Personal data processing policy

1. Identity and contact details of the Controller(s) who process the personal data and the contact details of the data protection officer

1.1.  The personal data will be processed by the “Donam Plasma” Association (named in this information note as the “Controller”), based in Corbeanca commune, Ostratu village, Paradisul Verde neighborhood, 20 Salciei street, Ilfov county, Registered in the Register of Associations and Foundations – Buftea Court under no. 113 PJ/08.11.2021, CIF, tel. 0376 203 669, email: gdpr@donamplasma.ro (referred to in this information note as the “Controller” or “Association”)

1.2. The contact details of the data protection officer can also be found on the website www.donamplasma.ro, insofar as a data protection officer has been (necessary to be) appointed within the Controller.

2. Purpose / Purposes of processing  –  Compatible purposes; Data subjects; Personal data

2.1. The controller will process the personal data (“personal data”) of any natural person (referred to in this information note as the “data subject”) which he / she discloses in connection with any entity that wishes to enter / is in a legal relationship with the Controller (referred to in this information note as the “Partner”), regardless of whether the personal data is provided (in whole or in part) by the data subject and / or the Partner, in order to take steps to establish a legal relationship between the Controller and the Partner (e.g., performing certain selection procedures and / or performing certain steps in order to conclude a contract between the Controller and the Partner, including contacting the data subject in this regard, including if the data subject is involved on behalf of the Partner) and / or for the purpose of executing a legal relationship (e.g., contracts) between the Controller and the Partner (including if the data subject is involved in this respect on behalf of the Partner), as the case may be and if applicable.

2.2. The controller will process the personal data regarding the data subject and for any other purposes for which the data subject has expressed their unambiguous consent as well as for any compatible, related and correlated purposes.

2.3. The controller will be able to process the personal data regarding the data subject and in any cases in which the processing is necessary for the purpose of the legitimate interests pursued by the Controller or by a third party, in case there will be such legitimate interests, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data are prevailing.

2.4. The Controller will process the personal data regarding the data subject for any purpose for which it is necessary for the fulfillment of the legal obligation incumbent on the Controller.

2.5. The controller will process in each case only the personal data regarding the data subject that are / will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

2.6. Personal data is to be collected, recorded, organized, structured, stored, consulted, used and disclosed by transmission.

2.7. The controller will be able to process personal data for any compatible, related and correlated purposes, including the compatible, connected and correlated purpose of contacting you in order to confirm and / or update your personal data.

2.8. Data subjects

By way of example, the data subjects may be the following, but not limited to: i) the partners’ representatives and / or contact persons for the fulfillment (total or partial) of any of the aforementioned purposes; ii) any (other) persons whose personal data are mentioned in the documents and / or information provided by the Partners and / or any other persons for the Partners, including without limitation by the data subjects.

2.9. Personal data

2.9.1. The personal data that will be provided and processed in the case of the contacts will be mainly the contact data (provided) of the data subject (e.g., name, surname, position, email, telephone).

2.9.2. For other persons in connection with whom personal data are provided, the personal data to be provided and processed are all data mentioned in the documents and / or information made available by the Partners and / or any other persons for the Partners, including without limitation by the persons concerned (e.g., name, surname, domicile, PIN, etc.).

2.10. The partners

The partners represent any entity that wishes to enter / is in a legal relationship with the Controller (e.g., Sponsors, Transfusion Centers, institutes and / or public authorities, administrative-territorial units, etc.).

3. Legal bases of data processing

The legal basis for the processing is / may be Article 6 (1) (a), (c) and (f) of (EU) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (referred to in this Information Note as the “Regulation” or “GDPR”), namely:

“(a) the data subject has given his or her consent to the processing of personal data for one or more specific purposes;

(c) the processing is necessary in order to fulfill a legal obligation incumbent on the controller;

(f) the processing is necessary for the legitimate interests pursued by the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail, which require the protection of personal data…”

4. Recipients or categories of recipients of personal data

The recipients to whom the personal data concerning the data subject will be disclosed and transmitted are all those to whom information must be sent in order to fulfill the above mentioned purposes and include without limitation, as appropriate, all employees, collaborators, representatives, subcontractors and consultants of the Controller who are involved on behalf of the Controller in carrying out the steps in order to establish a legal relationship between the Controller and the Partner (e.g., performing certain selection procedures and / or performing certain steps in order to conclude a contract between the Controller and the Partner, including contacting the data subject) and / or the execution of a legal relationship between the Controller and the Partner and / or the fulfillment of any (legal) obligations in connection with them, as the case may be.

