Agreement on the processing of personal data
Because assuring your protection in regard to personal data processing is an extremely important objective for us, have done our due diligence to comply with the standards imposed by Regulations UE 2016/679 ( https://eur-lex.europa.eu/legal-content/ro/TXT/PDF/?uri=CELEX:32016R0679 ) and by any other normative act in effect on Romania’s territory
An important step in realizing this objective is represented by informing you in regards to the way your data will be processed ( processing means any operation or set of operations on personal data or sets of personal data, with our without using automated means, like collecting, registering, organizing, structuring, storing, adapting or modifying, extracting, consulting, using, divulging by transmitting, disseminating or making available through any other means, aligning or combining, restricting, deleting or destroying).
We continue to inform you regarding the processing of your personal data which we collect from you or which you communicate to us through the present web site, and also regarding to how we’ll process the data. GFR SA. is responsible for the protection of data communicated to this page. When using and processing personal data, GFR SA strictly respects the implemented provisions regarding data protection. The personal data and anonymous data usage rights belongs to the GFR SA society in the limits of the law, respecting the rights of targeted persons described below.
The present declaration regarding data protection is only applied for www.gfr.ro and for connected sub-domains, but not for pages that are controlled or operated by third parties. We ask you to check the data protection declarations of web pages that are controlled or operated by third parties, because these pages are not under our control and GFR SA doesn’t bear responsibility for their content and their measures regarding data protection.
The data operator is Grup Feroviar Roman SA (‘GFR’ or ‘the company’).
Main headquarters: Calea Victoriei, number 114, sector 1, postal code 010092
Phone: +40-21 318 3090; +40-37 233 6010
Fax: +40-21 318 3091; +40-37 233 6011
Fiscal Code: 14256514 Registered number at Trade Register: J40/8958/2001
Data collected after completing the contact form, personal data collected after applying for vacant posts in the company:
3.1. What are they?
3.2. What cookie files do we use?
3.3. Third-party cookies
The time-frame for which your data is kept is limited and will be determined by the period of time necessary to fulfill the purposes for which said that is processed. Subsequently, starting with the date the collaboration relationship stops, whether the legal obligation of archiving imposed on GFR expires based on the applicable legislation regarding the fiscal or accounting nature or according to legal regulations, the data will be deleted. In case the “Company” considers it has a legitimate interest or legal obligation to process your personal data in other purposes, you will be made aware of this aspect.
To fulfill the purposes described above, the Company uses the services of multiple contractors. One of these are individual data operators, such as Google.
6.1. Google Analytics
Other contractors are third-parties that don’t process data, but can access them to fulfill their own attributions or in relation to the Company, such as financial audit or maintenance service suppliers.
Personal data indicated above can be made available to third parties in the following situations: (i) public authorities, auditors or legal institutions that are capable of inspecting an activity or company assets, which require the company to supply information based on its legal obligation. Such public authorities or institutions can be ; (ii) to fulfill a legal request or to protect the company’s or another entity’s rights and assets or a person, such as the court of law; (iii) to third party buyers, as long as the the company’s activity will be (completely or partially) transferred, and the data belonging to targeted persons will be part of the assets representing the object of the transaction. In the aforementioned processing purposes, we can still communicate your personal data to companies of the Grampet group that GFR is part of, which are subject to instructions supplied by the company regarding data processing with personal data.
The persons and entities to which we can communicate personal data are the following:
In the context of aforementioned operations, your personal data can be transferred abroad, in member states of the European Union (‘EU’) or from the European Economic State (‘EES’)
We inform you that any transfer done by the “Company” in a member state of EU or EES will respect the requests of RGPD.
If GFR gives your information to a country outside the EES, we will make sure your information is protected accordingly. We will make sure there’s always a proper legal contract which covers the data transfer, according to the approved standards of the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transferpersonal-data-third-countries_en).
Moreover, if it’s considered that the country has no laws equivalent to those of the EU standards of data protection, then we’ll request that third parties have a legal contract to reflect these standards.
According to legal requests, personal data is transferred only in the case that the European Commission has adopted a suiting decision for the third party country, if proper warranties have been agreed upon (for example, the standard contractual clauses of EU – the system of data protection UE-SUA), obligatory corporate rules are applied according to art. 47 of the Rules regarding data protection or there’s a derogation for specific situations in agreement with art. 49 of the general rulebook regarding data protection (for example, for explicitly consenting the proposed transfer, after you have been informed about probable risks from such transfers for the targeted person, due to lack of decision for suiting and proper warranties).
The processing of data is done only on the territory of Romania. Excepting pseudonymised data used for the site analysis described at point 3. ‘Third-party cookies’ which is done in the USA according to described procedure and is regulated by the Shield of confidentiality USA-EU.
All the processing of personal data present in this document exclusively refers to all the persons that are at least 16. Use of systems and of the results of processing is strictly prohibited for kids under this age without the consent of parents or legal guardians. In the case there are no such processes despite our reasonable efforts to prevent them, these will cease when we will be notified that our users are below the aforementioned age.
The Company informs you that it constantly evaluates and updates the implemented security measures in the purpose of assuring a safe and secure processing of personal data.
For the protection of your data, GFR SA has taken technical and organizational measures to protect these data specially against loss, manipulation or unauthorized access.
The taken measures are often checked and adapted to be state of the art. In the case of breach of your personal data’s safety, which is estimated to have a major risk for your rights and liberties as a consequence, we will notify you, as soon as possible within a 72 hour time-frame.
