Privacy Policy

Privacy Policy

INFORMATION NOTE AND DATA CONFIDENTIALITY POLICY (GDPR)

Protecting your personal data is important for SC Agev Automation SRL.

According to EU Regulation no. 679/2016 (hereinafter referred to as “GDPR”), SC Agev Automation SRL - hereinafter referred to as “the Company” - provides the following information regarding the processing by the Company of the personal data of its Suppliers (hereinafter referred to as “the Data”) , as listed below, as a representative of the Supplier or its employees (hereinafter "the Supplier").

Additional information can be provided if required when requesting a specific service.

Art. 1. Object of the Information Note

1. Personal data to be processed by the Person empowered by the Operator on behalf of the Operator, as well as other information regarding their processing. The data processed by the Power of Attorney and the purpose of their processing are those specified in the contract between the parties.

2. The object of the data processing will be considered as a processing instruction.

3. Any modification of the object of processing requires a written (or electronic) instruction from the Operator.

4. The data processed by the Company may include (but are not limited to):

For most of our services:

contact details (name, home and / or professional address, personal and / or professional address, telephone number, email address) and financial information (tax code and bank account).

data on the geo location of the place of loading, unloading, the position of the given trucks (driving license, name, authorizations and certificates, etc.) regarding drivers or manipulators of goods (cranes, forklifts, crane operators, load binders)

For some of our services, we may collect additional (but not limited to):

personal information (date of birth, nationality, photos, electronic identification data, such as cookies, IP addresses and passwords);

professional and employment information (education and training); any data collected as part of the third party conformity assessment / audit and any other data we process in the context of our business relationship, in accordance with the provisions of the applicable contract or the General Conditions

Art. 2. Data processing according to the Operators instructions

1. The company is responsible, as the controller for the lawfulness of the processing of data, as well as for responding to requests for the exercise of the rights of data subjects derived from the legislation on the protection of personal data processing.

2. Personal data shall be processed only at the written [or electronic] documented instruction of the Operator, including the transfer of personal data to a third country or an international organization. In describing the order indicated in each annex, the Operator reserves the full right to issue instructions on the type, object and procedures of data processing, which he may specify in detail in the individual instructions issued. The person authorized by the Operator will document and keep the instructions received and other permissions in a reasonable, clear way and will make the records available to the Operator, upon request. It will also allow and contribute to audits, including inspections, performed by the operator or another mandated auditor.

3. The person empowered by the Operator shall keep a record of all categories of processing activities carried out on behalf of the Operator, under the conditions provided in art. 30 para. (2) - (4) of the Regulation General Data Protection Regulation - GDPR. If the Data Controller is obliged to process or transfer data even without such an instruction being issued in accordance with national or European Union law, then he shall notify the Processor in writing before commencing the relevant processing activities with unless notification is prohibited for reasons of overriding public interest.

4. The person empowered by the Operator shall immediately notify the Operator if he considers that an instruction from the Operator violates any applicable data protection regulations.

5. The person authorized by the Operator will monitor the observance of the data confidentiality parameters based on this Additional Act and the instructions, as well as any other approvals from the Operator.

Art. 3. Maintaining data confidentiality

1. With regard to the processing of personal data, the Person empowered by the Operator shall maintain the confidentiality of the data, in particular in relation to all information collected and obtained on the basis of the results of the processing.

2. For any person responsible for the processing of personal data by the Data Controller, the Data Controller shall ensure that such persons have undertaken to maintain the confidentiality of the data before commencing such processing activities, unless that these persons are subject to adequate data protection obligations under the law.

3. In addition, the Person authorized by the Operator will oblige all persons involved in the processing of personal data subject to this Additional Act (employees, agents, etc.) to transfer such personal data only on the basis of instructions, unless this obligation already exists by law. The person authorized by the Operator will provide the employees concerned with appropriate information on the transfer instructions applicable to them and on the consequences of any breach of data confidentiality.

4. In accordance with this Article, the obligations of the persons empowered by the Data Controller to maintain the confidentiality of the data shall remain imposed on those persons even after the cessation of their activities and the cessation of services for the Data Controller.

Art. 4. Security of processing

1. Taking into account the current state of technology, as well as the risk with varying degrees of probability and seriousness for the rights and freedoms of individuals, the Operator shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The person empowered by the Operator will also support the Operator in the implementation of technical and organizational security measures, taking into account, at the same time, the nature of the processing and the information available. In order to assess the appropriate level of protection, particular account shall be taken of the risks associated with the processing, such as: - unauthorized destruction, alteration or disclosure or unauthorized access to such personal data - unintentionally or unlawfully.

