Internal regulations

regarding the protection of individuals with respect to the processing of personal data and the free movement of such data in accordance with the provisions of EU Regulation 2016/679

CHAPTER I: GENERAL PROVISIONS

Purpose and scope:

Art. 1 ANTEL SRL is a private Romanian legal entity, located in Alba Iulia, Str. Gheorghe Sincai nr.12, Alba County, registered with the Trade Register under no. J01/1603/1991 and having VAT number 1755296. It has fully adopted the norms regarding the protection of individuals established by EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data, which became applicable starting May 25, 2018.

This Regulation aims to guarantee and protect the fundamental rights and freedoms of individuals, especially the right to private, family, and personal life, concerning the processing of personal data by ANTEL SRL, hereinafter referred to as the operator. The exercise of the rights provided by this Regulation may only be restricted in cases expressly and limitatively provided by law.

CHAPTER II: FIELD OF APPLICATION

Art. 2. – This Regulation applies to the processing of personal data, carried out, in whole or in part, by automatic means, as well as to the processing by other than automatic means of personal data that are part of a system of evidence or that are intended to be included in such a system. This regulation ensures the protection of the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

CHAPTER III: DEFINITION OF TERMS

Art. 3. – The terms used are defined as follows: (they have the meanings defined by EU Regulation 2016/679 regarding the protection of individuals with regard to the processing of personal data and the free movement of such data and include only those legal definitions of the company’s activity)

a) personal data – any information relating to an identified or identifiable natural person; an identifiable person is that person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, psychological, economic, cultural or social identity;
b) processing of personal data – any operation or set of operations performed on personal data, by automatic or non-automatic means, such as collection, registration, organization, storage, adaptation or modification, extraction, consultation, use, disclosure to third parties by transmission, dissemination or in any other way, joining or combining, blocking, deleting or destroying;
c) storage – keeping on any kind of support the collected personal data;
d) personal data record system – any organized structure of personal data, accessible according to certain criteria, regardless of whether this structure is organized in a centralized or decentralized manner or is distributed according to functional or geographical criteria;
e) operator – any natural or legal person, under private or public law, including public authorities, institutions and their territorial structures, which establishes the purpose and means of personal data processing; if the purpose and means of personal data processing are determined by a normative act or on the basis of a normative act, the operator is the natural or legal person, under public or private law, who is designated as the operator by that normative act or based on that normative act;
f) person authorized by the operator – a natural or legal person, under private or public law, including public authorities, institutions and their territorial structures, who process personal data on behalf of the operator;
g) third party – any natural or legal person, under private or public law, including public authorities, institutions and their territorial structures, other than the data subject, the operator or authorized person or the persons who, under the direct authority of the operator or the person empowered, are authorized to process data;
h) recipient – any natural or legal person, under private or public law, including public authorities, institutions and their territorial structures, to whom data is disclosed, whether or not it is a third party; the public authorities to whom data is communicated within a special investigative competence will not be considered recipients;
i) anonymous data – data that, due to the origin or specific method of processing, cannot be associated with an identified or identifiable person;
j) consent – any manifestation of free, specific, informed and unambiguous will of the data subject by which he accepts, through a statement or through an unequivocal action, that the personal data concerning him be processed;

Art.4 Other terms:

a) the data subject – the natural person whose personal data is processed for the following purposes: 1) staff employed, delegated and seconded to SCOLARO PROMO; 2) the person who is a party or takes steps before concluding a contract with the operator; 3) the person applying to the job offer issued by the operator; 4) the person who participates in the promotions and contests organized by the operator in order to promote its products and services, 5) the person who legally represents the business partner signatory of any act concluded between professionals and who is directly or indirectly a party to this act.
b) to collect – collect, gather, receive personal data from the persons referred to in letter a) from this article, through the sales and marketing department, the procurement department, the secretarial department, the human resources department, the legal department and the financial-accounting department;
c) disclose – transmit, distribute, make available in any other way personal data, outside the operator;
d) to use – to use personal data by and within the operator;

