PRIVACY AND SECURITY POLICY FOR THE PROCESSING OF PERSONAL DATA
The protection of your personal data is very important for AMDA PROPERTIES S.R.L.
AMDA PROPERTIES S.R.L. is a company legally domiciled in Romania, based in Street, Nerva Traian, no.3, room no. 36A, 11th floor, Bucharest registered with the Trade Registry under no. J40/11852/2015, tax id. 35063389 (hereinafter „the Operator”), represented by Yellow Tree Services S.R.L., Romanian legal person, based in Bucharest, 3 Nerva Traian Street, 11th Office, 11th Floor, registered with the Trade Registry under no. J40/14412/29.10.2020, tax id. RO43258870.
We want you to be properly informed about the ways and purposes the Operator processes your personal data.
Purpose
The purpose of the Personal Data Protection Policy (or GDPR Policy) is to outline the principles of personal data processing of the Operator and to establish appropriate technical and organizational measures and the responsibilities of the Operator’s employees (also referred to as ”the Operator”) that are tasked with the processing of personal data, and/or, as the case may be, of the persons empowered by the Operator to fulfil the obligations regarding the guarantee and protection of the fundamental rights and freedoms of natural persons, in particular the right to protection of their personal data during processing.
The principles of personal data processing
-
Personal data is processed by the Operator in good faith, fairly, in a transparent manner in relation to the data subject and in accordance with the legal provisions in force.
-
Personal data is collected by the Operator for well-defined, explicit and legitimate purposes, and further processing will not be incompatible with these purposes.
-
Personal data is appropriate, relevant and non-excessive in relation to the purpose for which it is collected and subsequently processed.
-
Personal data is not to be stored by the Operator for a longer period than is necessary to achieve the purposes for which it was collected.
-
The Operator has taken appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of illegal processing, as well as the erasure or rectification of inaccurate or incomplete data with regard to the purpose for which they are collected and for which they will be further processed.
Types of data and the purpose of using personal data
-
The personal data referred to in this policy includes identification information such as first and last name, surname and forename of legal representatives, gender, date and place of birth, age, nationality, telephone / fax, home address / residence, e-mail address, personal identification number, identity card / passport serial number, job, profession, training - diplomas - studies, banking data and/or data that can serve to identify a natural person.
-
The Operator will collect, use, process and provide personal data on a lawful basis for purposes such as contracting professional services, business purposes, marketing, advertising, statistics, organizing events (including but not limited to delegations, conferences and fairs), for educational purposes, for organizing training programs, issuing any financial accounting documents, concluding contracts or any other necessary documents in the activity of the Operator.
-
Personal data is intended for use by the Operator and is collected by designated persons.
-
Some of this data may be transferred to the contractual partners of the Operator.
-
The collection and processing of personal data of underage persons by the Operator will be performed only with the explicit consent of the parents or other legal representatives.
General Rules
-
The GDPR Policy sets out the technical and organizational measures implemented by the Operator to meet the obligations regarding confidentiality and security of the processing carried out during its business.
-
Minimum security requirements are considered a complex of technical, informational, organizational and logistical measures and procedures that ensure a minimum level of processing security, according to all national and European legal frameworks on the matter.
-
The Operator has adopted appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of illegal processing. In this respect, a person responsible for complying with the provisions of Romanian Law no. 190/2018, the provisions of GDPR 679/2016 and with the provisions of other relevant regulations is designated on behalf of the Operator – DPO – Data Protection Officer.
-
To meet the legal provisions and requirements on safety of information, the Operator has developed and implemented organizational and technical measures focused on certain courses of action:
-
User identification and authentication;
-
Type of access;
-
Data collection;
-
Backup execution;
-
Computers and access terminals;
-
Access files;
-
Staff training;
-
Telecommunication systems;
-
Computer usage;
-
Data printing.
Specific procedures
User identification and authentication
-
By user it is meant any person acting under the authority of the Operator or a person authorized by the Operator, with a recognized right to access personal data.
-
To gain access to personal data, users need to identify themselves.
-
In the case of automated processing, the identification is done by authentication in the IT systems of the Operator. Authentication is done by entering unique login data, consisting of a username and a password.
-
Passwords are security strings that are appropriate in terms of length, composition and operational behaviour, in accordance with DIHK in-force security procedures.
-
Any user that receives access to the personal information database is informed that he / she must maintain the confidentiality of the authentication data and hold accountability to the Operator in this regard.
-
User access to manually managed personal information databases is done strictly based on a list approved by the Operator's management.
Type of access
-
Users can only access the personal data required to fulfil the tasks assigned by the Operator.
-
Developers of personal data processing systems have access to personal data under a strict privacy agreement signed with the Operator, exclusively where required, each transaction being documented.
-
The technical support department may have access to personal data in order to resolve incidents and problems encountered in the use of IT systems.
-
Computers and servers containing databases with personal information are located in controlled access rooms. Documents containing personal data of the type considered as special categories of data are kept in restricted access rooms.
