CERTSIGN S.A. (hereinafter referred to as “certSIGN”), with the registered office in Bucharest, 207A, Sos. Oltenitei, building C1, 1st floor, room 16 , S4, registered with the Trade Register Office under the no. J40/484/17.01.2006, CUI 18288250, telephone: 0311 011 870, Fax: 021 311 9905, E-mail: office@certsign.ro, as a personal data controller, processes your personal data submitted in order for us to provide certification service under the provisions of (UE) 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS), of standards applicable of certification services, of EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and other provisions of Union or national law relating to data protection and remote electronic identification via electronic means.

Contact information of the certSIGN data protection officer:

• Email: dpd@certsign.ro / fax:(+4021) 3119905;
• Address: 29A, Tudor Vladimirescu Bvd., AFI Tech Parc 1 building, 2nd floor, Bucharest, sector 5.

Section 1. Purpose and grounds for the processing of personal data

The purposes of processing your personal data are:

a) to provide trust services for the issuance of digital certificates, the use of the certificate for the electronic signing of documents by the certificate holder, to deliver the digital certificate and the token, if the digital certificate is issued on cryptographic device (token), as well as to provide services for the automatic validation of qualified electronic signatures and seals, including the payment of the trust service if applicable, according to Article 6 (1) (b) of GDPR;

b) to identify the holder of a digital certificate or of the person designated by the holder of a certificate for electronic seal or web server and, for qualified certificates, the validation of his/her identity by verifying the identity data from the identity document that also contains the photograph of the data subject or by using CERTME as an electronic identification tool, as appropriate, operations carried out for the purpose of issuing the digital certificate, according to Article 6 (1) (c) of the GDPR in conjunction with Article 24 (1) of the eIDAS Regulation and applicable standards;

c) to photocopy the identity document in case of your remote video identification for the purpose of issuing qualified digital certificates, as per art. 6 (1) (a) of GDPR and art. 16 (1) of the Norms of the Authority for Digitization of Romania regarding the regulation, recognition, approval or acceptance of the procedure for the remote identification of an individual using video tools approved by the Decision of the Authority for Digitization of Romania no. 564/2021 (ADR Norm);

d) your unique identification by processing biometric data, namely the processing of the facial image transposed into biometric data, if the identification was made by video means, according to art. 6 (1) (a) and art. 9 (2) (a) of GDPR;

e) recording the audio video session if the identification is performed remotely by video means in accordance with Art. 6 (1) (a) of GDPR, the use of this identification method to obtain a qualified digital certificate being your option;

f) your access and use of CERTSIGN Paperless signing or validation platforms, according to Article 6 (1) (b) of GDPR;

g) identification and authentication of the data subject for the use of CERTSIGN Paperless applications for automatic signature or validation of electronic signatures and seals, according to Article 6 (1) (c) of GDPR;

h) renewal of a digital certificate at the request of a data subject, under art. 6 (1) (b) of GDPR;

i) to confirm validity of an electronic signature certificate, at the request of the holder or at the request of a person whose conduct is based on the trust services provided by certSIGN or within a judicial procedure, as applicable, pursuant to:

• article 6 (1) (b) of GDPR for the validation at the request of a data subject or
• article 6 (1) (c) of GDPR in conjunction with Article 24 (2) (h), (3) (4) of the eIDAS Regulation for the validation in other situations;

j) to revoke/suspend a certificate according to the conditions laid down in the agreement according to article 6 (1) (b) of GDPR or as a result of a legal binding of certSIGN as per article 6 (1) (c) GDPR in conjunction with article 24 (3) (4) of eIDAS Regulation;

k) to issue the report of automatic validation of qualified electronic signatures and seals;

l) if you made a purchase of a remote trust service, we would also process your data in order to respect the right of withdrawal you have exercised according to GEO 34/2014 on the consumers’ rights in contracts concluded with professionals, as well as for amending and supplementing some normative, in conjunction with article 6 (1) (c) of GDPR;

m) to ensure the security of systems and databases according to Article 6 (1) (c) of GDPR in conjunction with Article 24 (2) (e), (f), (i) of the eIDAS Regulation;

n) prevention and/or identification of frauds according to Art. 6 para. (1) letter (c) GDPR in conjunction with Art. 24 para. (2) letter (g) of the eIDAS Regulation;

o) compliance with the legal obligations of the Data Controller (e.g. transmission of information that represents personal data at the request of the competent state authorities, establishment and permanent update of the database of electronic signature certificates according to Article 6 (1) (c) GDPR in conjunction with the provisions of the eIDAS Regulation (Article 24 (2) k);

