Agreement on the processing of personal data

Because assuring your protection in regard to personal data processing is an extremely important objective for us, have done our due diligence to comply with the standards imposed by Regulations UE 2016/679 ( https://eur-lex.europa.eu/legal-content/ro/TXT/PDF/?uri=CELEX:32016R0679 ) and by any other normative act in effect on Romania’s territory

An important step in realizing this objective is represented by informing you in regards to the way your data will be processed ( processing means any operation or set of operations on personal data or sets of personal data, with our without using automated means, like collecting, registering, organizing, structuring, storing, adapting or modifying, extracting, consulting, using, divulging by transmitting, disseminating or making available through any other means, aligning or combining, restricting, deleting or destroying).

We reserve the right to modify and update the privacy policy and the cookie policy.

We continue to inform you regarding the processing of your personal data which we collect from you or which you communicate to us through the present web site, and also regarding to how we’ll process the data. GFR SA. is responsible for the protection of data communicated to this page. When using and processing personal data, GFR SA strictly respects the implemented provisions regarding data protection. The personal data and anonymous data usage rights belongs to the GFR SA society in the limits of the law, respecting the rights of targeted persons described below.

The present declaration regarding data protection is only applied for www.gfr.ro and for connected sub-domains, but not for pages that are controlled or operated by third parties. We ask you to check the data protection declarations of web pages  that are controlled or operated by third parties, because these pages are not under our control and GFR SA doesn’t bear responsibility for their content and their measures regarding data protection.

1. Who we are and how can you reach us:

The data operator is Grup Feroviar Roman SA (‘GFR’ or ‘the company’).

Main headquarters: Calea Victoriei, number 114, sector 1, postal code 010092

Phone: +40-21 318 3090; +40-37 233 6010

Fax: +40-21 318 3091; +40-37 233 6011

Email: office@gfr.ro

Fiscal Code: 14256514 Registered number at Trade Register: J40/8958/2001

2. Collection of data / types of data

1. Gathered automatically as a result of access (by type)
   • IP Address
   • Date and time of access
   • Timezone difference to Meridian Greenwich (GMT)
   • Content of request (website specific)
   • State of access/code of HTTP state
   • Volume of transferred data
   • Access to website request
   • Browser, language settings, browser version, operating system and surface

2. Data collected after completing the contact form, personal data collected after applying for vacant posts in the company:

   • First name, last name;
   • Email;
   • Phone number;
   • Personal data from CV or letter of intent

3. Cookie files

3.1. What are they?

• This website uses so-called ‘cookie files’. Cookie files are small-sized text files that are stored in your terminal’s memory through the browser. These store certain information (like preferred language or website settings) which your browser can resend to us (depending on the lifespan of the cookie file) on your next visit to our website.

3.2. What cookie files do we use?

• Cookies Google Analytics (site analysis cookies)
• Name: Cookie Consent
  • Lifespan – 1 year
  • Purpose: Used to keep user preferences

For the complete list of cookies and modifying settings click here.

3.3. Third-party cookies

• In our website we use Google Analytics, an analysis service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (which shall be henceforth referred to as ‘Google’).
  • Google will analyze the use of our website in our name. To this very purpose we use cookie files. Information collected regarding your use of our website (like URL, web pages visited, type of browser, language settings, operating system, screen resolution, etc.) will be transmitted to a Google server from the USA, where they’ll be stored and analyzed. The results will then be made available to us with anonymity. Google also respects the Shield of confidentiality EU-USA, that assures an adequate protection of processed data by Google in the USA.
  • You can withdraw your consent regarding the use of web analysis in any moment, downloading and installing the provided Google browser plug-in.
  • More information regarding Google Analytics is available in the Google Analytics terms of use, under Guidelines for data protection and confidentiality of Google Analytics and in the Google privacy policy.

