1.1. Purpose and scope
This Personal Data Protection and Security Policy (hereinafter referred to as the “Personal Data Protection Policy” or the “Policy”) mainly aims to set the policy of KMG International and its affiliates (the “Company”) on personal data protection the Company processes in its activities in relation to its employees, customers or any other data subjects.
The Personal Data Protection Policy is implemented and it shall be strictly complied with by the Company’s employees and/or collaborators/business partners, whenever they process personal data during and while carrying out their job duties. The Company collects stores and uses personal data in its daily activity. Therefore, the personal data are processes for legitimate purposes, such as, but not limited to, the performance of the individual employment contracts, or legal or commercial agreement the Company is a contracting party to, for marketing purposes, as well as for other purposes, in accordance with the requirements of the regulations in force.
In line with the requirements of the Law on personal data protection, as well as with its all subsequent related legislation, the Company considers the personal data protection of its own employees, customers and/or collaborators/contractual partners as of outmost importance.
This Policy gives an overview of the minimum personal data protection requirements and directs to more detailed instruction, if applicable. This document is also the basis for adopting and implementing the necessary organizational and technical measures for maintaining the confidentiality and integrity of personal data.
This Policy is applicable and shall be notified to all KMG International companies, irrespective of the data location or the type of device on which they are stored. Therefore, the rules provided by the Policy must be used and implemented by all employees, contractors, consultants, and other members of KMG International Group and third parties having access to information held or maintained by the KMGI Companies and/or to IT systems used for storing and processing them.
2. Definitions and abbreviations
KMG International/ Company KMG International N.V. and its affiliates
KMG Rompetrol KMG Rompetrol S.R.L. and all the other companies within the Romanian Group
KMG International Data, Company’s Data Personal data held, processed or collected, recorded, structured, stored, received, consulted, disclosed by transmission, erased, etc. by KMG International, either primary or secondary, irrespective of the storage location. The term is used interchangeably with the term “information” or “data”. It refers to, but is not limited to any information on an identifiable natural person, such as a name, first name, residence address, personal identification number, series and number of the identity card/passport, civil status, gender, professional background information, data on the personal preferences, his/her behaviour, etc.
Contract A contract between KMG International and a Provider under which:
i) the Provider provides services to KMG International or KMG International customers, and/or
ii) the Provider is granted access to KMG International or the facilities of the KMG International customers, network(s), media and/or confidential information.
Assets Any tangible or intangible assets held by KMG International which the Provider is responsible for.
Availability Any Information system for reaching its aim; it must allow the availability of the information when it is necessary. Therefore, the Information systems used for storing and processing the information, security control used for protecting it and the communication channels used to access it must operate correctly.
Business Information System A computer information system or a business and financial application offering the complete information delivery. The data are an integral part of the conduct of the business, including all information processes and necessary software for meeting the business requirements. A business system comprises the information processes, data control, stored data, reports and other forms.
Business Account Manager (BAM) An internal IT structure of the Group being responsible for ensuring that the Group’s business systems meet the requirements of KMG International and that the systems’ strategies and plans are effectively communicated. This structure cooperates with Company’s business functions and professional within the IT Division for planning, designing, testing, implementing and maintaining automatic information systems.
Business Information System Owner (BISO) The Business Information System Owner (BISO) – also hereinafter referred to as the “System Owner” – is the person responsible for overall acquisition, development, integration, modification, operation, maintenance and recall of an information system. The System Owner is the key person contributing to the development of system design specifications for ensuring that the user’s security and operational needs are documented, tested and implemented.
Business Unit /BU Division, facility or department of the Company organized as such in the Company’s Organizational Chart (e.g. Marketing, HR, Accounting, Compliance, IT, etc.).
Company’s Data/information They include, but are not limited to, data/information produced by the Company, data/information the Company holds the Intellectual Property rights over, data/information the Company owns or holds in custody, communications set to or from the Company, irrespective on the medium they are stored on: systems attached to the Company’s corporate data or phone networks, systems managed by the Company or third parties on behalf of the Company, mobile devices used for connecting to the Company’s networks or those storing the Company’s Data, cloud services operated by third parties on behalf of the Company.
Computer Any desktop or laptop computer, mobile device (e.g., mobile phone, Smartphone, tablet, etc.), server and/or storage device that:
i. is involved in the service performance
ii. can be used for accessing a network or a medium, or
iii. can access or store confidential information.
Confidential Information Any information, irrespective of the format in which they are presented (e.g. orally, on paper or in any other intangible format), including, but not limited to, data, personal information, intellectual property, passwords, information on the Company’s customers, providers, partners and staff, information not yet public on the Company’s products
Confidentiality For complying with the Information Security requirements, it must not be disclosed to the public and/or transmitted to unauthorized persons, companies, or accessed/transferred or involved in any way in unauthorized processes.
Medium Any information medium, including, but not limited to, development, testing, benchmarking, manufacturing and/or supporting application and information medium the Provider has access to under a contract or which is used for providing services and comprises confidential or proprietary information related to the business.
ISO/IEC 27001:2013 This is a specification for the Information Security Management System (ISMS). The organizations meeting the standard may be certified as complaint by an independent and accredited certification body when successfully completing a formal compliance audit.
Facilities Any offices, data centres and other locations (owned or managed by the Company, a Company’s business partner, Provider or a third party) which the Company’s confidential information, media or networks can be accessed from or (b) any handling or permanent or non-permanent storage assets of the Company. The references herein to:
i. “KMG International Facilities” are deemed to include facilities of the KMG International’s business partners, and
ii. “Provider’s Facilities” are deemed to include third party facilities used by the Provider.