5. Transfer of personal data to a third country

5.1. At the time of this briefing, no personal data will be transferred to a third country.

5.2. A possible transfer or set of transfers of personal data to a third country or an international organization may take place under one of the following conditions: (a) the data subject has explicitly agreed to the proposed transfer, after being informed of the possible risks that such transfers may entail for the data subject as a result of the lack of a decision on the adequacy of the level of protection and of adequate safeguards; (b) the transfer is necessary for the performance of a contract between the data subject and the Controller or for the application of pre-contractual measures taken at the request of the data subject; (c) the transfer is necessary for the conclusion of a contract or for the performance of a contract concluded in the interest of the data subject between the Controller and another natural or legal person; (d) the existence of a decision on the adequacy of the level of protection or of adequate safeguards in accordance with the Regulation; (e) any other situation permitted by the applicable law.

6. The period for which the personal data will be stored / The criteria used to establish this period.

Personal data will be stored by the Controller throughout the period in which steps are taken in order to establish a legal relationship between the Controller and the Partner (e.g., performing certain selection procedures and / or performing certain steps in order to conclude a contract between the Controller and the Partner, including contacting the data subject in this regard) and / or throughout the execution of the legal relations between the Controller and the Partner and / or in order to fulfill any legal obligations in relation to them as well as for tax and legal purposes (e.g., archiving and / or fulfillment of the obligations in the field of prevention and sanctioning of money laundering), as the case may be, and until the expiration of the prescription periods for the recovery of any debts from the Partner(s), but not less than the period provided by the legal regulations in force.

If the data has been collected (and) for other purposes and / or on other grounds, personal data will be stored (further) for the period set for these purposes and / or on such grounds, if this period is longer than the one mentioned above.

7. The obligation to provide personal data and the possible consequences of non-compliance with this obligation. Updating personal data

7.1. The provision of personal data was not / is not a legal obligation [unless personal data was collected (and) on other grounds].

7.2. The provision of personal data is / may be a necessary obligation to take steps in order to establish a legal relationship between the Controller and the Partner (e.g., to perform certain selection procedures and / or to take certain steps in order to conclude a contract between the Controller and the Partner, including contacting the data subject in this respect) and / or executing a legal relationship between the Controller and the Partner and / or fulfilling any obligations in relation to them, as the case may be and if applicable.

7.4. The refusal to provide and / or update the (personal) data may lead (as a consequence of non-compliance with the obligation to provide and / or update those data) to the refusal and / or impossibility of taking steps in order to establish a legal relationship between the Controller and the Partner (e.g., performing certain selection procedures and / or performing certain steps in order to conclude a contract between the Controller and the Partner, including contacting the data subject in this regard) and / or to the refusal and / or impossibility of (performing steps for) the execution of the legal relations between the Controller and the Partner and / or in order to fulfill any legal obligations in connection with them, as the case may be.

If your (contact) personal data has changed since their last provision and / or you wish to update them, please send us a request to update them, on any communication channel, including the email referred to in point 1 of this information note.

8. Access rights of the data subject

8.1. The data subject has the right to obtain a confirmation from the Controller that personal data concerning him or her are being processed or not and, if so, the access to the respective data and to the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom personal data have been or are to be disclosed, in particular recipients from third countries or international organizations;

(d) where possible, the period for which personal data are expected to be stored or, if this is not possible, the criteria used to determine this period;

(e) the existence of the right to request the Controller to rectify or delete personal data or to restrict the processing of personal data concerning the data subject or the right to oppose the processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where personal data are not collected from the data subject, any available information on their source;

(h) the existence of an automated decision-making process including the creation of profiles, referred to in the Regulation, as well as, at least in those cases, relevant information on the logic used and, on the importance and expected consequences of such processing for the data subject.

8.2. If personal data are transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards regarding the transfer.

8.3. The controller shall provide a copy of the personal data that is being processed. For any other copies requested by the data subject, the Controller may charge a reasonable fee, based on administrative costs. If the data subject submits the application in electronic format and unless the data subject requests another format, the information shall be provided in a commonly used electronic format.

