Personal Data Processing Policy

PERSONAL  DATA PROCESSING POLICY

1. WHO WE ARE

AXES SOFTWARE S.R.L., with its registered office in Bucharest, sector 2, Str. Nada Florilor, Bl. 2, Sc. 3, Et. 8, Ap. 120, registered with the Trade Register Office under no. J40 / 21580/2005, having fiscal code RO 18238677, (hereinafter referred to as “the Company” is a data controller.

The purpose of this Policy is to inform data subjects about the conditions under which personal data are processed by the Controller.

The use of the services offered by the Company can be made only after acknowledging this Policy.

This site is not intended for and may not be used by minors under the age of 16.

2. DEFINITIONS

Under this Policy, the terms mentioned will have the meanings specified below:

a) “Personal data of the data subject” means any information relating to a person who can be identified directly or indirectly, in particular by reference to an identifier (such as a surname, forename, e-mail address, bank account);

b) “Data subject” means any natural person whose personal data is processed by the Controller;

c) “Supervisory Authority” means an independent public authority established by a Member State, having the competence to supervise the protection of personal data in the EU in the jurisdiction where the entity that processes data as Controller has its seat;

d) “Processing” means any operation or set of operations performed upon personal data or personal data sets, with or without the use of automated means, such as: collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise, alignment or combination, restriction, deletion or destruction;

e) “Controller” means the legal person, as the Company is at present, or the natural person who, alone or jointly with others, determines the purposes and means of processing personal data;

f) “Consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, agree to the processing of personal data relating to then.

g) “Personal data breach“ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

h) “Regulation” – means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

3. GENERAL PROVISIONS

As we value the confidentiality of your information, we undertake, as the Controller, to comply with the provisions of this policy, as well as the provisions set out in the Regulation and the national laws regarding the processing of personal data, their security and confidentiality.

If we change this Policy, we will notify you on this page and publish an updated version.

4. PURPOSE, DURATION, NATURE, PURPOSE, TYPE OF PERSONAL DATA PROCESSED

Personal data means any data or information that helps us to identify you directly (e.g. your surname, forename) or indirectly (e.g. data collected through cookie technology). Some information is less obvious (such as your computer’s IP), but associated with your person and corroborated with other personal data can help us, at least in theory, to identify you. Thus, all these are limited to the notion of “personal data”.

Sensitive data refer to data that include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade-union membership, health-related information, and genetic and biometric data. We do not collect any information about beliefs, sex life or sexual orientation, political opinions, trade-union membership, health, genetic or biometric or crime-related data.

Data we receive directly from you

– When you contact us via the website or by e-mail for collaboration

When you contact us via the contact form on the site, we will process the following data:

• surname and forename;
• e-mail address;
• telephone number.

The basis for data processing is the establishment of a contractual relationship.

The data retention period is 12 months calculated from 1 January of the year following collection.

 – When you pay an invoice for our services

Each time you make a payment to us, we may process the following data:

• surname and forename;
• address;
• bank account.

The basis for data processing is the performance of the contract.

In case of refunds, we collect and process data related to:

• the IBAN number and bank where you opened your bank account

in order to refund the money.

The basis for data processing is the performance of the contract.

The data retention period is 5 years calculated from 1 January of the year following collection.

– When you subscribe to our newsletters

When you subscribe to our newsletters, we may periodically send you promotional messages.

The basis for data processing is the consent.

The data retention period is until your consent is withdrawn.

– When you visit our locations

In order to ensure the security of people and property, to verify compliance with work procedures, monitor the operation of equipment, prevent accidents at work and ensure safety, we carry out video surveillance of common areas, which is why we will process your image.

The data retention period is a maximum of 30 days from the date of data collection.

– Accounting and reporting

We process your data (those indicated on tax invoices) for bookkeeping purposes, for annual financial audits and for filing tax and accounting returns with the tax authorities.

The basis for data processing is the contractual relationship and the legal obligation.

The data retention period is 5 years calculated from 1 January of the year following collection.

– Defending rights in court

When we defend our rights in court to recover sums due or when we protect our interests against unjustified claims / complaints, we will process your data (provided to us by you) necessary to file lawsuits, other specific requests and documents.

The basis for data processing is our legitimate interest in defending the interests of the Company.

The data retention period is 5 years calculated from 1 January of the year following the end of the (contentious or non-contentious) proceedings.

– Proceedings before authorities

When we are obliged by law to do so, we will provide the competent authorities and institutions with the data we hold and which have been lawfully requested of us.

The basis for data processing is the legal obligation.

