Data Privacy Policy

  1. Introduction

  2. Who we are?

  3. How can you contact us?

  4. What personal data do we process, when and for what purposes?

  5. On what grounds do we process personal data?

  6. To whom do we disclose or transfer personal data?

  7. Where and for how long do we store personal data?

  8. What are your rights as data subject?

  9. How can you exercise your rights?

  10. Cookies Policy

  11. Ensuring personal data security

  12. Security incidents. Data Breaches.

  13. Final provisions

1. Introduction

CLA Romania is committed to protecting your personal information and processing it properly and transparently in accordance with the provisions of EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („GDPR Regulation”).

Above all, we are faithful to the following key data processing principles:

Lawfulness, fairness and transparency – we process personal data on legal grounds, fairly and in a transparent manner;

Purpose limitation – we collect personal data for specified, explicit and legitimate purposes;

Data minimization – we only collect and keep personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

Accuracy – we ensure that the personal data we keep is accurate, kept up to date or otherwise erased or rectified;

Storage limitation – we ensure that personal data is stored only for the period of time that is strictly necessary for the fulfilment of our purposes or is otherwise erased or anonymized;

Integrity and confidentiality – we ensure appropriate security by implementing organizational measures and adequate technical solutions which are harmoniously combined as to guard personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage;

Accountability – we are responsible for ensuring the processing of personal data in accordance with the principles listed above.

Your personal information belongs to you and we respect this. It is your right to be fully informed about the processing operations we perform with the personal data you provide us or we collect about you. In order to make available to you all this information in a way that is as accessible and concise as possible, we have drafted this personal data privacy policy (“Privacy Policy”) applicable with respect to online personal data processing operations.

Thus, this Privacy Policy gives you detailed information on the personal data we process, how we collect it, the purposes for which we use personal data, and how we keep it safe. This Privacy Policy also describes what your rights as data subject are, so please review it alongside the Terms and Conditions section.

To facilitate your understanding of this Privacy Policy, please find below definitions and explanations of the specific notions used:

| Notion | Definition/Explanation |
| --- | --- |
| Personal data breach | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Online identifiers | internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags provided by data subject devices, applications, tools and protocols. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them. |
| Consent | Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| Recipient | a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. |
| Controller | the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Processing | means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Personal data | any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |

2. Who we are?

Your personal data are processed by CLA Romania, a group of companies controlled by CLA Romania Holding SA. The group is formed by the following companies, all acting as controllers of your personal data:

CLA Global Audit S.R.L.

Address: 7B-7C Palas Street, 8th floor, United Business Center 3, Iasi, Iasi county

Sole identification number: 46434784

Registration: Iasi Trade Registry

Registration no. with the Trade Registry: J22/2468/2023

CLA Global BPS S.R.L.

Address: 4D Gara Herastrau street, building C, 5th floor, E04 office, Bucharest, District 2

Sole identification number: 46049118

Registration: Bucharest Trade Registry

Registration no. with the Trade Registry: J40/8211/2022

CLA Global Consulting S.R.L.

Address: 4D Gara Herastrau street, building C, 5th floor, E018 office, Bucharest, District 2

Sole identification number: 32721366

Registration: Bucharest Trade Registry

Registration no. with the Trade Registry: J40/992/2014

CLA Global Corporate S.R.L.

Address: 4D Gara Herastrau street, building C, 5th floor, E018 office, Bucharest, District 2

Sole identification number: 27183155

Registration: Bucharest Trade Registry

Registration no. with the Trade Registry: J40/6820/2010

CLA Global Employer of Records S.R.L.

Address: 4D Gara Herastrau street, building C, 5th floor, E018 office, Bucharest, District 2

Sole identification number: 30860651

Registration: Bucharest Trade Registry

Registration no. with the Trade Registry: J40/12772/2012

CLA Romania Holding S.A.

Address: 4D Gara Herastrau street, building C, 5th floor, E018 office, Bucharest, District 2

Sole identification number: 34959527

Registration: Bucharest Trade Registry

Registration no. with the Trade Registry: J40/10824/2015

CLA Global Tax Compliance & Representation S.R.L.

Address: 4D Gara Herastrau street, building C, 5th floor, E018 office, Bucharest, District 2

Sole identification number: 30328094

Registration: Bucharest Trade Registry

Registration no. with the Trade Registry: J40/6973/2012

CLA Global Tax S.R.L.

