The purpose of this regulation on personal data management is to provide ADVANCED ROBOTICS INDUSTRIES S.R.L. (hereinafter referred to as ARI or the company) employees and collaborators with a summary of the most important information related to the data management activities carried out by ADVANCED ROBOTICS INDUSTRIES S.R.L.

This document does not, however, constitute individual consultation, nor does it replace the data protection audit. Its purpose is internal regulation: to provide general assistance and guidance to ARI staff and collaborators so as to ensure compliance with data protection requirements.

Throughout the course of its business ARI handles various personal data of different groups of individuals such as:

– job applicants

– its employees

– former employees

– delegates of suppliers with whom ARI carries out business activities, other than entitled persons

– statutory representatives

– customers participating in certain company promotions

– individual customers who use ARI’s services through retail and/or web-shop sales

– associates/investors/representatives of associates/investors.

With regard to the collection and management of data of these individuals, ARI must comply with European and national legislation on the protection of personal data. At the same time it must take into account its own business interests, operational conditions, technical and organisational opportunities and the interests of its employees and customers.

The purpose of this Regulation is to outline the applicable law and the measures the Company takes to comply with the law. ARI’s aim is to always ensure that GDPR is complied with in a clear and verifiable manner.

This regulation applies to all systems, persons and processes that constitute ARI’s information system, including management, employees, suppliers and other third parties who have access to the Company’s system.

1. General Data Protection Regulation

The General Data Protection Regulation 2016/679/EU (GDPR) is the most important piece of legislation influencing the conduct of our data management business. The EU Regulation has effects in all EU Member States, therefore it applies in Romania without implementation.

1.1 Data management and processing

Given the nature of ARI’s activity, the Data Protection Regulation applies to it. As is clear from the following GDPR concepts, the company and its staff carry out data management and processing activities.

a. Definition of “personal data”:

Personal data is any information relating to an identified or identifiable natural person (“data subject”). A data subject is a person who can be identified, directly or indirectly, in particular by reference to a name, identification number, location data, online ID or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Personal data is therefore any information that ARI records about a person identified by the person’s various attributes (e.g. telephone number, e-mail address, birthday, etc.), and therefore not only the data that allow the person to be identified.

As a company, ARI deals with personal data in its daily activity, mainly through direct sales (retail and online) and indirectly through the delegates and representatives of its legal-entity partners.

b. Definition of “management of personal data”:

Data management means any operation that is performed on personal data, by automatic or non-automatic means, such as collection, recording, organisation, storage, modification, retrieval, consultation, use, disclosure to third parties by transmission, limitation or deletion.

Accordingly, in the course of its business ARI manages personal data.

c. Definition of “controller”:

Data controller refers to any natural or legal person who determines the purpose and means of processing personal data.

ARI determines the purpose and means of data management of employees and other persons and therefore considers itself a data controller. Staff employed by the company become data controllers through the exercise of their function in the course of the work carried out within the company.

d. Definition of “data processor”:

The data processor is a natural or legal person who processes personal data on behalf of the data controller.

1.2 Data management principles

The legislation establishes binding principles on data management and processing, valid erga omnes.

The following principles shall be taken into account and respected when managing personal data:

Personal data:

– Personal data shall be managed in accordance with the law, in a fair and transparent manner (“lawfulness, fairness and transparency”);

– collection is only for well-defined, explicit and legitimate purposes, and data will not be handled in ways incompatible with these purposes; further processing of data for statistical purposes is not considered incompatible (“well-defined purpose”);

– must be adequate and relevant for the management of the data and must be limited to what is absolutely necessary (“economy”);

– must be accurate and, where necessary, kept up to date; inaccurate personal data must be deleted or corrected as soon as, and as far as, possible (“accuracy”);

– storage must be in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods in so far as they will be processed solely for archiving purposes in the public interest or for statistical purposes, subject to the implementation of appropriate technical and organisational measures provided for in this Regulation to safeguard the rights and freedoms of the data subject (“storage restrictions”);

– must be managed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organisational measures (“integrity and confidentiality”);

– Compliance with these principles must also be acknowledged by the data controller (“accountability”).