Right of access for targeted person
(1) The targeted person has the right to obtain a confirmation on behalf of the operator whether personal data is processed or not, and if so, access the data and the following information:
The right to rectification
(1) The targeted person has the right to obtain from the operator, without unjustified delays, rectifications to inexact personal data regarding himself or herself. Accounting the purpose to which the data was processed, the targeted person has the right to obtain the completion of incomplete personal data, including by offering additional statements.
The right to data deletion (‘the right to be forgotten’)
(1) The targeted person has the right to obtain personal data deletion from the operator, without unjust delays, and the operator has the obligation to delete personal data without unjust delays in the case one of the following motives is checked: (a) personal data is no longer necessary to fulfill the purpose for which it was collected or processed; (b) the targeted person withdraws their consent on which the processing is based, according to article 6, paragraph (1), letter (a) or with article 9, paragraph (2), letter (a) and there’s no other legal motive for processing; (c) the targeted person opposes the processing based on article 21, paragraph (1) and there’s no legitimate reason to prevail regarding processing or the targeted person opposes based on article 21, paragraph (2); (d) personal data was illegally processed; (e) personal data must be deleted to respect a legal obligation of the operator based on the right on the Union or the internal right under which’s incidence is the operator; (f) personal data was collected regarding offering services of the informational society mentioned at article 8, paragraph (1). (2) In the case the operator published the personal data; (e) personal data must be deleted to respect an operator’s legal obligation based on the Union right or the internal right the operator is obligated by; (f) personal data was collected in order to offer services of the informational society, mentioned on article 8, paragraph (1). (2) In case the operator has made personal data public and is obligated, based on paragraph (1), to delete them, accounting for available technology and implementation costs, to take reasonable measures, including technical measures, to inform the operators that process the personal data that the targeted person has asked for the deletion of any links to personal data or any copies or reproductions of the personal data by these operators. (3) Paragraphs (1) and (2a) don’t apply as long as the processing is necessary: (a) for practicing the right to free speech and information; (b) for respecting a legal obligation that provides the processing based on the right of the Union or the internal right that applies to the operator or for fulfilling a task that’s executed in the public’s interest or by manifesting an official authority that is invested in the operator; (c) out of public interest reasons regarding public health, in conformity with article 9, paragraph (2), letters (h) and (i) and with article 9, paragraph (3); (d) in the purpose or archiving for public interest, in the purpose of scientific, historical or statistical research, in conformity with article 89, paragraph (1), in case that the right mentioned at paragraph (1) is susceptible to hinder or obstruct fulfilling the objectives of the respective processing.; or (e) to ascertain, manifest or defend a right in the court of law.
The right to restrict processing
(1) The targeted person has the right to obtain the restriction of processing from the operator in one of the following cases: (a) the targeted person contests how exact the data is, which grants the operator time to verify the how exact the data is; (b) the processing is illegal, and the targeted person is opposed to the deletion of personal data, asking for the restriction of their use; (c) the operator no longer needs the personal data for processing but the targeted person requests them for ascertaining, manifesting or defending a right in the court of law; or (d) the targeted person was opposed to the processing in conformity with article 21, paragraph (1), for the time-frame in which the legitimate rights of the operator are being verified as taking priority over the ones of the targeted person. (2) In case the processing was restricted based on paragraph (1), so that personal data can, excepting storage, be processed only with the consent of the targeted person or to ascertain, manifest or defend a right in the court of law or for the protection of another physical or legal person’s rights or out of public interest motives that are important to the Union or a member state. (3) A targeted person that obtained the restriction of processing based on paragraph (1) is informed by an operator before lifting the processing restriction.
The right to data portability
(1) The targeted person has the right to receive personal data regarding himself or herself that was supplied to the operator in a structured format, currently used and that can be automatically read and has the right to transmit this data to another operator, without obstacles from the operator to which the personal data has been supplied, in the case: (a) the processing is based on consent based on article 6, paragraph (1), letter (a) or on article 9, paragraph (2), letter (a) or on a contract based on article 6, paragraph (1), letter (b); and (b) the processing is done through automated means. (2) While manifesting the right to data portability based on paragraph (1), the targeted person has the right to have personal data be directly transmitted from one operator to another where it’s technically feasible. (3) Manifesting the right mentioned on paragraph (1) from the present article doesn’t affect article 17. The aforementioned right does not apply to data processing in order to fulfill a public service task or in the case of manifesting official authority invested in the operator. (4) The right mentioned at paragraph (1) doesn’t influence the rights and freedoms of others.
The right to be notified regarding the rectification, deletion or restriction of personal data processing
The right to retreat your consent for processing when the processing is based on consent, without affecting the lawfulness of the processing done up to that point;
The right to opposition
The targeted person has a right to oppose, for legal reasons related to particular situation of the processing based on article 6, paragraph (1), letter (e) or (f), of personal data related to them, including creating profiles based on respective provisions.
The right to not make the object of a decision based exclusively on automated processing, including the creation of profiles
The targeted person has the right to not make the object of a decision based exclusively on automated processing, including the creation of profiles, which produces juridical effects that relate to the targeted person or affect it similarly in a significant measure;
You have the right to file a complaint to the surveillance authority regarding the processing of your personal data. In Romania, the contact info for the surveillance authority for data protection is: The National Authority of Personal Data Processing Surveillance Boulevard G-ral. Gheorghe Magheru number 28-30, Sector 1, postal code 010336, Bucharest, Romania Phone: +40.318.059.211 or +40.318.059.212; E-mail: firstname.lastname@example.org Without affecting your right to contact the authority in any moment, you can contact us beforehand (email@example.com) and we’ll make every effort to solve any problem.