Overview
1.1. Introduction
S.C. Bifa Automations S.R.L., as a controller of personal data, processes personal data relating to the natural persons with whom it interacts for the stated purpose.
This may be data in relation to customers, suppliers, business contacts, employees and other persons with whom the company has entered into a contract or with whom it is in a relationship: identification data (first and last name, serial/no. CI/passport, CNP), contact details (postal and email addresses, telephone numbers), studies, function held.
This policy describes how personal data should be collected, used and stored to be consistent with the company's data protection standards and to meet legal requirements. This control applies to all systems, persons and processes constituting the organization's IT systems, including board members, directors, employees, suppliers and other third parties having access to S.C. Bifa Automations S.R.L. systems.
1.2. Existence of policy
This data protection policy ensures, within S.C. Bifa Automations S.R.L.:
- Legal requirements at European and national level on the protection of applicable personal data and good practices in this area are respected;
- Protection of the rights of data subjects: e.g. partners, customers, employees/collaborators;
- How personal data collected directly or from third parties are stored and processed;
- Protection of the company from possible risks related to data breaches;
- Increase the confidence of the external environment in relation to S.C. Bifa Automations S.R.L.
1.2.1. Legislation on the protection of personal data
Regulation (EU) No 679/2016 describes how companies, including S.C. Bifa Automations S.R.L., must process personal data. Significant fines apply if an infringement of the GDPR Regulation, which is intended to protect the personal data of citizens of the European Union, is established.
These rules apply regardless of whether the data is stored electronically, on paper or on other materials.
In order to comply with the law, personal information must be collected and used correctly, stored securely, not allowing it to be used illegally.
Regulation (EU) No 2016/679 sets out the fundamental principles on the basis of which data processing is permitted, requiring that the personal data companies collect:
- Be processed lawfully, fairly and transparently towards the data subject ('legality, fairness and transparency');
- Be collected for specific, explicit and legitimate purposes and not be subsequently processed in a manner incompatible with those purposes ('purpose limitations');
- Be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
- Be accurate and, if necessary, up-to-date; all necessary measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay ('accuracy');
- Not be kept longer than necessary ('storage-related limitations');
- Be processed in a way that ensures the proper security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by taking appropriate technical or organisational measures ('integrity and confidentiality');
- Be processed in accordance with the rights of data subjects;
- Not be transferred outside the European Economic Area unless the territory/country to which they are transferred provides an adequate level of protection of personal data.
1.2.2. Definitions
The GDPR's definition of personal data is broad:
Personal data = any information about an identified or identifiable natural person
In order to be able to interpret this policy correctly, it is necessary to know the fundamental terms on data protection:
| Term | Definition |
|---|---|
| Data subject | An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifying element, such as a name, an identification number, location data, an online identifier, or to one or more specific elements, specific to his physical, physiological, genetic, mental, economic, cultural or social identity. |
| Processing | Any operation or set of operations carried out on personal data or on sets of personal data, with or without the use of automated means, such as collection, registration, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction. |
| Operator | The natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of processing personal data; where the purposes and means of processing are determined by Union or national law, the operator or the specific criteria for its designation may be laid down in Union or national law. |
| Processor | The natural or legal person, public authority, agency or other body processing personal data on behalf of the controller. |
1.3. Principles on the processing of personal data
Regulation (EU) No 2016/679 sets out the fundamental principles on the basis of which data processing is permitted, with companies required to carry out the processing of personal data under certain conditions.
In order to comply with the applicable legislative framework, personal data within S.C. Bifa Automations S.R.L. are:
- processed legally, fairly and transparently towards the data subject ('legality, fairness and transparency');
- collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) ('purpose limitations');
- appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
- accurate and, if necessary, up-to-date; all necessary measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay ('accuracy');
- kept in a form which allows the identification of data subjects for a period not exceeding the period necessary to fulfil the purposes for which the data are processed; personal data may be stored for longer periods in so far as they will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1), subject to the implementation of the appropriate technical and organisational measures provided for in this Regulation with a view to guaranteeing the rights and freedoms of the data subject ('storage limitations');
- processed in a way that ensures the proper security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by taking appropriate technical or organisational measures ("integrity and confidentiality").
