Information notice on the processing of personal data of data subjects
1. About us
The undersigned company APUSENI MOUNTAINS RESEARCH CO SRL, a Romanian legal entity with registered office in village BorΘ, com. BorΘ, nr.82A, Bihor county, registered at the Trade Register Office of the Bihor Court under no.J05/1250/2015, CUI RO34860301, legally represented by POJOCA VIRGIL-SORIN, as Controller under Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data processes personal data collected directly from the data subject, for whose authenticity the Controller is not responsible.
2. Definitions
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
"Processing" means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Restriction of processing" means the marking of stored personal data for the purpose of limiting their further processing;
"Creating profiles" means any form of automatic processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular in order to analyse or predict aspects relating to that natural person's work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
"Pseudonymisation" means the processing of personal data in such a way that they can no longer be attributed to a specific data subject;
"Operator." means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law;
"Processor" means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
"Recipient" means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a tetra party;
"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject signifies his or her unambiguous agreement, by way of a statement or action, to the processing of personal data relating to him or her;
"Personal data breach" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed;
"Cross-border processing" means: (a) either the processing of personal data taking place in the context of the activities of establishments in more than one Member State of a controller or of a processor in the territory of the Union, if the controller or processor has establishments in at least two Member States; or (b) the processing of personal data taking place in the context of the activities of a single establishment of a controller or processor in the territory of the Union, but which significantly affects or is likely to significantly affect data subjects in at least two Member States;
3. Categories of personal data processed
The operator collects, processes, stores and transmits the following personal data belonging to data subjects: first name, surname, date of birth, e-mail address, billing/delivery address (country, city, county/sector, street, number, block, staircase, apartment), postal code, bank account, bank account holder, telephone number, gender, IP address, internet browser used by the data subject and version of the operating system of the device, length of visit to the website, products viewed, Facebook account, Google user account, device location, order awb number, amount paid by way of refund.
4. Personal data of minors
The operator does not process personal data of persons under the age of 18. Data subjects are required to confirm before creating an account, placing an order and subscribing to the newsletter that they have reached the age of 18 years, otherwise the data subject cannot subscribe to the newsletter, cannot generate a customer account or place an order.
5. Personal data in case of payment by 3 D Secure card
In case the customer opts for card payment of the placed order, the card details for 3D Secure payment consisting of card number, card holder, card expiry date, card type, security code will not be accessible or collected by the Operator.
6. Purpose of processing personal data
The operator processes personal data belonging to the data subjects for the purpose of the completion and execution of the sale-purchase contract, order processing, preparation of the tax invoice, delivery of products, creation of profiles, direct marketing, customer loyalty, promotional campaigns, contests, raffles, promotions, return of ordered products, refund of payment, complaint settlement, customer assistance and support, reviews, implementation and maintenance of website security, preparation of financial-accounting documents in the framework of control procedures carried out by state institutions, defence of the operator's rights in judicial and extrajudicial proceedings, in order to negotiate or conclude collaborations or contracts with third parties, in order to carry out the commercial/contractual/collaboration activity of the operator, managing relations with commercial partners, commercial communication with customers/suppliers/collaborators by any means of communication, communication with public or public interest bodies/authorities/institutions in accordance with legal provisions, audit and control/supervision activities, for monitoring website traffic and access history, for the creation of content hierarchy and identification of the most relevant content for the user.
7. Lawfulness of the processing of personal data
The controller processes personal data of data subjects under the following conditions: (a) the data subject has consented to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation incumbent on the controller; (d) processing is necessary to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject require the protection of personal data, in particular where the data subject is a child.
8. Duration of processing of personal data
The Trader will process personal data of the data subjects during the execution of the sale-purchase contract, processing of orders, preparation of financial-accounting documents, delivery of orders, settlement of complaints, publication of reviews on the website.
9. Length of storage of personal data
The operator will store personal data belonging to data subjects in this way: for a period of 2 years data on order history, unless the data subject withdraws his/her consent or deletes his/her customer account, 1 year in case of complaints, unless the data subject withdraws his/her consent, 4 years in case of reviews posted on the website, 10 years in relation to the preparation of tax invoices for orders placed, 10 years in relation to newsletter subscription, unless the data subject withdraws his/her consent.In the event that legislative changes require other retention periods, the Operator will comply with the legal provisions.
