Personal data processing policy
Current version of the policy
Previous version of the policy (valid until 12.03.2023)
1. WHO WE ARE
AXES SOFTWARE S.R.L., having its headquarters in Bucharest, Sector 3, 36 Matei Basarab Street, registered under the Trade Register no. J40 /21580/2005, having the fiscal code RO 18238677, (hereinafter referred to as “the Company”) is a data controller.
The purpose of this Policy is to inform the data subjects about the conditions under which personal data are processed by the Controller, in accordance with Article 13 of the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’ or ‘GDPR’).
The services offered by the Company can only be used after acknowledging this Policy.
This site is not intended for minors under the age of 16.
2. DEFINITIONS
Under this Policy, the terms mentioned will have the meanings specified below in accordance with Article 4 of the GDPR:
a) “Personal data of the data subject” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
b) “Data subject” means the natural person whose personal data is processed by the Controller;
c) “Supervisory Authority” means an independent public authority established by a Member State, having the competence to supervise the protection of personal data in the EU in the jurisdiction where the entity that processes data as Controller has its seat;
d) “Processing” means any operation or set of operations performed upon personal data or personal data sets, with or without the use of automated means, such as: collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use,
disclosure by transmission, dissemination or otherwise, alignment or combination, restriction, deletion or destruction;
e) “Controller” means the legal person or the natural person who, alone or jointly with others, determines the purposes and means of processing personal data. Under this Policy, the Controller is the Company;
f) “Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, agree to the processing of personal data relating to them.
g) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
h) “Regulation” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).
3. GENERAL PROVISIONS
As we value the confidentiality of your information, we undertake, as the Controller, to comply with the provisions of this policy, as well as the provisions set out in the Regulation and the national laws regarding the processing of personal data, their security and confidentiality.
If we change this Policy, we will notify you on this page and publish an updated version.
4. PURPOSE, DURATION, NATURE, PURPOSE, TYPE OF PERSONAL DATA PROCESSED
Personal data means any data or information that helps us to identify you directly (e.g. your surname, forename) or indirectly (e.g. data collected through cookie technology). Some information is less obvious (such as your computer’s IP), but associated with your person and corroborated with other personal data can help us, at least in theory, to identify you. Thus, all these are limited to the notion of “personal data”.
Sensitive data refer to data that include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade-union membership, health-related information, and genetic and biometric data. We do not collect any information about beliefs, sex life or sexual orientation, political opinions, trade-union membership, health, genetic or biometric or crime-related data.
The personal data we process in accordance with the purposes and means presented below is obtained directly from you or from third sources as mentioned.
The purposes for and the conditions under which we process your personal data are the following:
– Contacting the Company through the forms available on the website
When you contact us via the contact form on the site, we will process the following data:
- surname and forename;
- e-mail address;
- telephone number;
- the represented entity.
The legal basis for data processing is Art. 6 para. (1) let. (f) of the GDPR – the legitimate interest of the Controller to facilitate communication with potential clients through the website.
The data retention period is 12 months calculated from 1 January of the year following collection.
– Concluding contracts between the Company and the entity you represent
When you are the legal representative of a contracting entity of the Company, such as a client or service provider, we will process your personal data for the conclusion and performance of the contract between the two entities. In such situation we shall process the following data:
- name, surname;
- role;
- represented entity;
- electronic or holograph signature.
The legal basis for data processing is Art. 6 para. (1) let. (f) of the GDPR – the legitimate interest of the Controller to enter into contractual relationships.
The retention period applicable will be the Company’s duration of operation.
– Ensuring communication in order to conclude and perform commercial contracts
If you are the contact person or the legal representative of a contracting entity of the Company, such as a client or service provider, we will process your data in order to ensure the communication indispensable for the performance of contractual relations. For this purpose we will process the following data:
- name, surname;
- role;
- phone number and/or e-mail address;
- employer or represented entity.
The legal basis for data processing is Art. 6 para. (1) let. (f) of the GDPR – the legitimate interest of the Controller to ensure the communication indispensable for the performance of contractual relations.
The retention period shall be determined in accordance with the specifics of the contractual relationship.
– Subscribing to our newsletters
When you subscribe to our newsletters, we may periodically send you promotional messages. For this purpose we will process the following data:
- e-mail address;
- name and surname.
The legal basis for data processing is Art. 6 para. (1) let. (a) of the GDPR – the consent of the data subject. You have the right to withdraw your given consent any time without affecting the lawfulness of the processing based on consent before its withdrawal.
The data will be retained until your consent is withdrawn.