We will always undertake the necessary activities to ensure that we comply with all these principles, both in current processing and when introducing new processing methods, such as possible new information systems.
1.4. Rights of the data subject
The data subject has several rights under the GDPR Regulation. They consist of:
- Right to withdraw consent;
- Right to information;
- Right of access;
- Right to rectification;
- Right to erasure of data ("right to be forgotten");
- Right to restriction of processing;
- Right to data portability;
- Right to object to processing;
- The right not to be the subject of a decision based solely on automatic processing, including profiling;
- Right to lodge a complaint with the Authority;
- The right to seek justice.
Each of these rights is supported by appropriate forms in S.C. Bifa Automations S.R.L. which allow the necessary action to be taken within the time limits set by the GDPR Regulation.
Data subjects may exercise part of their above rights by e-mail addressed to the data controller at office@bifa-automatizari.ro. Applications will be exempt from any fee. The operator shall be obliged to provide a reply within one month and in certain exceptional cases no later than two months after receipt of the request.
We will always verify the identity of any data subject who addresses us with a request for his or her processed data. In order to handle applications accountably and to allow the exercise of rights, the legal department or external legal advisers will have a say in the merits of the application.
1.5. Grounds for processing
The processing of personal data at S.C. Bifa Automations S.R.L. is based on the following legal grounds contained in Regulation (EU) 679/2016:
- with a view to the conclusion and performance of the service contracts covered by our activities – Article 6(1)(b);
- in order to fulfil the legal obligation to highlight and refer to the bodies of the State – Article 6(1)(c).
Personal data collected and processed are necessary to conclude or execute a contract with the data subject, in which case his explicit consent is not necessary. This is because the contract cannot be concluded without the personal data in question; for example, an appointment cannot be made without a telephone number at which the customer can be contacted.
Since personal data must be collected and processed by us in order to comply with the law, explicit consent is not required. This may apply to certain employment and tax data, for example.
If S.C. Bifa Automations S.R.L. has to perform a task which it considers to be in the public interest or as part of a formal obligation, then the consent of the data subject will not be requested. The assessment of the public interest will be documented and made available as evidence when necessary.
If the processing of specific personal data becomes necessary in the legitimate interest of S.C. Bifa Automations S.R.L. and does not significantly affect the rights and freedoms of the data subject, then it can be defined as the legal reason for the processing. Again, the reasoning behind this view will be documented.
If personal data are not obtained directly from the data subject, this information will be provided to the data subject whenever he or she makes a request for access.
Once additional processing occurs and it becomes necessary for the processing of data to be carried out on the basis of the consent of the data subject (Article 6, paragraph 1, point a of the GDPR), S.C. Bifa Automations S.R.L. will always obtain the explicit and informed consent of the data subject for that processing. For children under the age of 16, parental/guardian consent will be obtained.
1.6. Purposes of processing
In our professional activity, we process personal data to implement the company's object of activity – the supply of products from the electrical industry (electrical panels, electrical and automation installations as well as standardized and open SCADA systems for process control).
We also process personal data to meet legal obligations governing our field of activity, such as the Civil Code, the Tax Code, the Labour Code.
Limits on policy applicability
2.1. Policy area
This policy applies to:
- S.C. Bifa Automations S.R.L.
- All departments of S.C. Bifa Automations S.R.L.
- All staff and volunteers of S.C. Bifa Automations S.R.L.
- All contractors, suppliers and other persons working on behalf of S.C. Bifa Automations S.R.L.
It applies to all data the company holds in relation to identifiable individuals.
The categories of personal data processed are those that you provide when filling out the contact form. These data include: name, email address, and phone number.
