General Policy for the Protection of Personal Data "GDPR Policy"

certSIGN processes personal data in order to carry out its business activity, in compliance with the related legal provisions in the countries in which it operate. The processing of personal data is carried out under conditions that ensure the security, confidentiality and respect of the rights of the data subjects, in compliance with the following principles:

  • lawfulness, fairness and transparency
  • determined, explicit and legitimate purpose, 
  • data minimisation (adequate, relevant and limited data)
  • accuracy, timeliness
  • storage limitation
  • integrity and confidentiality
  • accountability

CHAPTER I

Purpose

The purpose of the General Policy for the protection of personal data ("GDPR Policy") is to establish the rules and practices that regulate how CertSIGN ensures compliance with the principles and rules established by the GDPR in its personal data processing activities of customers, suppliers, partners, employees and other natural persons.

 

CHAPTER II

Scope

This policy applies to all activities carried out by certSIGN that involve the processing of personal data as a controller, as well as those performed as a processor of a controller, activities that fall under the Union law.

 

CHAPTER III

Definitions and Abbreviations

consent of the data subject means any manifestation of free, specific, informed and unambiguous will of the data subject by which he/she accepts, by a declaration or an unequivocal action, that the personal data concerning him/her are processed;

personal data means any information about an identified or identifiable natural person ("the data subject") directly or indirectly, especially by reference to an identification element, such as a name, identification number, location data, an online identifier or to one or more specific elements, specific to its physical, physiological, genetic, psychological, economic, cultural or social identity. 

DPD - Department of personal data protection

DPO – Data protection officer 

GDPR means REGULATION no. 679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

controller means the natural or legal person, the public authority, the agency or another body which, alone or together with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for its nomination may be provided for in Union law or in national law operator;

processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

data subject means the natural person whose personal data is processed;

processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

 

CHAPTER IV

GDPR Objectives 

1. Lawfulness of Data Processing 

In carrying out its business, certSIGN processes personal data under the following circumstances:

a.    the data subject has given consent to the processing

b.    processing is necessary for the performance of a contract to which the data subject is a party

c.    processing is necessary for compliance with a legal obligation to which it is subject 

d.    processing is necessary in order to protect the vital interests of the data subject or of another natural person

e.    processing is necessary for the purposes of the legitimate interests pursued by certSIGN or by the controller (where certSIGN acts as a processor).

2. Rights of the Data Subjects 

certSIGN respects the right of individuals to private life. 

When processing personal data, the company communicates to the data subject what data it collects, the purpose of collecting, the recipients or categories of recipients of the personal data, the duration of data storage, their deletion at the end of the storage period. If the controller intends to subsequently process personal data for a purpose other than that for which they were collected, the operator shall provide the data subject, prior to such further processing, with information on the respective secondary purpose and any relevant additional information.

Data processing is done only by the personnel authorized in this regard. 

The personal data processed and used by certSIGN will be stored on electronic media or archive on paper, for the period necessary to achieve the purposes for which they were collected and in accordance with the legal provisions applicable to the activities carried out by the company.

Upon completion of the processing of personal data, the processed personal data are destroyed.

Where certSIGN, in carrying out the activities within its business scope, acts as a processor of a controller, it will conclude with the processor an agreement on the processing of personal data which will ensure that the rights of the data subjects are respected.

Where the data subject wished to exercise his/her right or make a complaint, the DPD can be addressed at the following contact details:

  • address: 29A Tudor Vladimirescu Bvd., AFI Tech Park 1, Sector 5, Bucharest, Romania, CP 050881
  • e-mail: dpd@certsign.ro 
  • fax: (+4021)3119905

 

certSIGN provide the data subject with information on the actions taken following a request under Articles 15-22, without undue delay and in any case not later than one month after receiving the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. certSIGN informs the data subject of any such extension, within one month of receipt of the request, together with the reasons for the delay. 

If it does not take action on the request of the data subject, certSIGN shall inform the data subject without delay and at the least within one month of receipt of the request, on the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. 

3. Data Security

certSIGN has implemented an information security management system, ISO 27001 certified. Also, certSIGN has obtained the status of a Qualified Trust Service Provider in accordance with EU Regulation no 910/2014 on electronic identification and trust services for electronic transactions on the internal market.

Obtaining and maintaining the ISO 27001 certification and the status of qualified trusted service provider requires annual audits, respectively, every two years of external audits, audits in which the assessment of information security and information, in general, is a very important component.

a. Drawing up and keeping records of data processing activities.

The company keeps a Register of records of personal data processing. The Register is drafted and managed by the DPD. The Register contains at least the information provided by the GDPR.

b. Training of personnel in order to comply with the GDPR provisions

certSIGN staff is periodically trained on the GDPR provisions, on the minimum security requirements for the processing of personal data, as well as on the risks entailed by the processing of personal data.  

Employees who have access to personal data are informed about the special nature of these data and have become aware of the rules that apply to them. All internal provisions regarding the obligation of employees in terms of information security are applicable.

c. Verification of the company business compliance with the GDPR requirements.

Through the DPO within the DPD and external audits, certSIGN will verify the compliance with and implementation of the internal rules, of GDPR provisions and legal stipulations in the field, as well as the recommendations made with regard to the processing of personal data.