1.3 Management of special categories of personal data

Under the legal grounds detailed in Article 9 of the GDPR the company sometimes manages special categories of data (e.g. health data). The management of these categories of data is done on preventive grounds in relation to health or health at work (e.g. management of the results of an employee’s capacity analysis or the provision of benefits to disabled persons).

If the need arises to manage a special category of data other than the above, a preliminary examination of the legal basis is required.

1.4 Data subjects’ rights

With regard to personal data managed by the company, the GDPR provides data subjects with a number of privileges that appear as an obligation for the company.

These rights are as follows:

1. Right to information

The data subject has the right to be informed about the source of the personal data, the purpose, the duration of storage, the lawful basis of the processing, the identity of the processor, the kind of legitimate interest, the transfer of data to third countries, the recipients of the data and the categories of recipients in case of legitimate interests.

2. Right of access

The data subject has the right to receive full information from the data controller about the purpose and manner of the processing of his or her personal data and, where such processing takes place, has the right to have access to the data and intrinsic information of his or her personal data and to the related information it manages.

3. Right to rectification

The data subject shall have the right to obtain from the controller, without undue delay, rectification of inaccurate personal data relating to him or her. Taking into account the purposes for which the data have been processed, the data subject shall have the right to obtain the completion of personal data which are incomplete, including by providing an additional statement.

4. Right to erasure

The data subject has the right to request that the controller erase his or her personal data without undue delay, and the data controller is obliged to carry out the erasure (in the specific cases listed in Article 17 of the GDPR), for example if the purpose or lawful basis of the data processing has ceased or the data processing has taken place without any lawful basis.

5. Right to restrict data processing

In specific cases provided for in Article 18 of the GDPR, the data subject may request restriction on data processing. The restriction means that the controller will store the data concerned further, but may only manage them with the consent of the data subject or in order to validate rights of the data subject or of the controller in relation to the data subject.

6. Obligation to notify rectification or erasure of personal data or restriction of processing

The controller shall notify each recipient to whom personal data have been disclosed of any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1) and 18 of the Regulation, unless this proves impossible or involves disproportionate efforts. The controller shall inform the data subject of the recipients if the data subject so requests.

7. Right to data portability

The data subject shall have the right to request that his or her personal data be issued by the Controller in a readable and/or accessible form for the purpose of porting, and shall have the right to transfer this information to another data controller, without the interests or information belonging to a third party being harmed by such porting.

8. Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her, including profiling on the basis of such provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The right to object and the conditions of processing shall be brought to the attention of the data subject at the latest at the time of the first communication with the data subject.

9. Rights related to profiling and automated decision-making

The data subject shall have the right not to be subject to a decision based solely on automated processing including profiling which produces legal effects concerning the data subject or otherwise significantly affects him or her.

The GDPR also sets deadlines for the Company’s obligations arising from the data subject’s rights listed in 4.1. In the course of carrying out the procedures, the responsible employees of the Company must also take these deadlines into account.

The Company must take all reasonable steps to satisfy itself as to the identity of the data subject who wishes to request access or to exercise data subject rights.

1.5 Legal grounds applied in ARI’s data management activities

In the management of personal data in relation to the needs of ARI’s business the most common legal grounds for data management are consent, performance of contract, interest of the company and obligation arising from legal provisions. In all data management processes, the legal basis for data management must be identified in advance.

Consent

For online sales and marketing activities of the company (newsletter, telephone campaign, SMS information, etc.), the prior consent of the data subject is required. In the case of children under 16 years of age, the permission of their legal representative is required.

Before consent is obtained, data subjects must be given transparent information about how their personal information is handled and about their rights in this regard, in particular the right to withdraw the consent given. This information should be provided in an accessible form, in plain language and free of charge.

If the personal data are not obtained directly by the company, this information should be provided to the data subject as soon as possible after obtaining the data, but no later than one month.

Consent, including details of the data subject’s data, i.e. where and when consent was given, must always be recorded and retained by the company in accordance with the Data Storage and Erasure Regulation.

