Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, in this document – GDPR, Regulation or GDPR) was adopted by the European Parliament and the Council of the European Union on 27 April 2016 and its provisions are directly applicable as of 25 May 2018. This Regulation expressly repeals Directive 95/46/EC, thus also replacing the provisions of Law 677/2001 (now repealed).
The Regulation is directly applicable in all Member States, protecting the rights of all individuals within the European Union. From a substantive point of view, the Regulation applies to all controllers processing personal data. The Regulation does not apply to the processing of personal data relating to legal persons, and in particular to undertakings having legal personality, including the name and type of legal person and the contact details of the legal person.
Personal data are defined as any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Identity of the controller
Having regard to Article 4(7) of the Regulation, which defines the notion of “controller” as the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data, the controller processing personal data through this website is Andreea-Cristina Secu – Cabinet de avocat, established in Romania, Bucharest, Sector 1, Strada Paris nr. 17, etaj 1, ap. 1, registered at the Trade Register Office 41/07.01.2020, with CUI RO41192140, legally represented by Andreea-Cristina Secu, with contact details email@example.com.
Collection of personal data
What personal data is collected
The operator of this website collects, stores and processes the following personal data of / about you:
- Name, first name
- Contact details (such as email, phone, fax)
In order for the processing of personal data to be legal, the GDPR requires that it be carried out on the basis of a legitimate reason, such as the execution or conclusion of a contract, the fulfillment of a legal obligation, or on the basis of the valid consent previously expressed by the data subject. In the latter case, the operator is required to be able to prove that the person in question has given his consent for the respective processing. The consent expressed under the rule of Directive 95/46/EC remains valid if it meets the conditions provided by the GDPR.
Consent must be given through a statement or through an unequivocal action that constitutes a freely expressed, specific, informed and clear manifestation of the data subject’s consent to the processing of his personal data. If the data subject’s consent is given in the context of a statement, in electronic form or in writing, which also relates to other matters, the request for consent must be presented in a form that clearly differentiates it from the other matters, can be achieved even by ticking a box. In order for the processing of personal data to be legal, the GDPR requires that it be carried out on the basis of a legitimate reason, such as the execution or conclusion of a contract, the fulfillment of a legal obligation, or on the basis of the valid consent previously expressed by the data subject. In the latter case, the operator is required to be able to prove that the person in question has given his consent for the respective processing. The consent expressed under the rule of Directive 95/46/EC remains valid if it meets the conditions provided by the GDPR.
If you send us questions via the contact form, we will collect the data entered in the form, including the contact data you provide, in order to answer your and others’ subsequent questions. We do not transmit this information without your permission. Therefore, we will process all the data you enter in the contact form only with your consent [in accordance with the provisions of art. 6 para. 1 lit. a) GDPR]. You can revoke your consent at any time, an informal email to this effect is sufficient. Data processed before receiving your request may be processed lawfully. We will keep the data you provide on the contact form until:
- request data deletion;
- revoke consent to their storage or if
- the purpose for storing it is no longer valid.
Any mandatory legal provisions, in particular those relating to mandatory data retention periods, are not affected by the above.
Contact by e-mail, phone or fax
If you contact us by e-mail, telephone or fax, your request, including all the personal data you will provide, will be stored and processed by us for the purpose of solving your request, based on your consent.
Therefore, we will process all the data you provide based on the following legal provisions contained in the GDPR, respectively:
- only with your consent – in accordance with the provisions of art. 6 para. 1 lit. a) GDPR
- for the execution of a contract or in the pre-contractual stage – in accordance with the provisions of art. 6 para. 1 lit. b) GDPR
- for the fulfillment of the purpose and the legitimate interest pursued by us, respectively that of efficient processing of the requests sent by you – in accordance with the provisions of art. 6 para. 1 lit. f) GDPR.
We will keep the data you provide in this way until:
- request data deletion;
- revoke consent to their storage or if
- the purpose for its storage is no longer valid, in all situations except for the mandatory data retention periods.
By accessing the Comments section, certain personal data (such as, but not limited to, email address, username, IP address) will be processed and stored, some of them being necessary from the perspective of preventing illegal actions or defamatory content.
There is also the possibility to sign up/subscribe to this site in order to receive the comments via the provided email, so that:
- The email address may be verified by a confirmation email;
- You can unsubscribe at any time by accessing the link in the content of the e-mails, and the data provided by you will be deleted immediately, with the exception of the data provided as a result of accessing other sections (for example, when signing up for the newsletter) which will remain stored;
We comply with the relevant legal provisions, more precisely we store your comments and personal data based on your consent (art. 6 para. 1 letter of the GDPR), which can be withdrawn at any time (an informal email in this sense being sufficient ).
Purpose of processing collected data
Part of the data collected on this site is used to:
- Periodic user information – We want to keep you informed about our offers. In this regard, we may send you any type of message containing general and topical information, information regarding offers or promotions, as well as other commercial communications such as market research and opinion polls. For communications of this type, we have as a basis the consent previously obtained from you. You can change your mind and withdraw your consent at any time.