CHAPTER IV GENERAL RULES

Characteristics of personal data during processing
Art. 5. – The personal data intended to be the object of processing must be:

a) processed in good faith and in accordance with the legal provisions in force;
b) collected for specific, explicit and legitimate purposes. The subsequent processing of personal data for statistical purposes will not be considered incompatible with the purpose of collection if it is carried out in compliance with the provisions of the law, including those regarding the notification to the supervisory authority, as well as in compliance with the guarantees regarding the processing of personal data , provided by the rules governing statistical activity;
c) adequate, relevant and not excessive in relation to the purpose for which they are collected and subsequently processed;
d) accurate and, if necessary, updated, for this purpose the necessary measures will be taken so that inaccurate or incomplete data from the point of view of the purpose for which they are collected and for which they will be subsequently processed, are deleted or rectified;
e) stored in a form that allows the identification of the targeted persons strictly for the duration necessary to achieve the purposes for which the data are collected and for which they will be subsequently processed. The storage of data for a longer period than that mentioned, for statistical purposes, will be done in compliance with the guarantees regarding the processing of personal data, provided for in the rules governing this field, and only for the period necessary to achieve these purposes.
SCOLARO PROMO as an operator has the obligation to comply with the provisions of paragraph 1 and to ensure the fulfillment of these provisions by authorized persons.

  1. Legitimacy conditions regarding data processing
    Art. 6. – Any processing of personal data can only be carried out if the data subject has given express and unequivocal consent for that processing.

 

The data subject’s consent is not required in the following cases:

a) when the processing is necessary in order to execute a contract or pre-contract to which the person concerned is a party or in order to take some measures, at his request, before concluding a contract or pre-contract;
b) when the processing is necessary in order to protect the life, physical integrity or health of the person concerned or of another threatened person;
c) when the processing is necessary in order to fulfill a legal obligation of the operator;
d) when the processing is necessary in order to carry out measures of public interest or aimed at exercising the prerogatives of public authority vested with the operator or the third party to whom the data is disclosed;
e) when the processing is necessary in order to achieve a legitimate interest of the operator or of the third party to whom the data are disclosed, provided that this interest does not prejudice the interest or fundamental rights and freedoms of the person concerned;
f) when the processing concerns data obtained from documents accessible to the public, according to the law;
g) when the processing is done exclusively for statistical purposes, and the data remain anonymous throughout the processing.
The provisions of paragraph 2 do not affect the legal provisions that regulate SCOLARO PROMO’s obligation, as an operator, to respect and protect intimate, family and private life.

2. Termination of processing operations
Art. 7. – At the end of the processing operations, if the data subject has not expressly and unequivocally given his consent for another destination or for further processing, the personal data will be:

a) destroyed;
b) transferred to another operator, provided that the initial operator guarantees that the subsequent processing has similar purposes to those in which the initial processing was done;
c) transformed into anonymous data and stored exclusively for statistical purposes.
(2) In the case of processing operations carried out under the conditions provided for in art. 7 para. (1) lit. c), the operator can store personal data for the period necessary to achieve the specific goals pursued, provided that appropriate measures are taken to protect them, after which they will proceed to their destruction if the legal provisions regarding the preservation of archives are not applicable.

CHAPTER V SPECIAL RULES REGARDING THE PROCESSING OF PERSONAL DATA

  1. Processing of special categories of data

    Art. 8. – The processing of personal data related to racial or ethnic origin, political, religious, philosophical or similar beliefs, trade union membership, as well as personal data regarding health or sexual life is prohibited.

    2. Processing of personal data with an identification function

    Art. 9. – The processing of the personal numerical code or other personal data having an identification function of general applicability can only be carried out if:

    a) the person concerned has expressly given his consent;
    b) the processing is expressly provided by a legal provision.
    Processing of personal data regarding health status

    Art. 10. – The processing of the personal numerical code or other personal data having an identification function of general applicability does not apply to the processing of health data in the following cases:

    a) if the processing is necessary for the protection of public health;
    b) if the processing is necessary to prevent an imminent danger, to prevent the commission of a criminal act or to prevent the result of such an act or to remove the harmful consequences of such an act.