Address: 4D Gara Herastrau street, building C, 5th floor, E018 office, Bucharest, District 2

Sole identification number: 42971297

Registration: Bucharest Trade Registry

Registration no. with the Trade Registry: J40/10585/2020

3. How can you contact us?

In order to ask us questions about this Privacy Policy or to submit a request for the exercise of your rights as data subject, please write to us or call us using the following contact details:

E-mail address: dpo@cla.com.ro (the DPO e-mail address)

Headquarters address: 4D Gara Herastrau street, building C, 5th floor, Bucharest, District 2

Phone number: + 40 (721) 202 949

Facsimile: + 40 (31) 405 10 18

Contact person: appointed data protection officer/manager

4. What personal data do we process, when and for what purposes?

4.1. PERSONAL DATA PROCESSED WHEN YOU VISIT OUR WEBSITE

When visiting our website, your browser could automatically send us information about:

the IP address of your device,

the date and time of access,

the browser used,

the operating system of your device,

information about your Internet service provider,

the status and amount of data transferred during your visit to our websites.

We process the mentioned data for the following purposes:

to ensure a smooth connection to our website and proper use of our website,

for evaluating system security and stability,

for further administrative purposes.

The grounds of processing such data are the performance of the contract for providing you our website and our legitimate interest to ensure that our website functions adequately.

Also, when you visit our website, we install cookies and other tracking technologies on your device and use analysis services. For further details, please refer to section 10 below, which sets out our Cookies Policy.

4.2. PERSONAL DATA PROCESSED WHEN SUBSCRIBING TO CLA Romania NEWSLETTER

If you have expressly consented, your e-mail address, first name and last name will be used to send you our newsletter on a regular basis. Once your data is recorded in our databases, the newsletter is automatically sent, without the intervention of a human operator.

In addition to this data, when you open our newsletter we may also process the following data: the IP address of your device, the browser used and your location, via the Mail Chimp web signposts integrated in our newsletter.

Your data will be processed exclusively for sending and personalization of the newsletter, as well as for assessing the degree of access to our newsletter.

Such data will only be disclosed to our partner, Mail Chimp (The Rocket Science Group LLC), a limited liability company from the United States (Georgia), which helps us in sending our newsletter to you and provides us with reports on the degree of access to the newsletter. Your data will also be stored on the Mail Chimp servers in the United States. Data processing performed by Mail Chimp complies with the requirements of the EU-U.S. Privacy Shield principles (Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield).

In case you change your mind and wish to withdraw your consent, you can unsubscribe via a link at the end of each newsletter or by submitting a request using the contact details indicated in section 3 above.

4.3. PERSONAL DATA PROCESSED WHEN YOU SUBMIT AN ENQUIRY OR A REQUEST FOR A BROCHURE OR AN OFFER VIA OUR CONTACT FORMS

When submitting an enquiry or a request for a brochure or financial offer on our website, you will need to complete contact forms with the following data: name, organization, phone number, e-mail address, enquiry type and a brief description of your enquiry, as the case may be. When submitting a request for an offer, you will also have the possibility to attach a document you consider relevant for our analysis.

We consider such enquiries and requests to be pre-contractual approaches; we shall therefore process the data above for the purpose of answering your query, based on article 6 (1) b) GDPR.

If no contractual relationship is agreed within a period of 6 months after your enquiry or request for a brochure/offer, we shall delete your personal information, or anonymize it and use it in anonymized form for statistical purposes or for training our employees.

4.4. PERSONAL DATA PROCESSED WHEN APPLYING FOR A VACANT POSITION IN OUR COMPANIES VIA THE CAREERS SECTION OF OUR WEBSITE

When applying for a vacant position within the Group via the Careers section of our website, you are requested to provide us with the following data: name, organization, phone number, e-mail address, enquiry description/letter of intent, education, professional experience and other information you include in your CV, letters of recommendation.

We shall process such information for the purposes of handling your job application, more precisely for evaluating your application; record-keeping related to hiring processes; analysing the hiring process and outcomes; and conducting background checks, to the extent permitted by applicable law.

The processing of personal data is necessary for the conclusion and execution of the individual labour contract. For this purpose, the legal basis for processing is Article 6 (1) (b) of the GDPR.