– Defending rights in court
When we defend our rights in court to recover sums due or when we protect our interests against unjustified claims / complaints, we will process your data (provided to us by you) necessary to file lawsuits, other specific requests and documents.
The legal basis for data processing is Art. 6 para. (1) let. (f) of the GDPR – our legitimate interest in defending the interests of the Company.
The data retention period will be determined according to the nature of the dispute subject to resolution.
– Recruitment
When we recruit, we come into possession of CVs that are provided to us directly by the potential recruits or by our recruitment service providers. The data processed are those contained in your CV , such as:
- name, surname;
- phone number, e-mail address;
- education and professional training;
- professional experience;
- interview data, labour conditions.
- The legal basis for data processing is Art. 6 para. (1) let. (b) of the GDPR – in order to take steps at the request of the data subject prior to entering into a labour contract.
The data retention period is 5 years calculated from January 1 of the following year in which we came into possession of your data.
– Realization of statistics, identification of preferences, tracking of interaction with the website and marketing
When you visit our website as a visitor, we also collect data obtained, with the help of cookies, from your computer, phone, tablet or other device (” the device”) you have used, information by which we can identify you online (“online identifiers”):
- IP address;
- the internet browser you are using and the version of the device operating system;
- HHTP / HTTPS protocol data;
- the duration of your visit / activity on the website;
- the general location of the device (if geo-location is enabled) from which you connect to the Company’s website.
It is very important to know that most devices give you the option to disable geo-location services right from the settings of that device.
The data collected through cookies and similar technologies used through the website and the purposes for which they are processed correspond to your selections in the cookies banner.
“Cookies” are files that are placed on a website or sent by a server to your device. The way in which we process cookies is detailed in the Cookie Policy, in accordance with the permissions granted by you through the cookie banner .
The legal basis for data processing is Art. 6 para. (1) let. (a) of the GDPR – your consent. You have the right to withdraw your consent at any time through the means presented in the Cookies Policy, without affecting the lawfulness of the processing prior to the withdrawal of consent .
– Ensuring the security and maintenance of the website
We normally use the following online identifiers to maintain and secure the Company’s website:
- IP address;
- the internet browser you are using and the operating system version of the device you are connecting with;
- HHTP / HTTPS protocol data.
These data are processed to ensure the proper functioning of the website, respectively:
- the correct display of content;
- the improvement of the Company’s website;
- the configuration of the device from which you connect to the requirements of the Company’s website;
- ensuring the security of the website and the protection against fraud or any IT security breach with regard to the website;
- the identification and solving of issues that prevent the use of our site.
The legal basis for data processing is Art. 6 para. (1) let. (f) of the GDPR – our legitimate interest in implementing, setting up and maintaining security measures of the Company’s website.
5. TO WHOM WE CAN DISCLOSE DATA
i. Your personal data may be transmitted to and processed by our trusted partners in order to provide you with services.
When we outsource certain activities to our trusted partners, we make all reasonable efforts to verify in advance that they ensure the protection of your data through strict data security measures and we will enter into data processing agreements with each of them, in accordance with the legal requirements. The categories of recipients to whom we may disclose your data are hosting or software/hardware maintenance service providers, IT service providers, software or hardware product providers, subcontractors, training and education service providers, payment processors, banking institutions , accounting service providers.
ii. Transmission of data to public authorities and institutions or judicial bodies
We may transmit some of your personal data to the competent public authorities or institutions when required to do so by law (e.g. fraud investigation, money laundering prevention, filing of returns and financial statements with tax authorities, etc.) or we may transmit such data to the courts when defending ourselves in court or before other public authorities.
iii. Access of auditors and consultants
We may pass on some of your personal data to providers of accounting, legal, human resources, auditing, banking and other services.
6. INTERNATIONAL TRANSFERS
As a rule, your data is not transferred to countries outside the European Union or the European Economic Area (“EEA”).
If we transfer your data to other categories of partners / suppliers of the Company which are located in states that do not ensure an adequate level of protection of the transmitted data, we undertake to
take all necessary measures to ensure that those partners / suppliers comply with the terms and conditions set out in this Policy. These measures may include the implementation of data protection standards (e.g. ISO 27001), standard contractual clauses adopted by the European Union Commission and systems of direct control of these mechanisms.
7. DATA SECURITY
The Company has implemented appropriate security measures to prevent your personal data from being accidentally lost, used or accessed, altered or disclosed in an unauthorized manner. We also limit access to your personal data to those employees, agents, contractors and other third parties who have a commercial need to know those data. They will process your personal data at our instruction and are subject to confidentiality obligations.
We have implemented procedures to deal with any breach of personal data and we will notify you and any competent regulatory authority of the breach when we are legally obliged to do so.