8.4. The right to obtain a copy referred to in point 8.3 is without prejudice to the rights and freedoms of others.

9. The right to correction

The data subject has the right to obtain from the Controller, without undue delay, the correction of inaccurate personal data concerning them. Taking into account the purposes for which the data were processed, the data subject has the right to obtain the completion of personal data which are incomplete, including by providing an additional statement.

10. The right to delete data (“the right to be forgotten”)

10.1. The data subject has the right to obtain from the Controller the deletion of personal data concerning them, without undue delay, and the controller has the obligation to delete personal data without undue delay, if one of the following reasons applies:

(a) personal data are no longer necessary for the purpose for which they were collected or processed;

(b) the data subject withdraws the consent on the basis of which the processing takes place, if the processing takes place on the basis of the data subject’s consent to the processing of his personal data for one or more specific purposes, and there is no other legal ground for the processing;

(c) the data subject opposes the processing, for reasons related to the particular situation in which he is, according to the Regulation, and there are no legitimate reasons prevailing in terms of processing or the data subject opposes the processing of personal data for direct marketing purposes, and there is no other legal basis for processing;

(d) personal data have been processed unlawfully;

(e) personal data must be deleted in order to comply with a legal obligation incumbent on the Controller under Union or national law under which the Controller is subject;

(f) personal data have been collected in connection with the provision of information society services to a child in accordance with the Regulation.

10.2. If the Controller has made personal data public and is obliged, under point 10.1., to delete them, the Controller, taking into account the available technology and the cost of implementation, shall take reasonable measures, including technical measures, to inform controllers which process the personal data that the data subject has requested the deletion by these controllers of any links to the respective data or of any copies or reproductions of these personal data.

10.3. Points 10.1. and 10.2. do not apply to the extent that processing is required:

(a) for the exercise of the right to freedom of expression and information;

(b) to comply with a legal obligation which provides for the processing under Union or national law applicable to the Controller or for the performance of a task performed in the public interest or in the exercise of an official authority with which the Controller is invested;

(c) for reasons of public interest in the field of public health, in accordance with the Regulation;

(d) for archiving purposes in the public interest, for the purpose of scientific or historical research or for statistical purposes, in accordance with the Regulation, in so far as the right referred to in point 10.1. is likely to make it impossible or to seriously affect the achievement of the objectives of that processing;

or

(e) for the establishment, exercise or defense of a right in court.

11. The right to restrict processing

11.1. The data subject has the right to obtain from the Controller the restriction of the processing, in case one of the following cases applies:

(a) the data subject disputes the accuracy of the data, for a period that allows the Controller to verify the accuracy of the data;

(b) the processing is illegal and the data subject objects to the deletion of personal data, requesting in return the restriction of their use;

(c) the Controller no longer needs the personal data for the purpose of processing, but the data subject requests them for the establishment, exercise or defense of a right in court; or

(d) the data subject has objected to the processing for reasons related to the particular situation in which they are, according to the Regulation, for the period of time in which it is verified whether the legitimate rights of the Controller prevail over those of the data subject.

11.2. Where processing has been restricted pursuant to paragraph 11.1., such personal data may, except in the case of storage, be processed only with the consent of the data subject or for the establishment, exercise or defense of a right in court or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

11.3. A data subject who has obtained the processing restriction pursuant to paragraph 11.1. is informed by the Controller before lifting the processing restriction.

12. Obligation to notify regarding the rectification or deletion of personal data or restriction of processing

The controller shall inform each recipient to whom the personal data have been disclosed of any correction or deletion of personal data or restriction of the processing carried out in accordance with point 9, point 10.1. and point 11, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject of the respective recipients if the data subject so requests.

13. The right to data portability

13.1. The data subject has the right to receive personal data concerning him and which they have provided to the Controller in a structured, commonly used and automatically readable format and has the right to transmit this data to another controller, without obstacles from the controller to whom the personal data were provided, if:

(a) processing is based on consent or contract; and

(b) processing is carried out by automatic means.

13.2. In exercising his right to data portability under point 13.1, the data subject has the right to have personal data transmitted directly from one controller to another where this is technically feasible.

13.3. Exercise of the right mentioned in point 13.1. of this Article is without prejudice to Article 17. That right shall not apply to the processing necessary for the performance of a task performed in the public interest or in the exercise of official authority with which the Controller is vested.