The processing of personal data is carried out in accordance with the provisions of the General Regulation on Data Protection, based on both the consent of the data subject and reasons for the compliant execution of contracts or the realization of the legitimate interests of the operator (unless the interests prevail or the fundamental rights and freedoms of the data subject, which require the protection of personal data, especially when the data subject is a child).
Your rights regarding personal data and the means of exercising them are: The right to information, The right to access, The right to rectification, The right to delete data, The right to restrict processing, The right to data portability, The right to opposition, The right not to is the subject of a decision based exclusively on automatic data processing, Right to lodge a complaint and address to the courts, Right to withdraw consent.
- The right to information – you can request information on the processing activities of your personal data, on the identity of the operator and its representative or on the recipients of your data;
- The right of access – you can obtain from the operator a confirmation that personal data concerning you is being processed or not and, if so, access to the respective data and the following information: the purposes of the processing ; the categories of personal data concerned; recipients or categories of recipients to whom the personal data have been or will be disclosed, especially recipients from third countries or international organizations; where possible, the period for which the personal data is expected to be stored or, if this is not possible, the criteria used to establish this period; the right to request the operator to rectify or delete personal data or restrict the processing of personal data or the right to oppose the processing, etc.
- The right to rectification – you can rectify inaccurate personal data or complete them;
- The right to delete data – you can obtain data deletion, if their processing was not legal or in other cases provided by law;
- The right to restrict processing – you can request the restriction of processing if you dispute the accuracy of the data, as well as in other cases provided by law;
- The right to data portability – you can receive, under certain conditions, the personal data you have provided to us in a machine-readable format, or you can request that said data be transmitted another operator
- Right to opposition – you can object, in particular, to data processing based on the legitimate interest of the operator;
- The right not to be the subject of a decision based solely on automatic data processing – you can ask for and obtain human intervention with regard to said processing or express your own point of view regarding this type of processing;
- The right to file a complaint and to address the courts – you can file a complaint against the manner of personal data processing with the National Authority for the Supervision of Personal Data Processing and / or you can the address of the courts to respect your rights;
- Right to withdraw consent – in cases where the processing is based on your consent, you can withdraw it at any time. The withdrawal of consent will only have effects for the future, the processing carried out prior to the withdrawal still remaining valid.
Obligations of the data controller
The personal data registered on this website are stored on servers in Romania. The processing of the data provided and stored complies with the following legal provisions:
- Art. 6 para. 1 lit. a) GDPR – the processing of personal data is based on your consent, obtained after correct and complete information;
Art. 6 para. 1 lit. f) GDPR – data processing is carried out for the purpose of the legitimate interests pursued by us.
This site uses SSL encryption for security reasons and to protect the transmission of confidential information. This encryption can be recognized by you by the lock window (“lock icon”) that appears in the browser bar and by changing the address of the respective browser from http:// to https://. Once encryption of this type is activated, the transmitted or transferred data will not be able to be seen by third parties.
According to the GDPR, if the breach of the security of personal data is likely to generate a high risk for your rights and freedoms, the operator of this website will inform you, without undue delay, about this breach, unless the supplementary provisions become incident from the same Regulation (art. 34 paragraph 3).
Data Protection Officer
As the provisions of the GDPR regarding the obligation to appoint a data protection officer are not applicable (art. 37 paragraph 1 – according to which the Operator and the person authorized by the operator appoint a data protection officer whenever:
- the processing is carried out by a public authority or body, with the exception of courts acting in the exercise of their jurisdictional function;
- the main activities of the operator or the person authorized by the operator consist of processing operations which, by their nature, scope and/or purposes, require a periodic and systematic monitoring of the persons concerned on a large scale; or
- the main activities of the operator or the person authorized by the operator consist of the large-scale processing of special categories of data under Article 9 or of personal data relating to criminal convictions and offences, referred to in Article 10 )
for any information or clarifications regarding the operation of this website, please contact us on the following dates:
- Name: Andreea-Cristina Secu
- E-mail: firstname.lastname@example.org
- Mailing address: Str. Paris no. 17, postal code 011813, floor 1, Sector 1, Bucharest, Romania
Records of processing activities
According to the GDPR Regulation, the operator or the person authorized by the operator should keep, for a reasonable period, records of the processing activities under his responsibility. Thus, these records will include the following information:
- the name and contact details of the operator
- the purposes of the processing;
- description of categories of data subjects and categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- if applicable:
- personal data transfers
- the expected deadlines for the deletion of different categories of data
- a general description of technical and organizational security measures
The obligation detailed above does not apply to an enterprise or organization with less than 250 employees, unless the processing it carries out is likely to generate a risk for the rights and freedoms of the data subjects, the processing is not occasional or the processing includes special categories of data or personal data relating to criminal convictions and offences.
Appropriate technical and organizational measures
Taking into account the current state of technology, the context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, the operator implements appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing.
Notification of the supervisory authority in case of personal data security breach
According to art. 33 para. 1 of the GDPR, if there is a breach of personal data security, we will notify the National Authority for the Supervision of the Processing of Personal Data without undue delay and, if possible, within 72 hours at most from the date we became aware of it, unless it is unlikely to generate a risk for the rights and freedoms of natural persons.