We may store your data in physical or electronic format. In some circumstances, we may anonymize your personal data (so that it is no longer associated with you) for research or statistical purposes, in which case we may use this information indefinitely without informing you.
8. YOUR RIGHTS
In addition to those mentioned in this Policy, in certain circumstances, the data subject has certain rights in accordance with the personal data protection regulations. These include:
a. Right to be informed
You have the right to be informed regarding the processing of your personal data, as we are doing through this Privacy Policy.
b. Right to access
You have the right to obtain confirmation whether or not we process your personal data, as well as information on the specifics of the processing activities and a copy of that personal data.
c. Right to rectification
You have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
d. Right to erasure (“right to be forgotten”)
You have the right to ask us to delete your personal data, but only if one of the following grounds applies:
- they are no longer necessary for the purposes for which they were collected; or
- you have withdrawn your consent (when the data processing was based on consent); or
- as a result of a well-grounded right to object (see below, the Right to object); or
- they have been unlawfully processed; or
- a legal obligation to which the Company is subject must be complied with.
We are not obliged to respond to your request to delete your personal data if the processing of your personal data is necessary:
- for compliance with a legal obligation; or
- for the establishment, exercise or defence of certain rights in court.
There are several other circumstances in which we are not obliged to respond to your request for erasure.
e. Right to restriction of processing
You have the right to obtain the restriction of processing of your personal data (i.e keep your personal data without using them) only when:
- their accuracy is contested (see, above, the Right to rectification), in order to allow us to verify their accuracy; or
- the processing is unlawful, but you do not want to delete them; or
- they are no longer necessary for the purposes for which they were collected, but we still need them to establish, exercise or defend rights in court; or
- you have exercised your right to object and the verification of compelling reasons is pending.
We may continue to use your personal data following a request for a restriction if we have your consent; or
- for the establishment, exercise or defend rights in court; or
- for the protection of the rights of another natural or legal person.
f. Right to data portability
- the processing is based on your consent or on a contract with you; and
- the processing is carried out by automated means.
g. Right to object
You have the right to object to any processing of your personal data based on our legitimate interests if you believe that your fundamental rights and freedoms override our legitimate interests.
If the opposition is unjustified, the Controller is entitled to further process the personal data.
h. Right to object commercial communications
You have the right to object to processing of your personal data for direct marketing purposes at any time.
i. Right not to be subject to decisions based solely on automated processing
If the applicable legal provisions are met, you have the right not to be subject to a decision based solely on automatic processing, including profiling, which has legal effects on you or affects you similar to a significant extent.
j. Right to lodge a complaint with a Supervisory Authority
You have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing. Please try to resolve any issues by discussing them with us in the first instance, although you have the right to contact the supervisory authority at any time.
The Romanian National Authority for the Supervision of Personal Data Processing may be reached at the following contact details:
- Postal address: 28-30 G-ral. Gheorghe Magheru Boulevard, District 1, Bucharest, Romania, zip code 010336;
- e-mail: anspdcp@dataprotection.ro;
- website: dataprotection.ro.
k. Right to withdraw your consent
To the extent that we process your personal data on the basis of consent, you may withdraw your consent at any time, without affecting the lawfulness of the processing based on consent prior to its withdrawal.
The data subject will not pay a fee or any other charge to access their personal data or to exercise any of their other rights. However, the Company, as Controller, may charge a reasonable fee if the request made is manifestly unfounded, repetitive or excessive. Alternatively, the Company may refuse to comply with a request received in these circumstances.
The Company has the right to request certain information in order to confirm the identity of the data subject who made the request to exercise any rights. This is a security measure to ensure that
personal data is not disclosed to persons who are not entitled to receive them. We may contact you to request additional information regarding your request to expedite our response.
The company will make reasonable efforts to respond to all legitimate requests within one month. Occasionally, it may take longer than one month if the data subject’s request is very complex or the data subject has made several requests. In this case, the Company will notify you and keep you informed.
9. LET’S KEEP IN TOUCH
We have appointed a data protection officer. For all matters arising from this Policy, including requests for the exercise of the rights of the data subjects, you may contact the Data Protection Department:
- by e-mail at privacy@axessoftware.com;
- over the phone: +4 021 323 13 37; or
- by post, to: Axes Software SRL, Str. Vulturilor nr. 18, Etaj 3 (3rd Floor), Sector 3, Bucharest, Romania.
If you have a complaint or you are concerned about the way in which we use your personal data, please contact us in the first instance and we will try to resolve the issue as soon as possible.
We hope you enjoy browsing our website!
Last update: March 13, 2023