Following the conclusion of the recruitment process for a particular position, we keep your personal data for a specified period in order to satisfy our legitimate interests, namely to facilitate future recruitment processes by maintaining a temporary database of candidates who have shown potential. In this case, the legal basis for the processing is Article 6 (1) (f) of the GDPR.

Personal information provided to us for the purpose of a job application will be kept for a period of up to 4 months if your application is unsuccessful or shall be further processed within your employee file for successful applicants.

4.5. PERSONAL DATA PROCESSED WHEN REGISTERING AND LEAVING COMMENTS ON OUR BLOG

When registering or leaving comments on our blog you shall be requested to provide us with the following information: username, password, name, e-mail address, comment, your site URL.

We process such data exclusively for operating the blog section of our website and for granting you the possibility to interact with other users and the authors, based on our legitimate interests to obtain feedback and to interact with our subscribers.

We draw your attention to the fact that the comments are a public section; you should therefore avoid disclosing personal information in your comments.

We shall keep the personal data above up to a period of 1 year.

4.6. PERSONAL DATA PROCESSED WHEN USING THE “SEND TO A COLLEAGUE/E-MAIL THIS LINK TO A FRIEND” OPTION

When you send a message or an article to a colleague or friend of yours, we shall collect the following data: your name, your e-mail address, the name of the recipient, his/her e-mail address and your message.

We process such data exclusively for sending the message/link to the recipient indicated by you, based on our legitimate interest to have our website pages and articles forwarded to all potential interested persons.

We shall keep the personal data above only for a period of 1-6 months.

4.7. PROCESSING OF SENSITIVE DATA OR MINORS’ DATA

We shall not collect through our website sensitive information, unless legally required for recruiting purposes.

Our website and its content are not intended for or addressed to minors. Thus, we shall not deliberately collect or maintain personal data about minors, unless this is part of a commitment to provide you professional services.

5. On what grounds do we process personal data?

When processing your personal data, we rely on the following legal grounds:

  • Consent, as per article 6 (1) a) GDPR – we may (but usually do not) need your consent to use your personal information. You can exercise your right to withdraw consent by contacting us as described below. Where applicable, a specific request/form will be provided to you so that you can express your consent to the processing of the respective personal data.

  • Performance of a contract or to take steps at your request prior to entering into a contract with us, as per article 6 (1) b) GDPR – we may need to collect and use your personal information in order to take steps for the conclusion of a contract, to conclude a contract with you, to perform our obligations under a contract with you or otherwise execute the contract.

  • Compliance with law or regulation, as per article 6 (1) c) GDPR – we may use your personal data in order to comply with an applicable law or regulation.

  • Legitimate interest, as per article 6 (1) f) GDPR – we may use your personal information for our legitimate interests, some examples of which are given above.

6. To whom do we disclose or transfer personal data?

Your personal information will be mainly disclosed to our employees from specific departments and to the companies that are part of CLA Romania, as it will prove to be necessary.

When justified and/or necessary, we may also share your personal information outside our Group. This may include:

  • Third party agents/suppliers or contractors bound by obligations of confidentiality. This may include, without limitation, IT and communications service providers.

  • Third parties relevant to the legal services that we provide. This may include, without limitation, counterparties to transactions, other professional service providers, legal representatives, the employer or potential employer, Romanian Immigration Office, Notaries Public, Trade Register, public authorities and institutions, as empowered by the law to request information on personal data collected during CLA Romania’s specific activity.

  • To the extent required by law, search warrant or court order, for example, if we are under a duty to disclose your personal information in order to comply with any legal obligation.

In case it will be necessary to transfer your personal information outside the European Economic Area, we will ensure that it is protected and transferred in a manner consistent with legal requirements, including the following:

  • the European Commission has issued a decision recognizing the adequate character of data protection in the envisaged third country or where the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield scheme;

  • the recipient has signed a contract based on “standard contractual clauses” approved by the European Commission, obliging them to protect your personal information, or

  • we have obtained your prior explicit consent.

In all cases, however, any transfer of your personal information will be compliant with applicable data protection law.

You can obtain more details of the protection given to your personal information in case of transfer outside the European Economic Area (including a sample copy of the standard contractual clauses) by contacting us using the details set in section 3 above.

7. Where and for how long do we store personal data?

Your personal data is stored by CLA Romania mainly on servers located within the European Economic Area.

