Last revised: 02.11.2020
General Data Protection Regulation (GDPR) – means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Personal data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Restriction of processing – means the marking of stored personal data with the aim of limiting their processing in the future;
Controller- means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
The National Supervisory Authority for Personal Data Processing (ANSPDCP) – means independent public authority established Romania, competent in the field of monitoring compliance with GDPR;
Terms in this policy that have not been defined above will be interpreted in accordance with the GDPR unless they are given a distinct meaning.
LAB36SOLUTIONS, as a Controller, processes the personal data of employees, partners, natural persons, and other persons who interact with the company and/or are involved in contractual relations.
This policy describes how personal data should be processed, in accordance with the GDPR, the principles of personal data processing, as well as the rights and obligations of employees involved in the process of processing personal data. The good faith and quality conduct that LAB36SOLUTIONS has and promotes in contractual and labor relations is based on the quality standard protecting the rights to privacy and the processing of personal data.
Compliance with the GDPR and good practices regarding the protection of personal data;
Protection of the rights of the data subjects;
Transparency on how personal data is protected;
Protection against risks of breach of security of personal data.
This policy applies to:
To all LAB36SOLUTIONS employees;
All-natural or legal persons who carry out the processing of personal data, for the purpose and the means established by LAB36SOLUTIONS (eg persons authorized by the company);
Other data subjects whose data are processed by LAB36SOLUTIONS.
5. Principles of personal data processing
Personal data are:
Processed legally, fairly and transparently to the data subject;
Collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes;
Appropriate, relevant and limited to what is necessary for relation to the purposes for which they are processed;
Accurate and updated in time;
Retained in a form that allows the identification of the data subjects for a period not exceeding the period necessary to fulfill the purposes for which the data are processed;
Processed in a manner that ensures the adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures.
6. Types of personal data processed
LAB36SOLUTIONS, depending on the purpose and the legal basis, mainly collects the following types of personal data:
For employees and authorized persons
Identity card details (name, first name, home address, date and year of birth, NOC, gender, series and number Identity card)
Data from the Curriculum Vitae
Medical data (eg medical leave)
For data subjects from the U.E. or outside (US, Asia):
Name and surname
Personal identification number
E-mail (if applicable)
User login details
7. The legal basis of the processing
The company operates on the basis of the Companies Law no. 31/1990 and operates in accordance with it, as follows:
I. The data processed for LAB36SOLUTIONS employees have as legal basis:
The Law of companies no. 31/1990,
The Labor Code and the legislation related to the work, for the aspects related to the activity of the employees,
Accounting Law no. 82/1991, for the financial – accounting aspects,
Government Emergency Ordinance 158/2005 on the holidays and social insurance benefits,
GEO no. 96/2003 regarding the protection of motherhood at workplaces,
GD 905/2017 on the general register of employees’ records,
Law 16/1996 of the National Archives, regarding the obligations to keep the documents,
Fiscal Procedure Code, for reporting issues,
The Code of Civil Procedure and the Civil Code for other aspects such as the exercise of rights or disputes.
Express consent for certain specific cases (e.g. pictures of employees).
II. The data of the authorized persons will be processed based on the conclusion and execution of contracts and collaboration protocols.
III. Data of the persons concerned from the U.E. or from outside it (US, Asia) are processed based on on the conclusion and execution of contracts and collaboration protocols or explicit consent.
8. Data transfer
LAB36SOLUTIONS transfers personal data to third parties on the basis of the contractual obligations assumed, offering guarantees of protection of personal data, their security, non-disclosure, and confidentiality, to: accounting service providers, hosting providers, maintenance services etc.
In addition to the above, LAB36SOLUTIONS transfer personal data when required by law: e.g., ITM, public institutions, or courts.
9. Protective measures and guarantees
LAB36SOLUTIONS implements appropriate technical and organizational measures to ensure a high level of security and protection of personal data. We use security methods and technologies, together with policies applied to employees and work, control, and audit procedures, to protect personal data collected in accordance with the legal provisions in force. At LAB36SOLUTIONS level, there are security procedures that apply across the network and for all types of data.
10. Duration of processing
Personal data are stored for processing for the duration necessary to achieve the processing purposes mentioned in this policy and, subsequently, according to legal requirements.
Each employee of LAB36SOLUTIONS is responsible, in accordance with his duties, for the protection of personal data. Moreover, the following persons carry out specific tasks:
Management – is responsible for ensuring that LAB36SOLUTIONS fulfills its obligations regarding the protection of personal data provided by the GDPR.
The data protection officer, has the following tasks:
Informing and advising the management as well as the employees involved in the processing of their obligations under the GDPR;
Informing the Management in a timely manner about all aspects of data protection (eg risks);
Regular updating of the procedures and policies for the protection of personal data;
Initiate and monitor the training of employees in the field of personal data protection;
Providing on-demand advice on data protection impact assessment and monitoring of its operation;
Cooperation with ANSPDCP – contact point regarding processing issues;
Solving the requests of the data subjects, when they refer to the exercise of a right provided by the GDPR.
12. Rights of the data subject
Any data subject may exercise the following rights, as provided by the GDPR:
The right of access;
The right of rectification;
The right to delete, after the expiry of the storage period or once the initial purpose of the processing has been reached;
The right to restrict processing;
The right to portability;
The right to oppose processing;
The right not to be the subject of a decision based solely on automatic processing, including profiling.
The right to address ANSPDCP and the courts;
The requests for the exercise of the rights provided by the GDPR will be written, signed, and dated and submitted to our Data Protection Officer.
13. Transparency of information
LAB36SOLUTIONS aims to inform all data subjects that their personal data are being processed and that they are aware of:
The mode and type of data processing;
Purposes and legal grounds for processing:
Exercise of rights in connection with processing.
In this regard, as well as in order to comply with the obligations stipulated by the GDPR, has appointed a Data Protection Officer who can be contacted at firstname.lastname@example.org .