In addition to providing products from the electrical engineering industry, we reserve the right to process personal data for marketing purposes, to keep you up to date with the latest news related to S.C. Bifa Automations S.R.L. services.
2.2. Risks
The policy helps protect S.C. Bifa Automations S.R.L. from real security risks, including:
- Privacy violations.
- Damage to reputation. For example, the company could be harmed if this data were obtained by people interested in it, from the inside, by producing a security breach.
Data storage
These rules describe how and where personal data should be stored.
When data is stored on paper, it must be stored in a safe place where unauthorized persons cannot access it.
These instructions also apply to data that are normally stored electronically but have been printed for certain reasons:
- Papers or files should be kept in a closed place or in a closed drawer;
- Employees should ensure that papers or printouts are not left where unauthorized people might see them, such as on the printer;
- Prints should be destroyed when they are no longer needed.
When data is stored electronically, it must be protected from unauthorized access, accidental deletions, or intentional hacking attacks:
- Data should be protected by strong passwords that are regularly changed and never shared between employees, while sensitive data should be encrypted;
- When data is stored on removable media (such as CD, DVD), it is kept safe when not in use;
- Data will only be stored in specialized servers or drives and should be uploaded to an approved cloud computing service;
- Servers containing personal information should be placed in a safe place away from the general office space;
- Data should be saved directly on laptops and not on other mobile devices such as tablets or smartphones.
- Data has a periodic back-up;
- All servers and computers containing data are protected by security and firewall software.
Using data
S.C. Bifa Automations S.R.L. does not process personal data on a large scale or sensitive data. Even so, we want to keep data safe. In order to prevent situations of risk such as corruption or even theft, we have put in place a number of mandatory rules to follow when using this data:
- When working with personal data, staff ensure that computer screens are closed whenever they are left unattended, even for short periods;
- Personal data is processed at the premises and/or at the point of work of our beneficiaries. All documents containing personal data, in electronic form, on paper and on any other medium for storing and transferring personal data shall be processed/collected/preserved/stored/archived/destroyed, etc., by the beneficiary, in accordance with the law;
- We limit the transmission of personal data by e-mail as much as possible, as this means of communication is not safe. By way of exception, the only sensitive data transmitted by e-mail are those intended for the data subject, at his express request;
- Sensitive data should be encrypted before being transferred electronically;
- Personal data are not transferred outside the European Economic Area;
- Workers are prohibited from saving personal data to their personal devices;
- The data will be kept in a few places; staff must not create any additional places that are not necessary, such as unnecessary copies;
- Staff are trained to use each opportunity to ensure that the data is up-to-date. For example, by confirming details when the customer calls;
- Data is updated when inaccuracies are discovered. For example, when a customer can no longer be contacted through a phone number, it is recommended that the number be removed from the database.
Disclosure of data for other reasons
In certain circumstances, the legislation allows personal data to be disclosed to law enforcement without the consent of the data subject.
In these circumstances, S.C. Bifa Automations S.R.L. will disclose the necessary data. The data controller will ensure that the request is legitimate, seeking assistance from the company's legal advisors where necessary.
Provide information
S.C. Bifa Automations S.R.L. aims to ensure that data subjects know how data is processed, ensuring that they understand:
- How their data are used;
- How they can exercise their rights.
For this purpose, the company has a Website Privacy Policy (on the use of cookies), setting out how people's data is used within it – http://bifa-automatizari.ro/.
Consequences
Failure to comply with this Policy by company employees or other external collaborators may result in disciplinary sanctions (including termination of employment), termination of contracts and, depending on the circumstances, legal action to fully recover damages to the organization as a result of non-compliance with this Policy.
When there is suspicion of illegal activities (such as, for example, evading documents, copying, distributing, transferring databases), the Company will report the criminal activity to law enforcement so that the perpetrator is held criminally liable.
This Policy will be brought to the attention of all employees, business partners or other third parties, including by publishing on the company's website http://bifa-automatizari.ro/.