We process and retain personal data only for as long as is necessary to fulfil our purposes, contractual obligations and other legal obligations of storage / archiving, as the case may be.

We shall retain the data only for as long as is necessary and / or prescribed by law for that purpose. For example:

  • Data processed for billing purposes and supporting accounting documents will be kept for a period of 5 years, calculated from the date of July 1 of the year following the end of the financial year in which the mandatory accounting registers and the supporting documents that are the basis of the records in the financial accounting were drawn up, according to the Accounting Law no. 82/1991;

  • Data processed under your consent will be processed during the validity period of your consent or until you choose to withdraw your consent, or the data is no longer necessary;

  • Data processed under our legitimate interest will be processed for a maximum period of 1 year, after which it will be anonymized and processed for statistical purposes.

8. What are your rights as data subject?

8.1. RIGHT OF ACCESS

Upon your request, we will confirm that we process your personal data and, if so, we will provide you with a copy of your personal data that is subject to our processing and the following information:

  1. the purposes of the processing;

  2. the categories of personal data concerned;

  3. the recipients or categories of recipients to whom personal data has been or is to be disclosed, in particular recipients from third countries or international organizations;

  4. where possible, the period for which personal data are to be stored or, if that is not possible, the criteria used to determine that period;

  5. the existence of the right to require the operator to rectify or erase personal data or to restrict the processing of personal data relating to the data subject or the right to object to processing;

  6. the right to lodge a complaint with a supervisory authority;

  7. where personal data are not collected from the data subject, any available information on their source;

  8. the existence of an automated decision-making process including the creation of profiles and, in those cases, relevant information on the logic used and the significance and expected consequences of such a processing for the data subject.

If we transfer your data outside of the European Economic Area or to an international organization you have the right to be informed of the appropriate safeguards applied.

The first copy of your personal data is provided free of charge. For additional copies, we may charge a reasonable fee, taking into account the related administrative costs.

We also note that the right to obtain a copy of your personal data processed by CLA Romania must not affect the rights and freedoms of other persons.

8.2. RIGHT TO RECTIFICATION AND/OR COMPLETION OF PERSONAL DATA

If the data we hold about you is inaccurate or incomplete, you are entitled to correct it or to complete it. In order to do so, you can submit a request using the contact details provided above. Unless this proves impossible or involves disproportionate efforts, we will notify each recipient to whom your data has been disclosed of the rectification or completion of your data. Upon your request, we will inform you of those recipients.

In order to keep personal data accurate, we may request you to reconfirm/renew your personal data from time to time.

8.3. RIGHT TO ERASURE OF PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)

You may ask us to delete your personal information and we will respond to your request without undue delay, if one of the following situations applies:

  1. Data are no longer required for the purposes for which they were collected or processed;

  2. You withdraw consent to the processing of your data when your data processing is based on your consent and there is no other legal basis on which to process your personal data;

  3. You oppose the processing of your data on our legitimate interest, including the creation of profiles based on this ground, or you oppose data processing for direct marketing purposes, including the creation of profiles for direct marketing purposes;

  4. Your data has been processed unlawfully;

  5. Personal data should be deleted to comply with a legal obligation under Union law or national law;

  6. Personal data have been collected in connection with the provision of information services to children and the basis of processing is consent.

Unless this proves impossible or involves disproportionate efforts, we will notify each recipient to whom your data has been disclosed of the deletion of your data. Upon your request, we will inform you of those recipients.

We reserve the right to refuse the deletion of your data when processing is required:

  • for the exercise of the right to free expression and information;

  • in order to comply with a legal obligation that applies to us as a personal data operator;

  • for purposes of archiving in the public interest, scientific or historical research or for statistical purposes, insofar as the deletion of the data is likely to render impossible or seriously impair the achievement of the objectives of the processing;

  • to establish, exercise or defend a right in court.

8.4. RIGHT TO RESTRICTION OF PROCESSING

You may ask us to block and restrict the processing of your personal information if one of the situations below applies:

  1. You contest the accuracy of the data – in this case, at your request, we will restrict the processing for the period in which we perform the necessary checks on the accuracy of your data;

  2. The data processing is illegal, and you do not want to delete your data;

  3. We no longer need your data for processing, but processed data about you is necessary to establish, exercise or defend a right in court;

  4. You opposed the processing of your data under our legitimate interest, including the creation of profiles on this basis – in this case, at your request, we will restrict the processing for the period in which we verify that our legitimate rights do not prevail over your rights.