Group IT The Groups’ Information Technology gives a wide range of technological and support services for KMGI Business Units and its staff. The Group IT is responsible for providing a KMGI infrastructure with a reliable, flexible and safe infrastructure and for delivering information technologies services for supporting business excellence and professional services.
Information Security Incident An incident is an explicit or implicit breach of the Company’s Information Security Policy:
• Attempts (either failed or successful) to gain unauthorized access to a system or its data;
• Unwanted interruption or rejection of the service;
• Unauthorized use of a service for data processing or storing;
• Changes in the system’s hardware, firmware, or software characteristics without the owner’s knowledge, instructions or consent.
Security incident impacting data protection “Personal data security breach” means a security breach accidentally or illegally leading to the destruction, loss, modification, or unauthorized disclosure of personal data sent, stored or otherwise processed, or unauthorized access to them. Finding these circumstances represents in fact finding a “security incident impacting data protection”.
Integrity In Information Security, data integrity means maintaining and ensuring the data accuracy and complexity throughout the entire life cycle (the data cannot be changed without authorization or detection)
Staff All Company’s employees, contractors, subcontractors and agents having access to facilities, networks, media and/or confidential or proprietary information.
Product A finished product, hardware or software component or product assembled, manufactured for or provided to KMG International.
Services The works specified in an agreement, contract, or activity schedule concluded between the Company and a third party.
Provider A company (including ding its staff) that:
i. Provides services under a contract and/or
ii. Has access to the facilities, networks, media and/or confidential and/or proprietary information on the business of KMG International.
System Administrator/Manager The Group managing the daily technical operation of the business system: database management, software distribution and updating, version control, backups and recovery, virus protection, and capacity performance and planning. The Group’s IT Department provides this service to KMG Rompetrol.
User A person (e.g., employee of any KMG Rompetrol Business Unit) interacting with the computer at the application level. Software developers, system administrators/managers and other technical staff are not deemed users when working on the information system in their professional capacity. The system users must use the application as and for the business purpose which it was designed for, and comply with all specified control and security requirements.
Personal data represent any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Identified usually means identified by name, but the identification is not limited to the name and first name of the person, the term of “personal data” including all elements specific to the identity of the data subject as mentioned above.
Identifiable means that a person can be identified by an analysis of the elements/data that are already available or from other sources.
Data subject is the natural person whose personal data are processed by the Company (e.g.: employees, customers, collaborators or business partners – natural persons).
Personal data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data filing system any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Complaint means complaint, application by which the data subject exercises his/her personal data protection rights under the regulations in force.
Pseudonymised data means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
Anonymous data means the information that, due to their origin or specific processing method, cannot be associated with an identified or identifiable person. Anonymous data do not represent personal data.
Data controller is the natural person or private or public legal entity, including public authorities, institutions and their territorial units, which determines the purposes and means of the processing of personal data. In this case, the Company, KMG International N.V., as well as any of its affiliates is a personal data controller for the data it processes in its business activity.
Processor is the natural person or private or public legal entity which processes personal data on behalf of and for the Company. It may be a provider of KMG International N.V. or its affiliates accessing the data of the data subjects, such as a training service provider, advertising agency or another company which processes personal data on behalf of the Company.
Recipient may be a public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
3. Company’s objectives
By this Policy, the Company aims to:
- ensure that the personal data are processed in accordance with the legitimate purposes for which they were collected;
- ensure that all personal data are adequately protected against attacks/threats, so as the personal data security is assured;
- create an awareness campaign related to the personal data protection requirements, so as they shall be integrated in the daily operations the employees perform, ensuring that all employees are informed on the procedures they must follow for personal data collection, legitimate processing, disclosure, transfer, retention, archiving and destruction;
- ensure that all the Company’s employees understand the importance of practices related to personal data protection, as well as their responsibilities related to maintaining the personal data security, being aware of all contractual, statutory and regulatory implications the incidents that could affect the personal data, respectively personal data security breaches, could trigger;
- ensure that all users, employees, and business partners collecting, storing and processing personal data on behalf and for the Company meet and implement adequate personal data protection and security measures. The personal data shall not be disclosed in any way, accidentally or otherwise, to any unauthorized local person or to any third party.
The links to other relevant documents, applicable within KMG International, are shown at the end of this policy. This list is for information only, and all relevant documents can be found in the KMG International intranet page, under the section designated for this purpose.
Any breach of or failure to comply with this Policy or the available instructions of the Company, in particular, any wilful disclosure of personal data to any unauthorized person or third party may lead to disciplinary actions or any other adequate actions.
The Company shall continue to perform regular audits in order to ensure that this Policy and Governing Law are complied with and in order to ensure that all the instructions and implementation-related support are maintained up to date.
An unauthorized access to or disclosure of personal data or other cases involving the data security breach are reported to the Company’s Legal Department, Company’s Compliance Department or Company’s Information Security Department as soon as possible.
The Company’s Information Security Department, together with all the delegates of the Compliance Department must ensure that the Company’s staff is informed with regard to their obligations under this Policy and Governing Law, to the operational support tasks and recommendations sent to all employees.
4. Governing law
- Regulation no. 679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (EU General Data Protection Regulation/GDPR)
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector,
- Convention for the Protection of Human Rights and Fundamental Freedoms ratified at Rome on 4 November 1950
- Convention for the Protection of individuals with Regard to Automated Processing of Personal Data, adopted at Strasbourg on 28 January 1981, ratified by the Law no. 682/2001
- Guidelines of the European Data Protection Supervisor on video surveillance, published on 17 March 2010
The provisions of these instruments are applicable in Romania, as well as in Bulgaria
- Law no. 677/2001 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
- Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector
- Order of the Ombudsman no. 52/2002 approving minimum security standards in the activity of personal data processing
These provisions set a rights and responsibilities framework designed to protect personal data that applicable only in Romania.
