PERSONAL DATA PROCESSING POLICY

www.plus-auto.ro

Last updated: May 10, 2024


NOTICE REGARDING THE PROCESSING OF PERSONAL DATA FOR USERS OF OLD AUTO ROLLING S.R.L. SERVICES


1. GENERAL INFORMATION

This Privacy Policy governs your use of various products, services, content, features, technologies, as well as websites, mobile applications, and other online offers that we collectively refer to as the "Services".

We collect your personal data when you interact with us, accessing the products and services provided by the platform/website www.plus-auto.ro. These situations are described below, along with details regarding the processing of your data.


2. WHO WE ARE AND HOW TO CONTACT US?

The company OLD AUTO ROLLING S.R.L., registered within the Trade Registry under no. J40/7843/2023, having VAT ID RO48054390, headquartered in Bucharest, Soseaua Nordului Nr. 96G, 1st floor, apartment no. 3, Sector 1 (hereinafter referred to as "the Company" or "We"), processes your personal data when you access the website: www.plus-auto.ro as a Data Controller.

For any information or requests regarding the processing of your personal data by OLD AUTO ROLLING S.R.L. or to exercise your rights as a data subject with respect to us, you can use the following contact details:

Data Protection Officer:

Mailing address: Soseaua Nordului nr. 96G, sector 1, Bucharest – Attention: DPO

Email address: office@oldauto.ro


3. WHAT PERSONAL DATA WE PROCESS, FOR WHAT PURPOSES, AND ON WHAT LEGAL BASIS?

Depending on the choices you make during authentication for our Services or during the contracting process of our Services, you will provide the following personal data:


a. Purpose of processing: In order to provide the services offered by the company: creating a user account within the platform/website www.plus-auto.ro, access to available functionalities.
   Personal data:
     • Identification data: name and surname
     • Contact details: email address, phone number
     • Representative status in case of a Seller account of a legal entity or Dealer type
   Legal basis for processing: The processing is necessary for the performance of a contract to which you are a party or for taking steps at your request prior to entering into a contract, pursuant to Article 6(1)(b) of the GDPR. This includes processing the necessary data for creating and managing your account, as well as displaying your contract data to other users interested in the products you sell through the platform.

b. Purpose of processing: For contacting the company without being a user of the platform with a user account.
   Personal data:
     • Identification data: name and surname
     • Contact details: email address, phone number
     • Content of the transmitted messages/requests
   Legal basis for processing: The processing is necessary for the performance of a contract to which you are a party or for taking steps at your request prior to entering into a contract, pursuant to Article 6(1)(b) of the GDPR. This includes processing the necessary data to respond to your request.

c. Purpose of processing: For the transmission of transactional messages. Transactional messages are informational responses, of direct utility, delivered to Users. Unlike promotional messages, these messages are necessary, not optional. Examples of messages transmitted by the company: password reset messages, account validation, user account updates, publication confirmations of advertisements, etc.
   Personal data:
     • Identification data: name and surname
     • Contact details: email address, phone number
   Legal basis for processing: Our legitimate interest in optimizing the services provided to users and keeping them constantly informed about the status of services, pursuant to Article 6(1)(f) of the GDPR.

d. Purpose of processing: For the fulfillment of the company's legal obligations in tax matters such as generating invoices, legal reports imposed on the company.
   Personal data:
     • Identification data: name and surname
     • Address details including County, Locality, Street
   Legal basis for processing: The processing is necessary for compliance with a legal obligation to which the controller is subject, pursuant to Article 6(1)(c) of the GDPR. This includes processing the necessary data for issuing invoices and other legal reporting required of the company.

e. Purpose of processing: For optimizing the services offered to users in the area of payments and contracting of services. To maintain a history of transactions/payments made by users of the services.
   Personal data:
     • Information regarding payment methods
     • Payment history
     • Transaction history
   Legal basis for processing: Our legitimate interest in optimizing the methods of contracting services, pursuant to Article 6(1)(f) of the GDPR. We use an external payment processor to optimize the services offered. For more details regarding the processing carried out by Netopia Payments, the payment processor used by the company, please visit: https://netopia-payments.com/politica-de-confidentialitate/

f. Purpose of processing: For facilitating communication between users using the Message functionalities available within the client account. When you use the messaging feature to communicate with other users, we collect and process the content and information you choose to provide us through this feature.
     • The Company does not use automated models for analyzing inappropriate language.
     • The platform provides a function to block users who use inappropriate or annoying language.
   Personal data:
     • Any information contained in the message
   Legal basis for processing: Our legitimate interest in optimizing communication methods between users of the services, pursuant to Article 6(1)(f) of the GDPR.
   * In case of a dispute or complaint related to inappropriate language, the company may specifically examine the content of conversations to assess the situation and take necessary measures in its legitimate interest, pursuant to Article 6(1)(f) of the GDPR.