    The processing of health data can only be carried out by, or under the supervision of, a medical professional, provided that professional secrecy is respected, unless the data subject has given his consent in writing and unequivocally as long as this consent does not has been withdrawn, as well as unless the processing is necessary to prevent an imminent danger, to prevent the commission of a criminal act, to prevent the production of the result of such an act or to remove its harmful consequences.

    Personal health data can only be collected from the data subject.

    3. Processing of personal data related to criminal acts or contraventions

    Art. 11. – The processing of personal data related to the commission of crimes by the data subject or to criminal convictions, security measures or administrative or contraventional sanctions, applied to the data subject, can only be carried out by or under the control of public authorities, in the limits of the powers conferred on them by law and under the conditions established by the special laws that regulate these matters.

CHAPTER VI: RIGHTS OF THE DATA SUBJECT

  1. Information of the Data Subject

    Art. 12 – If personal data is obtained directly from the data subject, ANTEL SRL, as the data controller, is obligated to provide the data subject with at least the following information, unless the data subject already possesses this information:

    a) the identity of the data controller and, if applicable, their representative; b) the purpose of the data processing; c) additional information such as: the recipients or categories of recipients of the data; whether providing all requested data is mandatory and the consequences of refusing to provide it; the existence of rights provided by this law for the data subject, especially the right of access, data rectification, and objection, as well as the conditions under which these rights can be exercised; d) any other information required by the supervisory authority, considering the specifics of the processing.

    If the data is not obtained directly from the data subject, the data controller is obligated, at the time of data collection or, if the data is intended to be disclosed to third parties, at the latest by the time of the first disclosure, to provide the data subject with at least the following information, unless the data subject already possesses this information:

    a) the identity of the data controller and, if applicable, their representative; b) the purpose of the data processing; c) additional information such as: the categories of data concerned, the recipients or categories of recipients of the data, the existence of rights provided by this law for the data subject, especially the right of access, data rectification, and objection, as well as the conditions under which these rights can be exercised; d) any other information required by the supervisory authority, considering the specifics of the processing.

    The provisions of paragraph 2 do not apply if the data processing is for statistical purposes, or in any other situations where providing such information proves impossible or would involve a disproportionate effort relative to the legitimate interest that could be compromised, as well as in situations where data recording or disclosure is expressly provided by law.

    Right of Access to Data

    Art. 13 – Any data subject has the right to obtain from the data controller, upon request and free of charge for one request per year, confirmation as to whether or not data concerning them is being processed. If the data controller processes personal data concerning the requester, they are obligated to provide the requester with, along with the confirmation, at least the following:

    a) information regarding the purposes of the processing, the categories of data involved, and the recipients or categories of recipients to whom the data are disclosed; b) communication in an intelligible form of the data being processed, as well as any available information regarding the source of the data; c) information on the principles of operation of any automated data processing mechanism affecting the data subject; d) information regarding the existence of the right to data rectification and the right to object, as well as the conditions under which these rights can be exercised; e) information about the possibility to consult the register of personal data processing, to file a complaint with the supervisory authority, and to address the courts to challenge the data controller’s decisions, in accordance with the provisions of EU Regulation 2016/679.

    The data subject may request the information specified in paragraph 1 through a written, dated, and signed request. In the request, the data subject may specify if they want the information to be sent to a particular address, which may include electronic mail, or through a correspondence service ensuring that delivery will be made personally.

    The data controller is obligated to communicate the requested information within 15 days of receiving the request, respecting any preference of the requester expressed according to paragraph 2.

    For personal data related to health, the request specified in paragraph 2 may be submitted by the data subject directly or through a medical professional who will indicate in the request the person on whose behalf it is made. At the request of the data controller or the data subject, the communication specified in paragraph 3 may be made through a medical professional designated by the data subject.

    Right to Rectify Data

    Art. 14 – Any data subject has the right to obtain from the data controller, upon request and free of charge:

    a) where applicable, the rectification, updating, blocking, or deletion of data whose processing is not compliant with this law, especially incomplete or inaccurate data; b) where applicable, the transformation of data into anonymous data if the processing is not compliant with this law; c) notification to third parties to whom the data have been disclosed of any operation carried out according to letters a) or b), if such notification is not impossible or does not involve a disproportionate effort relative to the legitimate interest that could be compromised.