2. In addition, the Person empowered by the Operator will consider the adoption of the following measures, as appropriate:

(a) Pseudonymization (defined according to Art. 4 point 5 of the General Data Protection Regulation - GDPR) and encryption of personal data;

(b) Ability to ensure the confidentiality, integrity, availability and continued resilience of processing systems and services;

(c) Rapid restoration of the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) Implement a process of periodic verification and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.

3. The data controller shall assist the controller in documenting the taking and compliance with the technical and organizational measures adopted by the data controller in respect of the processing of personal data subject to this Additional Act.

4. The controller shall verify the measures implemented and adjust them where necessary to ensure that the processing is carried out in accordance with data privacy regulations and that the rights of the data subjects concerned are respected at all times.

Art. 5. Obligations to provide support

1. The person empowered by the Operator shall provide the Operator with all possible support regarding his obligation to respond to requests from data subjects and issues related to the exercise of the rights of data subjects. If the Operator cannot deal with the rights of the data subjects himself, then the Person empowered by the operator will follow the relevant instructions from the Operator within the limits of this obligation to support the assertion of the rights of data subjects without undue delay. Thus, in order to make all the necessary information available to the Operator in an appropriate format for this purpose, when the data subjects request the exercise of certain specific rights, the Person empowered by the Operator will respond to the Operator within the following terms:

In terms of exercise

(a) the right to rectification within one week,

(b) the right to be erased ("right to be forgotten") within one week,

(c) the right to restrict processing within one week,

(d) the right to data portability within two weeks,

(e) the right to information within two weeks,

(f) the right of access within two weeks

(g) the right to object within one week,

from the moment of notification by the Operator in each case.

These deadlines may be modified according to those indicated by the supervisory authority.

The Data Controller shall notify the Operator without delay if any data subject contacts the Data Controller directly to exercise his / her data subject rights.

2. In the event of a personal data breach (eg "personal data breach" as defined in Article 4 (12) of the General Data Protection Regulation - GDPR), the controller shall notify the controller of this. in writing, without delay, at the latest within 24 hours of becoming aware of the infringement, stating:

(a) a description of the nature of the breach of personal data protection, including, if possible, the categories and approximate number of data subjects concerned, the categories affected and the approximate number of records of personal data,

(b) a description of the likely consequences of the breach of personal data security, and

(c) a description of the measures taken or proposed to remedy the breach of personal data security and, if necessary, the measures to mitigate any adverse effects thereof.

The data controller shall assist the controller in drawing up notifications of personal data breach to the supervisory authority, as well as notifying the data subjects affected by that breach.

3. When conducting a data protection impact assessment and any prior consultation of the supervisory authority, the controller shall support the controller, if requested, taking into account the type of processing and within the limits of the information available to the controller.

Art. 6. Cooperation with supervisory authorities

1. The controller shall facilitate the proper verification and supervision of data processing by the competent supervisory authority and shall provide the supervisory authority with accurate, complete and timely information on the processing activities that are included in the object, in order to allow any audits and control measures and immediately comply with the instructions issued by that authority.

2. The controller shall notify the controller without delay if a supervisory authority contacts the controller directly about the processing activities that are part of the object under his control and supervision in accordance with the provisions of this Additional Act.

Art. 7. Information obligations and inspection rights

1. The Operator has the right at any time to be persuaded to comply with the terms and conditions of this Additional Act, either in person or through a representative appointed by the Operator. The person empowered by the Operator will offer the Operator and / or the representative appointed by him immediately access to the important premises where the processing activities take place.

5. If any personal data held by the controller is compromised by pledge or confiscation, insolvency proceedings or any other third party events or measures, the controller will notify the controller accordingly, without delay. The person authorized by the operator will notify the third parties involved in this regard, without delay, of the right of control and ownership of the personal data of the operator.

Art. 8. Recruitment of other persons authorized by the operator (subcontractors)

1. Where the person empowered by the operator intends to appoint a subcontractor, he shall notify the Operator of his name and the planned activities and shall appoint that subcontractor only with the prior written consent of the Operator.

2. Upon termination of the contractual relationship with the subcontractor, the Person empowered by the Operator shall ensure that the subcontractor returns to the Person empowered by the Operator the personal data processed in the course of its activities, followed by the deletion of such data.

3. The person authorized by the Operator shall notify the Operator without delay of any imminent change in the relationship with a subcontractor. The Operator may raise an objection to such a change with a good reason, in which case the Person empowered by the Operator must modify or terminate the relationship with the subcontractor, in accordance with the objection.