Execution of the contract

Personal data provided at the conclusion of the contract are necessary for the performance of the contract by the company. This interest is a sufficient legal basis for the management of personal data. The interest remains valid for as long as the legitimate interests related to the performance of the contract can be enforced, i.e. until the expiry of five years after the performance of the contract, according to the Civil Code. At the same time, it is important that this legal basis covers only the personal data necessary for the performance of the contract and that these data (telephone number, e-mail, etc.) are then deleted from the company’s registers and records.

Fulfilment of the Company’s legal obligation

The fulfilment of the data controller’s legal obligations may require the management of personal data (e.g. as an employer it has to manage certain information about employees, such as name, address, tax identification number and personal number code etc. in order to fulfil its obligations related to the filing of tax returns and the payment of taxes, salaries etc.).

Tracking the company’s own legitimate rights or rights belonging to third parties

The legal basis for data processing may also be the need to ensure that the legitimate interests of the Company or of a third party are respected. In the case of data management based on a legitimate interest, that interest must be weighed against the obligation to protect personal data and the purpose of that protection. The Company is obliged to carry out and document the relevant assessment.

Such an interest is engaged by the employer’s decision to monitor its employees and customers with a surveillance camera to prevent or detect possible theft or fraud. In this case an appropriate assessment must be made of the rights of the employees and customers concerned, adequate safeguards must be provided for the protection of the privacy of employees, and the data subjects must be informed of the existence and location of the cameras and of the manner and location of data storage.

Furthermore, after an assessment of the balance of interests, in justified cases the employer may access the employee’s correspondence in the electronic mail used for the performance of work tasks, if there is a suspicion of a breach of the obligations undertaken by the employee, i.e. if the information whose retrieval is sought belongs to the employer or has the potential to produce legal effects concerning the employer in any respect. In this case, it is necessary to ensure that employees can be present when their e-mail account, internet or telephone use is checked during an audit.

Integrated data protection

According to the GDPR, the data management process must incorporate the basic principles and adequate protection of the rights of data subjects. In addition to the creation of appropriate data management conditions, these conditions will be subject to periodic review in line with actual needs, adapted to the evolution of the technologies used, changes in data management and new data management processes.

Taking into account the state of science and technology and the costs of implementation, as well as the nature, purpose, circumstances and objectives of data management and the risks to the rights and freedoms of individuals, the data controller shall take appropriate technical and organisational measures, both when defining the manner of data management and during management (such as pseudonymisation), for the effective implementation of data protection principles, such as data economy, and for the inclusion of the safeguards necessary to meet the requirements of this Regulation and to protect the rights of data subjects.

The data controller shall take appropriate technical and organisational measures to ensure that only personal data that are necessary for the specific purpose of the data management are processed. This obligation relates to the amount of personal data collected, the extent of management, the duration of storage and their availability. In particular, these measures must ensure that personal data are not made available by default to an indeterminate number of persons without the intervention of a natural person.

The company is aware of the integrated data protection principle and ensures that it pays due attention to data protection, carries out data protection impact assessments in case of implementation of changes to data storage sites (upgrades) and/or new systems that collect or manage personal information.

In addition, the Company will periodically review the operation of data management systems to ensure that they correspond to the current needs for which they were created, i.e. the legal rules applicable at the time are complied with.

In order to properly implement the GDPR provisions on data management, the Company ensures that:

– all staff members involved in the management of personal data understand their responsibility regarding the monitoring of good data protection practices

– all staff members receive data protection training

– data subjects are provided with easily accessible contact details should they wish to exercise their rights in relation to personal data, and handle such requests effectively

1.6 Transfer of personal data

The transfer of personal data outside the European Union must be carefully checked before transmission so that the transfer takes place within the limits set by the GDPR. This depends in part on how the European Commission assesses the compliance of personal data safeguards in the country of destination, which may change in the course of implementation.

1.7 Data processors

The GDPR provides that the company’s own data storage and processing needs may be met through data processors that provide sufficient safeguards, i.e. that implement technical and organisational measures meeting the requirements of the GDPR and ensuring data security and traceability of data exchange in their systems. In the case of data processors from outside the European Economic Area, such as third parties providing cloud or other data storage, it is essential that the contracts with such third parties include General Terms and Conditions for data management in line with the specific rules laid down by the company for the management of such data.