Data collected from third parties

– Recruitment procedures

When we recruit, we come into possession of CVs that are provided to us by entities specialized in the collection and provision of CVs. The data processed are those contained in the CV that you have provided directly to the specialized entities.

The basis for data processing is our legitimate interest to expand our team and create a wide range of selection of suitable candidates.

The data retention period is 2 years calculated from January 1 of the following year in which we came into possession of your data.

– Procedures for verifying potential partners

When we intend to enter into a collaboration with a new partner, we may enter into possession of personal data as they are collected from public sources by specialized entities and provided to subscribers.

The basis for data processing is our legitimate interest in establishing contractual relationships with entities that have clean economic and fiscal records.

The data retention period is 5 years calculated from January 1 of the following year in which we came into possession of your data.

Data collected automatically

– Data collected via cookie technology

When you visit our website as a visitor, we also collect data obtained, with the help of cookies, from your computer, phone, tablet or other device (” the device”) you have used, information by which we can identify you online (“online identifiers”) and which we may use for profiling for direct marketing purposes:

• IP address;
• the internet browser you are using and the version of the device operating system;
• HHTP / HTTPS protocol data;
• the duration of your visit / activity on the website;
• the general location of the device (if geo-location is enabled) from which you connect to the Company’s website.

It is very important to know that most devices give you the option to disable geo-location services right from the settings of that device.

“Cookies” are files that are placed on a website  or sent by a server to your device. The way in which we process cookies is detailed in the Cookie Policy, available on the Company’s website.

The basis for data processing is the consent. It is important to note that you can withdraw your consent at any time.

– Security and maintenance of the website

We normally use the following online identifiers to maintain and secure the Company’s website:

• IP address;
• the internet browser you are using and the operating system version of the device you are connecting with;
• HHTP / HTTPS protocol data.

These data are processed to ensure the proper functioning of the website, respectively:

• the correct display of content;
• the improvement of the Company’s website;
• the configuration of the device from which you connect to the requirements of the Company’s website;
• ensuring the security of the website and the protection against fraud or any IT security breach with regard to the website;
• the identification and solving of issues that prevent the use of our site.

The basis for data processing is our legitimate interest in implementing, setting up and maintaining security measures of the Company’s website.

5. HOW LONG WE PROCESS YOUR DATA

The Company processes your data for the period necessary to fulfill the purposes for which it was collected and in accordance with our personal data retention policy as detailed in Chapter 4 above. In some cases, some legal provisions may require or allow us to retain data for a longer period.

The data retention period depends mainly on the following:

• the period during which we need your data is the period necessary to provide you with our services and fulfill our obligations to you and for the purposes mentioned above in this Policy;
• if you have given your consent to data processing for a longer period, we will keep the data for this period unless you withdraw your consent in the meantime;
• legal or contractual obligations require us to keep your data for a certain period of time, for example, the periods provided by law for the defence of our rights (generally, a period that covers the statute of limitation periods).

We will process your data for the purposes provided above until you withdraw your consent unless we are obliged to retain these data for a longer period of time, according to the law, for reporting to public authorities or to defend our rights in court.

6. TO WHOM WE CAN DISCLOSE DATA

i. Your personal data may be transmitted to and processed by our trusted partners in order to provide you with services.

We may share your data with our trusted partners. We carefully select partners and suppliers who perform, on our behalf, operations in support of our business. We share with them only the personal data necessary to carry out the specific tasks we entrust to them.

When we outsource certain activities to our trusted partners, we make all reasonable efforts to verify in advance that they ensure the protection of your data through strict data security measures and we will enter into data processing contracts with each of them. More specifically, we may in the future transmit some data to third parties (our suppliers and partners) to perform the functions and services necessary for the operation of the Company’s activities, such as:

• site hosting services,
• third party couriers authorized by us to deliver in our name and on our behalf.

ii. Transmission of data to public authorities and institutions or judicial bodies

We may transmit some of your personal data to the competent public authorities or institutions when required to do so by law (e.g. fraud investigation, money laundering prevention, filing of returns and financial statements with tax authorities, etc.) or we may transmit such data to the courts when defending ourselves in court or before other public authorities.

iii. Access of auditors and consultants

We may pass on some of your personal data to providers of accounting, legal, human resources, auditing, banking and other services.

7. INTERNATIONAL TRANSFERS

As a rule, your data is not stored in a country outside the European Union or the European Economic Area (“EEA”).

If we transfer your data to other categories of partners / suppliers of the Company which are located in states that do not ensure an adequate level of protection of the transmitted data, we undertake to take all necessary measures to ensure that those partners / suppliers comply with the terms and conditions set out in this Policy. These measures may include the implementation of data protection standards (e.g. ISO 27001), standard contractual clauses adopted by the European Union Commission and systems of direct control of these mechanisms.