    To exercise the right specified in paragraph 1, the data subject will submit a written, dated, and signed request to the data controller. In the request, the data subject may specify if they want the information to be sent to a particular address, which may include electronic mail, or through a correspondence service ensuring that delivery will be made personally.

    The data controller is obligated to communicate the measures taken under paragraph 1, and, where applicable, the name of the third party to whom the personal data concerning the data subject have been disclosed, within 15 days of receiving the request, respecting any preference of the requester expressed according to paragraph 2.

    Right to Object

    Art. 15 – The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of data concerning them, unless there are legal provisions to the contrary. In the case of a justified objection, processing of the data concerned must cease.

    The data subject has the right to object at any time, free of charge and without justification, to the processing of data concerning them for direct marketing purposes, on behalf of the data controller or a third party, or to the disclosure of such data to third parties for such purposes.

    To exercise the rights provided in paragraphs 1 and 2, the data subject will submit a written, dated, and signed request to the data controller. In the request, the data subject may specify if they want the information to be sent to a particular address, which may include electronic mail, or through a correspondence service ensuring that delivery will be made personally.

    The data controller is obligated to communicate to the data subject the measures taken under paragraphs 1 or 2, and, where applicable, the name of the third party to whom the personal data concerning the data subject have been disclosed, within 15 days of receiving the request, respecting any preference of the requester expressed according to paragraph 3.

    Right Not to Be Subject to Automated Individual Decision-Making

    Art. 16 – Every person has the right to request and obtain:

    a) the withdrawal or annulment of any decision producing legal effects concerning them, taken solely based on automated data processing intended to evaluate certain aspects of their personality, such as professional competence, credibility, behavior, or other similar aspects; b) the reassessment of any other decision affecting them significantly, if the decision was taken solely based on data processing meeting the conditions specified in letter a).

    Subject to other guarantees provided by this law, a person may be subject to a decision of the nature referred to in paragraph 1 only in the following situations:

    a) the decision is taken within the framework of entering into or performing a contract, provided that the request to enter into or perform the contract, made by the data subject, has been satisfied or that appropriate measures, such as the possibility of expressing their point of view, ensure the protection of their legitimate interest; b) the decision is authorized by a law specifying measures that guarantee the protection of the legitimate interest of the data subject.

CHAPTER VII: CONFIDENTIALITY AND SECURITY OF PROCESSING

  1. Confidentiality of Processing

    Art. 17 – Any person acting under the authority of the data controller or the authorized person, including the authorized person, who has access to personal data, may process it only based on the instructions of the data controller, except where acting under a legal obligation.

    Security of Processing

    Art. 18 – The data controller is obligated to implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access, especially if the processing involves data transmission within a network, as well as against any other form of unlawful processing.

    These measures must ensure, according to the state of the art and costs involved, an adequate level of security considering the risks presented by the processing and the nature of the data to be protected. Minimum security requirements will be developed by the supervisory authority and updated periodically in line with technological progress and accumulated experience.

    Processing carried out by authorized persons must be conducted based on a written contract, which must include:

    a) the obligation of the authorized person to act only on the instructions received from the data controller; b) the fact that the responsibilities outlined in paragraph 1 also apply to the authorized person.

CHAPTER VIII: NOTIFICATION TO THE SUPERVISORY AUTHORITY

Art. 19 – The data controller is required to notify the supervisory authority, either personally or through a representative, before carrying out any processing or any set of processing operations with the same or related purposes.

Notification is not required if the processing has the sole purpose of maintaining a register required by law for public information and is open for consultation by the public at large or by any person demonstrating a legitimate interest, provided that the processing is limited to data strictly necessary for maintaining the mentioned register.

The notification must include at least the following information:

a) the name or designation and address or registered office of the data controller and their designated representative, if applicable; b) the purpose or purposes of the processing; c) a description of the category or categories of data subjects and the data or categories of data to be processed; d) the recipients or categories of recipients to whom the data is intended to be disclosed; e) the safeguards accompanying the disclosure of data to third parties; f) how data subjects are informed of their rights; the estimated date for completion of the processing operations, as well as the subsequent destination of the data; g) any data transfers intended to be made to other countries; h) a general description allowing for a preliminary assessment of the measures taken to ensure processing security; i) the specification of any personal data filing system related to the processing, and any links to other data processing or personal data filing systems, whether or not they are located within Romania;

If the notification is incomplete, the supervisory authority will request its completion.

