Privacy Statement
Introduction
Principal33 SRL, headquartered in Brasov, 13A Garii Blvd., Nine Building, 3rd floor, Brasov County, having the sole registration code 42574513 and the number of registration at the Romanian Trade Register J8/2455/2021 (hereinafter referred to including as we or us or Principal) complies with the legal provisions in force in the context of processing of Your personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR).
We are committed to protecting and respecting your privacy. This Privacy Statement outlines how we use any personal information you provide to us through our website (https://www.principal33.com/)
As the controller, we are responsible for determining the purposes and means of the processing of your personal data, either alone or jointly with others.
When a third party (a natural or legal person, agency or other body) process personal data on our behalf, they act as a processor, as defined by GDPR. We will promptly provide updated information about any entity acting as a processor by disclosing its identity, contact details, as well as its obligations and responsibilities, according to GDPR and any other applicable rule or judicial or administrative regulation that is binding to them and also to us. Moreover, we will promptly inform You about Your rights regarding the processing activities that concern You and we will obtain your consent when required by law.
Definitions
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as name, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Principles that guide us according to GDPR
- Principles relating to processing of personal data
We adhere to the following principles when processing personal data: (a) Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly and in a transparent manner in relation to You;
(b) Purpose Limitation: Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes, in accordance with Article 89(1) of GDPR;
(c) Data Minimization: Personal data will adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
(d) Accuracy: Personal data will be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, considering the purposes for which they are processed, are erased or rectified without delay;
(e) Storage Limitation: Personal data will be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1) of GDPR, subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of the data subject;
(f) Integrity and Confidentiality: Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) You have given consent to the processing of Your personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which You are party or to take steps at Your request prior to entering a contract;
(c) processing is necessary for compliance with a legal obligation to which we are subject;
(d) processing is necessary to protect Your vital interests or those of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
(f) processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by Your interests or fundamental rights and freedoms that require protection of personal data, in particular if You are a child.
- Conditions for consent
Where processing is based on Your consent, we shall be able to demonstrate that You have consented to processing of Your personal data.
If Your consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of GDPR shall not be binding.
You shall have the right to withdraw Your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, You shall be informed thereof. Withdrawing consent shall be as easy as giving consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
- Conditions applicable to child’s consent
The processing of the personal data based on the consent of a child shall be lawful where the child is at least 16 years old. Where the child is under the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
We will make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
- Processing of special categories of personal data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
The prohibition shall not apply if one of the following applies:
(a) You have given explicit consent to the processing of those personal data for one or more specified purposes;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights (Your rights or our rights) in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for Your fundamental rights and interests;
(c) processing is necessary to protect Your vital interests or those of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing relates to personal data which are manifestly made public by You;
(e) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(f) processing is necessary for reasons of substantial public interest, based on Union or Member State law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard Your fundamental rights and interests;
(g) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in GDPR;
(h) processing is necessary for reasons of public interest in public health, such as protecting against serious cross-border threats against health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, based on European Union or Member State law which provides for suitable and specific measures to safeguard Your rights and freedoms, in particular professional secrecy;
(i) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR based on European Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard Your fundamental rights and the interests.
- Processing of personal data relating to criminal convictions and offences
Processing of personal data relating to criminal convictions and offences or related security measures shall be carried out only under the control of official authority or when the processing is authorised by European Union or Member State law, providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
- Processing which does not require identification
If the purposes for which we process personal data do not or no longer require Your identification, we shall not be obliged to maintain, acquire or process additional information solely to identify You for the sole purpose of complying with GDPR.
Where, in cases referred to in paragraph below, we will be able to demonstrate that we are not in a position to identify You, we shall inform You accordingly, if possible.
Purposes and the legal ground of the processing
We will process Your personal data only when there is a valid legal ground for doing so. Where Your consent is the legal ground for processing the personal data, it must be given through a clear affirmative act that indicates Your freely given, specific, informed and unambiguous agreement to the processing of personal data relating to You. This may be done via a written statement, including by electronic means, or possibly an oral statement. Examples include ticking a box when visiting our website, selecting technical settings or performing other actions that clearly indicate Your acceptance of the processing of Your personal data. Silence, pre-ticked boxes or inactivity do not constitute consent under GDPR. Consent must cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent must be given for each of them. If Your consent is requested electronically, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
In line with our business activity, we process Your personal data to present our products and services, team, values and other relevant aspects that may help us in providing our services and establishing or developing a business or employment relationship with You.
We also use personal data collected through cookies for the purposes detailed within our Cookies Policy. Please note that we may include using data from cookies for internal and commercial purposes, ensuring website functionality, improving your navigation experience and enhancing the services we offer to our customers. Furthermore, we may process personal data to better understand Your needs, interests or preferences or to gather Your feedback on the website functionality, on our services or related to what is important to You in connection with our products and services.
