Starting with the 25th of May 2018, Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Regulation”) shall be enforced by all EU member states. The Regulation primarily aims at unifying the legislation within the EU and thus removing the need to apply national enforcement measures.
This Data Protection Policy (hereinafter the: “Policy”) was prepared and issued by Budusan & Associates Law Office (Budusan & Associates), registered office at 8 Piata Avram Iancu, Cluj-Napoca, Romania, legally represented by attorney Luiza Iuliana Budusan, in their capacity of controller, in order to comply with the applicable data privacy requirements, including specifically the EU General Data Protection Regulation.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘Supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
Budusan & Associates, in its capacity of controller, processes data in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against the accidental loss, destruction or alteration, by taking appropriate technical or organisational protection measures.
Generally, are personal data the information that relates to a living person:
There are categories of special data and can be processed by the operator, the following data:
Only relevant factual information that Budusan & Associates needs to know should be captured. Budusan & Associates should be clear why it wants the information and how it will be used and this information is captured within the Minimum Data Set.
If the personal data are obtained directly from the Data Subject, the controller has a preliminary obligation to inform the person, prior to any collection, of the processing of the data to be carried out.
The Information must include:
All processing of personal data must be conducted in accordance with the data protection principles (“Principles”) as set out in the GDPR.
The Principles require that personal information:
Shall be processed fairly and lawfully
This means Budusan & Associates must have legitimate grounds for collecting and using the personal data; not use the data in ways that have unjustified adverse effects on the Individuals concerned; be transparent about how Budusan & Associates intends to use the data and give Individuals appropriate fair processing notices when collecting their personal data; handle people’s personal data only in ways they would reasonably expect and make sure Budusan & Associates does not do anything unlawful with the data.
Shall be obtained only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
This means that the Association must be clear from the outset about why Budusan & Associates is collecting personal data and what it intends to do with it; comply with the fair processing requirements, including the duty to give clear fair processing notices to Individuals when collecting their personal data.
Shall be adequate, relevant and not excessive in relation to those purpose(s)
Budusan & Associates holds personal data about an Individual that is sufficient for the purpose it is holding it for in relation to that Individual. Budusan & Associates does not hold more information than needed for that purpose and has a minimum data set to describe this.
Shall be accurate and, where necessary, kept up to date
Budusan & Associates takes reasonable steps to ensure the accuracy of any personal data it obtains, ensures that the source of any personal data is clear, carefully considers any challenges to the accuracy of information and considers whether it is necessary to update the information.
Should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
This means that Budusan & Associates should review the length of time it keeps personal data, consider the purpose or purposes it holds the information for in deciding whether (and for how long) to retain it securely, delete information that is no longer needed for this purpose or these purposes, update, archive or securely delete information if it goes out of date.
Shall be kept secure by the Data Controller and any Data Processor
Budusan & Associates takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information. Budusan & Associates makes sure it has the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff and volunteers be ready to respond to any breach of security swiftly and effectively.
Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals in relation to the processing of personal information.
Processing shall be lawful only if and to the extent that at least one of the following applies:
Budusan & Associates will ensure that data is collected within the boundaries defined within this policy. This applies to data that is collected in person (face to face or over the telephone), electronically or by completing a form. It applies to any location that is being used by Budusan & Associates.
Personal data are collected only for determined and explicit purposes to be communicated to the data subject.
If the controller wishes to process the personal data afterwards for other purposes, the operator must inform the data subject about this new processing, before it actually occurs, and provide information about the purpose of the secondary processing and any other information that might be considered relevant.
The purposes an operator can justify for the processing of personal data are the following: accomplishment of an operator’s legitimate interests or provision of an operator’s specific services.
Personal data are stored in a format which allows the identification of the data subjects for a period of time that can’t exceed the one required for the accomplishment of the purposes for which they were processed.
Personal data may be stored for longer periods of time if they will be exclusively processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, as per article 89 (1) of the Regulation, so as to ensure the rights and freedoms of the data subject.
Budusan & Associates assures you that any data processing is performed in compliance with the principles guaranteed by the Regulation and personal data are processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures, by enforcing appropriate internal policies on data protection.
Personal data will be stored securely and will only be accessible to authorised persons.
Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately in line with the Retention, Archiving and Destruction of Information procedure.
It is Budusan & Associates’ responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation which has been passed on/sold to a third party.
In the case of a personal data breach, the controller shall notify the competent supervisory authority not later than 72 hours after having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Where the personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the operator shall notify the data subject about such breach without undue delay.
This policy will be updated as often as necessary to reflect the best practice in data management, security and control and to ensure compliance with any changes or amendments of the law.
This policy should be read in conjunction with the following policies, procedures and guidelines:
Contact person: Luiza Budusan
Telephone: +40 729 019 901