4. THE PURPOSE OF DATA PROCESSING/ LEGAL BASIS

1. To be able to properly communicate with you
2. To offer services that are specially configured to suit your needs
   We process your personal data, like name and surname, email address, phone number and any other information or details that you communicate to us to answer your question, solve complaints or requests, depending on the channel of communication you use to contact us, having a legitimate interest as a legal basis, which allows us to answer your questions, solve your complaints or requests.
3. Applying for vacant position within the company
   Upon completing a form to apply/load a CV on the GFR website, your personal data from the categories* contact info and identification are processed in the purpose of including you in the selection process for a position you applied for.
   Legal basis – the processing is necessary for executing a contract to which the targeted person takes part or makes steps towards closing a contract at the request of the targeted person.The consequences of refusal: should there be the case where you don’t supply this data, we will not be able to contact you and will not be able to include you in the online selection process.
   *Information fields: name and surname, phone, email address, CV, letter of intent.
4. For marketing purposes – polls, client satisfaction evaluation studies, feedback from clients, etc.

5. HOW LONG DO WE KEEP YOUR PERSONAL DATA

The time-frame for which your data is kept is limited and will be determined by the period of time necessary to fulfill the purposes for which said that is processed. Subsequently, starting with the date the collaboration relationship stops, whether the legal obligation of archiving imposed on GFR expires based on the applicable legislation regarding the fiscal or accounting nature or according to legal regulations, the data will be deleted. In case the “Company” considers it has a legitimate interest or legal obligation to process your personal data in other purposes, you will be made aware of this aspect.

1. Navigation and use of cookie modules – according to cookie policy
2. Applying for vacant position within the company – maximum one year
3. Answering to questions, solving requests or complaints – maximum one year
4. Doing market research or polls, client satisfaction evaluation studies or obtaining feedback regarding our products and services – maximum one year

6. THIRD PARTIES/TO WHOM WE COMMUNICATE YOUR PERSONAL DATA?

To fulfill the purposes described above, the Company uses the services of multiple contractors. One of these are individual data operators, such as Google.

6.1. Google Analytics

• Purpose: Web analytics
• Politics: https://www.google.com/analytics/terms/gb.html, https://support.google.com/analytics/answer/6004245 
  Note: In the case that we have the legal obligation or it’s necessary to protect a legitimate interest, we can divulge certain personal that to public authorities.

Other contractors are third-parties that don’t process data, but can access them to fulfill their own attributions or in relation to the Company, such as financial audit or maintenance service suppliers.

Personal data indicated above can be made available to third parties in the following situations: (i) public authorities, auditors or legal institutions that are capable of inspecting an activity or company assets, which require the company to supply information based on its legal obligation. Such public authorities or institutions can be ; (ii) to fulfill a legal request or to protect the company’s or another entity’s rights and assets or a person, such as the court of law; (iii) to third party buyers, as long as the the company’s activity will be (completely or partially) transferred, and the data belonging to targeted persons will be part of the assets representing the object of the transaction. In the aforementioned processing purposes, we can still communicate your personal data to companies of the Grampet group that GFR is part of, which are subject to instructions supplied by the company regarding data processing with personal data.

The persons and entities to which we can communicate personal data are the following:

• In the purpose of navigating the site and using the cookie modules, we can transmit personal data to analysts and search engine suppliers, so they can offer maintenance service for our websites;
• To answer your questions, solve your requests or complaints, we can transmit your personal data to our call-center services suppliers;
• To hold polls, market studies, client satisfaction evaluation polls or obtaining feedback from our clients regarding our products and services, we can communicate personal data to poll, market research or customer assistance services suppliers

7. Territoriality:

In the context of aforementioned operations, your personal data can be transferred abroad, in member states of the European Union (‘EU’) or from the European Economic State (‘EES’)

We inform you that any transfer done by the “Company” in a member state of EU or EES will respect the requests of RGPD.

If GFR gives your information to a country outside the EES, we will make sure your information is protected accordingly. We will make sure there’s always a proper legal contract which covers the data transfer, according to the approved standards of the European Commission  (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transferpersonal-data-third-countries_en).

Moreover, if it’s considered that the country has no laws equivalent to those of the EU standards of data protection, then we’ll request that third parties have a legal contract to reflect these standards.