1.8 Notification of breach of rights

The Company is obliged to determine on the basis of the principles of fairness and proportionality, how and when it will notify data subjects in the event of a personal data breach (data protection incident).

In the event of a data protection incident that may result in effects on the rights and freedoms of individuals in the terms defined by the GDPR, the competent data protection authority must be informed within 72 hours.

The procedure to be followed is the one compliant with the provisions of the Incident Management Rules, setting out the whole process of information security incident management.

A breach of the personal data security rules attracts the sanction provided for by the GDPR: the sanction imposed by the competent data protection authority consists of a fine of up to 4% of the total annual turnover or €20 million.

1.9 Limiting the storage period of personal data

ARI will devise its own procedures for the storage and deletion of personal data received and used in accordance with its business purpose. In developing these procedures the general GDPR principles, in particular the principles of lawfulness, purpose limitation and data economy, will be respected.

1.10 Record-keeping obligations

The GDPR provides for the obligation to keep records related to personal data management activities in cases where data management is not occasional. The manner of keeping records of ARI activities involving personal data is governed by the Data Management Records.

The Data Management Log reflects how ARI complies with the principles laid down by the GDPR with reference to:

– the legal basis for the management of personal data is always clear and unambiguous

– the purpose of data management is well defined, the scope of the data managed is necessary to achieve the purpose

– the data subject has been adequately informed about the data management

– the duration of data management and erasure are regulated

– the storage of the data takes place in compliance with appropriate security measures

– data transfer takes place with appropriate safeguards in place

– the person responsible for data management has been designated.

2. Responsibility for data management

The security of personal data is a high priority in ARI’s work. In order to ensure the institutional framework for monitoring and control of compliance with the regulations and measures in place and their effectiveness, the company audits the following aspects: identification of possible sources of personal data, ways of receiving personal data, sorting of data, storage and management of data in accordance with the stated purpose for which the data subject’s consent was obtained, duration of processing and storage, disposal of data whose term or usefulness has expired. In order to ensure fair and lawful management, Impar designates responsible persons within the company for the supervision of data management procedures as well as the tasks that this supervisory responsibility entails.

This document should be read and applied in conjunction with other documents relating to data management activities within the company, such as:

– internal data management rules

– the procedure for notifying personal data breaches (data protection incidents)

– the procedure for handling the data subject’s request

The clear definition of roles and responsibilities and the appropriate regulation of the relevant tasks aim at preventing personal data protection incidents and allow effective and appropriate measures to be taken in the event of such incidents.

2.1 Data protection rules

In order to comply with the relevant legal rules and regulations, ARI will store and process the data necessary to achieve its objectives in a legal and fair manner, and the employees involved in these procedures will act in the following capacities:

– Data operator

– Information Security Manager

– Compliance Officer

The specific responsibilities of each role are described later in this document.

All employees and partners of the Company who carry out data management activities are required to perform the tasks and obligations below to ensure the proper application of the general GDPR principles, such as the principle of legitimate, fair and transparent data management, the principle of well-defined purpose, the principle of data economy and accuracy, and the principle of integrity and confidentiality.

This Regulation sets out the responsibilities of each capacity within the GDPR procedures in the ARI organisation, without these capacities having any effect on the employee’s general function, duties or competences, which are not related to the GDPR and cannot be considered a complete job description.

2.1.1 Data controller

Under the GDPR, a data controller is a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of processing personal data.

The data controller has in principle the following responsibilities:

– Ensures compliance with the principles laid down in Article 5 of the GDPR of the way personal data are handled, ensuring that it is possible to verify and demonstrate how this is done. It therefore ensures that personal information:

o is handled lawfully, fairly and transparently,

o is collected for defined, factual and legitimate purposes,

o is limited to what is appropriate, relevant and necessary,

o is accurate and, where necessary, kept up to date,

o is stored in a way that allows identification of data subjects only for as long as necessary,

o is managed with appropriate security.

– Ensures that the consent of the data subject is obtained for the management of personal data, including parental consent in the case of children.

