Privacy policy

Security of personal data

In REGULATION (EU) 2016 / 679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF THE EUROPEAN UNION of 27 April 2016 the personal data are defined in art. 2 as follows:
any information regarding an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, identification number, location data, an online identifier, or to one or more many specific elements, their own physical, physiological, genetic, psychological, economic, cultural or social identity;

Data processing is defined in the same article as:
"Processing" means any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, extraction, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, deletion or destruction;

The operator of the personal data is the company ICCO-Systems SRL, with the address:
507075 Ghimbav, Strada Hermann Oberth 23, Hall 1(C1), Industrial Park Brasov. 

The website www.icco-systems.ro respects all the specifications of the aforementioned regulation regarding the processing of personal data.
The personal data, as defined above, that the site collects, only with the consent of the users, are:
• Name;
• Phone number;
• Email Address.
They are used at:
1. Client identification for delivery of correspondence.
2. Possible advertising emails sent if the user agrees to be included in the newsletter list.

The personal data are used legally, fairly and transparently to the data subject as specified in Art. 5 par. 1 a of Regulation (EU) 2016 / 679. They do not communicate in any form to a third party.
According to art. NO paragraph 6 b, from the aforementioned Regulation, the personal data are used as follows:
a) The name for the commercial correspondence;
b) The phone number and the email address will be used to provide product information.

Upon completing the contact form on the site, the data subject provides the personal data and implicitly gives his consent in accordance with art. NO paragraph 7 of Regulation (EU) 1 / 2016. The consent can be withdrawn by:
a) Email message to systems@icco.ro with the request for deletion of personal data.
b) Written address sent by post to the operator of personal data.
The data used when preparing invoices for the delivered goods will remain archived in accordance with the legal provisions, in force, regarding the accounting records of the company.

The site does not process special categories of personal data.
We do not have any other means of collecting personal data besides those mentioned above.
The period in which personal data is available on the site is determined by the data subject.

The operator guarantees the data subject that access to personal data is only allowed to employees authorized and trained for this purpose.

Policy for the processing of personal data

Protection of personal data

To those interested,

Ladies and gentlemen,

ICCO SYSTEMS knows the importance of your data and is committed to protecting their privacy and security. Therefore, it is important for us to provide you, in an integrated structure and practice the information related to the processing of your personal data as data subjects (users of the site www.icco-systems.ro, clients and potential clients , business partners, employees and potential employees) within the framework of this Policy for the processing of personal data.
ICCO SYSTEMS manages in a safe manner and only for the specified purposes, the personal data you provide about us.
We consider that it is our duty to respect the different legal regulations for the collection and processing of personal data. For us, protecting the personal rights and privacy of each individual is the foundation of trust in our business relationships.
Please follow this Policy and send us any request for details at the contact details mentioned below.

MARIUS COZMA

Chief Officer Corporate Data Protection

UMBRA Defense & Security
EXTERNAL PDO

office@umbradefense.com

+40 737 435 600

CONTENTS

I. Purpose of the data protection policy

II. Scope of data protection policy

III. Application of national legislation

IV. Principles of personal data processing

V. Reliability of data processing

1. Data about clients and partners

1.1 Processing of personal data in contractual relations
1.2 Data processing for marketing purposes
1.3 Consent to data processing
1.4 Processing of personal data and national legislation
1.5 Data processing based on a legitimate interest
1.6 Extremely sensitive data processing
1.7 Automatic processing decisions
1.8 User data and the Internet

2. The personal data of the employees

2.1 Employee data processing
2.2 Data processing at the request of the legal authorities
2.3 Collective processing of personal data
2.4 The employee's consent
2.5 Data processing in pursuit of a legal legal interest
2.6 Processing of sensitive data
2.7 Automatic processing decisions

VI. Transfer of personal data

ARE YOU COMING. Processing of personal data in commercial contracts

VIII. Rights of the data subject

IX. Processing confidentiality

X. Security of processing

XI. Control of the processing of personal data

XII. Data protection incidents

XIII. Responsible for the protection of personal data

I. Purpose of the data protection policy

As part of its social responsibility, ICCO SYSTEMS undertakes to comply with national and international data protection laws. This data protection policy is applied by ICCO SYSTEMS and is based on the basic principles accepted at European level regarding data protection. Providing technical and procedural data protection measures is the foundation of reliable business relationships and ICCO SYSTEMS reputation as an employer.
The policy of protection of personal data is a framework condition necessary for the conduct of our activity. This ensures the adequate level of data protection according to the GDPR and national laws for the management of personal data.