13.4. The right mentioned in point 13.1. does not affect the rights and freedoms of others.

14. The right to object

14.1. At any time, the data subject has the right to object, for reasons related to his / her particular situation, to the processing for the legitimate interests pursued by the Controller or by a third party of personal data concerning him / her, including the creation of profiles based on those provisions. The Controller no longer processes personal data, unless the Controller demonstrates that they have legitimate and compelling reasons justifying the processing and prevailing over the interests, rights and freedoms of the data subject or that the purpose is to establish, exercise or defend a right in court.

14.2. When the processing of personal data is for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him for this purpose, including the creation of profiles, insofar as it is related to that direct marketing.

14.3. If the data subject opposes the processing for the purpose of direct marketing, the personal data will no longer be processed for this purpose. If the data subject opts for the processing of personal data for the purpose of direct marketing, separately and unrelated to any other action, including by activating any acceptance button regarding the processing of personal data for the purpose of direct marketing, the latest personal data provided in any way will be processed for direct marketing purposes.

14.4. At the latest at the time of the first communication with the data subject, the right mentioned in points 14.1. and 14.2. is explicitly brought to the attention of the data subject and is presented clearly and separately from any other information.

14.5. In the context of the use of information society services and notwithstanding Directive 2002/58 / EC, the data subject may exercise their right to object by automatic means using technical specifications.

14.6. If personal data are processed for the purpose of scientific or historical research or for statistical purposes in accordance with the Regulation, the data subject, for reasons related to his or her particular situation, has the right to object to the processing of personal data which concerns them, unless the processing is necessary for the performance of a task for reasons of public interest.

15. The right regarding automated individual decision-making, including profiling

15.1. The data subject has the right not to be subject to a decision based solely on automatic processing, including the creation of profiles, which produces legal effects concerning the data subject or similarly affects them to a significant extent.

15.2. Point 15.1. does not apply if the decision:

(a) is necessary for the conclusion or performance of a contract between the data subject and a data controller;

(b) is authorized by Union or national law applicable to the Controller and also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or

(c) is based on the explicit consent of the data subject.

16. The right to lodge a complaint with a supervisory authority

16.1. Without prejudice to any other administrative or judicial remedies, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which they have habitual residence, place of employment or in which the alleged infringement took place, in case they consider that the processing of personal data concerning them violates the Regulation.

16.2. The supervisory authority to which the complaint was lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of bringing a judicial remedy under Article 17.

17. The right to an effective judicial remedy against a supervisory authority

17.1. Without prejudice to any other administrative or non-judicial remedies, each natural or legal person has the right to pursue an effective judicial remedy against a legally binding decision of a supervisory authority.

17.2. Without prejudice to any other administrative or non-judicial remedies, each data subject shall have the right to pursue an effective judicial remedy if the supervisory authority which is competent under the Regulation does not deal with a complaint or does not inform the data subject within three months of the progress or settlement of the Article 16 complaint.

17.3. Actions brought against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

17.4. Where actions are brought against a decision of a supervisory authority which has been preceded by an opinion or a decision of the committee under the mechanism to ensure consistency, the supervisory authority shall forward that opinion or decision to the court.

18. The right to an effective judicial remedy against a controller or a data operator

18.1. Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority under the Regulation, each data subject shall have the right to pursue an effective judicial remedy if he or she considers that the rights they benefit from under the Regulation have been infringed as a result of the processing of his personal data without complying with the Regulation.

18.2. Actions brought against a controller or a data operator shall be brought before the courts of the Member State in which the controller or the data operator is established. Alternatively, such an action may be brought before the courts of the Member State in which the data subject has their habitual residence, unless the controller or the data operator is a public authority of a Member State acting in the exercise of its public powers.

19. Representation of data subjects

19.1. The data subject has the right to mandate a non-profit body, organization or association, which has been duly constituted in accordance with national law, whose statutory objectives are in the public interest, which are active in the field of protection of rights and freedoms of data subjects in respect of the protection of their personal data, to lodge a complaint on their behalf, to exercise on their behalf the rights referred to in Articles 16, 17 and 18, and to exercise the right to receive compensation referred to in the Regulation on behalf of the person, if this is provided for in national law.

19.2. Member States may provide that any body, organization or association referred to in point 19.1. of this Article, regardless of the mandate of a data subject, has the right to lodge a complaint in that Member State with the supervisory authority competent under Article 16; to exercise the rights referred to in Articles 17 and 18, if they consider that the rights of a data subject have been infringed as a result of the processing.

20. The right to compensation and liability

20.1. Any person who has suffered material or moral damage as a result of a breach of the Regulation has the right to obtain compensation from the Controller or from the data operator for the damage suffered.