g. Purpose of processing: To ensure compliance with our security and confidentiality standards, we use a combination of automated and manual techniques to analyze the content of the advertisements you want to publish. These techniques include text recognition algorithms and computer imaging to detect and filter personal data, images of people, and any inappropriate or offensive content. In addition, our human review teams examine complex or uncertain cases to ensure a comprehensive and fair assessment, thereby protecting confidentiality and complying with legal data protection regulations. These measures are essential to maintain a safe and respectful environment for all users of our platform.
   Personal data:
     • Any information contained in the advertisement
   Legal basis for processing: Our legitimate interest in not publishing inappropriate content on the platform, pursuant to Article 6(1)(f) of the GDPR.

h. Purpose of processing: For fraud detection. To ensure the integrity of our Services and prevent fraudulent activities, we use advanced technologies, including algorithms, to identify suspicious behaviors or fraudulent actions. These algorithms analyze various information, such as platform activity and content published by users. When an account poses a high-risk level according to automated analysis, it may be automatically suspended. In less clear situations, cases are manually reviewed by our security specialists, who operate with strictly limited access rights. This automated approach is part of our ongoing effort to prevent fraud and ensure a safe environment for all users. If you believe that the suspension of your account was unjustified, we invite you to contact us via email or through the Contact Form (https://plus-auto.ro/contact/) for a reassessment of the situation.
   Personal data:
     • Identification data: name and surname
     • Contact data: email address, phone number
     • Role as a representative, in the case of a Dealer Seller account
     • Any information contained in the advertisement
   Legal basis for processing: Our legitimate interest in not publishing inappropriate content on the platform, pursuant to Article 6(1)(f) of the GDPR.

i. Purpose of processing: For sending commercial communications (personalized or general) for marketing purposes.
   Personal data:
     • Identification and contact data (name, surname, phone, email, county)
     • Vehicle model of interest, mileage, age, or similar
   Legal basis for processing: Your consent expressed through our website, pursuant to Article 6(1)(a) of the GDPR. You can withdraw your consent at any time through the means indicated in the form or in the commercial communications received, or by using the contact details provided in this document.

j. Purpose of processing: For optimizing the services offered, by participating in satisfaction surveys regarding the products and services provided.
   Personal data:
     • Contact data: email address and phone number
     • Company name you represent
     • Satisfaction level
   Legal basis for processing: Our legitimate interest in optimizing the services offered, pursuant to Article 6(1)(f) of the GDPR.
   * Surveys can also be conducted anonymously, and if you do not agree with this processing, you can object at any time by submitting a request to this effect.

k. Purpose of processing: When monitoring the open rate of transmitted commercial communications.
   Personal data:
     • Open rate of messages sent via email/SMS
     • Web addresses (URLs) accessed from the messages sent
   Legal basis for processing: Our legitimate interest in optimizing marketing campaigns, pursuant to Article 6(1)(f) of the GDPR. We use this information in aggregate form to improve the planning of future campaigns.

l. Purpose of processing: Managing complaints/requests from Users:
     • Identifying applicants/complainants and keeping correspondence
     • Receiving and resolving complaints and requests related to the company's products and services
   Personal data:
     • Identification data: name and surname
     • Contact data: email address, phone number
     • Details regarding the addressed request
   Legal basis for processing: Our legitimate interest in managing and responding to complaints and requests received, pursuant to Article 6(1)(f) of the GDPR. Processing is necessary for compliance with a legal obligation to which the controller is subject, pursuant to Article 6(1)(c) of the GDPR, especially requests regarding the processing of personal data.

4. DO WE COLLECT DATA FROM MINORS?

Our services are not intended for children under the age of 18, and we do not knowingly collect personal data from anyone under the age of 18. If we become aware that a person under the age of 18 has provided us with personal data, we will promptly delete this data.


5. SOURCE OF PERSONAL DATA

We collect your personal data mentioned above from the following sources:

  1. Through interaction with the platform/website www.plus-auto.ro.
  2. Additionally, data collection may also occur directly in the context of the relationships/interactions you have with us (e.g., direct requests for information, offers, complaints, etc.).
  3. Through interaction with our pages on social networks.