II. Scope of data protection policy

The data protection policy is created in agreement with the External Data Protection Officer. This data protection policy may be in accordance with the defined procedure for policy changes. The changes will be communicated immediately to ICCO SYSTEMS partners, using the policy modification process. Changes that have a major impact on compliance with the data protection policy will be reported to the authorities involved.
The latest version of the data protection policy can be accessed along with the data confidentiality information on the ICCO SYSTEMS website (www.icco-systems.ro).

III. Application of national legislation

The data protection policy includes the principles of confidentiality accepted internationally, without replacing the existing national laws. The relevant Romanian law will take precedence if it is in contradiction with this data protection policy or has stricter requirements than this policy. The content of this data protection policy must be respected in the absence of the corresponding national legislation. The reporting requirements for data processing will be complied with according to the national legislation.

IV. Principles of personal data processing

1. Fairness and legality
2. Restriction on a specific purpose
3. Transparency
4. Reduction of processing and data economy
5. Accuracy and updating of data
6. Confidentiality and data security

V. Reliability of data processing

The collection, processing and use of personal data is allowed only on the basis of the necessity of carrying out the company's activities. Any other processing that exceeds the area of ​​activity of the company is forbidden.
What kind of data do we process?
Data about clients and partners

1.1 Processing of personal data in contractual relations
The personal data of potential customers, collaborators and partners can be processed to establish, execute and terminate a contract. It also includes consulting services for the partner in the contract, if this is related to the contractual purpose. Before concluding the contract - during the initiation phase of the contract - personal data may be processed to prepare offers or purchase orders or to meet other requirements from the perspective relating to the conclusion of the contract. The data subjects can be contacted during the contract preparation process, using the information they have already provided. Any processing restrictions imposed by European or national legislation are complied with. For advertising activities we undertake to comply with the requirements of V.1.2.

1.2 Data processing for marketing purposes
If a natural person contacts ICCO SYSTEMS to request information (for example, the request to receive informative materials about a product), the processing of the data to respond to this request is allowed insofar as it corresponds to the purpose of the request.
The agreement (consent) regarding the processing of personal data in the loyalty or advertising activities of clients is mandatory. Personal data may be processed for advertising purposes or in market and opinion research, provided that this is compatible with the purpose for which the initial data was collected. The data subject is informed about the use of his data for advertising purposes. If the data is collected for advertising purposes only, the disclosure by the data subject is voluntary. The data subject is informed that the provision of data for this purpose is voluntary. When communicating with the data subject, prior consent is obtained to process the data for advertising purposes. When granting consent, the data subject has the opportunity to choose between available contact forms, such as regular mail, E-mail and telephone (Consent, see V.1.3).
If the data subject refuses to use his data for advertising purposes, they may no longer be used for these purposes and must be blocked from being used for these purposes.

1.3 Consent to data processing
Personal data may only be processed with the consent of the data subject. Prior to giving consent, the data subject must be informed in accordance with IV.3. from this data protection policy. The approval statement must be obtained in writing or in electronic format for the purpose of documentation and testing. In certain circumstances, such as telephone conversations, consent may be given verbally. The consent must be tested.

1.4 Processing of personal data and national legislation
The processing of personal data on the territory of Romania is carried out in accordance with the law 677 / 2001 and other laws, orders and decisions relevant in this regard. We acknowledge the competence of ANSPDC on the verification of the legality of the procedures of the processes and measures belonging to the scope of the protection of personal data. The type and extent of data processing must be necessary for the legal activity of data processing and comply with the relevant legal provisions.

1.5 Data processing following a legitimate interest
Personal data may also be processed if necessary for a legitimate interest of ICCO SYSTEMS. Legitimate interests are generally legal (for example, collection of outstanding receivables) or commercial (for example, avoiding the possibility of breach of contract provisions). Personal data cannot be processed for the purpose of a legitimate interest if, in individual cases, or if there is evidence that the interests of the data subject deserve protection and that it has priority. Before processing the data, it is necessary to determine if there are interests that need to be protected.

1.6 Extremely sensitive data processing
Highly sensitive personal data can only be processed if the law requires this or the data subject has given his / her express consent. This data may also be processed if it is mandatory for the affirmation, exercise or defense of legal claims regarding the data subject. If there is an intention to process highly sensitive data, the person responsible for the protection of personal data is informed in advance.

