INFORMATION NOTICE
on the processing of personal data carried out by Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
– ANSPDCP –
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (National Supervisory Authority for Personal Data Processing), with the premises in 28-30 G-ral. Gheorghe Magheru Boulevard, 1st district, Bucharest, tel. +40.31.805.9211, fax: +40.31.805.9602, website: www.dataprotection.ro, email: anspdcp[at]dataprotection.ro, hereby informs you of the processing of your personal data and your rights in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter GDPR) and with the national legislation on data protection and data security in force.
Purposes and the legal ground of the processing
Pursuant to the national legislation (Law no. 102/2005, republished, Law no. 190/2018, Law no. 506/2004) and the European legislation (Regulation 2016/679/UE, Directive 2016/680/EC, Directive 2002/58/EC) in force, ANSPDCP has the obligation to use the personal data provided to it in a safe way and only for the specified purposes.
ANSPDCP processes your personal data in accordance with the GDPR provisions as a data controller through the services/offices/compartments, in accordance with the applicable specific provisions, in order to carry out the following activities:
- public relations/petitioning/formulating the points of view at the request of individuals
- formulating actions and the representation in court
- organising/rollout events
- fulfilling the legal competences of control and investigation
- handling complaints
- registering and handling the personal data breach notifications
- registering the forms for declaring the data protection officer
- performing contracts for providing goods/services.
If you do not agree with the provision of personal data, ANSPDCP through the services/offices/compartments from its structure can not take legal action to respond to petitions/ respond to the requested point of views etc.
Legal ground of the data processing
Yours personal data are processed for complying with the legal obligation to which the data controller (ANSPDCP) is subject, in accordance with Article 6 (1) letters c) and e) of GDPR.
To the extent that special categories of personal data are required, ANSPDCP will request your consent in accordance with the provisions of Article 9 (2) letter a) of GDPR.
The legislation that governs, in principal, the activities of the services/offices/compartments within ANSPDCP is the following:
- Regulation 2016/679/EU, Directive 2016/680/EC, Directive 2002/58/EC
- Law no. 102/2005, modified and amended, Law no. 190/2018, Law no. 506/2004
- Law no. 544/2004, Government Ordinance no. 27/2002
- Code of civil procedure
Categories of data that we process
ANSPDCP’s Policy on the data protection and data security is to collect only personal data that is necessary for the purposes mentioned and to require the data subjects to communicate only those personal data strictly necessary for the fulfilment of these purposes.
The categories of personal data (classical or digital) subject to processing at the level of services/offices/compartments within ANSPDCP are as follows:
For public relations/petitioning/formulating the points of view at the request of individuals
- name, surname,
- signature,
- contact details – personal phone number, email address, domicile/residence address etc.,
Exceptionally:
- series and number of the ID card
- personal identification number
For formulating actions and the representation in court
- name, surname,
- signature,
- contact details – personal phone number, email address, domicile/residence address etc.,
- series and number of the ID card
- personal identification number
For organising/rollout events
- name, surname,
- function, profession
- name of the employer
- contact details – personal/office phone number, email address, postal address
For the forms of declaring the DPO:
- name, surname,
- function,
- name of the employer
- contact details – personal/office phone number, email address, postal address
- IP address from where the form is filled
- the type of browser used
For handling personal data breach notification forms:
- name, surname,
- function,
- name of the employer
- contact details – personal/office phone number, email address, postal address
For handling complaints/notices:
- name, surname,
- signature,
- contact details – personal phone number, email address, domicile/residence address etc.,
- series and number of the ID card
- personal identification number
For performing contracts for providing goods/services:
- name, surname,
- function,
- name of the employer
- contact details – personal/office phone number, email address, postal address
We reserve the right to request other data necessary for the performance of the tasks of the services/offices/ compartments within the ANSPDCP, strictly in accordance with the legal provisions.
Source of the personal data
ANSPDCP through the services/offices/compartments collects personal data directly from you or from third parties (such as other institutions or entities that address the Authority or other data subjects) or from public documents.
If we have to process personal data obtained from third-party legal entities, the latter have the obligation to provide you with the necessary information regarding the use of the personal data transmitted.
Categories of recipients of the personal data personal
Your personal data is intended for use by the data controller (ANSPDCP) and communicated to the following recipients, as the case may be:
- other central/local institutions/authorities to redirect, according to the law, the misdirected petitions;
- the courts for the purpose of formulating actions and representation in court;
- in the framework of the activities of organising/rollout the events of the data controller;
- in the framework of the activities of investigation/control.
The disclosure of data to third parties is made in accordance with the legal provisions for the categories of recipients specified above.
Retention period of personal data
Your personal data is stored for as long as necessary to carry out all activities undertaken in order to support the activities of ANSPDCP’s services/offices/compartments of public relations, petitioning, formulating points of view , organizing events, rollout events, solving actions by competent courts, fulfilling the legal control and investigation tasks, handling complaints, registration and handling the personal data breach notification forms, as well as the registration the forms for declaring the data protection officers, after which they will be archived according to the applicable legislation.
Your rights and how to exercise them
According to the applicable legal provisions, you have the right of access, the right of rectification, the right of erasure, the right to restriction of processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.
In order to exercise your rights, please contact the ANSPDCP’s Data Protection Officer directly at dpo[at]dataprotection.ro or in writing at ANSPDCP’s premises.
Processing of special categories of personal data or based on consent
Where processing is based on Article 6 (1) letter (a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” or 9 (2) letter (a) “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject” for the GDPR, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing under consent prior to its withdrawal. You may change or remove your consent at any time and we will act immediately, unless there is a legal ground or legitimate interest in not doing so.