Within the limits of its investigative powers, the supervisory authority may request additional information, particularly concerning the origin of the data, the technology used for automated processing, and details on security measures. The provisions of this paragraph do not apply where the data processing is solely for journalistic, literary, or artistic purposes.

If it is intended for the processed data to be transferred abroad, the notification must also include the following elements:

a) the categories of data that will be subject to transfer; b) the destination country for each category of data.

The notification must be submitted within 15 days of the entry into force of the regulation establishing the obligation and must include only the following elements:

a) the name and address of the data controller; b) the purpose and legal basis of the processing; c) the categories of personal data being processed.

CHAPTER IX: SUPERVISION AND CONTROL OF PERSONAL DATA PROCESSING

Supervisory Authority

Art. 20 – The supervisory authority monitors and controls the legality of personal data processing operations that fall under the scope of Regulation (EU) 2016/679.

CHAPTER XI: HANDLING OF COMPLAINTS

Complaints to the Supervisory Authority

Art. 21 – To defend their rights under the regulation, individuals whose personal data is subject to processing covered by the regulation may submit a complaint to the supervisory authority. The complaint can be made directly or through a representative.

The affected person may empower an association or foundation to represent their interests.

A complaint to the supervisory authority cannot be submitted if a court action with the same subject and parties has been previously initiated.

Except in cases where a delay would cause imminent and irreparable harm, a complaint to the supervisory authority cannot be made until 15 days have passed from the submission of a similar complaint to the data controller.

To resolve the complaint, the supervisory authority may, if deemed necessary, hear the data subject, the data controller, and, if applicable, the data processor or the association or foundation representing the data subject’s interests. These parties have the right to submit requests, documents, and statements. The supervisory authority may order expert assessments.

If the complaint is found to be well-founded, the supervisory authority may decide to temporarily suspend or cease data processing, partially or fully delete the processed data, and may refer the matter to criminal prosecution authorities or initiate legal action. Temporary prohibition of processing may only be imposed until the reasons for such a measure are resolved.

The decision must be reasoned and communicated to the interested parties within 30 days of receiving the complaint.

The supervisory authority may order, if deemed necessary, the suspension of some or all processing operations until the complaint is resolved under the conditions of paragraph 5.

At the request of the data subjects, for justified reasons, the court may order the suspension of processing until the supervisory authority resolves the complaint.

Appealing Decisions of the Supervisory Authority

Art. 22 – Against any decision issued by the supervisory authority under the provisions of this law, the data controller or the data subject may file an appeal within 15 days from the communication, under the sanction of forfeiture, to the competent administrative court. The request is examined urgently, with the parties being summoned. The decision is final and irrevocable.

Right to Seek Justice

Art. 24 – Without affecting the possibility of filing a complaint with the supervisory authority, data subjects have the right to seek justice to defend any rights guaranteed by this regulation that have been violated.

Any person who has suffered damage as a result of illegal processing of personal data may seek redress from the competent court.

The competent court is the one in whose territorial jurisdiction the defendant resides.

Final Provisions

This Regulation was adopted today, 21.05.2018, by the associates of ANTEL SRL. The legal basis for the adoption of this Regulation is Regulation (EU) 2016/679.

Annex 1: MINIMUM SECURITY REQUIREMENTS for the Processing of Personal Data

These minimum security requirements for the processing of personal data must serve as the basis for the adoption and implementation by the operator of the necessary technical and organizational measures to maintain the confidentiality and integrity of personal data.

The minimum security requirements for the processing of personal data cover the following aspects:

User Identification and Authentication

By “user” is meant any person acting under the authority of the operator, the authorized person, or the representative, with recognized access rights to personal data databases. Users must identify themselves to gain access to a personal data database. Identification can be done through several methods, such as: entering an identification code via the keyboard (a string of characters), using a barcode card, using a smart card, or a magnetic card.