20.2. Any controller involved in processing operations shall be liable for damage caused by his processing operations in breach of the Regulation. The data operator is liable for the damage caused by the processing only if they have not complied with the obligations of the Regulation which are specifically incumbent on the data operator or acted outside or contrary to the legal instructions of the controller.

20.3. The controller or the data operator is exonerated from liability under point 20.2. if they prove that they are not liable in any way for the event which caused the damage.

20.4. If several controllers or several data operators, or one controller and one data operator are involved in the same processing operation and are liable under points 20.2. and 20.3., for any damage caused by the processing, each controller or data operator is liable (responsible) for the entire damage to ensure the effective compensation of the data subject.

20.5. If a controller or a data operator has paid, in accordance with point 20.4., in full, the compensation for the damage caused, that controller or the data operator has the right to claim from the other controllers or other data operators involved in the same processing operation recovery of that part of the compensation corresponding to their part of liability for damage, in accordance with the conditions set out in point 18.2.

20.6. Actions for the exercise of the right to recover compensation shall be brought before the competent courts in accordance with the law of the Member State referred to in point 18.2.

21. Right of withdrawal of consent

When the processing is based on: i) the consent of the data subject given for the processing of his / her personal data for one or more specific purposes; or ii) the consent of the data subject given for the processing of certain special categories of personal data for one or more specific purposes, unless Union or national law provides that the prohibition on processing special categories of personal data cannot be withdrawn by the consent of the data subject, the data subject has the right to withdraw his consent at any time, without affecting the legality of the processing carried out on the basis of the consent before its withdrawal. For the avoidance of doubt, the withdrawal of consent does not affect the processing of personal data on other grounds.

22. The (general) right to information

The data subjects have the right to receive certain information regarding the processing of their personal data:

22.1. Information to be provided to the data subject if personal data are collected from the data subject

22.1.1. If the personal data concerning a data subject are collected from them, the Controller, when obtaining these personal data, provides to the data subject, usually through an information note, all the following information: a) the identity and the contact details of the Controller and, as the case may be, of his representative; b) the contact details of the data protection officer, as the case may be; c) the purposes for which the personal data are processed, as well as the legal basis of the processing; d) the recipients or categories of recipients of personal data; e) if applicable, the intention of the Controller to transfer personal data to a third country or an international organization and the existence or absence of a Commission decision on the adequacy or a reference to the appropriate safeguards and the means to obtain a copy of them, if they have been made available, as the case may be; f) the period for which the personal data will be stored or, if this is not possible, the criteria used to establish this period; g) the existence of the right to request from the Controller, regarding the personal data regarding the data subject, access to them, their rectification or deletion or restriction of the processing or the right to oppose the processing, as well as the right to data portability; h) the existence of the right to withdraw the consent at any time, without affecting the legality of the processing carried out on the basis of the consent before its withdrawal; i) the right to lodge a complaint with a supervisory authority; j) the existence of an automated decision-making process including the creation of profiles, as well as, at least in the respective cases, pertinent information regarding the logic used and regarding the importance and the expected consequences of such processing for the data subject.

22.1.2. If the Controller intends to further process personal data for a purpose other than that for which they were collected, the Controller shall provide the data subject, prior to such further processing, with information on that secondary purpose and any additional relevant information, in accordance with points f) – j) of 22.1.1.

22.1.3. The provisions of art. 22.1.1. and 22.1.2. do not apply if and to the extent that the data subject already holds that information.

22.2. Information to be provided to the data subject if personal data have not been obtained from the data subject

22.2.1. If the personal data concerning a data subject have not been obtained from the data subject, the Controller will provide to the data subject, usually by means of an information note, all the following information: a) the identity and contact details of the Controller and, as the case may be, of its representative; b) the contact details of the data protection officer, as the case may be; c) the purposes for which the personal data are processed, as well as the legal basis of the processing; d) the categories of personal data concerned; e) the recipients or categories of recipients of personal data; f) where applicable, the intention of the Controller to transfer personal data to a third country or an international organization and the existence or absence of a Commission adequacy decision or a reference to the appropriate or suitable safeguards and the means to obtain a copy of them, if they have been made available, as the case may be; g) the period for which the personal data will be stored or, if this is not possible, the criteria used to establish this period; h) the existence of the right to request from the Controller, in relation to the personal data regarding the data subject, access to them, their rectification or deletion or the restriction of the processing or the right to object to the processing, as well as the right to data portability; i) the existence of the right to withdraw the consent at any time, without affecting the legality of the processing carried out on the basis of the consent before its withdrawal; j) the right to lodge a complaint with a supervisory authority; k) the source from which the personal data come and, if applicable, whether they come from publicly available sources; l) the existence of an automated decision-making process including the creation of profiles, as well as, at least in the respective cases, pertinent information regarding the logic used and regarding the importance and the expected consequences of such processing for the data subject.

