PERSONAL DATA PROCESSING POLICY
Last Updated: October 1, 2023
In the course of its activity, OLD AUTO ROLLING S.R.L., a company registered with the Trade Register under no. J40/7843/2023, with VAT ID RO48054390, headquartered in Bucharest, Soseaua Nordului No. 96G, 1st floor, apartment No. 3, Sector 1 (hereinafter referred to as the Company), processes your personal data when you access the website: www.plus-auto.ro.
The Company ensures the continuous compliance with all principles and legislation regarding the protection of personal data, regarding the processing, collection, processing, storage, and transfer of personal data, as regulated by the current legislation, as well as the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR").
This policy sets out the key principles regarding data protection and how the Company manages the personal data you provide to us when accessing the website. The Company will ensure the updating of this policy and will publish the most recent version on the website.
The following definitions of the terms used in this document are extracted from Article 4 of the GDPR:
- Personal Data: means any information relating to an identified or identifiable natural person ("Data Subject") that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processing: means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.
Categories of Personal Data
We understand the importance of your personal data and are committed to protecting their confidentiality and security. Therefore, it is important for us to inform you about the processing of your personal data as a user of the website www.plus-auto.ro, through this policy.
The categories of personal data processed by the Company vary depending on the interaction and relationships you register on the website. Thus, your personal data can be provided by you in various sections of it, especially in the following situation: when you fill out the website's contact form;
Categories of Data that may be processed:
At the time of completing the contact form available on the website: name, first name, phone number, email address;
The data provided by you must be real, correct, and up to date, and you must have the right to provide it. The data mentioned in the previous point are provided by you voluntarily when interacting with the Company according to your transmitted purpose.
You are therefore responsible for the data you provide on the website, both towards us and towards any third party that may be prejudiced by providing the data.
Also, the website may collect certain information about your navigation and interactions with its various sections. We will store or access information and cookie files on your terminal equipment (computer, phone, tablet, etc.) only under the conditions described in the Cookies Policy section. The categories of personal data processed concern the time and date of accessing the site, as well as the IP address of the terminal from which the website was accessed.
The Company may process the data mentioned above, for the following purposes:
(i) In an attempt to fulfill any orders that you, as a visitor, may place through the website www.plus-auto.ro, the processing of these personal data is carried out based on your registration as a visitor;
(ii) Marketing: sending marketing communications to subscribers through means of communication such as name, first name, email, phone number; the processing of this personal data is carried out based on your consent;
(iii) For the purpose of managing requests, complaints, and suggestions: processing data to complete the contact form; the processing of this personal data is carried out based on your consent, as well as the legitimate interest of the Company in resolving complaints, improving services, managing suggestions, and requests submitted to the Company;
(iv) In the context of processing visitor data for the purpose of ensuring the proper functioning of the website; the legal basis for processing is the legitimate interest of the Company in improving its services;
Basic Principles Regarding the Processing of Personal Data
The processing and management of your personal data are carried out in accordance with the following principles:
- It is open and transparent about what it does with the data and why it uses them;
- It keeps the data safe;
- It ensures that it always has a legal basis for managing the data;
- It collects and uses the minimum necessary data, thus respecting the principle of minimization;
- It keeps the data up-to-date, accurate, and complete;
- It does not keep the data longer than necessary, ensuring the implementation of data retention periods, where there is no mandatory period provided by law;
- It respects the legal rights of data subjects regarding their personal data;
- It does not transfer data abroad without taking the measures provided for data transfer, and not before informing the data subjects in this regard.
Fairness and Transparency
Personal data are processed in a lawful, fair, and transparent manner with respect to the data subject. This is the basic principle, which means that personal data are only used to the extent that the individuals who entrust them to the Company have been informed in advance about how they will be used.
At any time, you can request from the Company information about the following main aspects:
- What kind of data will be collected;
- For what purpose they will be used;
- With whom they will be shared (if applicable);
- If they will be transferred to other countries;
- How long they will be kept;
- What rights individuals have regarding their personal data. Indication of the contact channels through which data subjects can exercise these rights.
Personal data will only be processed for the purpose communicated to the data subject. Subsequent changes in the purpose of processing will be communicated to the data subject prior to the use of their personal data.
The Company undertakes to carry out all processing activities both for a well-determined purpose and related to its activity, but also circumscribed by a corresponding legal justification, as well as for the purpose of fulfilling the legitimate interests of the Company in the context of carrying out its object of activity, as follows:
- managing relationships with customers, partner merchants, and users of products and services, through the "My Account" sections and as a result of orders placed as a visitor;
- providing responses in the case of completing the contact form;
Consent of the Data Subject
Obtaining the consent of the person whose data we are to collect and process is another legal basis provided by the GDPR, and the Company will process personal data only based on your explicit and unequivocal consent, in all situations where it is necessary.
Personal data will be used only when absolutely necessary and relevant for a specific processing task or project. If the use of personal data cannot be avoided, the Company will use only the minimum data necessary to achieve that purpose.
Data protection legislation requires that personal data be kept accurate, complete, and up-to-date. The Company will ensure the correction, supplementation, updating, or deletion, as applicable, of inaccurate or incomplete data.