p) to store data for a period of 10 years from the expiration of the electronic signature certificate, including a copy of the identity document if the identification was not made by the certME application for electronic identification. These data can also be used in a judicial procedure, in addition to the purpose of ensuring the continuity of the trust services provided by the controller according to art. 6 para. (1) letter (c) GDPR in conjunction with art. 24 para. (2) letter (h) of the eIDAS Regulation and art. 20 letter (h) of the Romanian Law no. 455/2001 on electronic signature, as well as art. 16 para. (2) and art. 22 of the ADR Norm;

q) to send newsletters, promotional materials, marketing communications, commercial offers or any other relevant information regarding the products and services of CERTSIGN if you have given your consent in this regard according to art. 6 (1) (a) GDPR;

r) to pursue the legitimate interests of the Data Controller or a third party such as for the internal reporting of the Controller or for streamlining the Company’s processes, for managing contracts or accounting supporting documents, for solving complaints, for auditing or verifying internal processes, for defending the Controller’s rights such as recovering the receivables held by the Controller, according to Article 6 (1) (f) of GDPR.

The legal grounds of data processing operations concern article 6 (1) letters (a), (b), (c) and (f) of GDPR, namely art. 9 (2) (a) of GDPR, as detailed above.

Section 2. Categories of personal data we process

Your personal data we process are the following:

• name, surname, personal numerical code, serial number of the identity card, address, as well as all other personal data included in your identity document, copy of the identity document,
• telephone number, e-mail address,
• your image and voice (video recording of the interaction with the CERTSIGN agent in order to verify your identity during the videoconference session);
• biometric data for the purpose of your unique identification by processing your facial image translated into biometric data,
• data contained in the digital certificate,
• electronic signature and the number of signatures granted/used in the case of digital certificates for remote signing,
• affiliation of the certificate holder to the account of a customer who submitted to certSIGN the request for a digital certificate,
• OTP/TOTP authorization code,
• IBAN code, as applicable,
• Shipping address for delivery of the digital certificate and token, where the certificate is delivered on a cryptographic device (token),
• logs/ IP,
• handwritten signature,
• the status of person designated by the holder of a digital certificate for electronic seal or web server,
• reference – encrypted code generated by certME application of certSIGN necessary for identification using the certME electronic identification tool.
• reference – the unique random code generated by the certME issuing application necessary for identification via certME electronic identification tool.
• other data found in electronic documents subject to the trust service of automatic validation of qualified electronic signatures and seals.

The processing of biometric data mentioned above involves obtaining and comparing the biometric templates from the photo of the identity card and from the photo of your face and is done through the videolD application (https://www.electronicid.eu/en/solutions/videoid).

The biometric template represents the digital reference of the distinct characteristics that were extracted from a biometric sample. Biometric templates are used during the video identification process. Basically, what is compared are not the photos (from the identity document and the one obtained during the interview), but the biometric templates of the two photos.

Section 3. Use of personal data and the consequences of not providing them

The processing of personal data is necessary mainly for the signing of documents with electronic signature or the application of electronic seals, respectively for the issuance of digital certificates of electronic signature or for electronic seal or for the use of Paperless signing applications of certSIGN, or for the issuance of digital certificates for web server or the provision of the trust service for automatic validation of electronic signatures and seals.

Thus, personal data are also necessary to verify the identity of the data subject for the issuance of digital certificates.

The personal data mentioned above are processed directly by certSIGN or with the help of other processors with whom we associate in order to identify the future certificate holders or the persons designated by the holders of digital certificates for electronic seal or web server and to register the applications for certificates, in compliance with art. 26 of GDPR.

Also, certSIGN, may process personal data in order to identify future certificate holders or designated persons and to register applications for certificate issuance and by persons mandated to offer adequate guarantees, in accordance with art.28 of GDPR. Such persons may be legal entities to whom powers of delegated registration authority of certSIGN have been delegated or providers of the video identification solution.

Refusal to provide the data necessary for the issuance of the digital certificate and the provision of the trust services leads to the impossibility of issuing the certificate, respectively of using the electronic signature or the electronic seal or the web server certificate, or to the impossibility of providing the trust service for automatic validation of qualified electronic signatures and seals.

Should you no longer agree to the processing of your personal data involved in the remote identification process using the video identification tools provided for in Section 1, letters c) – e), you can come to the Controller’s office or to a partner of the Controller (the list of certSIGN partners being available at www.certsign.ro) to obtain a digital certificate for electronic signature through face-to-face identification by an agent of the Controller.

Section 4. Duration of personal data processing

After the digital certificate issuance, the personal data related to the identification of the certificate holder and the digital certificate will be stored for 10 years from the end of validity of the certificate issued to you, in particular in order to be able to prove the certification in a possible dispute and for the purpose of ensuring the continuity of the service according to Article 6 (1) (c) of GDPR in conjunction with Article 24 (2) (h) of the eIDAS Regulation and with 20 letter of the Romanian law no 455/2001 on electronic signature.