For other KMGI companies in non-EU countries, the local regulations shall prevail, and the current Policy shall operate as a framework reference. However, with regard to processing personal data of EU residents, the non-EU KMGI entities shall comply with this policy and General Data Protection Regulation in order to avoid a breach of regulations applicable to EU KMGI entities, respectively in order to ensure the data protection of data subjects.
5. Personal data
Various type of information are included in the activities carried out by the Company, which relate to: identification data of natural persons, business information and information on service/product development, marketing and business plans, information on customers, human resources, consultancy, partnerships, contracts, mergers and acquisitions.
Taking into consideration the wide range of confidential data the Company manages, it is important that the employees understand the personal data category/categories they process, so as to be able to determine the applicable protection rules to the relevant data and applicable risk management method.
This policy defines the personal data processed by the Company within and during its business activity, the confidential information capacity being applicable to this category.
a) Personal data include any information related to such identified or identifiable natural person, such as, but not limited to:
- Name, first name,
- Identity of the parents and family members (husband/wife, children, dependents of the data subject),
- Address (domicile or residence),
- Data from the identity documents, birth certificates, marriage certificates, driving licence, passport, residence permit, copies of the mentioned documents, etc.;
- Education, Occupation, CV, copies of diplomas, copies of qualification certificates
- Personal data on financial status (e.g. data on income, monthly expenses, assets owned by the data subjects, leasing agreements, benefits, wages, , bonus, performance bonus),
- Email, phone number,
- User accounts for the Company’s applications,
- Banking data (account for the wage payment)
- Data on the services and products purchased or to be purchased (e.g. data on estimated consumption, monthly expenses for fuel, type of fuel used, station where the Operator’s customers choose to collect their card, etc.),
- Geolocation data (e.g. station where they refuel from, route from home to work and back, time of travelling to and from work),
- Data on the work place, including the employer’s name and identification data, work phone number, work email, position, department, manager’s name, internal ID number, date of employment/date of leaving the company, job level,
- Data on the employee’s status (number and date of the individual employment contract, positions, work place, internal ID number, date on which the current job started),
- Number of the retirement file, etc.
Personal data include information that can be found in any form, whether alphabetical, numerical, graphical, photographical or acoustic, and may be found in physically (paper), or electronic (computer memory) format, or even as video and audio recordings.
b) Special categories of personal data
“Special categories of personal data” refer to the racial or ethnic origin, political, religious, philosophical or similar beliefs, trade union membership, as well as personal data concerning health or sexual activity, as well as those concerning offences, security measures or administrative or criminal penalties.
At the same time, biometric data, respectively prints, face structure, voice, or even behavioural characteristics (e.g. handwritten signature, a certain way of walking or talking, etc.), are considered personal data, being included in the special categories of personal data regulated by the national and European regulations in the field.
Special categories of personal data include, but are not limited to:
- Personal Identification Number (PIN),
- Number and series of the identity card and passport,
- Data on political membership and opinions of the data subjects,
- Data on association membership and opinions expressed within their activities,
- Data on criminal records,
- Genetic and biometric data,
- Data on medical records and any data on the employees’, collaborators’, etc., health.
6. Main personal data processing operations performed within the activities carried out by the Company and purpose for processing
6.1. The main processing operations/sets of operations could consist of:
- collecting or recording and organising personal data
- storing, respectively maintaining on any type of medium the personal data collected
- their adapting or changing or use,
- extracting personal data
- consulting personal data
- disclosing to third parties by transmission, dissemination or otherwise
- joining or coupling personal data
- blocking, erasing or destructing personal data.
6.2. Purpose of personal data processing
The personal data of customers/potential customers/customers’/potential customers’ legal representatives can be collected and used during the performance of specific activities and projects, such as:
- creditworthiness assessment and credit risk assessment performance for the specific products provided by the Company (e.g. Fill and Go credit), respectively for recovering the debts to the Company,
- concluding and performing the contracts, including service contracts, product delivery, purchased service and product invoicing,
- fulfilling a legal obligation, such as issuing fiscal invoices or receipts and payment/collection orders,
- performing marketing activities, by sending newsletters or other commercial communications by email, text message or post,
- carrying out a customer profile for receiving customized offers,
- organizing interne and external events,
- processing operations carried out by the Company’s agents/external partners, such as advertising agencies,
- contracting customers – natural persons filling in form for enrolling in loyalty programmes, collecting filled-in form and assisting the customers during the enrolling process,
- managing customers – natural persons, users of Fill&Go cards,
- collecting the price of fuel/other products/services purchased in the fuel distribution stations,
- checking the available credit limit/giving discounts /points/other benefits, as the case may be,
- creating accounts for accessing the Company’s systems.