According to legal requests, personal data is transferred only in the case that the European Commission has adopted a suiting decision for the third party country, if proper warranties have been agreed upon (for example, the standard contractual clauses of EU – the system of data protection UE-SUA), obligatory corporate rules are applied according to art. 47 of the Rules regarding data protection or there’s a derogation for specific situations in agreement with art. 49 of the general rulebook regarding data protection (for example, for explicitly consenting the proposed transfer, after you have been informed about probable risks from such transfers for the targeted person, due to lack of decision for suiting and proper warranties).

The processing of data is done only on the territory of Romania. Excepting pseudonymised data used for the site analysis described at point 3. ‘Third-party cookies’ which is done in the USA according to described procedure and is regulated by the Shield of confidentiality USA-EU.

8. PROCESSING DATA OF KIDS UNDER THE AGE OF 16

All the processing of personal data present in this document exclusively refers to all the persons that are at least 16. Use of systems and of the results of processing is strictly prohibited for kids under this age without the consent of parents or legal guardians. In the case there are no such processes despite our reasonable efforts to prevent them, these will cease when we will be notified that our users are below the aforementioned age.

9. THE SECURITY OF DATA PROCESSING

The Company informs you that it constantly evaluates and updates the implemented security measures in the purpose of assuring a safe and secure processing of personal data.

For the protection of your data, GFR SA has taken technical and organizational measures to protect these data specially against loss, manipulation or unauthorized access.

The taken measures are often checked and adapted to be state of the art. In the case of breach of your personal data’s safety, which is estimated to have a major risk for your rights and liberties as a consequence, we will notify you, as soon as possible within a 72 hour time-frame.

10. YOUR RIGHTS

Right of access for targeted person

(1)   The targeted person has the right to obtain a confirmation on behalf of the operator whether personal data is processed or not, and if so, access the data and the following information:

1. purpose of processing;
2. the personal data of targeted categories;
3. recipients or categories of recipients whose personal data was or is about to be divulged, especially recipients from other countries or international organizations;
4. where possible, the time-frame allotted for the storage of personal data and, if not possible, the criteria used to determine this period;
5. the existence of the right to request your operator to rectify or delete personal data or restrict personal data processing which refers to the targeted person or of the right to oppose processing;
6. the right to file a complaint in front of surveillance authorities;

The right to rectification

(1) The targeted person has the right to obtain from the operator, without unjustified delays, rectifications to inexact personal data regarding himself or herself. Accounting the purpose to which the data was processed, the targeted person has the right to obtain the completion of incomplete personal data, including by offering additional statements.

The right to data deletion (‘the right to be forgotten’)

(1) The targeted person has the right to obtain personal data deletion from the operator, without unjust delays, and the operator has the obligation to delete personal data without unjust delays in the case one of the following motives is checked: (a) personal data is no longer necessary to fulfill the purpose for which it was collected or processed; (b) the targeted person withdraws their consent on which the processing is based, according to article 6, paragraph (1), letter (a) or with article 9, paragraph (2), letter (a) and there’s no other legal motive for processing; (c) the targeted person opposes the processing based on article 21, paragraph (1) and there’s no legitimate reason to prevail regarding processing or the targeted person opposes based on article 21, paragraph (2); (d) personal data was illegally processed; (e) personal data must be deleted to respect a legal obligation of the operator based on the right on the Union or the internal right under which’s incidence is the operator; (f) personal data was collected regarding offering services of the informational society mentioned at article 8, paragraph (1). (2) In the case the operator published the personal data; (e) personal data must be deleted to respect an operator’s legal obligation based on the Union right or the internal right the operator is obligated by; (f) personal data was collected in order to offer services of the informational society, mentioned on article 8, paragraph (1). (2) In case the operator has made personal data public and is obligated, based on paragraph (1), to delete them, accounting for available technology and implementation costs, to take reasonable measures, including technical measures, to inform the operators that process the personal data that the targeted person has asked for the deletion of any links to personal data or any copies or reproductions of the personal data by these operators. (3) Paragraphs (1) and (2a) don’t apply as long as the processing is necessary: (a) for practicing the right to free speech and information; (b) for respecting a legal obligation that provides the processing based on the right of the Union or the internal right that applies to the operator or for fulfilling a task that’s executed in the public’s interest or by manifesting an official authority that is invested in the operator; (c) out of public interest reasons regarding public health, in conformity with article 9, paragraph (2), letters (h) and (i) and with article 9, paragraph (3); (d) in the purpose or archiving for public interest, in the purpose of scientific, historical or statistical research, in conformity with article 89, paragraph (1), in case that the right mentioned at paragraph (1) is susceptible to hinder or obstruct fulfilling the objectives of the respective processing.; or (e) to ascertain, manifest or defend a right in the court of law.