If the processing of your data has been restricted, we will only be able to store your data. Any processing other than storage will be done only:

  • after obtaining your consent;

  • for finding, exercising or defending a right in court;

  • to protect the rights of another natural or legal person;

  • for reasons of public interest of the Union or of a Member State.

We will inform you before lifting any processing restriction as set out above.

Unless this proves impossible or involves disproportionate efforts, we will notify each recipient to whom your data has been disclosed of the restriction of the processing of such data. At your request, we will inform you of those recipients.

8.5. RIGHT TO DATA PORTABILITY

You have the right to receive the data that concerns you and that you have provided us with in order to transmit such data to another controller, in the following circumstances:

  1. Your data processing is based on your consent or on a contract between us and you;

  2. Your data is processed by automatic means.

We will provide your personal data in a structured, commonly used and machine-readable format.

If technically feasible, you can request that your personal data be transmitted directly to the controller indicated by you.

8.6. RIGHT TO OBJECT AND AUTOMATED INDIVIDUAL DECISION-MAKING

You may request us not to further process your personal information for reasons relating to your particular circumstances, if the processing of your data is based on our legitimate interest. We will cease processing your data unless we demonstrate that we have legitimate and compelling reasons that justify the processing and that prevail over your interests, rights and freedoms, or that the purpose of the processing is to establish, exercise or defend a right in court.

In addition to the above, you may request that we no longer process your personal data for direct marketing purposes, including the creation of profiles related to that direct marketing.

8.7. RIGHTS IN RELATION TO AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING

You have the right not to be subject to a decision when it is based on automatic processing, including not being profiled, if the automatic decision or profiling has legal effects or significantly affects you, except in the following cases:

  1. The automatic decision is required to conclude or execute a contract between you and us;

  2. The automatic decision is authorized by European Union or national law applicable to CLA Romania and also provides for appropriate measures to protect the legitimate rights, freedoms and interests of the data subject;

  3. The automatic decision is based on your express consent.

If the cases indicated in points 1 and 3 above apply, you may exercise the following related rights:

  • the right to obtain human intervention on our part;

  • the right to express your point of view;

  • the right to challenge the automatic decision.

8.8. RIGHT TO WITHDRAW CONSENT

If we rely on your consent (or explicit consent) as the legal basis for processing your personal information, you have the right to withdraw your consent at any time and we will cease processing your personal data.

Withdrawal of consent does not affect the lawfulness of the processing of your personal data on the basis of your consent prior to its withdrawal.

8.9. RIGHT TO LODGE A COMPLAINT WITH NATIONAL SUPERVISORY AUTHORITY FOR PERSONAL DATA PROCESSING OF ROMANIA (“ANSPDCP”)

You have the right to contact the ANSPDCP if you believe the processing of your data is not in compliance with the applicable law. More information about ANSPDCP can be obtained by visiting http://www.dataprotection.ro/.

8.10. RIGHT TO SEEK JUDICIAL REMEDY

Without prejudice to any other administrative or non-judicial remedy, you have the right to pursue an effective judicial remedy against a legally binding decision of ANSPDCP.

9. How can you exercise your rights?

Submitting a request.  For the exercise of any rights above, please submit your request in writing or by phone, using the contact details indicated in section 3 above.

Identification of the applicant. In order to be able to properly manage your request, we urge you to identify yourself as completely as possible. In case we have reasonable doubts as to the identity of the applicant, we will ask for further information to confirm your identity.

Response time. We will respond to your requests without undue delay, and in any case within one month from the receipt of the request. Insofar as your application is complex or we have to process a large number of requests, we may reasonably postpone the delivery of our response for up to two months, with prior notice to you.

Providing our answer. We will provide you with our response and any requested information in electronic format, unless you request them to be provided in another format.

Refusal. In so far as we refuse to meet your request, we will inform you of the reasons which led to such a decision and of the possibility to submit a complaint to ANSPDCP and to apply for a judicial remedy.

Fees. Exercising your rights as a data subject is free. However, to the extent that your claims are manifestly unfounded or excessive, especially in the light of their repetitiveness, we reserve the right to levy a fee or to refuse the fulfilment of the request.