The employees’ personal data can be collected and used by the Company in order to carry out specific activities and projects, such as:
- carrying out the recruitment process,
- concluding and performing the individual employment contracts, paying wages and benefits, carrying out the activity related to the presence at work, carrying out training programmes, managing the necessary equipment for carrying out the job tasks, making business travels, planning and carrying out the annual leave and other types of leave,
- fulfilling a legal obligation, such as carrying out a medical exam before employment, and carrying out the regular checks for assuring the occupational health and safety, filling-in the occupational health and safety files, professional training and instruction programmes, filling-in the Revisal register, withholding and paying the statutory duties and taxes, paying the allowances provided by the applicable regulations,
- carrying out the legitimate interest of the data controller, in the case of video surveillance for assuring the assets and persons protection, preventing the data loss for guaranteeing the information systems security,
- carrying out specialized studies, such as, for reviewing the wage level, evolution and improvement of employment relationship, for developing data processing IT systems, including for calculating the payment of wages, management of annual leaves,
- carrying out the reporting activities to the Company o other competent authorities and bodies, etc.,
- reviewing the professional experience and training in order to develop professional development programmes on the basis of professional and technical tests,
- granting religious holidays,
- calculating or paying benefits for the employees’ children or other family members,
- recovering any damages arising from the employment relationship or any damages incurred by the Company, sending personal data to competent authorities and bodies, including, but not limited to competent labour, social security authorities and bodies, courts, criminal investigation bodies, companies or entities specialized in debt recovery,
- for statistical purposes.
7. Use of personal data
Irrespective of the category of personal data, they must be used only for the purpose for which they were collected and for the period serving the purpose for which they were collected from the data subjects (either the Company’s customers, non-customers, employees or collaborators, partners) and, respectively, for the necessary period for complying with a legal obligation or for achieving a legitimate interest of the Company.
For example, when a personal data processing is performed with the customer’s express and specific consent, such as the case when a customer agrees to the Company’s processing personal data for marketing purposes, the purposes for which the data shall be processed shall be described in the consent expressed by the data subject.
For the same aim to ensure the legitimacy of the personal data processing by the Company, in case the data subject withdraws their consent related to processing their data for marketing purposes or for other legitimate purposes for which the prior consent of the data is necessary, the Company ensures that the personal data are erased in accordance with the regulations in force.
8. Personal Data Protection Officer
The Company appoints a data protection officer (“Data Protection Officer”) who shall be adequately and timely involved in all aspects related to personal data protection.
The Data Protection Officer has at least the following responsibilities:
(a) to inform and advise the Company, as well as the employees who carry out processing of their obligations responsibilities related to personal data protection;
(b) to monitor the compliance with the legal provisions on data protection and the Company’s policies on personal data protection and give assistance and recommendations to the Company and its internal departments for assuring the compliance with the obligations related to data protection (e.g. to assure consultancy for handling within the legal term the data subjects’ applications lodged for exercising their rights pursuant to Articles 15 to 22 of the GDPR, to assure consultancy in case of security incidents, to assure the necessary assistance for notifying the supervisory authority and the affected data subjects);
(c) to assure assistance for developing the necessary internal policies and procedures for the internal regulation of the personal data processing operations;
(d) to counsel on request concerning the data protection impact assessment and monitoring its operation (to advise in the case of personal data under impact assessment, concerning the Company’s obligation to perform this assessment, methodology to be used, existence of necessary resources, security, technical and organisational measures to be applied for minimizing the risks of the data subject’s rights and freedoms; to issue opinions on the correctness of the way in which the impact assessment was performed and on its conclusions, giving his positive or negative opinion on the performance of the processing operation);
(e) he is the controller’s point of contact in the personal data protection sector, being mentioned in the notification provided to data subjects pursuant to the GDPR Articles 13 and 14;
(f) he is the controller’s point of contact in the relationship with the National Supervisory Authority for Personal Data Processing in case of inspections carried out by it, as well as in the case of its prior consultation pursuant to the GDPR Article 36;
(g) to cooperate with the supervisory authority;
(h) to undertake the role of contact point for the supervisory authority on issues relating to processing;
(i) to take part in professional training programmes for becoming aware of the regulations and practices relating to data protection.
The Company published the contact information of the personal data protection officer and provides it to the supervisory authority.
9. Data Protection Principles
In many instances, the collection of personal data and the operations for further processing of such data by the Company shall be achieved on the grounds of the express and unequivocal consent of the data subject. Whenever the consent of the data subject is needed, the Company provides complete, prior and accurate information to the data subject, so that its consent fulfils the conditions of a manifestation of free will, specific, informed and unambiguous. Therefore, the data subjects, namely, clients/prospective clients/legal representatives of clients/prospective clients/employees/contractual partners have the possibility to accept the processing of their personal data by means of an express consent or by means of an unambiguous act, such as the ticking of a box specifically designated for the respective processing.
There are also instances when the legal grounds for processing are other than the consent, namely:
- whenever the processing is needed for the execution of an agreement where the data subject is a party, or to undertake steps, upon the request of the data subject, prior to the execution of an agreement
- whenever the processing is needed for the fulfilment of a legal duty of the Company
- whenever the processing is needed to protect the vital interests of the data subject or other entities
- whenever the processing is needed for the fulfilment of a task serving a public interest or arising from the exercise of the public authority prerogatives the controller is provided with
- whenever the processing is needed for the fulfilment of a legitimate interest of the Company or the third party to whom the data is disclosed, provided that such interest does not damage the interest or the fundamental rights and freedoms of the data subject.
The processing of special data categories is strictly forbidden, except for the following instances:
- whenever the data subject expressly consented to such processing
- whenever the processing is needed for the purpose of fulfilling the duties and exercising specific rights of the Company or those of the data subject in the field of employment and social security and social protection
- whenever the processing is needed for the protection of life, physical integrity or the health of vital interests of the data subject or any other entity, if the data subject is under physical or legal incapacity to offer their consent
- whenever the processing refers to data openly made public by the data subject
- whenever the processing is needed for the ascertainment, exercise or defence of a right in court
- whenever the processing is needed for purposes of preventive medicine, occupational medicine, assessment of the employee’s work capacity, the determination of a medical diagnosis, the provision of medical or social assistance or medical treatment, on the grounds of Union law or domestic law or on the grounds of an agreement executed with a clinical staff member or for management of health services acting in the interest of the data subject, provided that the processing of such data be performed by or under the supervision of a clinical staff member sworn to professional secrecy, or by or under the supervision of another entity subjected to an equivalent secrecy duty.