8. DATA SECURITY

The Company has implemented appropriate security measures to prevent your personal data from being accidentally lost, used or accessed, altered or disclosed in an unauthorized manner. We also limit access to your personal data to those employees, agents, contractors and other third parties who have a commercial need to know those data. They will process your personal data at our instruction and are subject to confidentiality obligations.

We have implemented procedures to deal with any suspicious breach of personal data and we will notify you and any competent regulatory authority of the breach when we are legally obliged to do so.

We may store your data in physical or electronic format. In some circumstances, we may anonymize your personal data (so that it is no longer associated with you) for research or statistical purposes, in which case we may use this information indefinitely without informing you.

9. YOUR RIGHTS

In addition to those mentioned in this Policy, in certain circumstances, the data subject has certain rights in accordance with the personal data protection regulations. These include:

a. Right to access

You can ask us:

• to confirm if we process your personal data;
• to give you a copy of that data;
• to provide you with other information about your personal data, such as the data we have, what we use it for, to whom we disclose it, if we transfer it abroad and how we protect it, how long we keep it, what rights you have, how you can make a complaint, where we have taken your data from, and whether we have carried out any automated decision-making or profiling operations, if the information has not already been provided to you in this Policy.

b. Right to rectification

You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.

c. Right to erasure (“right to be forgotten”)

You can ask us to delete your personal data, but only if one of the following grounds applies:

– they are no longer necessary for the purposes for which they were collected; or

• you have withdrawn your consent (when the data processing was based on consent); or
• as a result of a well-grounded right to object (see below, the Right to object); or
• they have been unlawfully processed; or
• a legal obligation to which the Company is subject must be complied with.

We are not obliged to respond to your request to delete your personal data if the processing of your personal data is necessary:

• for compliance with a legal obligation; or
• for the establishment, exercise or defence of certain rights in court.

There are several other circumstances in which we are not obliged to respond to your request for erasure.

d. Right to restriction of processing

You can ask us to restrict processing of your personal data (i.e keep your personal data without using them) only when:

• their accuracy is contested (see, above, the Right to rectification), in order to allow us to verify their accuracy; or
• the processing is unlawful, but you do not want to delete them; or
• they are no longer necessary for the purposes for which they were collected, but we still need them to establish, exercise or defend rights in court; or
• you have exercised your right to object and the verification of compelling reasons is pending.

We may continue to use your personal data following a request for a restriction if we have your consent; or

• for the establishment, exercise or defend rights in court; or
• for the protection of the rights of another natural or legal person.

e. Right to data portability

You can ask us to provide you with your personal data in a structured, commonly used, machine-readable format or you can request that they be transmitted directly to another data controller, but in any case, only when:

• the processing is based on your consent or on a contract with you; and
• the processing is carried out by automated means.

f. Right to object

You may object to any processing of your personal data based on “our legitimate interests” if you believe that your fundamental rights and freedoms override our legitimate interests.

Once you have objected, we have the opportunity to demonstrate to you that we have compelling legitimate interests that override your rights and freedoms.

g. Right to make a complaint

You have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing. Please try to resolve any issues by discussing them with us in the first instance, although you have the right to contact the supervisory authority at any time.

h. Right to withdraw your consent

You have the right to withdraw your consent if the Company processes personal data on the basis of your consent.

The data subject will not pay a fee or any other charge to access their personal data or to exercise any of their other rights. However, the Company, as Controller, may charge a reasonable fee if the request made is manifestly unfounded, repetitive or excessive. Alternatively, the Company may refuse to comply with a request received in these circumstances.

The Company has the right to request certain information in order to confirm the identity of the data subject who made the request to exercise any rights. This is a security measure to ensure that personal data is not disclosed to persons who are not entitled to receive them. We may contact you to request additional information regarding your request to expedite our response.

The company will make reasonable efforts to respond to all legitimate requests within one month. Occasionally, it may take longer than one month if the data subject’s request is very complex or the data subject has made several requests. In this case, the Company will notify you and keep you informed.

10. LET’S KEEP IN TOUCH

We have appointed a data protection officer. For all matters arising from this Policy, including requests for the exercise of the rights of the data subjects, you may contact the Data Protection Department:

• by e-mail at office@axessoftware.com ; or
• by post, to: Axes Software SRL, Str. Matei Basarab nr. 36, Parter (Ground Floor), Ap. 1, Sector 3, Bucharest.

If you have a complaint or you are concerned about the way in which we use your personal data, please contact us in the first instance and we will try to resolve the issue as soon as possible.

We hope you enjoy browsing our website!