6. TO WHOM DO WE DISCLOSE PERSONAL DATA?

Personal data may be disclosed, strictly to the extent necessary for the purposes detailed above or as required by law, or when we have a legitimate and well-founded interest, to the following categories of recipients who may act as independent operators/associated operators or authorized persons, as follows:

6.1. Service Providers used by the Operator, as follows:

  • development services and technical support and maintenance of IT systems, networks, and equipment;
  • cybersecurity services;
  • security auditing services and securing IT infrastructure;
  • electronic communication services;
  • telephone and internet services;
  • archiving services;
  • software solutions, platforms, or other IT systems, such as those for managing information collected through websites, marketing platforms, etc.;
  • satisfaction survey services;
  • cloud/hosting services;
  • marketing services (e.g., media agency);
  • provider of the IT system managing activity and records regarding expressed options for commercial communications (direct marketing) and surveys, as well as other providers of platforms or IT systems;
  • payment services providers, such as Netopia Payments, may receive your personal data for the purpose of transmitting information and communications;
  • SMS transmission service providers;
  • billing solution provider for issuing invoices;
  • financial, accounting, and auditing services;
  • anonymization services or detection of inappropriate language/content;
  • other services necessary for internal operations;
  • social media platforms, in case you interact with us through them;
  • external consultants collaborating with the Operator (e.g., lawyers, notaries, accountants, financial advisors, and other types of consultants).

When disclosing your personal data to service providers acting as processors under GDPR, the disclosed data is limited to the information necessary for the provision of these services. We contractually require these third-party service providers not to use your personal data for any other purpose.

6.2. Authorities and public bodies, including research bodies and courts of law or institutions with competence in conducting inspections and controls over the operator's activities and assets, to the extent that the transmission of data to them is required by law and/or necessary in case of litigation or dispute resolution, as well as in the event of controls where we are obligated to provide them (e.g., the National Supervisory Authority for Personal Data Processing).

6.3. Persons expressly indicated by you;

6.4. Third-party acquirers, to the extent that our business would be transferred (in whole or in part), and User data would inherently be linked to the assets subject to such a transaction.


7. RETENTION PERIOD FOR PERSONAL DATA

Personal data will be retained by the Operator for a period of time that will not exceed what is necessary for the purpose for which they are processed, subject to longer legal storage requirements.

We estimate that the processing activities detailed above will require the retention of personal data for the following periods:

  1. When you create an account on our platform/website, we will process personal data related to the user account, published advertisements, and messages received/exchanged with other users until you delete the account yourself.
  2. If an account is inactive for a year, meaning no advertisements are posted within a calendar year, the company will send an email notification to inform the user about the existence of their account on the platform. The user will have the option to confirm access details to continue using the account or to delete it. If an individual user account remains inactive for 2 years and the user does not expressly confirm the desire to continue the contractual relationship with the company, the user account will be automatically deleted.
  3. When you submit a request to us, we will process your data to handle your request, as well as to compile statistics on the volumes of requests received by the company, and subsequently archive them for a period of up to 3 years from the date of the last interaction, to defend ourselves in case of disputes.
  4. When you give consent to receive commercial communications, the consent is valid for a period of 5 years from the date of expression or until you decide to withdraw it (whichever comes first). Evidence of the expressed consent and its validity period, as well as the communications made and data used for this purpose, will be stored for an additional 3 years from the expiration/withdrawal of consent, based on our legitimate interest to demonstrate compliance with applicable data processing and electronic communication requirements. As the expiration date of expressed preferences approaches, we may contact you to request an update.
  5. In the case of satisfaction surveys, we will keep your data and the data uploaded to the survey management platform for a period of 6 months from the completion of each satisfaction survey to analyze satisfaction levels and implement service improvement measures. Subsequently, we will delete or anonymize personal data from our systems and records, and/or take measures to anonymize them so that you cannot be identified, and we will also request that data recipients take these actions.
  6. When you interact with our social media pages, interactions, posts, and comments on our page will be retained until you choose to delete them.
  7. Regarding data collected through cookies, they are retained for the defined duration, in each case, as detailed in the Cookie Policy section (https://plus-auto.ro/cookie-policy/).
  8. Regarding audits, checks, and reports, we will retain personal data included in relevant documentation for the entire duration of these activities, plus applicable limitation periods (e.g., the general limitation period of 3 years, limitation periods imposed by special legislation, such as financial-accounting legislation, for data relevant from an accounting perspective, which will be kept according to the storage periods provided by financial-accounting legislation; specifically, a 5-year retention period for legal compliance under Article 25 (1) of Accounting Law no. 82/1991, republished, with subsequent amendments, adding an additional 5-year period in consideration of Article 28, paragraph (21) of the same legislative act, in the legitimate interest of the entity to keep evidence of accounting records that formed the basis of data in the balance sheet and income statement of the financial year and for archive management analysis).
  9. Personal data processed in the context of disputes, litigation, or conciliation will be retained beyond the durations mentioned above, until their resolution, and subsequently, in accordance with applicable limitation periods.

*Except where necessary to protect our legitimate interests or where legislative changes affect legal retention obligations. In such cases, we will act in accordance with the law, including informing you accordingly.

Once the processing period indicated above expires and we no longer have legal or legitimate reasons to process your personal data, the data will be deleted/destroyed in accordance with the law and our internal procedures, which may involve anonymized archiving or destruction.


8. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

Generally, we process your personal data within the European Economic Area (EEA) and do not transfer or disclose personal data to third parties outside the EEA.

If the information you provide to us will be disclosed to providers or other third parties (according to the categories indicated above) from countries outside the EEA, we will take appropriate measures to ensure that your personal data is used in accordance with this notice and that necessary security measures are taken. Such measures may include, where applicable, the guarantee provided by an adequacy decision issued by the European Commission (EC) or the conclusion of standard contractual clauses approved by the European Commission, or other similar instruments, in accordance with applicable law.


9. WHAT HAPPENS IF YOU REFUSE TO PROVIDE YOUR PERSONAL DATA

Processing of personal data according to this notice is necessary for the purposes detailed in section 3 above.

If you refuse to provide personal data, a user account cannot be created on the platform/website www.plus-auto.ro.

In cases where your personal data is processed based on your consent, refusal to give consent does not affect your ability to benefit from the requested products and services.


10. AUTOMATED PROCESSING OR PROFILING

We do not use automated processes to create specific user profiles.

To ensure the integrity of our Services and prevent fraudulent activities, we use advanced technologies, including algorithms, to identify suspicious behaviors or fraudulent actions. These algorithms analyze various information, such as platform activity and user publication content. When an account presents a high risk according to automated analysis, it may be automatically suspended. In less clear situations, cases are manually reviewed by our security specialists who operate with strictly limited access rights. This automated approach is part of our ongoing effort to prevent fraud and ensure a safe environment for all users. If you believe that the suspension of your account was unjustified, we invite you to contact us via email or through the Contact Form (https://plus-auto.ro/contact/) for a reassessment of the situation.

To ensure compliance with our security and confidentiality standards, we use a combination of automated and manual techniques to analyze the content of advertisements you wish to publish. These techniques include text recognition algorithms and computer imaging to detect and filter personal data, images of individuals, and any inappropriate or offensive content.

Additionally, our human review teams examine complex or uncertain cases to ensure a comprehensive and fair evaluation, thus protecting confidentiality and complying with legal data protection standards. These measures are essential to maintaining a safe and respectful environment for all users of our platform.


11. SECURITY OF PERSONAL DATA PROCESSING

We continually assess and update the security measures implemented to ensure safe and secure processing of personal data in accordance with GDPR. We continuously make reasonable efforts to protect personal data in our possession or under our control by establishing reasonable security measures to prevent unauthorized access, collection, use, disclosure, copying, modification, or deletion of data, as well as other similar risks.


12. YOUR RIGHTS AS A DATA SUBJECT REGARDING DATA PROCESSING

  • Right to be informed: You will be informed through this Policy about how we process personal data according to articles 13 and 14 of the GDPR.
  • Right of access to data: According to article 15 of the GDPR, you can verify if and how your personal data are processed by accessing this information through any preferred communication method (mail, email, etc.).
  • Right to rectification: You have the right to correct or complete inaccurate or incomplete personal data. Please contact us immediately if you discover such errors.
  • Right to erasure ("right to be forgotten"): You can request the deletion of personal data under certain conditions, such as when the data is no longer necessary or if you withdraw consent. There are situations where we may refuse deletion, such as the need to retain data for legal compliance or litigation defense. Data deletion can also be performed directly by you from your user account.
  • Right to restriction of processing: This right allows you to limit the processing of personal data, excluding storage, under certain circumstances, such as disputing data accuracy or objecting to processing.
  • Right to object: You can object to the processing of personal data based on our legitimate interests or for direct marketing purposes. In the case of marketing communications, you can unsubscribe using the provided link in the received communications.
  • Right to data portability: You have the right to receive personal data in a structured format and to transfer it to another controller.
  • Right not to be subject to automated decision-making: You can object to decisions based solely on automated processing, such as profiling, which have legal effects on you.
  • Right to withdraw consent: You can withdraw your consent for the processing of personal data at any time without affecting the lawfulness of processing prior to withdrawal. Requests can be sent by email or mail to the indicated addresses.
  • Right to lodge a complaint:

    Without affecting your right to contact the Data Protection Authority at any time, please contact us first regarding the exercise of your rights mentioned above. If you believe we have not resolved all your requests or you are dissatisfied with our responses, you can contact the National Authority for the Supervision of Personal Data Processing – ANSPDCP, to file a complaint using the following contact details:

Please note the following aspects regarding the exercise of your rights:

  • Timeframe: We will aim to process your request within one month, which can be extended to two months for specific reasons related to the complexity of the request. In all cases, if this timeframe is extended, we will inform you of the extension duration and the reasons for it.
  • Identification: Please provide us with the necessary information for your identification (name, surname, email address), noting that if we cannot identify you solely based on this information, we will ask you to provide additional information to facilitate your identification.