- whenever the processing is needed for purpose of public interest archiving, for purposes of scientific and historical research or for statistical purposes.
Company employees/partners must check the falling of personal data within the aforementioned categories and to enforce the rules provided by the personal data protection laws.
Whenever the Company introduces a new service, product or operational process involving the processing of personal data, they shall request an opinion in relation to personal data protection from the Data Protection Officer.
Therefore, Company employees, as well as Company processors, must comply with the legal personal data processing principles, as provided under the data protection laws, as detailed below.
a) The principle of legitimacy of personal data processing
It sets the following obligations for the Company, employees and partners:
- Personal data shall be processed correctly and lawfully
- Personal data shall only be processed if the data subject expressly and unequivocally consented to such processing, or in case of enforceability of any of the aforementioned instances
- Personal data shall only be obtained for one or more specific purposes and shall not be processed in a way that does not comply with the respective purposes.
Processing for purposes further identified is only allowed in instances where consent is not required, upon a prior notice sent to the data subjects.
b) The principle of transparency of personal data processing
The data subject shall be notified in advance with regard to the la personal data to be processed, the purpose of processing and its legal grounds, the identity of the controller and their processors, the legitimate interest pursued by the controller by the personal data processing, if appropriate, any recipients or recipient categories for such data, if appropriate, the Company’s intent to transfer the personal data to a third-party country or an international organization, if the provision of all data requested is mandatory and the consequences of the refusal to provide such data, the terms for which such personal data shall be stored or, if not possible, the criteria used to determine such period, the existence of an automated decision process including the creation of profiles as well as, at least for such cases, information concerning the logic used, the foreseeable consequences and importance of such a processing to the data subject, the rights of the data subject provided under the laws in the data protection field (listed below in section 10), as well as the conditions under which they may be exercised, as well as in relation to any other information specific to the processing purpose itself.
Based on the principle of transparency, the data subjects – clients/potential clients/employees/partners – shall be notified using an easily accessible and clear language, thus having the right to access the information related to personal data processing operations.
The notice of information addressed to the data subject(s) in relation to the processing of their personal data, shall include the contact points where they may submit applications, as follows:
- Applications submitted by clients/potential clients/legal representatives of clients/potential clients/business partners, employees, natural entities may be submitted at the Company’s registered offices, by post, electronically, using the following email address: email@example.com .
Whenever the data subject, whose data is being processed, shall request information concerning the processing of their data, the department in receipt of such application shall request the opinion of the Data Protection Officer.
The Company must reply any such applications within a maximum of 30 days from the time of their receipt, in compliance with the provisions of data protection laws.
The claim/request by the data subject shall be treated according to the Specific procedure for handling data subject applications
c) Principle of proportionality of personal data processing
The Company processes personal data reasonably, relevant for the processing purpose and without exaggerations, limited to whatever is deemed necessary in relation to the legitimate purposes for which the data is processed.
Prior to processing personal data, the Company, by its relevant departments (e.g. the Marketing Department), with approval by the Data Protection Officer, determines if and to what extent the personal data processing is needed for achieving the purpose for which such data was collected.
d) The principle of data following after the expiry of the legal storage term
In relation to the archiving term for personal data, they shall be stored within Company systems for the fulfilment of the legitimate purposes pursued by the processing, for the time needed for the processing purpose or the period provided under the applicable law, for each personal data category separately. The storage term, under the provisions of art. 5, letter e) of the GDPR, is determined for each operation identified within the Personal Data Processing Register, considering the compulsory legal provisions (e.g. Law no. 16/1996 on national archives, Law no. 82/1991 on accounting).
For instance, in relation to video footage of the data subjects, by video surveillance of areas belonging to the controller, the data obtained by means of the video surveillance system shall be stored for a term proportional to the purpose for which the date is processed, but which may not exceed 30 days, after which they shall be destroyed by deletion. As exception, for instances expressly regulated under the law or some perfectly justifiable cases (e.g., the occurrence of a security incident), the aforementioned term may be extended based on the term necessary and allowed by the law, and the approval of the Data Protection Officer.
The Company must record the evidence of the consent expressed by the client/potential clients/employees/business partners, if the processing of their personal data occurs under such consent.
Personal data shall not be stored more than necessary or imposed by the purposes of personal data processing. Extension of the data storage term shall only occur with the approval of the Data Protection Officer.
After completion of the legitimate processing and storage purposes and after expiry of the legal term for archiving of data/documents containing personal data, if the data subject failed to consent to a future processing and none of the exceptions provided by the data protection laws applies, the following action shall be taken:
- The personal data in the record/IT application systems shall be deleted or
- The personal data in the record/IT application systems shall be converted into anonymous data
- The data existing on hard copy documents shall be destroyed by using special shredders intended for classified documents, such as confidential/restricted documents.
e) The principle of accuracy of personal data processing
Personal data shall be accurate and, if necessary, updated. The Company shall undertake all necessary steps to make sure that any personal data which is inaccurate is immediately deleted or rectified, according to the legitimate purpose of the processing.
f) The principle of personal data confidentiality and the need-to-know principle for data
The Company shall undertake all technical and organizational measures needed to provide adequate security of personal data, so as to prevent the unauthorized access, the illegal processing, the unauthorized disclosure, including the accidental loss, destruction or damage of same. Details on minimum security requirements are mentioned in the following sections.