Retention Period and Data Storage
We will keep your personal data for a period not exceeding the time necessary to achieve the purposes for which the data is processed, except in cases where legal provisions require or oblige us otherwise.
- regarding the Company's marketing communications, we will keep your email address and phone number in the database as long as your subscription is active; from the moment we receive your request to unsubscribe, we will deactivate the sending of newsletters or SMS communications to your email address and/or phone number; at which point, your email address and/or phone number will be deleted from the database regarding subscribers to the Company's marketing communications;
- regarding the contact form, we will keep your personal data for the period necessary to provide responses to your messages and requests and to prove the correspondence with you, but not more than 1 year from receiving them;
- regarding the conduct of analyses regarding website navigation and user interactions with the website, we will keep data regarding your interactions for a period of up to 3 years.
The Company may delete your personal data when it considers that they are no longer necessary for the purposes for which they were collected.
We do not store information and do not access stored information on your terminal equipment (computer, phone, tablet, etc.) except with your prior consent or when these operations are carried out exclusively for the purpose of transmitting a communication through an electronic communications network, or are strictly necessary for the provision of an information society service expressly requested by you (for example, for storing information about activities carried out by you on the website www.plus-auto.ro, so that you can use them easily).
For the use of cookie files for which your prior consent is necessary, the website will request your consent through a banner displayed on the website when you access them. This banner contains a link to the Data Protection Policy and offers you the option to accept or refuse cookie files. If you give your consent but change your mind later, you can use the settings of your internet browser application to delete the stored information or to refuse cookie files.
The Company ensures and implements the technical and organizational security measures required by law and industry standards to protect your personal data against accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access, as well as against any other form of illegal processing. Additionally, we take measures to ensure that we use your personal data exactly as described in this Policy and to respect the choices you make regarding the processing of your personal data.
Disclosure to Third Parties
Except in the situations presented below, we will not disclose any information regarding your data without authorization. Based on your express and unequivocal consent, provided in this way and only within the limits of applicable law or for the purpose of fulfilling a legal obligation and/or protecting a legitimate interest, we may transmit your personal data to:
- Service providers in the following areas: marketing, administrative services, and transaction processing;
- Other service providers, all of whom have signed confidentiality agreements.
- Organizations or companies that coordinate specific studies and agree to maintain the confidentiality of the information received;
- State, governmental agencies, if the legislation requires it;
- Other authorities and bodies, for the purpose of fulfilling our legal obligations and/or protecting our legitimate interests;
- Other companies with which we may develop joint programs to offer our products and services on the market;
The transmission of your personal data to the aforementioned recipients will only be done under a commitment of confidentiality and ensuring an adequate level of security on their part, guaranteeing that personal data is kept safe.
Rights of Individuals
According to current legal provisions, data subjects have the following rights:
- The right to be informed about how and why personal data is used;
- The right to request copies of the personal data held by an entity (including information contained in emails, instant messages, notes, etc.);
- The right to request the correction of any inaccuracies in their personal data;
- The right to order the deletion of personal data (including permanent deletion from the Company's systems and from any outsourcing provider's systems that the Company has allowed access to);
- The right to request the Company to cease processing personal data;
- The right to object to the use of their personal data for direct marketing purposes;
- The right to have any personal data provided to the Company transferred to another party (e.g., another banking service provider) in a "structured, commonly used, and machine-readable format";
- The right not to be subject to a decision based solely on automated processing (i.e., a decision generated by a system without human involvement), if the result has a legal or similarly significant effect on the person concerned;
- The right to withdraw consent when it has been given for processing purposes;
- The right to address the National Supervisory Authority for Personal Data Processing if deemed necessary.
If the Company receives a request from you exercising any of the rights mentioned above, we will respond to the request within 30 days, with the possibility of extending this period, only after informing the data subject and provided there is a valid reason justifying the impossibility of providing a response within the initial 30-day period.
In case personal data is lost, damaged, stolen, compromised, or as a result of a complaint regarding how the Company has handled personal data, the Company will report the breach to the National Supervisory Authority for Personal Data Processing within 72 hours of discovering the breach and will promptly notify relevant individuals if they are likely to be affected by the incident. In addition, the Company will make reasonable efforts to limit the damage caused by the data breach.
Protection of Personal Data belonging to Minors
The website www.plus-auto.ro is not dedicated/intended for minors. In the event that a parent or legal guardian notifies the processing of personal data belonging to individuals under the age of 18, the Company will immediately delete/destroy this data from the processing and storage means.
If Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data applies with regard to the offering of information society services directly to a child, the processing of personal data of a child is lawful if the child is at least 16 years old. If the child is under the age of 16, such processing is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility for the child.
We recommend parents/guardians to regularly check and monitor the use of the email address, as well as the online activities carried out by children. Please ensure that, before sending us personal data online, your child has previously requested your permission.
Organization and Responsibilities
The responsibility for ensuring adequate processing of personal data lies with any person working for or collaborating with the Company who has access to the processed personal data.
If you have a question regarding the exercise of any of your rights mentioned above or any request to address, you can contact us at the following email address: firstname.lastname@example.org. You can also address requests in writing to the Company's correspondence address detailed in the introductory part of this policy.