-
The Operator has established strict ways to destroy personal data.
Data collection
-
The Operator designates authorized users for the collection, input and processing of personal data in a computer system or in a manual system.
-
Any changes to personal data may only be made by authorized users designated by the Operator.
-
The Operator has taken steps to ensure that the information system records who has made the change, the date and time of the change. For better management, the Operator has implemented measures so that the information system maintains deleted or modified data.
Backup execution
-
The computer system automatically performs back-up of the databases daily for an eventual data recovery in case of loss, destruction or malfunction.
-
The Operator sets the timeframe for the backups of personal information databases as well as the programs used for automated processing. The users executing these backups are designated by the Operator in a limited number. Backups are stored in locations with restricted access, situated in a different room from where the backup is made.
Computers and access terminals
-
Computers and other access terminals are installed in lockable, restricted access rooms. If the computers are on without any input for a certain period of time, set by the Operator, the session closes automatically.
-
Users are trained so that personal information databases are closed when unauthorized persons are nearby.
-
Servers hosting databases can only be accessed in a controlled manner based on access rights.
Access files
-
The Operator takes steps to ensure that any access to the personal information database is recorded in an access file (called a log, for automated processing) or in a register in case of manual personal data processing, that is set by the Operator.
-
For automated processing, this information will be stored in a general access file or in separate files for each user.
-
The Operator is required to keep access files for at least 2 years to be used as evidence for investigations. If the investigations are prolonged, these files will be kept until investigations and any actions related to them are completed.
-
Access logs must provide information to identify persons who have accessed personal data and the respective performed operations.
Telecommunication systems
-
The Operator, through authorized users, periodically checks authentication and access types to detect malfunctions in the use of telecommunication systems. Only personal data strictly necessary will be transmitted through the telecommunication systems.
Staff training
-
Users who have access to personal information databases are trained on the national and European legal provisions, on the provisions of the IT security policy of the Operator, as well as on the importance of maintaining their confidentiality and the risks involved in the processing of personal data.
-
Users who have access to personal data will be notified by messages that will appear on monitors. Users are forced to close their work session when they leave the workplace.
Computer use: to maintain security of the processing of personal data (especially against computer viruses), the following measures are mandatory
-
Use of software from unsafe sources has been forbidden;
-
Users do not have administrative privileges on computers;
-
Only licensed software is being used;
-
Computers are protected through antivirus software;
-
The user's activity may be monitored in limited cases, when justified by a legitimate interest of the Operator according to the provision of this policy.
Data Printing
-
Personal data shall only be printed by the designated users and only for the purposes specified in these Rules.
-
User access to printers is restricted.
The rights of persons whose personal data are being collected and/or processed
-
The right to information: any individual has the right to be provided by the Operator, at least the following information
-
The identity of the Operator and its representative;
-
The purpose of personal data being processed;
-
Additional information, such as: recipients or categories of data recipients; whether the provision of all required data is mandatory and the consequences of the refusal to provide them;
-
Any other information of which disclosure is required by authorities.
The right of access to data: the individuals have the right to obtain from the Operator, according to the law, upon request, confirmation as to whether or not personal data concerning him or her are being processed and to receive, free of charge a copy of the personal data undergoing processing and access to the following information:
-
the purposes of processing;
-
the categories of personal data concerned;
-
the recipients or categories of recipients to whom the personal data have been or will be disclosed, including, in case of transfer to a third country or to an international organization, a description of the appropriate safeguards in place;
-
the envisaged storage period or the criteria used to determine this period, as possible;
-
the right to request from the Operator rectification, erasure, restriction of processing of personal data or to object to such processing;
-
the right to lodge a complaint with the National Supervising Authority (ANSPDCP);
-
any available information regarding the source of the personal data, if it was not collected directly from the data subject.
For any further copies requested by the data subject, the Operator may charge a fee to cover the administrative costs.
-
The right to rectification: the individuals have the right to obtain from the Operator the rectification of inaccurate personal data concerning him or her.
-
The right to erasure: the individuals have the right to obtain from the Operator the erasure of personal data concerning him or her in any of the following cases:
-
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
-
the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;
-
the individual objects to the processing and there are no overriding legitimate grounds for the processing;
-
the personal data have been unlawfully processed;
-
the personal data have to be erased for compliance with a legal obligation in EU or Romanian law to which the Operator is subject.
The right to restriction of processing: the individuals have the right to obtain from the Operator restriction of processing where one of the following applies:
-
the accuracy of the personal data is contested by the individual, for a period enabling the Operator to verify the accuracy of the personal data;
-
the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
-
the Operator no longer needs the personal data for the purposes of the processing, but they are required by the individual for the establishment, exercise or defence of legal claims;
-
the individual has objected to processing pending verification whether the legitimate grounds of the Operator override those of the data subject.
Contact
For questions or other queries please contact the Operator using the contact details provided on the Operator’s website.
Final provisions
This document is completed by the whole set of security procedures for the processing of personal data approved by the Operator’s management, including the Operator’s Information Security Policy.