PERSONAL DATA PRIVACY POLICY
The privacy of personal data is one of the main concerns of the Operator. As such, we want to ensure the highest standards of confidentiality and transparency regarding the personal data we process in our current activity.
Since we want to launch the waiting list as soon as possible, this Data Processing Policy strictly concerns the reservation procedure, which will generate the waiting list for contracting YellowGrid equipment, and because for this purpose it is necessary to process a series of personal data, we want to provide assurances that the processing will take place in compliance with the principles of transparency and security of personal data.
This privacy policy is intended to help you understand what data we collect, why we collect it and what we do with it.
Section I. Information about the operator and the principles of processing:
The personal data controller is YELLOWGRID PROD SRL, a company based in Cluj-Napoca, 4 Freziei Street, Cluj County, registered with the Trade Register Office attached to the Cluj Tribunal under no. J2024043498000, with CUI no. 50925976.
In accordance with art. 32 of Regulation 679/2016 (hereinafter referred to as "GDPR"), we have taken appropriate technical, physical and organizational security measures to protect personal data against unauthorized/illegal access, modification, deletion, damage, loss or access.
We will comply with the principles of personal data processing as mentioned in art. 5 of the GDPR, respectively we will process your personal data:
Lawfully, fairly and transparently;
For specified, explicit and legitimate purposes and not in a manner incompatible with the purposes stated at the time of collection of the personal data;
Ensuring their adequacy, relevance, limiting the processing to what is necessary in relation to the purposes of the processing;
Ensuring that personal data that are inaccurate are erased or rectified without delay;
Storing the data in a form which permits identification of data subjects for a period not exceeding the period necessary for the fulfilment of the purposes of the processing;
In a manner which ensures adequate data security, including protection against unauthorized or unlawful processing or against accidental loss, destruction or damage, by taking appropriate technical and organizational measures.
Section II. Data subject to processing, purpose, legal basis and retention period:
1. Surname and first name:
The purpose of processing these data is to be able to offer you the reservation of our Equipment and to be able to contact you in order to honor the reservation made.
The basis for processing is art. 6 letter b of the GDPR, the processing being necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract;
Regarding the duration of data retention, we will store this data as long as you have an account created for the reservation or purchase of the Equipment.
Regarding the duration of data retention, we will store this data as long as you have an account created for the reservation or purchase of the Equipment. In case of deactivation of the account, the data will be deleted or anonymized within a maximum of 30 days.
2. Telephone number:
The purpose of processing this data is mainly to be able to contact you in order to honour the reservation, but we will also use this data to provide additional protection to your account through the 2FA process.
The basis for processing is art. 6 lit. b of the GDPR, the processing being necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract;
Regarding the duration of data retention, we will store this data as long as you have an account created for the reservation or purchase of the Equipment. In the event of deactivation of the account, the data will be deleted or anonymized within a maximum of 30 days.
3. Email address:
The purpose of processing this data is to be able to apply for a reservation of our Equipment and to be able to contact you in order to honor the reservation made.
The basis for processing is art.6 letter b of the GDPR, the processing being necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract;
Regarding the duration of data retention, we will store this data as long as you have an account created for the reservation or purchase of the Equipment. In the event of deactivation of the account, the data will be deleted or anonymized within a maximum of 30 days.
4. Location and Geolocation of Equipment Installation:
The purpose of processing this data is to assess the possibility of installing Yellowgrid equipment in the location indicated by the Client.
The basis for processing is art.6 letter b of the GDPR, the processing being necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract;
Regarding the duration of data retention, we will store this data as long as you have an account created for the reservation or purchase of Equipment. In the event of deactivation of the account, the data will be deleted or anonymized within a maximum of 30 days.
Section III. How we collect and use your personal data:
We collect your personal data directly from you when you create an account to book our equipment.
If you choose to provide us with the personal data of other people, such as when you make a reservation on behalf of another person or open a customer account on behalf of another person, you assume responsibility for the way in which you obtained this data, but also for the existence of a legal basis for its processing, and we cannot be held liable for the violation of the rights of those persons.
We do not use personal data for automated processing or profiling. We never make automated decisions about you. We use technical means to store data in secure conditions. We do not process data for secondary purposes incompatible with the purposes for which we collected it.
Section IV. Use of cookies:
The site contains cookies (very small files that we send to the users' computer or other access device).
These cookies are of two types, namely:
Functionality cookies, with the role of improving the experience of site users. They allow users to benefit from various functionalities;
Performance cookies, used to measure and analyze how the site is used. Through these cookies, the way the site operates and the experience of site users can be continuously improved.
The cookies indicated above do not and cannot lead to the unique identification of the person, because any person can use a computer/device to access the site, without the operator/authorized person being able to know his/her identity through cookies. Therefore, the cookies we use do not lead to the processing of your personal data.
Section V. To whom do we disclose personal data?