1.7 Automatic processing decisions
The automatic processing of personal data that is used to evaluate certain aspects (for example, the client's goodness) cannot be the only basis for decisions that have negative legal consequences or could significantly affect the data subject. The data subject should be informed about the facts and results of the individual automated decisions and about the possibility of responding. In order to avoid wrong decisions, an employee must perform a test and a plausibility check.

1.8 User data and the Internet
If personal data is collected, processed and used on websites or applications, the data subjects are informed about it in a privacy statement and, if applicable, information about cookies. The privacy statement and any information regarding the cookies will be integrated so that they are easily identifiable, directly accessible and consistently available to the data subjects.

2. The personal data of the employees

2.1 Employee data processing
In the labor relations, the personal data can be processed, if necessary, for the initiation, execution and termination of the employment contract. When initiating a work report, the personal data of the applicants can be processed. If the candidate is rejected, his / her data should be deleted according to the required retention period, unless the applicant has agreed that the data will be kept for a future selection process. Also, consent is required for the use of data for additional application processes.
In the existing employment report, data processing must always refer to the purpose of the employment contract if none of the following circumstances apply for the processing of authorized data.
If during the application procedure it should be necessary to collect information about an applicant from a third party, the requirements of the corresponding national laws must be respected. In case of doubt, an agreement must be obtained from the data subject.

2.2 Data processing at the request of the legal authorities
The processing of the personal data of the employees is also allowed if the national legislation requests, imposes or authorizes this. The type and extent of data processing must be necessary for the legal activity of data processing and must comply with the relevant statutory provisions. If there is a certain legal flexibility, the interests of the employee deserving to be protected must be taken into account.

2.3 Collective processing of personal data
If a data processing activity exceeds the purpose of performing a contract, it may be permitted if it is authorized by a collective agreement (agreement). Collective agreements are wage agreements or agreements concluded between employers and employees' representatives, to the extent permitted by labor law. The agreements must cover the specific purpose of the data processing activity and must be drawn up within the parameters of the national data protection legislation.

2.4 Employee consent
The employee's data may be processed according to the consent of the person concerned. Consent statements must be submitted voluntarily. The involuntary agreement is void. The approval statement must be obtained in writing or in electronic format for documentation purposes. In certain circumstances, consent may be given verbally, in which case it must be properly documented. In the case of the informed and voluntary provision of data by the relevant party, the consent may be obtained if the national legislation does not require the express consent. Prior to giving consent, the data subject must be informed in accordance with IV.3. from this data protection policy.

2.5 Data processing in pursuit of a legal legal interest
Personal data may also be processed if it is necessary to impose a legitimate interest in ICCO SYSTEMS. Legitimate interests are generally legal (for example, filing, applying or defending against legal claims) or financial (for example, evaluating companies).
Personal data cannot be processed on the basis of a legitimate interest if, in individual cases, there is evidence that the employee's interests deserve protection. Before processing the data, it must be determined whether there are interests that are worth protecting.

2.6 Processing of sensitive data
Highly sensitive personal data can only be processed under certain conditions. ICCO SYSTEMS does not process data on racial and ethnic origin, political beliefs, religious or philosophical beliefs, membership of trade unions and the health and sexual life of the data subject. In accordance with national legislation, other categories of data may be considered extremely sensitive or the content of the categories of data may be supplemented differently. Moreover, data relating to an offense can often be processed only in accordance with the special requirements of national law.
The processing of the data regarding the health status of the employees is allowed in order to fulfill some legal requirements. The employee is also obliged to expressly consent to the processing. If there are plans to process highly sensitive data, the person responsible for the protection of personal data must be informed in advance.

2.7 Automatic processing decisions
If personal data is automatically processed as part of the working relationship and specific personal data is evaluated (for example, in the selection of personnel or the assessment of competency profiles), this automatic processing cannot be the only basis for decisions that would have negative consequences or significant problems for the affected employee. In order to avoid wrong decisions, the automated process must ensure that a natural person evaluates the content of the situation and that this evaluation is the basis of the decision. The data subject must also be informed about the facts and results of the individual automated decisions and the possibility of responding.

VI. Transfer of personal data

The transmission of personal data to recipients from outside or inside ICCO SYSTEMS is subject to the authorization requirements for the processing of personal data according to section V. The data beneficiary must use the data only for the defined purposes.
In the unlikely cases where the data is transmitted to a recipient from outside the country or to a third country, this country must implement / agree to maintain a level of data protection equivalent to this data protection policy. It is necessary the consent of the data subject before the transfer activities. If the data is transmitted by a third party to ICCO SYSTEMS, it must ensure that the data can be used for the intended purpose.