Informing the data subject about the data security breach of personal data
Related to the provisions of art. 34 of the GDPR, if the breach of the security of personal data is likely to generate a high risk for the rights and freedoms of natural persons, we will inform the data subject without undue delay about this breach, except in situations where:
- adequate technical and organizational safeguards have been implemented and these measures have been applied to personal data affected by the personal data breach, in particular measures to ensure that personal data becomes unintelligible to any people who are not authorized to access them, such as encryption;
- subsequent measures have been taken to ensure that the high risk for the rights and freedoms of the previously mentioned data subjects is no longer likely to materialize;
- would require a disproportionate effort. In this situation, a public information is carried out instead or a similar measure is taken by which the persons concerned are informed in an equally effective way.
Facebook plugins (Like & Share Button)
This service uses social plugins (“plugins”) managed by the social network facebook.com. Plugins can be identified by a Facebook logo (a white “f” on a blue board or a “thumbs up” sign) or are labeled by adding the phrase “Facebook Social Plugin”. The list and layout of Facebook plugins can be seen here: https://developers.facebook.com/docs/plugins/. As long as you use the Like extension, you will like our website’s Facebook page without having to leave it. To the extent that you use the Share extension, you will share our site or certain content from it on your personal Facebook page without having to leave the site.
Through the plugin, Facebook receives the information that you access on our website. If you are also logged in to Facebook at the same time, Facebook can attribute the actions taken on the page to your account and, implicitly, to you personally. When you interact with the plugins, for example by clicking the Like button or sharing certain content from the website, the corresponding information is transferred directly from your browser to Facebook and stored there. Even if you are not a Facebook member, it is still possible for the social network to obtain and store your IP address.
By clicking on one of these buttons, you agree to the use of this plugin and therefore to the transfer of personal data to Facebook. We have no control over the nature and purpose of this transmitted data, as well as over its further processing. Regarding the purpose and extent of data collection, processing and further use of data by Facebook, as well as permissions and settings to protect privacy.
If you do not want Facebook to associate your visit to this website with your Facebook account information, you can log out.
In order to receive a newsletter, it is necessary to indicate a valid e-mail address, together with specific information by which the owner of this address can be identified. Also, your consent is required for sending the newsletter and, therefore, we inform you that any other personal data will be collected and stored only based on your consent. The data thus collected are processed only for the purpose of sending the newsletter and will not be transmitted to third parties.
Therefore, we will process any data you enter in the contact form only with your consent, in accordance with the provisions of art. 6 para. 1 lit. of the GDPR.
Plugins and Tools
Google Web Fonts
This site uses Web Fonts provided by Google to ensure consistent use of fonts on this site.
When you access a page on this website, your browser will load, as a result of establishing a connection with Google’s servers, the web fonts necessary for the correct display of text and fonts. So,
The use of Google Web Fonts is based on Art. 6 para. 1 lit. f) GDPR, there is a legitimate interest in the uniform presentation of the font on this website. If there is a consent expressed in this regard (for example, consent to the archiving of cookies), the data will be processed exclusively on the basis of art. 6 para. 1 lit. a) GDPR.
This site uses Google Maps, a mapping and location service, through an API. The provider is Google Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, United States of America.
To guarantee data protection on our website, you will find that Google Maps has been disabled when you visit our website for the first time. A direct connection to the Google servers will not be established before the autonomous activation of Google Maps, i.e. with your consent in accordance with Article 6 para. 1 lit. a) GDPR. This will prevent the transfer of data to Google during the first visit to our website. After you have activated the service, Google Maps will store your IP address. As a rule, it is then transferred to a Google server in the United States, where it is stored. The provider of this website has no control over this data transfer once Google Maps has been activated.
Considering the Judgment of July 16, 2020 (pronounced in case C-311/18 – Data Protection Commissioner/Facebook Ireland Limited, Maximillian Schrems), the European Court of Justice ruled that the protection offered by the Privacy Shield EU – US (Privacy Shield) does not have an appropriate character.
Therefore, the transmission of personal data to the USA and other countries outside the European Economic Area (EEA) is based on the Standard Contractual Clauses (SCC) of the European Commission. The Commission has issued two sets of Standard Contractual Clauses for data transfers from EU data controllers to data controllers established outside the EU or the European Economic Area (EEA). It also issued a set of contractual clauses for data transfers from EU operators to processors established outside the EU or EEA. For more information on these Terms, we recommend that you visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses -scc_ro.
Google Maps uses Standard Contractual Clauses as an adequate data protection guarantee, in accordance with the level of protection guaranteed by the GDPR. For more information, see Google’s Data Privacy Statement at the following address: https://policies. google.com/privacy
This policy regarding the processing of personal data is generated in accordance with the provisions of Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, but also with the other applicable national legal provisions.
We reserve the right to make any additions or changes to this policy. We recommend consulting the Policy regularly for correct and up-to-date information regarding the processing of personal data.
For more details regarding this GDPR Policy, as well as to exercise any of the aforementioned rights, a written notification can be sent to the contact details indicated above.
Date of last update 06-08-2022