Access to Company employees/business to the personal data processed by the Company or stored within the Company’s IT system, respectively, shall only be awarded on a “need-to-know” basis. There must be a documented authorization and approval process in order to award, maintain and remove access to any information deemed as personal data. Therefore, in order to grant access rights to an employee, the Human Resource Department shall send the IT Department a request this end, upon the employment of a new employee, based on their job description. Access shall be granted based on approval, by the employee’s direct supervisor.
For an existing employee, its request to access the IT systems/applications shall be performed by the direct superior, based on the job description, while access shall be granted by the IT Department.
The provisions of the Policy for IT Access Management shall apply accordingly.
g) The principle of liability in execution of personal data processing
The Company provides compliance with the personal data processing principles, for the data processing directly executed, as well as those executed by processors, thereby providing the inclusion of contractual clauses provided by the laws for protection of data within agreements executed with their contractors.
All technical and organizational measures shall be enforced in order to prevent unauthorized access, unauthorized and illegal processing of personal data, unauthorized disclosure and destruction, alteration or accidental loss of personal data.
Personal data may not be transferred to a country or territory located outside the European Economic Area (“EEA”), under data protection laws, and the objective is to either obtain the prior receipt of the valid consent of the data subjects, or to classify personal data processing as one of the exceptions provided under current laws. In the case of such processing, data transfer is usually possible provided that the destination country warrants an adequate protection level for the rights and liberties of individuals whose data is transferred.
Such processing shall be endorsed by the Data Protection Officer.
10. Rights of processed data subjects
The Company processes the personal data of natural entities, such as employees, clients/potential clients, legal representatives of clients/potential clients, partners, contractors, third parties, business partners and other entities (data subjects).
Rights of data subjects include, among others, the following:
a) The right to be notified in relation to the processing of their personal data, the purpose and legal grounds of such processing, the processing term, the controller, their processors, the legitimate interest pursued by the controller by the personal data processing, if appropriate, whether the provision of personal data is a legal or contractual duty or a duty required for execution of an agreement, whether the data subject must provide the personal data as well as any potential consequences for the failure to comply with such duty, the term of storage for the personal data or, if unfeasible, the criteria used to determine such term.
b) The right to know the data recipients or the data recipient categories
c) The right to be notified in relation to the existence of an automated decision process including the creation of profiles as well as, at least for such cases, information concerning the logic used, the foreseeable consequences and importance of such a processing to the data subject.
The data subject should be allowed not to act as the object of profiling (any form of automated data processing by assessment of personal issues related to any natural entity, particularly for the purpose of reviewing or foreseeing certain issues related to the job output of the data subject, financial status, health state, personal preferences or interests, reliability or behaviour, location or travels), whenever it causes legal effects concerning the data subject or impact it similarly and to a significant extent.
By exception, profiling is allowed if expressly authorized under Union or domestic law
- if necessary for the execution of an agreement between the data subject and the Company, or
- if the data subject expressly granted their consent.
In any case, profiling shall act as the object of adequate warranties (specific notification to the data subject and their right to receive human intervention, express a point of view, receive an explanation on the decision made following such an assessment, as well as the right to challenge the decision).
Profiling must not refer to children.
The Company, if it intends to apply profiling, should implement adequate technical and organizational measures in order to provide particularly the fact that factors leading to inaccuracies of the personal data are corrected and the risk of errors is reduced to a minimum, to secure the personal data in a way considering the potential hazards related to the data subject interests and rights, as well as to proceed with the performance of an impact review.
d) The right to access to their own personal data
e) The right to intervene, whenever necessary, in the personal data, as well as the right to determine the correction, rectification, suppressing, deletion, destruction or restriction of personal data processing, upon their plain demand
f) The right to object against processing of their data
g) The right to data portability (to receive the personal data pertaining to them and supplied to the controller in a structured format, currently used and automatically read, and to send such data to a different controller), if the processing is based on the consent of the individual or an agreement and the processing occurs by automatic means. In this case, the conveyance of personal data must be secured and protected by implementing technical measures meant to adequately and safely provide the transfer, as well as the privacy and integrity of the data. Exercise of the portability right does not prejudice other rights of the data subject, (e.g. access right)
Wherever possible from a technical perspective, the data subject may request that the personal data pertaining to them be directly conveyed by the Company to another personal data controller.
The exercise of the portability right by the data subject does not imply the Company’s duty to delete the personal data of the data subject even if, for instance, the data subject is no longer a client of the Company. In this case, the storage term for the data is set by considering other specific legal grounds.
h) The right to file a complaint with the National Supervisory Authority for Personal Data Processing if it is believed that personal data processing by the Company, directly or by proxy, breaches the provisions of Romanian and European laws;
i) The right to file a judicial challenge against the Company, if it is believed that the rights they benefit from were breached pursuant to the processing of their personal data;
j) The right to receive from the Company, following the submission of a written application, dated and signed, within 30 days from the application date, the information requested in relation to the personal data processed by the Company, as well as to receive, within the same term, the Company’s resolution in relation to the requests under which all other aforementioned legal rights were exercised.
k) The right to withdraw the consent, at any time, in the event that personal data processing occurs under the consent of the data subject or in case of a legal provision to this end. The Company shall make sure than, in such instance, withdrawing the consent may occur as easily as obtained, namely, by methods similar to those applied upon collecting the consent of the data subject.
The Company implements adequate standards to make sure that the aforementioned rights are observed.
Company employees and partners must submit all efforts so as not to collect and process personal data other than absolutely necessary for an approved legitimate purpose.