22.2.2. The Controller provides the information mentioned in art. 22.2.1: a) within a reasonable time after obtaining the personal data, but not longer than one month, taking into account the specific circumstances in which the personal data are processed; b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to the respective data subject; or c) if it is intended to disclose personal data to another recipient, at the latest on the date on which they are first disclosed.

22.2.3. If the Controller intends to further process personal data for a purpose other than that for which they were collected, the Controller shall provide the data subject, prior to such further processing, with information on that secondary purpose and any additional relevant information, in accordance with points g) – l) of 22.2.1.

22.2.4. The provisions of art. 22.2.1 do not apply if and to the extent that: a) the data subject already holds the respective information; b) the provision of this information proves to be impossible or would involve disproportionate efforts, especially in the case of processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, or to the extent that the obligation mentioned in points a) – g) of article 22.2.1 is likely to make impossible or seriously affect the achievement of the objectives of the respective processing. In such cases, the Controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including making the information available to the public; c) the obtaining or disclosure of data is expressly provided for by Union or national law to which the Controller is subject and which provides for appropriate measures to protect the legitimate interests of the data subject; or d) where personal data must remain confidential by virtue of a statutory obligation of professional secrecy governed by Union or national law, including a legal obligation to maintain secrecy.

22.3. Information to be provided to data subjects under Articles 22.1. and 22.2. may be provided in combination with standardized pictograms to provide a meaningful overview of the intended processing in an easily visible, intelligible and clearly legible manner. If the icons are presented in electronic format, they must be machine-readable.

23. The right to be informed about the breach of personal data security

23.1. If the breach of personal data security is likely to pose a high risk to the rights and freedoms of individuals, the Controller shall inform the data subject without undue delay about such breach.

The information provided to the data subject shall include a clear description in plain and simple language of the nature of the personal data breach, as well as at least the information and measures concerning:

i) the communication of the name and contact details of the data protection officer or another contact point from where more information can be obtained;

ii) description of the probable consequences of the personal data breach;

iii) a description of the measures taken or proposed to be taken by the Company to remedy the personal data breach, including, as the case may be, the measures to mitigate its possible negative effects;

23.2. The information of the data subject referred to above shall not be required if any of the following conditions is met:

a) The Controller has implemented adequate technical and organizational protection measures, and these measures have been applied to the personal data affected by the personal data breach, in particular measures to ensure that personal data become unintelligible to any person who is not authorized to access them, such as encryption;

b) The controller has taken further measures to ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize;

c) informing the data subject would require a disproportionate effort. In this case, public information shall be provided instead or a similar measure shall be taken to inform the data subjects in an equally effective manner;

If the Controller has not already communicated the personal data breach to the data subject, the supervisory authority, after considering the likelihood that the personal data breach would pose a high risk, may request the data subject to do so or may decide that any of the above conditions are met.

24. Miscellaneous clauses

24.1. The data subject has all the rights provided by this information note as well as any other rights provided by the mandatory legal regulations in force regarding the processing of personal data.

24.2. The rights mentioned in this information note may be exercised in accordance with this information note, in accordance with the Regulations and any other applicable legal regulations in force.

24.3. Any requests sent by the data subject to the Controller for the exercise of any of the rights may be made in writing, and submitted or sent to the Controller’s premises, including by registered letter, and / or by email to the Controller’s email address mentioned in point 1 of this information note and / or by any other means provided / allowed by the legal regulations in force.

24.4. The data subject may request, in accordance with the above, and, where appropriate, obtain, free of charge, in particular, access to personal data, as well as their rectification or deletion, restriction of processing, data portability and exercise of the right to object and of the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects him to a significant extent, as well as information on personal data breaches.

24.5. The terms used in this information note will have the meaning defined in the Regulation unless the context expressly states otherwise.

25. Cookies

The provider uses “cookies”. If you want to know more you can access the Cookies Policy.