The data may also be processed after this date, when there is a legal obligation or a legal justifying ground.

Please note that the biometric data is not stored, being automatically deleted as soon as the result of the comparison operation described in Section 2 above on the categories of data has been generated.

If after providing the data, you no longer wish to issue the digital certificate or do not complete the issuing procedure within 60 days from the request of the digital certificate, certSIGN will delete all your personal data collected.
If the process of your remote identification by video means is rejected, the personal data within the audio video session recording shall be kept for a period of 3 years from the date of recording in order to document the reasons for rejection for internal records, for future external controls/audits, in accordance with the provisions of the ADR Norm, as well as in case of any litigation.

Personal data processed for the purpose of providing the trust service for automatic validation of qualified electronic signatures and seals will be processed as follows:

• data from validated electronic signatures and seals are stored for a period of 3 years from the date the validation report was validated,
• the other data from the electronic documents subject to the automatic validation service are deleted when the validation report is issued.

Also, if you no longer wish to receive newsletters, promotional materials, marketing communications, commercial offers or any other relevant information regarding our products and services, certSIGN will no longer process your data for this purpose.

Section 5. Recipients of personal data

Your personal data may be disclosed: you for the exercise of your rights in accordance with the GDPR, to the auditors of certSIGN, to the supervisory body according to the applicable law, to the authorities and public institutions based on the public law obligations, to the lawyers in order to represent us in case of any litigation or for consultancy, to the bailiffs for contractual communications or enforcement of any court decision, debt collection companies, contractual partners of certSIGN for the conclusion and performance of the contract (such as: legal persons to whom powers of delegated registration authority were delegated, courier companies, providers of identification services by video means or providers of electronic payment services or of maintenance and support services, affiliates of certSIGN). Also, the data from the certificate may be disclosed to third parties who base their conduct on the certification services provided by certSIGN (in relation to which you use the certificate), and if the third parties are public institutions, other personal data from the identity document may be disclosed, in addition to those from the certificate, in order to prove the certification according to the applicable legal provisions.

Section 6. Transfer of data outside the European Union

certSIGN does not transfer your personal data outside the European Union/European Economic Area.

Section 7. Rights of Data Subjects

As a data subject, you have the following rights provided by the General Data Protection Regulation (art. 13 – 22 of GDPR):

• Right to information: the right to be informed about the processing operations of your personal data according to Art. 13 and 14 of GDPR;
• Right of access to data: the right to obtain from the data controller the confirmation that the personal data concerning you are processed or not by him/her as well as information on the processing operations of your data according to art. 15 of GDPR;
• Right to rectification: the right to have your inaccurate data rectified, as well as to have your incomplete data completed, as per art. 16 of GDPR;
• Right to erasure under the conditions laid down in article 17 of GDPR;
• Right to restriction of processing your personal data under the conditions laid down in article 18 of GDPR;
• Right to notification by certSIGN of each recipient to whom personal data have been disclosed about any erasure or rectification or restriction of processing carried out in accordance with art. 16, 17 para.(1) and 18 of GDPR, unless this proves impossible or involves disproportionate effort (art. 19 of GDPR).
• Right to portability of data submitted to us, insofar as the data processing operation is based on your consent and has as grounds the agreement concluded with you under article 20 of GDPR.
• Right to object on grounds relating to your particular situation regarding the processing of data carried out in order to pursue the legitimate interests of certSIGN or other third parties, under art. 21 of GDPR.
• Right to not be the subject of a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her, pursuant to art. 22 of GDPR.

Also, you, as a data subject, have the right to withdraw your consent at any time, insofar as the data processing operation is based on your consent, provided that the lawfulness of processing based on your consent before withdrawal is not affected (art. 7 (3) of GDPR).

Also, we bring to your attention that you have the right to file a complaint to the National Supervisory Authority for Personal Data Processing – ANSPDCP to defend the rights guaranteed by the legislation applicable in the field of personal data protection, which were violated, as well the right to appeal to competent courts.

To exercise the rights provided for in art. 13-22 and art. 7 (3) of GDPR, as presented above, you can submit a written request, dated and signed, to the Department of Personal Data Protection of certSIGN:

• Email address: dpd@certsign.ro / fax:(+4021) 3119905
• 29A, Tudor Vladimirescu Blvd, AFI Tech Parc 1, 2nd floor, Bucharest, sector 5.

Should you submit such request regarding the exercise of your rights over the protection of personal data, you will receive a response within 30 days, under the conditions provided by GDPR.