To the extent permitted by applicable law, we use your personal data for various purposes, such as to carry out analytics and market research and internal reporting to enable us to plan, develop and improve our website, our products, services and marketing activities and to prevent and detect unlawful behaviour, and protect or enforce our legal rights, for example defending us in case of legal disputes.
With Your Prior consent, we may provide You with valuable information and deliver targeted content and advertisements, including through marketing cookies stored on Your device directly by us or by our partners.
Please note that the list of purposes for which we process Your personal data is not exhaustive. You will be fully informed in a timely manner, of any specific purpose for the processing of Your personal. We will always comply with the legal requirements and take all reasonable measures to ensure that all Your rights are fully respected.
Categories of data that we process
We may process various categories of personal data, including but not limited to:
- name,
- citizenship,
- date and place of birth,
- age,
- personal identification number / personal numeric code / social security number,
- identity card series, number or other details contained,
- identification document (e.g., passport, national identification document),
- place of residence,
- e-mail address,
- telephone number,
- workplace and occupation,
- educational background,
- information related to the acquisition of products and services from us,
- information related to Your navigation on our website (frequency, parts of interest, device, network, browser, operating system, applications installed on Your device, IP address),
- financial or payment details related to Your cards or bank accounts,
- information provided by You when contacting us via mail, forms on our website, phone, or chat
- information received through the cookies stored on Your device when accessing our website.
For more information, please consult our Cookies Policy
Please note that this list is not exhaustive.. Any of Your personal data will be processed strictly in accordance with all legal and ethical requirements and Your consent will always be required if necessary.
Source of the personal data
We collect Your personal data when You navigate on our website, fill in forms or chat with us through our website. Additionally, We may collect personal data, subject to Your consent, when necessary, by phone or by e-mail, whenever we interact with You to offer You information related to our products and services. Moreover, we may process personal data collected through the cookies stored on Your device when accessing our website. Please note that these may be stored by us or by our partners.
As our website might use external services from our partners, be aware that their cookies may also be placed on your device. The cookies placed by our partners are known as third-party cookies. To get prompt and complete information related to these type of cookies, please consult at any time the third party’s Cookies Policy or Privacy Policy by accessing their websites. For details related to cookies and how they are related to You, please read our Cookies Policy.
In compliance with all legal requirements, we may process Your personal data received from public registers or any third parties, such as Courts, public institutions, accountants, attorneys, engineers or any other natural person or company and any other legal persons.
Categories of recipients of the personal data personal
Your personal data will always be processed by us in compliance with applicable legal provisions. With your consent, and in full compliance with legal requirements and binding judicial or administrative decisions, we may share Your personal data with third parties.
We will not sell Your personal information to any third party outside our group of companies. However, we may need to disclose your personal information to third parties for the purpose of establishing or developing a business or employment relationship, we may share Your personal data with our contracting parties, individual professionals (e.g., accountants, bank clerks, couriers, medical professionals, engineers, lawyers, notaries) or various public entities (institutions, authorities) or administrators of public registries. The list is not exhaustive.
Please note that we will not transfer Your personal data to third countries or international organisations. If such a transfer becomes necessary, You will be priorly informed, including details about the applicable conditions, legal grounds, guarantees and safeguards, according to Your rights and interests.
Retention period of personal data
As a rule, we will process and store your personal data only for the period necessary to achieve the purposes for which it was collected.. Exceptions to this rule will be made in accordance with applicable law, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
Security of the processing
Personal data will be processed in a manner that ensures appropriate security and confidentiality of the personal data, including measures to prevent unauthorised access to or use of personal data and the equipment used for its processing.
We will take all reasonable legal and technical measures to ensure the security of your personal data processing . We are committed to mitigating risks associated with personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data which could result in physical, material or non-material harm.
We will continuously implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
We will ensure that any individual acting under our authority who has access to personal data does not process it except under our instructions , unless required to do so by European Union or Member State law.
Your rights and how to exercise them
- Right of access
You have the right to obtain a confirmation as to whether personal data concerning You are being processed, and, where this is the case, to access the personal data and receive the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request rectification or erasure of personal data, restriction of processing or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected directly from you, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of GDPR and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
If personal data are transferred to a third country or to an international organisation, You have the right to be informed of the appropriate safeguards relating to the transfer.
You also have the right to receive a copy of the personal data undergoing processing free of charge. For any further copies requested, we may charge a reasonable fee based on the administrative costs that will previously be communicated to you upon Your request.
If You make requests by electronic means, and unless otherwise requested by You, the information shall be provided in a commonly used electronic form.
- Right to rectification
You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning You. Considering the purpose of the processing, You will have the right to have incomplete personal data completed, including by providing a supplementary statement.
- Right to erasure (“right to be forgotten”)
You have the right to obtain from us the erasure of personal data concerning You without undue delay and we have the obligation to erase Your personal data without any delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) You withdraw consent on which the processing is based and where there is no other legal ground for the processing;
(c) You object to the processing pursuant to Article 21(1) of GDPR and there are no overriding legitimate grounds for the processing, or You object to the processing pursuant to Article 21(2) of GDPR;
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased for compliance with a legal obligation under European Union or a Member State law to which we are subject;
(f) the personal data have been collected in relation to the offer of services to a person under 16 years old.
