSIGN registration platform.
The legal ground of the processing is art. 6 para. (1) lit. b) of the GDPR, respectively in order to take steps at the request of the data subject before concluding a contract, art. 9 para. (2) letter a), respectively your consent for the processing of biometric data for your unique identification, by processing the facial image transposed into biometric data, as well as art. 6 para. (1) lit. a) of the GDPR, respectively your consent to the transmission of newsletters, promotional materials, marketing communications, commercial offers or any other relevant information about the products and services of certSIGN.
The processing of the biometric data mentioned above involves obtaining and comparing the biometric templates from the photo of the identity card and from the photo of your face and is done through the videolD application (https://www.electronicid.eu/en/solutions/videoid).
The biometric template is the digital reference of the distinct features that were extracted from a biometric sample. Biometric templates are used during the video identification process. Basically, what is compared are not the photos (from the identity card and the one obtained during the interview, but the biometric templates of the two photos). The biometric proof is in this case the photograph itself.
The categories of personal data we process
Your personal data that we process are the following: telephone number, email address, name, surname, personal numerical code, series and number of the identity card, address, as well as all other personal data included in your identity document, copy of the identity document and video recording of the interaction with the certSIGN agent in order to verify the identity (if you opted for the video identification).
Also, if you have given your consent for identity verification through the videolD application, we also process your biometric data.
Transmission of data and the consequences of non-compliance
The transmission of the personal data mentioned above is required when registering the request for a digital certificate. Your refusal to provide the data makes it impossible to register the request for the digital certificate issuance through the platform of certSIGN.
If you do not want to receive promotional materials and marketing communications regarding our products and services, we will not process your data for this purpose.
Also, if you do not choose to verify your identity by video recording, we will not process your biometric data or record the interaction with the certSIGN agent.
Duration of personal data processing
If you complete the procedure for issuing the digital certificate, the personal data processed by certSIGN will be stored for a period of 10 years from the date of expiry of the certificate issued for you, in particular to be able to prove the certification within a possible litigation.
The data may also be processed after this date, when there is a legal binding or a legitimate interest in this regard.
Please note that the biometric template is not stored, being deleted as soon as the result of the comparison operation described in the first section of this Information Note has been generated, the result of the comparison operation being kept within the 10 years mentioned above.
If after providing the data in the certSIGN platform, you no longer want the digital certificate or do not complete the issuance procedure within 60 days of registration in the platform, certSIGN will delete all personal data collected in the platform.
Also, if you no longer wish to receive newsletters, promotional materials, marketing communications, commercial offers or any other relevant information about our products and services, certSIGN will no longer process your data for this purpose.
Transmission of personal data for the processing purposes of certSIGN
Your personal data may be disclosed: to you to exercise your rights under the GDPR, to the company’s shareholders, auditors, the supervisory body under applicable law, public authorities and institutions under public law obligations, lawyers to represent us in the event of a dispute or for advice, to bailiffs for contractual communications or the execution of any court decisions, debt collection companies, certSIGN’s contractual partners for concluding and executing the contract (such as courier companies), certSIGN affiliates and in any other situations justified with your prior notice, but only for the purpose of fulfilling the purpose mentioned above and pursuing with priority the protection of your rights. Also, the data in the certificate may be disclosed to third parties who base their conduct on the certification services provided by certSIGN (in relation to which you use the certificate), and if the third parties are public institutions, other personal data in the identity document may be disclosed, in addition to those in the certificate, for the purpose of proving certification.
Transfer of data outside the European Union
certSIGN does not transfer your personal data outside the European Union.
Rights of Data Subjects
As a data subject, you have the following rights under the General Data Protection Regulation:
Right to information: the right to be informed about the identity and contact details of the controller and the Data Protection Officer, the purposes for which the data are processed, the categories of personal data concerned, the recipients or categories of recipients of the data, the existence of the rights provided for by the legislation on the protection of personal data for the data subject and the conditions under which they may be exercised.
Right of access to data: the right to obtain from the data controller confirmation that the personal data concerning you are or are not processed by it;
Right to rectification: the right to obtain the rectification of inaccurate data concerning you, as well as the completion of incomplete data;
The right to withdraw your consent at any time, provided that the data processing operation is based on your consent and the digital certificate has not been issued.
In case of consent withdrawal, after the issuance of the digital certificate, we will store the data for a period of 10 years from the date of certificate expiry in particular, in order to prove the certification in case of any dispute.
The right to delete data before the digital certificate is issued. After issuing the digital certificate certSIGN will store your data for the 10-year period mentioned above.
Right to data portability, insofar as the data processing operation is based on your consent.
The right to file a complaint to the ANSPDCP for the protection of any rights guaranteed by the applicable legislation in the field of personal data protection that have been violated.
To exercise these rights, you can submit a written request, dated and signed, to the Department of Personal Data Protection of certSIGN:
If you submit a request regarding the exercise of your rights regarding the protection of personal data, you will receive a response within 30 days, under the conditions provided by GDPR.