In order to fulfill the processing purposes, we may disclose your personal data to:
a. Employees and collaborators of the operator/processor, who have signed a confidentiality agreement with the operator/processor regarding the personal data subject to processing.
b. Public institutions and authorities – to the extent that the operator has a legal obligation to disclose personal data to them (e.g. police bodies, courts, MIA, ANAF, National Office for the Prevention and Combating of Money Laundering).
The operator or processor may disclose your data whenever the law requires it or in the event that this is necessary to allow the exercise of rights provided by law and/or to be able to take legal action against any illicit activity.
c. Third parties, to the extent that the disclosure of personal data is necessary for the performance by the operator or the processor of the obligations assumed by the concluded contracts or for the performance of legal obligations (for example: outsourced accounting service, IT/website maintenance service provider, marketing service provider, lawyers, etc.)
In the event that the third parties mentioned above do not have a legal obligation to maintain confidentiality regarding the personal data disclosed by the operator or the processor, the data will be disclosed to them only to the extent of the conventional assumption of the confidentiality obligation.
Section VI. Your rights in relation to the processing of personal data:
Right to be informed
The data subject has the right to be fully, correctly and accurately informed about the personal data to be processed, the purpose of the processing, the persons who will carry out the processing operation and the period until which the personal data will be processed or stored; The information is provided through this privacy policy.
Right of access, rectification, erasure, restriction of processing and objection to processing:
(1). The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where so, access to those data and to the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or are to be disclosed, in particular recipients in third countries or international organisations, where possible, the period for which the personal data are expected to be stored or, where that is not possible, the criteria used to determine that period, the existence of the right to request the controller to rectify or erase personal data or to restrict the processing of personal data concerning him or her or to object to processing, the right to lodge a complaint with a supervisory authority;
(2). The controller shall provide a copy of the personal data which are the subject of the processing. Where the data subject submits the request in electronic format and unless the data subject requests another format, the information shall be provided in a commonly used electronic format.
(3). The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes for which the data were processed, the data subject shall have the right to obtain the completion of incomplete personal data, including by providing a supplementary statement.
(4). The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data without undue delay where one of the grounds set out in Article 17(1) of the GDPR applies.
(5). The data subject has the right to obtain from the controller restriction of processing where one of the following applies: the data subject contests the accuracy of the data, for a period enabling the controller to verify the accuracy of the data, the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, the controller no longer needs the personal data for the purposes of the processing, but the data subject requests them for the establishment, exercise or defence of legal claims, the data subject has objected to processing pursuant to Article 21(1) of the GDPR, for the period of time during which it is verified whether the legitimate rights of the controller override those of the data subject.
(6). The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where: the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the Regulation and the processing is carried out by automated means.
(7). The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, including profiling based on those provisions, based on Article 6(1)(e) or (f) or Article 6(1). The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to lodge a complaint with the Supervisory Authority:
Without prejudice to any other administrative or judicial remedy, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of alleged infringement, if he or she considers that the processing of personal data concerning him or her infringes the GDPR.
Right to be informed of a personal data breach:
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject without undue delay of the personal data breach.
Where a personal data breach occurs, the controller shall notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless it is likely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by a reasoned explanation.
The said notification shall include at least:
the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned;
the name and contact details of the data protection officer or another contact point from which further information can be obtained;
the likely consequences of the personal data breach;
the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The controller shall keep records of all personal data breaches, including a description of the factual circumstances in which the personal data breach occurred, its effects and the remedial measures taken.
Section VII. Security of your personal data:
We work hard to protect our website and users, as well as all personal data collected under this Privacy Policy, from any unauthorized access, but also from the modification, unauthorized disclosure or destruction of the information we hold.
In this regard:
We certify that we meet the minimum requirements for personal data security, the data being processed in a way that ensures protection against unauthorized processing, loss, destruction or accidental damage, by taking appropriate technical and organizational measures;
We restrict access to our employees and contractors to data strictly necessary for the performance of their activities, and contractual relationships with these persons are subject to strict rules regarding confidentiality obligations.
We periodically review the policies for collecting, storing and processing information, as well as security measures, to prevent unauthorized access to systems;
Section VIII. Additional obligations imposed on controllers:
The controller shall provide the data subject with information on the action taken following a request concerning the data subject's rights without undue delay and in any event not later than one month from the receipt of the request. This period may be extended by two months where necessary, taking into account the complexity and number of requests.
The controller shall inform the data subject of any such extension within one month of the receipt of the request, giving reasons for the delay. Where the data subject submits a request in electronic format, the information shall be provided in electronic format where possible, unless the data subject requests another format.
If the controller does not take action on the request of the data subject, it shall inform the data subject, without undue delay and no later than one month from receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and of bringing a judicial remedy.
The controller shall keep records of the processing activities carried out under its responsibility. The records shall be drawn up both in writing and in electronic format.
If you wish to exercise any of the rights indicated above, please contact the person responsible for the protection of personal data designated by the controller (email: [email protected]). If you are dissatisfied, you may contact the ANSPDCP.