10. Cookies Policy

10.1. WHAT ARE COOKIES?

Cookies are small files of letters and numbers that are stored on your computer, mobile terminal, or other equipment that you use to access the internet. There are two main types of cookies:

  • Session cookies – temporary cookies which allow website operators to link the actions of a visitor during a browser session. They are activated when the browser window is opened. Once you close the browser, all session cookies are deleted.

  • Persistent cookies – remain on a user’s device for a set period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie.

Cookies are installed at the request of our web server to your browser (e.g. Internet Explorer, Chrome). They do not contain software, viruses or spyware, and cannot access information from your hard drive.

10.2. WHAT TYPES OF COOKIES DO WE USE AND FOR WHAT PURPOSES?

  • Strictly necessary cookies – are essential to navigate around our website and to use its features. These cookies do not gather personal information about you.

  • Performance cookies – collect data for statistical purposes on how visitors use our website. They do not contain personal information such as names and email addresses and are used to improve your experience on our website. Information supplied by performance cookies can help us understand how you use the website; for example, whether or not you have visited before, what you looked at or clicked on and how you found us. Such data will be used to further improve our services.

  • Analytics cookies – cookies generated by the Google Analytics software to account for the activity of visitors and the frequency with which the Site is accessed. We have taken care that the data transmitted by these cookies does not lead to your identification.

Name       Purpose     Expiry
_ga        Analytics   2 years
_gid       Analytics   3 months
_gat       Analytics   1 month
_pk_ses    Analytics   13 months
_pk_uid    Analytics   13 months

  • Functionality cookies – remember usernames, language preferences and regions, allowing users to customize how our website looks for them.

Name                               Purpose
9d0baa83813cb2084854e78ee4f5beac   language

  • Advertising and targeting cookies – are used to deliver more relevant advertisements to you, but can also limit the number of times you see an advertisement, and be used to chart the effectiveness of an ad campaign by tracking users’ clicks.

Name       Purpose     Expiry
Twitter    Analytics   13 months
Linkedin   Analytics   13 months
Facebook   Analytics   13 months

10.3. HOW CAN YOU REFUSE OR DEACTIVATE COOKIES?

With the opening pop-up message, you can select which cookies you want to use, except for the strictly necessary cookies. Deactivating strictly necessary cookies will disable essential website services rendering it unusable.

You can also disable cookies by changing your browser settings. For more information about this, please visit your browser’s settings page.

10.4. SOCIAL MEDIA TECHNOLOGIES

Facebook Like and Share plugins – allow visitors to Like the CLA Global Romania Facebook page or share CLA Global Romania websites with friends. If a person is connected to Facebook and visits the Site, the browser sends this information to Facebook in order for Facebook to upload content on that page. Among the data that can be sent to Facebook are: the user ID, the site you visit, the date and time, and other browser-related information. If you are disconnected from your Facebook account, less information will be transferred to Facebook.

This personal information can be used wholly or in part by Facebook to improve Facebook products and services and to provide personalized ads. For more information you can consult Facebook privacy policy.

https://www.facebook.com/business/gdpr

Google+ plugin – when you visit a site that has a Google plugin, your browser sends a range of information to Google, such as the URL of the page you’re visiting and your IP address. Google can access and read the cookies stored on the visitor’s device. Apps that use Google’s advertising services also share information with Google, such as the app’s name and a unique identifier for advertising.

https://cloud.google.com/security/gdpr/

“Share with LinkedIn” plugin – when a person visits a site that has integrated such a plugin, LinkedIn receives the following visitor information: the URL of the site from which it came and the one to which it is going. We also receive information about IP address, proxy server, operating system, web browser and add-ons, device ID and/or ISP and/or mobile phone identifier and features. If the site is accessed from a mobile device, the device will send us your location data according to the visitor’s phone settings.

https://www.linkedin.com/legal/privacy-policy

Tweet plugin – when a person visits a site that has integrated such a plugin, Twitter can receive the following personal information about the visitor: visited web page, IP address, browser type, operating system, and cookie information. This information is collected to improve Twitter products and services, including personalized ads.

https://twitter.com/en/privacy

11. Ensuring personal data security

To keep this website safe, we use the SSL (Secure Sockets Layer) method for your visit to the website, in conjunction with the highest encryption level supported by your browser. In general, this is 256-bit encryption. Whether an individual page of our website is encrypted is indicated by the closed key or lock icon in the status bar of your browser.