4. If the person empowered by an operator recruits another person empowered to perform specific processing activities on behalf of the operator, the same data protection obligations set out in this addendum shall apply to the subcontractor. To this end, at the time of the appointment of a subcontractor, the Person empowered by the Operator will conclude a contract with that subcontractor to ensure that he is subject to the same data confidentiality obligations as set out in this addendum between the Operator and the Person empowered by the Operator. Adequate evidence to this effect must be provided to the Operator without undue delay.

5. The Data Controller shall ensure that each subcontractor provides adequate safeguards to ensure that appropriate technical and organizational measures are taken to ensure that the processing is carried out in accordance with the applicable data privacy regulations. If evidence is requested, the Operator must notify the Operator immediately.

6. If the subcontractor fails to comply with its data protection obligations, the person empowered by the controller shall remain fully liable to the controller for the fulfillment of the subcontractors obligations.

Art. 9. Liability and regressive actions

1. The controller shall be liable for damage caused by his processing operations in breach of legal provisions.

2. The person empowered by the controller shall be liable for damage caused by his processing operations only if he has failed to fulfill obligations which, under the relevant legislation, are specifically incumbent on the persons empowered by the controller or have acted outside or contrary to the instructions. of the Operator.

3. The Operator or the Person empowered by the operator is exonerated from the responsibility incumbent on him pursuant to par. 1 and 2 above, if it proves that it is not responsible in any way for the event that caused the damage.

4. If both the Processor and the Processor are involved in the same processing operations and are liable for loss or material or non-material damage caused by the processing activities which do not comply with the legal provisions, the parties involved shall be liable for for the entire damage, in order to ensure the effective compensation of the data subject.

5. If a claim is made by a data subject against a party involved as a result of loss or damage caused by processing activities in breach of legal provisions and if one of the parties has paid full compensation for the loss or damage suffered, then it shall be entitled to claim compensation from the other Contracting Party in proportion to its liability for such loss or damage.

6. The person empowered by the Operator is liable to the Operator for compliance with the obligations regarding data protection protection and for compliance with the obligations of the subcontractor to be agreed by Contract, which he appoints for the performance of his tasks. Any fault on the part of the subcontractor must be attributed to the Person empowered by the operator as his own fault.

Art. 10. Legal consequences of termination

1. Upon termination / termination of a contract or upon termination of processing services, the Person empowered by the controller shall return to the Operator, at his choice, all results of the processing of personal data and records containing personal data, within a time limit set by him. and / or destroy or delete any such material, in accordance with the law on data confidentiality, unless the Data Controller is obliged, under national or European Union law, to continue to retain such data. personal. If requested, the Data Controller will provide the Operator with written evidence of deletion or destruction of the data.

2. If the Operator does not make a selection on or before the date of termination of the Contract, all personal data, results and processing records containing personal data must be returned to the Operator initially.

3. If the person empowered by the operator has appointed subcontractors, then points 10.1 to 10.2 shall apply to them by analogy. The person empowered by the controller shall remain fully liable to the controller for the termination of the processing service contracts concluded with the subcontractors appointed by him.

4. Records for documentary purposes which serve as proof of the lawful processing of personal data in accordance with orders placed or instructions issued shall be kept by the Data Controller in accordance with the legal retention periods and after the cessation of processing activities, and children of these records will be delivered to the Operator, at his request. After the delivery of these copies, the person authorized by the operator will dispose of the existing copies

Article 11. Miscellaneous

1. The Contracting Parties have the right to assign all rights and obligations arising from this Additional Act, including this obligation to process personal data on behalf of the Operator, to their universal and universal legal successors, but only after notification in written by the other party.

2. All amendments and additions, as well as the termination of this Agreement and its annexes, are valid only if made in writing.

3. The invalidity, illegality or inapplicability of any provision of this Additional Act or its annexes shall not affect the legality and applicability of the other provisions of this Additional Act in any way. Any such invalid, unlawful or unenforceable provision of this Additional Act shall be deemed to be replaced by a valid, lawful and enforceable provision which is as close as possible to the legal and economic intent of the Parties and the purpose of the invalid, unlawful or unenforceable provision. applicability that has been removed

4. This Additional Act is supplemented by the provisions of EU Regulation 2016/679 - General Data Protection Regulation, as well as other applicable legal provisions.

5. This Additional Act is regulated by the legislation of Romania; conflict-of-law rules under private international law are excluded.

6. If you have any questions or comments regarding this Notice, please contact us.