The right to restrict processing

(1) The targeted person has the right to obtain the restriction of processing from the operator in one of the following cases: (a) the targeted person contests how exact the data is, which grants the operator time to verify the how exact the data is; (b) the processing is illegal, and the targeted person is opposed to the deletion of personal data, asking for the restriction of their use; (c) the operator no longer needs the personal data for processing but the targeted person requests them for ascertaining, manifesting or defending a right in the court of law; or (d) the targeted person was opposed to the processing in conformity with article 21, paragraph (1), for the time-frame in which the legitimate rights of the operator are being verified as taking priority over the ones of the targeted person. (2) In case the processing was restricted based on paragraph (1), so that personal data can, excepting storage, be processed only with the consent of the targeted person or to ascertain, manifest or defend a right in the court of law or for the protection of another physical or legal person’s rights or out of public interest motives that are important to the Union or a member state. (3) A targeted person that obtained the restriction of processing based on paragraph (1) is informed by an operator before lifting the processing restriction.

The right to data portability

(1) The targeted person has the right to receive personal data regarding himself or herself that was supplied to the operator in a structured format, currently used and that can be automatically read and has the right to transmit this data to another operator, without obstacles from the operator to which the personal data has been supplied, in the case: (a) the processing is based on consent based on article 6, paragraph (1), letter (a) or on article 9, paragraph (2), letter (a) or on a contract based on article 6, paragraph (1), letter (b); and (b) the processing is done through automated means. (2) While manifesting the right to data portability based on paragraph (1), the targeted person has the right to have personal data be directly transmitted from one operator to another where it’s technically feasible. (3) Manifesting the right mentioned on paragraph (1) from the present article doesn’t affect article 17. The aforementioned right does not apply to data processing in order to fulfill a public service task or in the case of manifesting official authority invested in the operator. (4) The right mentioned at paragraph (1) doesn’t influence the rights and freedoms of others.

The right to be notified regarding the rectification, deletion or restriction of personal data processing

• The operator communicates any rectification, personal data deletion or processing restriction to every recipient whose personal data was released, all in conformity with articles 16, articles 17, paragraph (1) and article 18, except the case when this proves impossible or requires massive effort. The operator informs any targeted person regarding the respective recipients if the targeted person requests this.

The right to retreat your consent for processing when the processing is based on consent, without affecting the lawfulness of the processing done up to that point;

The right to opposition

The targeted person has a right to oppose, for legal reasons related to particular situation of the processing based on article 6, paragraph (1), letter (e) or (f), of personal data related to them, including creating profiles based on respective provisions.

The right to not make the object of a decision based exclusively on automated processing, including the creation of profiles

The targeted person has the right to not make the object of a decision based exclusively on automated processing, including the creation of profiles, which produces juridical effects that relate to the targeted person or affect it similarly in a significant measure;

You have the right to file a complaint to the surveillance authority regarding the processing of your personal data. In Romania, the contact info for the surveillance authority for data protection is: The National Authority of Personal Data Processing Surveillance Boulevard G-ral. Gheorghe Magheru number 28-30, Sector 1, postal code 010336, Bucharest, Romania Phone: +40.318.059.211 or +40.318.059.212; E-mail: anspdcp@dataprotection.ro Without affecting your right to contact the authority in any moment, you can contact us beforehand (protectiadatelor@gfr.ro) and we’ll make every effort to solve any problem.