At organizational level, we have adopted and instructed our employees to follow internal procedures aimed at preventing loss or unauthorized access or disclosure. All persons, including our employees, processing your personal data under our authority have pledged to preserve the confidentiality and security of all such personal data.

We have also implemented adequate security measures to protect your data against IT threats and other potential data breaches. Such security measures shall be continuously improved in line with technological developments.

12. Security incidents. Data breaches.

Security incidents are events that lead to the accidental or intentional destruction, loss, alteration or disclosure of, or unauthorized access to, certain information, and that may give rise to data breaches where personal data is involved.

Who analyzes security incidents at CLA Romania?

The team that will analyze security incidents at CLA Romania consists of:

  • a person from the legal department of CLA Romania or an external consultant with legal studies;

  • a person from CLA Romania’s IT department or an external consultant with studies in the IT field;

  • a person from the department where the security incident took place;

  • the person responsible for the protection of personal data of the CLA Romania;

  • a person from CLA Romania’s management.

What do we do in the event of a security incident?

When a security incident is detected or suspected, it must be analyzed from the perspective of the risk and its effects/possible effects.

In the situation where the said security incident is not considered a data breach, in the sense that no personal data is involved, then the incident will only be properly documented in the CLA Romania’s Security Incident Register.

If the security incident is considered a data breach, then an analysis will be required to establish the risk to the rights and freedoms of the data subjects. Depending on that risk, notification of the ANSPDCP, as well as of the data subjects, will or will not be required.

When assessing the risk to the rights and freedoms of the persons concerned, it is important to focus on the potential negative consequences for the individual.

If, following the evaluation process, it is concluded that the data breach does not affect the rights of the data subject, it will be duly documented in the CLA Romania’s Security Incident Register and the ANSPDCP or the data subjects will not be notified.

Instead, if, following the evaluation process, it is concluded that the data breach affects the rights of the data subject, it will be documented in the CLA Romania’s Security Incident Register and the ANSPDCP will be notified, according to the legal provisions.

Moreover, if the data breach is likely to generate a high risk for the rights and freedoms of the data subjects, respectively their private life, then notification of the data subjects is required.

A high risk is a situation in which the level of damage to the private life of the person concerned is higher than the threshold required for informing the ANSPDCP.

What time period is regulated for reporting a data breach?

Data breaches that require notification to ANSPDCP must be notified within no more than 72 hours from the date on which the CLA Romania became aware of said data breach.

In the event that the ANSPDCP notification cannot be carried out within the term stipulated by law, then it must be accompanied by a reasoned explanation for the delay.

What categories of information are necessary for notifying the security breach to ANSPDCP?

The CLA Romania must provide ANSPDCP with the following information:

  • a description of the nature of the security incident that occurred;

  • the categories and approximate number of individuals affected or likely to be affected;

  • categories and approximate amount of personal data impacted;

  • the name and contact details of the data protection officer and other relevant persons for the given situation;

  • a description of the consequences of the data breach on the rights and freedoms of the affected persons;

  • a description of the measures taken or proposed to be implemented by the operator, in order to minimize or remedy the negative effects of the data breach on the persons concerned.

The ANSPDCP notification form is regulated and adopted at the level of the CLA Romania.

In the event that CLA Romania does not notify ANSPDCP of those data breaches that require notification, it assumes the consequences provided by the legislation in force.

What information must be provided to the data subjects when we inform them about the occurrence of the data breach?


Where affected individuals need to be notified of a security breach of personal data, CLA Romania must communicate, in simple and clear language, at least the following information:

  • the name of the data protection officer or another contact point where they can obtain more information;

  • a description of the possible consequences that may occur as a result of the data breach;

  • a description of the measures adopted or proposed to be adopted in order to limit or cancel the effects of the data breach.

The notification form of the persons concerned is regulated and adopted at the level of the CLA Romania.

Both the task of notifying the ANSPDCP and of notifying the persons concerned, as the case may be, rests with the Personal Data Protection Officer.

All security incidents, including data breaches, will be properly documented in CLA Romania’s Security Incident Register by the Personal Data Protection Officer.

13. Final provisions

This Privacy Policy was updated on 21.07.2024.

CLA Romania reserves the right to modify or amend this Privacy Policy at any time by publishing an updated version here.

CLA ROMANIA