Each user has their own identification code. Multiple users must never share the same identification code. Identification codes (or user accounts) that are unused for a prolonged period must be deactivated and destroyed after a prior internal check by the operator. The period after which codes should be deactivated and destroyed is determined by the operator. Each user account is accompanied by an authentication method. Authentication can be done by entering a password. Passwords are strings of characters. The longer the string of characters, the harder the password is to guess. Passwords must not be displayed clearly on the monitor when entered. Passwords must be changed periodically according to the security policies of the entity (operator or authorized person). Periodic password changes are done only by users authorized by the operator.

The operator must require the implementation of an information system that automatically denies access to a user after 5 incorrect password attempts. Any user who receives an identification code and an authentication method must maintain their confidentiality and be accountable to the operator.

Each entity will establish its own procedure for managing and administering user accounts. Operators authorize certain users to revoke or suspend an identification and authentication code if the user resigns, is dismissed, completes their contract, is transferred to another service and the new duties do not require access to personal data, abuses the received codes, or will be absent for a prolonged period determined by the entity.

User access to manually processed personal data databases will be based on a list approved by the entity’s management.

Type of Access

Users must access only the personal data necessary for fulfilling their job duties. To achieve this, operators must establish access types based on functionality (e.g., administration, entry, processing, saving, etc.) and actions applied to personal data (e.g., writing, reading, deleting), as well as procedures regarding these types of access.

System programmers for personal data processing will not have access to personal data. The operator will permit access to personal data to programmers only after it has been anonymized. The technical support department may access personal data for resolving exceptional cases. Anonymized data will be used for user training or presentations.

The operator will establish strict methods for destroying personal data. Authorization for this personal data processing must be limited to a few users.

Data Collection

The operator designates authorized users for collecting and entering personal data into an information system. Any modification of personal data can only be made by authorized users designated by the operator.

The operator will take measures to ensure that the information system records who made the modification, the date, and the time of the modification. For better management, the operator will ensure that the information system maintains deleted or modified data.

Backup Execution

The operator will establish the interval for executing backups of personal data databases and the programs used for automated processing. Users who perform these backups will be appointed by the operator, in a limited number.

Backups will be stored in separate rooms, in metal cabinets with applied seals, and, if possible, in rooms in another building. The operator will take measures to ensure that access to backups is monitored.

Computers and Access Terminals

Computers and other access terminals will be installed in rooms with restricted access. If such conditions cannot be ensured, computers will be installed in lockable rooms or measures will be taken to control access to computers using keys or magnetic cards.

Access Files

The operator is obliged to take measures to ensure that any access to the personal data database is recorded in an access file or a register for manually processed personal data, established by the operator. The information recorded in the access file or register will be:

  • Identification code (user name for manually processed personal data databases);

  • Name of the accessed file (or sheet);

  • Number of entries made;

  • Type of access;

  • Operation code executed or program used;

  • Date of access (year, month, day);

  • Time (hour, minute, second).

For automated processing, this information will be stored in a general access file or separate files for each user. Any attempt of unauthorized access will also be recorded. The operator is obliged to retain access files for at least 2 years to be used as evidence in investigations. If investigations are extended, these files will be kept as long as deemed necessary. Access files must allow the operator or authorized person to identify individuals who accessed personal data without a specific reason, for the purpose of applying sanctions or notifying the competent authorities.

Telecommunication Systems

The operator is obliged to periodically control authentications and types of access to detect any malfunctions in the use of telecommunication systems.

Personnel Training

During user training courses, the operator is obliged to inform users about the provisions of Regulation (EU) 2016/679 regarding the protection of individuals concerning the processing of personal data and the free movement of such data, the minimum security requirements for the processing of personal data, and the risks associated with processing personal data, depending on the user’s specific activity.

Users with access to personal data will be trained by the operator on confidentiality. Users are required to log off when leaving their workplace.

Use of Computers

To maintain the security of personal data processing (especially against computer viruses), the operator will take measures including:

a) Prohibiting users from using software programs from external or dubious sources; b) Informing users about the risks of computer viruses; c) Implementing automated virus protection and information system security systems; d) Disabling, if possible, the “Print screen” key when personal data is displayed on the monitor, thereby preventing printing.