The data subjects may exercise such rights by submitting an application under the relevant section in the Policy herein (section 9, letter b), and such applications shall be settled under the approval of the Data Protection Officer, in compliance with the Policy for exercising the rights of data subjects
11. Technical and organizational measures implemented by the Company to provide data privacy by design and privacy by default
The Company undertakes to protect the personal data of the data subjects which were processed following interactions between same, as well as with any other natural entities.
Considering the nature, scope, setting and purposes of processing, as well as the rights and freedoms of natural data subjects, the Company implements adequate technical and organizational measures” so as to warrant and be able to demonstrate that personal data processing occurs in compliance with current laws, national, as well as European. Such measures are periodically reviewed by the Data Protection Officer, the IT Directorate, Internal Control Forensics and Security, Compliance and Business Information System Owner and shall be updated according to current applicable requirements.
Based on the impact such a personal data processing operation may have, the Company adopts specific data protection and security measures, and the employees/partners of the Company must provide the effectiveness of enforcing such security requirements, throughout their professional business. Such protection measures shall be periodically checked by the individuals holding such duties (e.g. Information Security) , while their efficiency shall be monitored and audited.
Therefore, considering the type, scope, setting and purposes of the processing, in case a particular type of processing, particularly one based on the use of new technologies, is bound to generate a high risk to the rights and freedoms of the data subjects, the Company employees liable for the personal data processing field according to their duties, shall perform, before the processing, an assessment of the impact of processing operations provided on personal data protection. A single assessment may approach a set of similar processing operations showing similarly high risks. In such instances, it is advisable to request the opinion of the Data Protection Officer.
Company employees shall provide the implementations of recommendations received from the Data Protection Officer during the data processing operations executed on behalf of the Company.
It shall be also considered that, for data processing operations involving a high risk related to the fundamental rights and freedoms of the data subjects, the Company, by means of the process officer, shall identify such risks and assess them by means of an impact review on personal data protection, such review to estimate particularly the origin, type, specificity and seriousness of such risk (under Article 35 of the GDPR). Following consultations with the Data Protection Officer, the assessment result shall be considered by the process officer upon determination of adequate measures to be taken in order to demonstrate that the personal data processing complies with legal provisions.
Should there be instances where, even after implementation of technical and organizational measures, the residual risk remains high, the Company shall also consult the National Supervisory Authority for Personal Data Processing, in advance.
In order to comply with such duties, the department(s) involved or affected by the processing shall designated a person responsible for performing the impact review of data protection and they shall make sure that such person is trained to be knowledgeable in the process of performing such review, by observing internal rules, as well as the governing law.
Within the technical & organizational measures, any Company employees with duties in IT equipment and personal data protection and security shall always consider the enforcement of controls adequate to personal data protection, including, without limitation, secured and controlled access of employees/partners to the personal data, as well as the Company’s databases, IT systems or applications.
Moreover, all upgrades and updates concerning the systems and equipment involved in personal data processing shall occur in compliance with the "data protection by design" and "data protection by default" principles, as well as observing the right to data protection by design and by default, as defined under Article 25 of the GDPR.
a. Issues concerning data access authorization
Personal data must be stored in a secured environment, while access must be limited only to such employees and partners holding access rights to Company systems and applications.
Only the staff requiring access to personal data for performance of their job tasks shall be authorized to access Company databases, systems and applications (the “need to know basis” principle).
Company employees and partners having received authorization to access databases or holding administration rights for same, as well as to the IT systems and applications storing such databases, shall regularly take part in training programs on matters of personal data protection and security.
The provisions of the Business Information System Management Policy and the IT Access Management Policy shall apply accordingly.
b. Authentication of authorized staff for personal databases
Access to systems and applications containing/storing personal data may only be granted after the authorized person was identified and authenticated based on a username and password. If the password was entered unsuccessfully, or there is no access authorization, the access to records containing personal data must be denied.
Company employees/partners must not disclose the username and the password to anyone else. In case they suspect that a third party has found out their password for accessing such records, they must proceed at once in changing the password. In such an instance, the employee must notify and consult with the Data Protection Officer.
Identification passwords into the Company systems and applications must be periodically changed by the user, as soon as they receive the automated password expiry notification message.
c. Updating the list of authorized users
The list of staff authorized to access databases must be regularly updated ……thereby assuring that this list is maintained to a minimum, on a “need to know basis”.
Any employees/partners leaving the Company or transferred to another department within the Company shall have their access rights to the record systems/IT applications revoked in the event that they are no longer necessary for the fulfilment of their job tasks.
d. Personal data conveyance
Personal data shall only be conveyed in complete security and any personal data conveyance outside the Company and failing to fall within the procedures approved by the Data Protection Officer shall only be performed with their prior consent.
The Company shall implement data security measures in case of personal data transfer, including by technical applications and solutions for preventing the loss of data and observance, by the Company, of the duty to maintain the integrity and confidentiality of data, according to the GDPR.
e. Safe storage of personal data
Personal data shall be stored in secured environments which include logical (authorization, authentication, encryption and access password), as well as physical (restricted access to the data storage server and equipment) security. Also, similar attention is paid to the physical security of the real estate properties where the Company runs its business, as well as hard copy documents containing personal data.
f. Performance of backup copies
Backup copies shall be made on the disk, on a daily basis, with a retention term of 21 days. Restoration of databases/applications containing personal data shall occur in the presence of the Data Protection Officer (the 4-eye principle) and shall be documented.
Access to the backup copies is a monitored process, subject to internal auditing.
In the case of personal data processing performed by the Company by means of processors in the sense given to them under art. 4 (8) of the GDPR, the Company shall make sure that they, as well, implement adequate technical and organizational measures for the purpose of providing a proper data security level, including within the agreements executed with them such clauses related to the minimum data security requirements as concerns the adequate technical and organizational measures identified.