10. Rights of data subjects
According to Regulation 679/2016, data subjects have the following rights:
Right to information the data subject has the right to receive information about the controller's data, the personal data that are processed, the purpose for which and the manner in which the personal data are processed.
Right of access to data the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, if so, access to those data and to the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the period for which personal data are expected to be stored or, if this is not possible, the criteria used to determine this period; (e) the existence of the right to request the controller to rectify or erase personal data or to restrict the processing of personal data concerning the data subject or the right to object to processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of an automated decision-making process including profiling, as well as relevant information on the logic used and on the significance and expected consequences of such processing for the data subject.
If personal data are transferred to a third country or an international organisation, the data subject has the right to be informed of the appropriate safeguards.
The controller shall provide a copy of the personal data undergoing processing. For any other copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject submits the request in electronic format and unless the data subject requests another format, the information shall be provided in a commonly used electronic format.
Right to rectification The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes for which the data have been processed, the data subject shall have the right to obtain the completion of personal data which are incomplete, including by providing an additional statement.
Right to erasure of data ("right to be forgotten") the data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if one of the following grounds applies: (a) the personal data are no longer necessary for the purposes for which they were collected or processed; (b) the data subject withdraws the consent on the basis of which the processing is carried out; (c) the data subject objects to the processing; (d) personal data have been unlawfully processed; (e) personal data must be deleted in order to comply with a legal obligation incumbent on the controller under Union law or the national law to which the controller is subject; (f) personal data were collected in connection with the provision of information society services
The right to restrict processing the data subject shall have the right to obtain from the controller the restriction of processing if one of the following applies: (a) the data subject disputes the accuracy of the data for a period allowing the controller to verify the accuracy of the data; (b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use; (c) the controller no longer needs the personal data for the purpose of processing but the data subject requests them for the establishment, exercise or defence of legal claims; or (d) the data subject has objected to the processing
Right to data portability the data subject shall have the right to receive personal data relating to him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and shall have the right to transmit such data to another controller, without hindrance on the part of the controller to whom the personal data were provided, if: (a) processing is based on consent; (b) processing is carried out by automatic means.
The right to object at any time, the data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her, including the creation of profiles on the basis of those provisions. The controller shall no longer process personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
The right not to be subject to automated decisions, including profiling The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or otherwise significantly affects him or her. This right cannot be exercised by the data subject if the decision: (a) is necessary for the conclusion or performance of a contract between the data subject and a data controller; (b) is authorised by Union law or national law applicable to the controller which also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or (c) is based on the explicit consent of the data subject.
The right to address the National Supervisory Authority for Personal Data Processing or the courts regarding the processing of such data the data subject has the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing or with the court concerning the processing of his/her personal data.
Right to withdraw consent to the processing of personal data the data subject has the right to withdraw consent to the processing of personal data, withdrawal of consent does not affect the lawfulness of the processing of personal data on the basis of the consent given before the withdrawal of consent.
The data subject may exercise these rights by sending a written request to the Operator by e-mail to office@synergytherm.com or at the Operator's working point in Mun. Oradea, str. M. KogΔlniceanu, nr.49A, Bihor county.
The operator undertakes to respect the confidentiality of the data and to ensure internally a process for maintaining confidentiality for all persons who come into contact with this information, and enter into an agreement with third parties who have access to this information regarding the use and processing of the data in accordance with the provisions of the EU Regulation 679/2016 on the protection of individuals with regard to the processing of personal data.
In order to prevent the creation of fictitious customer accounts, the operator will communicate to the data subject an e-mail for confirmation of the generated customer account after the creation of the customer account.
Access to the data subject's account is only possible by entering the chosen password, to which the Operator has no access because it is stored in encrypted form.
The operator reserves the right to terminate, without prior notice, the accounts and access of members who violate the Terms and Conditions, who engage in fraudulent, defamatory or otherwise offensive activities or who attack the security and privacy of information on the website or the website operator.