Printing Data

Printing of personal data will be carried out only by users authorized for this operation by the operator.

Operators are obliged to approve specific internal procedures for using and destroying such materials. Each entity will approve its own security system, taking into account these minimum security requirements for the processing of personal data and, depending on the importance of the personal data processed, will impose additional security measures.

Annex 2 – CODE OF CONDUCT

Preamble

Considering the significant importance of safeguarding the right to private, family, and personal life as provided in Article 26 of the Romanian Constitution, and acknowledging the necessity to protect this fundamental right within the activities of personal data processing regulated by Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as well as by Law no. 682/2001 regarding the ratification of the Convention for the protection of individuals with regard to automatic processing of personal data, adopted in Strasbourg on January 28, 1981.

CHAPTER I General Provisions

Article 1. – Purpose and Scope

The purpose of this code of conduct is to establish standards of conduct to ensure an adequate level of protection for processed personal data.

The conduct standards define the exercise of rights and obligations in the field of personal data protection concerning ANTEL SRL’s relations with data subjects (as beneficiaries of the provided services, users, etc.).

Article 2. – Definition of Terms

The terms used in this code of conduct have the following meanings:

a) Data subject – the natural person whose personal data is processed;

b) To collect – to gather, collect, or receive personal data by any means and from any source;

c) To disclose – to transmit, disseminate, or make available personal data in any manner outside the operator;

d) To use – to utilize personal data by and within the operator;

e) Consent – the unambiguous agreement of the data subject to have their personal data processed, which must always be explicit and unequivocal;

f) Adequate level of protection and security of personal data processing – the level of security proportional to the risk posed by processing relative to the personal data and the rights and freedoms of individuals, and in accordance with the minimum security requirements for personal data processing, established by the supervisory authority and updated according to technological advancements and the costs of implementing these measures;

g) Direct marketing – the promotion of products and services directly to clients, natural persons, through means such as mail, including electronic mail, or other forms of distance marketing, other than traditional promotional methods (advertising).

Terms such as: personal data, processing of personal data, storage, operator, third party, recipient, anonymous data, supervisory authority, right to information, right of access, right to rectification, right to object, have the meanings defined by Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

Article 3. – Legal Framework of Codes of Conduct

Legal provisions related to the protection of the right to private, family, and personal life concerning the processing of personal data will be observed. Special consideration will be given to the provisions of Regulation (EU) 2016/679 and Law No. 682/2001.

CHAPTER II Principles of Personal Data Processing by ANTEL SRL

Legality and Transparency

Art. 5. – ANTEL SRL acknowledges and respects the right to private, family, and personal life.

The processing of personal data is carried out in accordance with current legal provisions.

ANTEL SRL is obligated to ensure transparency in the processing of personal data.

Responsibility

Art. 6. – ANTEL SRL is responsible for the personal data under its control, as well as for data transferred to third parties.

ANTEL SRL will appoint individuals responsible for ensuring compliance with legal provisions regarding the protection of personal data and the principles outlined in this code of conduct.

Legitimacy of Collection Purpose

Art. 7. – Collection of personal data through fraudulent, unfair, or illegal means is prohibited.

ANTEL SRL will communicate the purposes for which personal data is collected either before or at the latest at the time of collection.

The purposes can be stated in writing, orally, or electronically, in a language easily accessible to the data subjects.

Consent

Art. 8. – Consent from the data subjects is required for the processing of personal data, unless otherwise provided by law.

ANTEL SRL will use non-deceptive methods, requiring reasonable financial costs, to inform data subjects about the processing of personal data and to obtain their consent at the time of data collection.

The data subject may withdraw their consent at any time, provided that the operator is notified in advance. The operator will inform the data subject about the procedure and effects of withdrawing consent.

Legitimacy of Disclosure

Art. 9. – ANTEL SRL will process personal data only for the purposes for which it was collected, unless the data subject consents to processing for other purposes or in other cases permitted by law.

Access to processed data will be granted only to employees of the company responsible for this purpose and in the fulfillment of their duties.