If the personal data have been made public by us and we are obliged to erase the personal data, taking account of the available technology and the cost of implementation, we shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that you have requested the erasure of any links to, or copy or replication of, those personal data.
The two above paragraphs shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by European Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
(c) for reasons of public interest in public health in accordance with GDPR;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR in so far as the right to erasure (right to be forgotten) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
- Right to restriction of processing
You have the right to obtain from us the restriction of processing where one of the following applies:
(a) You contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
(b) the processing is unlawful and You oppose the erasure of the personal data and request the restriction of their use instead;
(c) we no longer need the personal data for the purposes of the processing, but they are required by You for the establishment, exercise or defence of legal claims;
(d) You have objected to processing (exercised Your right to object pursuant to Article 21(1) of GDPR) pending the verification whether our legitimate grounds override Yours.
Where processing has been restricted, such personal data shall, except for storage, only be processed with Your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
If You have obtained restriction of processing, You shall be informed by us before the restriction of processing is lifted.
- Notification obligation regarding rectification or erasure of personal data or restriction of processing
We shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon your request, We will inform You about these recipients.
- Right to data portability
You have the right to receive the personal data concerning You, which You provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, where:
(a) the processing is based on Your consent; and
(b) the processing is carried out by automated means.
In exercising Your rights to data portability, You have the right to have the personal data transmitted directly from us to another controller, where technically feasible.
The right to data portability does not affect the right to erasure (right to be forgotten) under Article 17 of GDPR and does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
The exercise of this shall not adversely affect the rights and freedoms of others.
- Right to object
You have the right to object, at any time and on grounds relating to your situation, to the processing of your personal data, including profiling, when the processing is based on:
(a) The performance of a task carried out in the public interest or in the exercise of official authority vested in us; or
(b) The pursuit of legitimate interests by us or a third party, except where such interests are overridden by your interests, rights, and fundamental freedoms, particularly where the data subject is a child.
Profiling, as defined by GDPR, refers to any form of automated processing of personal data to evaluate certain personal aspects of an individual, such as work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
If you exercise your right to object, We will cease processing Your personal data unless we can demonstrate compelling legitimate grounds for the processing that override Your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where Your personal data are processed for direct marketing purposes, You have the right to object at any time to the processing of Your personal data for such purposes, including profiling related to direct marketing.
If You object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
You may exercise Your right to object through automated means where applicable, by using technical specifications provided.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to GDPR, You have the right to object, on grounds relating to Your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You.
This right shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between You and us;
(b) is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard Yours rights and freedoms and legitimate interests; or
(c) is based on Your explicit consent.
In the cases referred to in points (a) and (c) of the above paragraph, we will implement suitable measures to safeguard Your rights and freedoms and legitimate interests. These measures include, at a minimum, the right to obtain human intervention, to express Your point of view and to contest the decision.
- Right to lodge a complaint
If you have any questions, require further information, or wish to exercise your rights under data protection laws, including if you believe your rights under GDPR have been violated or disregarded, please contact us, using the following contact details:
- e-mail: dataprotection@principal33.com
- postal address: Maestro Business Center (5ª floor), Boulevard 21 Decembrie 1989, Cluj-Napoca 400124, Romania
We strive to respond to Your request or complaint within 30 calendar days. If Your request or complaint requires a longer processing time, we will inform you within the initial 30 days and provide an estimated timeline for resolution.
Additionally, if you are not satisfied with our response, you have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing.
Their contact details are:
- 28-30 General Gheorghe Magheru Bld. District 1, post code 010336, Bucharest, Romania
- anspdcp@dataprotection.ro
- dpo@dataprotection.ro
- telephone number: +40.318.059.211
- fax number: +40.318.059.602
For more detailed information regarding Your rights under data protection laws, You can visit the website of the National Supervisory Authority For Personal Data Processing by accessing this link: https://www.dataprotection.ro/?page=contact&lang=en.
Changes of our Privacy Statement
We may update this Privacy Statement to reflect changes in legal requirements, instructions from authorities , technological advancements or other relevant factors.,
Any changes will be promptly published and the updated version of this statement will be made available on our websit
We kindly recommend that You read the Privacy Statement regularly to stay informed of any updates. The date of the last update will be clearly indicated.
Whether important changes will be made, we will notify You by using the contact details available to us.
Contact details
We are committed to upholding your data protection rights and complying with legal and ethical standards.. Therefore, should You need any additional information or clarification related to this Privacy Statement or have any observation or suggestion, please do not hesitate to contact us using the following contact details:
- e-mail: dataprotection@principal33.com
- postal address: Maestro Business Center (5ª floor), Boulevard 21 Decembrie 1989, Cluj-Napoca 400124, Romania