Such measures may include, without limitations:
a) Measures concerning the mitigation of personal data amounts by filtering and removal, sensitivity reduction by conversion, reduction in data accumulation, restricting access, reduction in the ability to identify the type of data, according to Company instructions.
b) Measures concerning traceability – the presence of a traceability and log management policy, with maintaining same throughout the entire data processing operations, but at minimum, 2 years.
c) Measures concerning the relationships between processors and subcontractors – the presence of a policy and processes for reduction of unauthorized access risk to the data.
d) Measures for purposes of deleting, becoming anonymous and/or returning the personal data by the processor, after completion of the processing on behalf of the controller, except instances where there is a legal requirement to store such personal data even after the processing has been completed.
12. Security of processing. Data protection and security incidents
The Company shall implement technical and organizational measures specific to their business, including, among others, as appropriate:
- the ability to provide continuous privacy, integrity, availability and resistance of record systems and IT applications containing or storing personal data;
- the ability to restore the availability of personal data and access to same, in due time, should a physical or technical incident occur;
- pseudonymization, and encryption of personal data or such data becoming anonymous;
- a process for period testing, assessment and evaluation of the effectiveness of technical and organizational measures in order to warrant the security of personal data processing.
- access to the IT systems / applications of the Company only by authorized users holding an account with a valid password.
Any incidents of IT systems affecting the personal data of Company clients or other data subjects are deemed high-risk incidents.
In the event of a personal data security incident, the Information Security Policy provisions, adopted by the Company (including relevant appendices), shall also be considered.
The effects of the personal data security incidents on the data subject (client/subject/employee) may consist in: physical, material and moral damages, discrimination, identity theft or fraud, compromising reputation, loss of privacy of personal data sworn under professional secrecy, or any other significant or social advantage, including, without limitation, deprivation of their rights or the inability to exercise control over their personal data.
Examples of personal data security incidents:
- theft or loss of a laptop or external drives containing personal data of clients;
- the personal data of clients having used the enrolment service by the mobile app/website are accessed by taking advantage of vulnerability in the application;
- an email containing sensible information, sent to a recipient different than the one initially meant to receive the email etc.
- unauthorized accessing of the Company’s intranet;
- conveyance of personal data via personal email addresses
In case an IT security incident affects the personal data, the IT Directorate of the Company employee having gained knowledge of such incident shall immediately notify the Data Protection Officer, in order for the latter to review the immediate steps to be made by the Company, such as notifying the National Supervisory Authority for Personal Data Processing concerning the incident, within 72 hours from the time the Company employee gained knowledge of same and/or notification to the data subjects, in case of presence of a high risk concerning their fundamental rights and freedoms.
The notification sent by the Data Protection Officer to the National Supervisory Authority for Personal Data Processing, in case such incident occurs:
- describes the feature of breaching the personal data security, including, wherever possible, the categories and approximate number of the respective data subjects, as well as the categories and the approximate number of records for the respective personal data;
- communicates the name and contact details of the Data Protection Officer or another point of contact where more details may be obtained from
- describes the probable consequences of breaching the personal data security
- describes the measures undertaken or proposed to be undertaken by the Company in order to remedy the personal data security breach, including, as appropriate, any measures for mitigation of any potential negative effects.
Also, any other type of incident which may impact the personal data processed by the Company, shall be brought to the attention of the Data Protection Officer, or reviewing, under personal data protection laws.
In the event of occurrence of a security incident susceptible of generating a high risk to the rights and freedoms of natural entities, the Company shall notify the impact individual, without undue delays, in relation to such incident.
13. Training on personal data protection and security
Employees are trained by Compliance, the Data Protection Officer, the Information Security by means of professional trainings in the field of personal data protection and security, by means of internal/external specialized staff, periodically and whenever necessary.
Employees are not permitted to process, disclose, convey to third parties, allow access to, or use the personal data without authorization for a purpose other than that of legal fulfilment of job tasks.
14. Specific CCTV and access control issues
The Company uses access control systems for the purpose of securing, managing IT systems and office buildings and to provide public safety. The Company’s CCTV system shall be used according to the Company’s Code of Conduct and its provisions related to the CCTV.
Any requests issued by the Police, in compliance with the relevant exceptions under the governing law for the information within the CCTV system and the access control system of the Company shall be managed by the Department for Internal Control, Investigations and Security within the Group and countersigned by the representative of the Group’s Legal Department.
Requests issued by any other entities or organizations for information in the CCTV system and the access control systems shall be managed by the representatives of the Department for Internal Control, Investigations and Security within the Group.
15. Compliance, disciplinary procedures
The loss or breach of personal data privacy is a severe breach and the may lead to court proceedings being initiated against KMG International. Therefore, all personal data users within the Company’s IT systems must comply with this Policy and the instruments offered for enforcement of such Policy, as well as the Information Security Policy of the Group.
All Company employees, consultants and contractors must be directly information in relation to the existence of such Policy and the supporting policies, practice codes and guidelines.
Any breach of this policy shall be managed according to relevant Company policies, including the Standard on the Conditions for Use of Information Resources in KMG International and by disciplinary procedures of the Human Resources Department.
Any person aware of or suspecting a breach of this policy must immediately report the facts to the Data Protection Officer and/or at firstname.lastname@example.org.
16. Final provisions
List of related internal regulations
- KMGI – Standard on Information Classification
- Standard on the Conditions for Use of Information Resources in KMGI
- KMGI – Information Security Policy
- Management policy for business IT systems.
- Management policies for IT access.