ARE YOU COMING. Processing of personal data in commercial contracts

Data processing by an authorized person / company means that a processor is committed to processing personal data on behalf of and for ICCO SYSTEMS and is obliged to assume responsibility for the related processing process. In these cases, an agreement regarding the processing of data regarding the processor (the authorized person) will be concluded and will be based on a contract for this purpose. The person empowered by us has full responsibility for the correct and legal processing of the data. The processor may only process personal data according to our instructions. When issuing the order, minimum security requirements must be met; the department placing the order must ensure that they are fulfilled.

VIII. Rights of the data subject

Each data subject has the following rights: (These will be respected immediately by our unit and cannot be a disadvantage for the data subject.)

1. The data subject may request information about the personal data that was stored, how the data was collected and for what purpose. If there are any other rights to view our documents (for example, the personnel file) for the employment relationship in accordance with the relevant employment laws, they will not be affected.
2. If personal data is transmitted to third parties, information about the identity of the recipient or the categories of recipients will be provided.
3. If the personal data are incorrect or incomplete, the data subject may request their correction or completion.
4. The data subject may challenge the processing of his data for publicity or market research / public opinion purposes. Data must be locked for these types of use.
5. The data subject may request that his data be deleted in case the processing of this data has no legal basis or if the legal basis is no longer valid. The same is true if the purpose behind the data processing has expired or has ceased to be applicable for other reasons. Existing retention periods and conflicting interests that deserve to be protected must be respected.
6. The data subject has, in general, the right to oppose the processing of his data and this must be taken into account if the protection of his interests takes precedence over the interests of the data operator due to a specific personal situation. This does not apply if a legal provision requires data to be processed.
In addition, each data subject may claim the rights under point III. Paragraph 2, IV, V, VI, IX, X and XIV. Paragraph 3 as a third party beneficiary if we, who have accepted to comply with the data protection policy, do not respect the requirements and violate the rights of the party.

IX. Processing confidentiality

Personal data is subject to the secrecy of data processing. Any unauthorized collection, processing or use of this data by employees is prohibited. Any data processing performed by an employee who has not been authorized to perform it as part of his or her legitimate duties is unauthorized. The "need to know" principle applies. Employees may have access to personal information only as appropriate for the type and purpose of the task in question. This requires careful breakdown and separation, as well as the implementation of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose them to unauthorized persons or to make them available in any other way. We will train our employees at the beginning of the working relationship on the obligation to protect data secrecy. This obligation remains in force even after the end of the employment period.

X. Security of processing

Personal data is protected against unauthorized access and illegal processing or disclosure, as well as accidental loss, modification or destruction. This applies whether the data is processed electronically or on paper. Prior to the introduction of new methods of data processing, especially of new information systems, technical and organizational measures for the protection of personal data must be defined and implemented. These measures must be based on the technical stage, the processing risks and the need to protect the data (determined by the information classification process).

XI. Control of the processing of personal data

Compliance with the data protection policy and applicable data protection laws is regularly verified through data protection audits and other controls. The performance of these controls is the responsibility of the Data Protection Officer. The results of the data protection checks should be reported to the Director for personal data protection. The external DPO oversight company of ICCO SYSTEMS will have to be informed about the primary results as part of the related reporting tasks. Upon request, the results of the data protection controls will be made available to the data protection authority. The data protection authority may carry out its own controls in accordance with the regulations in this policy, as permitted by national law.

XII. Data protection incidents

All employees must immediately inform the External Data Protection Officer regarding the cases of breach of this Data Protection Policy or other regulations regarding personal data protection (data protection incidents).
In cases of improper transmission of personal data to third parties, inadequate access of third parties to personal data or the loss of personal data, the reports required by the company (Managing information security incidents) must be made immediately, so that to be able to comply with all reporting obligations in accordance with national legislation.

XIII. Responsible for the protection of personal data

From an organizational point of view, the External Data Protection Officer represents the ICCO SYSTEMS advisor for the operations of protection and processing of personal data. The departments responsible for business processes and projects must inform in due time about the introduction of new processes for the processing of personal data. For the data processing plans that may present special risks for the individual rights of the data subjects, the Data Protection Officer will be informed before the processing begins. This applies in particular to highly sensitive personal data. Managers must ensure that their employees are sufficiently trained in data protection.
Inappropriate processing of personal data or other violations of data protection laws may be penalized or contraventional.