Legitimacy of Storage

Art. 10. – ANTEL SRL is required to keep personal data accurate, complete, and up-to-date for the purposes for which it is used.

Inaccurate or incomplete data will be deleted or corrected.

Personal data will be kept only for the period necessary to achieve the established purposes.

ANTEL SRL determines the necessary period for retaining collected data, only for the period required to achieve the purpose, while ensuring the respect for the data subject’s rights, especially the rights of access, correction, and objection.

Following periodic checks, personal data held by the operator that no longer serves the purposes or fulfilling legal obligations will be destroyed or transformed into anonymous data within a reasonable time frame, according to procedures established by law.

Security of Processing

Art. 11. – ANTEL SRL will take all necessary technical and organizational measures to ensure an adequate level of protection and security in personal data operations, for the following purposes: to limit access to databases, which is permitted only to authorized individuals; to prohibit copying data outside the locations where it is managed; and, in general, to prevent any uncontrolled circulation of data.

Right to Information

Art. 12. – The strategies and procedures used by ANTEL SRL regarding the processing of personal data will be made available to data subjects, in the form of information provided in an accessible language, through physical means (e.g., brochures), telephone, or electronic means.

ANTEL SRL will provide information, upon request, about the personal data it processes, the sources from which the personal data was collected, the purposes of processing, and if and to whom the data has been disclosed, unless prohibited by law.

If the disclosure of data is required by law (e.g., for the execution of a court order), ANTEL SRL will ensure that the third party requesting disclosure complies with applicable legal provisions and that the request pertains only to personal data that is not excessive in relation to the purpose of processing. The data subject will be informed about the disclosure only if permitted by law.

Right of Access

Art. 13. – ANTEL SRL will allow data subjects to access their personal data through the most convenient means available, within reasonable limits.

Access to personal data cannot be granted, except as provided by law, in the following situations: if data about another person is requested; if it could affect the life and safety of another person; if data might concern confidential commercial information; if it would interfere with the resolution of a dispute or a criminal process.

ANTEL SRL is obligated to justify the refusal to grant access to certain personal data.

Right to Rectification

Art. 14. – Data subjects have the right to request verification of the accuracy and completeness of their personal data and to request rectification of inaccurate or incomplete data by submitting complaints.

ANTEL SRL will keep a record of complaints regarding the accuracy or completeness of data that have not been resolved, and in the case where data is transferred to other operators, it will specify the data that has been rectified or regarding which unresolved complaints exist.

The provisions of paragraph 2 also apply to the disclosure of data to third parties, if applicable.

Database updates are made through information provided by data subjects and from any external sources authorized by law.

Cooperation with the Supervisory Authority

Art. 15. – Whenever requested, ANTEL SRL will present to the supervisory authority reports or summaries regarding complaints received and how they were resolved.

The reports and summaries mentioned in paragraph 1 may also contain other information regarding aspects of the activities of members in the field of personal data protection, as well as proposals for improving their activities.

Expenses Incurred by Data Subjects

Art. 16. – ANTEL SRL will take measures to ensure a reasonable level of expenses incurred in exercising the rights provided by law, expenses which are the responsibility of the data subject, unless these rights can be exercised free of charge.

CHAPTER III Final and Transitional Provisions

Application

Art. 17. – This Code of Conduct is supplemented by the legal provisions in the field of personal data protection.

Modification and Completion of the Code of Conduct

Art. 18. – Any modifications or additions to this Code of Conduct will be submitted in writing and with justification to the supervisory authority.

The supervisory authority will consider only relevant and conclusive proposals for the modification and completion of this Code of Conduct.

Read also: DECLARATION of consent regarding personal data protection

Subscribe to our Newsletter

Antel-print

Address

Alba Iulia, Str. Gheorghe Sincai nr.12

Privacy policy

Cookie policy

CONTACT

Phone:

0258 817 407

0358 101 028

 

Phone/Fax:

0258 817 407

 

Email:

antel@antel.com.ro

OPENING HOURS

Monday - Friday:

08:00 - 16:00

Privacy policy

Cookie policy

LTR
RTL
Primary Color
default
color 2
color 3
color 4
color 5
color 6
color 7
color 8
color 9
color 10
color 11
color 12