– Makes available to the data subject all information required by the GDPR in a concise, transparent, easily understandable and easily accessible form, in plain and clear language.

– Enables data subjects to exercise their rights under the GDPR and informs them of the handling of their request. In this regard, data subjects have the right to access the data collected about them and the right to verify the lawfulness of data processing. They can also receive information about the duration of data processing, the consequences of data processing (such as profiling) and the logic of data processing.

– Ensures that it collaborates only with data processors who provide appropriate guarantees that adequate technical and organisational measures will be taken to comply with the GDPR and protect personal data.

– Keeps records of personal data management activities, which is the responsibility of the data controller.

– Upon request cooperates with the supervisory authority in the performance of its tasks.

– Ensures that any person acting on behalf of the data controller who has access to personal data, manages the information only in accordance with the data controller’s instructions.

– Notifies the supervisory authority without undue delay of any breach of personal data rights, unless the personal data breach is unlikely to pose a risk to the rights and freedoms of individuals, in accordance with organisational procedures.

– Documents any breach of personal data rights, including the facts related to the personal data breach, its effects and the corrective measures taken.

– Where appropriate, informs the data subject without undue delay of the breach of personal data rights.

– Carries out a data protection impact assessment, as appropriate, in accordance with procedures.

– He/she shall be supported in the performance of his/her tasks by the Compliance Officer who shall provide him/her with the necessary resources to carry out his/her tasks and access and manage personal data or assist him/her professionally.

– Personal data may be transferred to a third country or to an international organisation if the data controller or a data processor has provided adequate safeguards and provided that the rights of data subjects are respected and effective remedies are available.

2.1.2 Information Security Manager

The primary task of the Information Security Manager is to develop and maintain information security.

The responsibilities of the Information Security Manager are as follows:

– Develop and present to management the measures to be taken to ensure information security;

– Directs the implementation of decisions taken by management to ensure information security;

– Oversees the operation of the information security system;

– Identifies, quantifies and monitors the types, extent and impact of incidents and malfunctions and takes the necessary measures to prevent and resolve them;

– Reports regularly and, as necessary, to management on all security matters;

– Collaborates with the Compliance Officer and carries out his/her instructions;

– Informs the data subject of the information security policy;

– Executes the provisions of the Information Security Regulation;

– Handles risk management related to access to services or systems;

– Ensures the application and documentation of security controls;

– Establishes development plans and objectives for the financial year;

– Monitors the implementation of development plans.

2.1.3 Data Protection Officer

The responsibilities of the Data Protection Officer are as follows:

– Provides information and professional advice to the data controller or data processor, and to the employees responsible for data management, on their obligations under applicable data protection legislation;

– Supervises compliance with data protection legislation and the internal data protection regulation by the data controller or data processor;

– Develops and maintains internal and external data protection regulations, information security regulations, objectives and plans;

– Assigns responsibilities, contributes to raising staff awareness in data management operations, trains staff and conducts related audits;

– Upon request, provides professional advice on data protection impact assessments and monitors their execution;

– Cooperates with the competent supervisory authority for data protection;

– Liaises with the supervisory authority on data management issues and consults it on any other issue as appropriate;

– Ensures that legal and information security requirements are established and met in order to minimise risk and to operate effective controls within the company in relation to customers;

– Secures the resources for planning, implementation, oversight, review and development in terms of legal compliance, security and information management, and takes steps to ensure these (e.g. hiring appropriate staff and managing staff turnover);

– Oversees the management of risks affecting the organisation and its services;

– Periodically carries out information security reviews in terms of suitability, compliance and effectiveness;

– Reviews major information security incidents;

– Ensures that access to information systems by external organisations is based on a formal agreement setting out all necessary legal and security requirements.

The Company will review on an ongoing basis whether appointing a Data Protection Officer is appropriate and timely and, on the basis of these findings, will appoint or not appoint the Officer.

2.1.4 Employees

The main responsibilities of the employee are as follows:

– Knows and complies with all the organisation’s data protection regulations relevant to their role;

– Reports any actual or potential data protection incidents;

– Contributes to data protection impact assessment if required.
