CONFIDENTIALITY AND DATA PROTECTION POLICY
This Privacy and data Protection Policy establishes the relationship between “Social spot” S.R.L (hereinafter referred to as the Company) and you (the customer or other subjects whose data is processed), as well as other interested parties, regarding the use of personal data.
All subjects whose personal data will be processed, as well as any other interested parties are obliged to take note of this Privacy and data Protection Policy, In order to know the ways in which the company collects and processes personal data according to the activities carried out according to the object of activity of the company, as well as the security measures that are applied.
In the course of its activity, the company complies with all the conditions and requirements provided by the current legislation of Romania, the European legislation, Including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Hereinafter referred to as GDPR).
PREAMBLE
The European data Protection Regulation 2016 (GDPR) replaces the 1995 EU data Protection Directive and replaces the laws of each Member State that have been developed in accordance with the provisions of the data Protection Directive 95/46/EC.
The purpose of this Regulation is to protect the “rights and freedoms” of individuals and to ensure that personal data is not processed without their knowledge, and whenever possible, processed with their consent.
n collecting and using personal data, the Company is subject to legislation and controls how such activities can and do, as well as the measures to be implemented in order to protect personal data.
The purpose of this policy is to establish the relevant legislation and to describe the steps the company takes to ensure that it acts in accordance with the legal norms.
This policy applies to all employees of the company, contractors, interested parties and all other subjects who participate directly or indirectly in the processing of personal data, including the data subjects who visit the website of the company “Social spot” S.R.L. – socialspot.ro, (hereinafter referred to as “users”) within the activities of the company.
CHAPTER I definitions
During the processing of personal data, the terms used will have the following meaning:
a.. Personal data – any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific elements, specific to its physical, physiological, genetic, psychological, economic identity, cultural or social;
b.. Special categories of personal data (sensitive data) – personal data revealing race or origin, political opinion, religious or philosophical beliefs or trade Union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data on a natural person’s sexual life or sexual orientation.
c.. Controller – the natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of processing personal data; Where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law;
d.. Processing – any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
it’s Processor – the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
f.. Recipient – the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether or not it is a third party. However, public authorities to whom personal data may be communicated in the course of a particular investigation in accordance with Union or national law shall not be considered as recipients; the processing of such data by those public authorities complies with the applicable data protection rules, in accordance with the purposes of the processing;
g.. Third party – natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
h.. Consent of the data subject – any manifestation of the free, specific, informed and unambiguous will of the data subject by which he or she accepts, by a statement or by an unequivocal action, that personal data concerning him or her be processed;
i.. Personal data breach – a breach of security that leads, accidentally or unlawfully, to the unauthorized destruction, loss, modification, or disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to them;
j.. Genetic data – personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information on the physiology or health of that person and which results in particular from an analysis of a sample of biological material collected from that person;
k.biometric data – personal data resulting from specific processing techniques relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or dactyloscopic data;
l.. Health data – personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status;
m.. Profiling – any form of automated processing of personal data consisting of the use of personal data to assess certain personal aspects relating to a natural person, in particular to analyze or foresee aspects of performance at work, economic situation, health, personal preferences, interests, the reliability, behavior, location or movements of the natural person concerned;
n.. Pseudonymisation – the processing of personal data in such a way that it can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures ensuring that such personal data are not attributed to an identified or identifiable natural person;
o.. Automation of decision-making is an ability to make decisions through technological means without human involvement.
p.. Personal data breach – a breach of security that leads, accidentally or unlawfully, to the unauthorized destruction, loss, modification, or disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to them.
q. Child: Any individual under the age of 14 The processing of a child’s personal data is only possible if the consent of the parents or guardian is obtained. The operator must make every effort to verify in such cases whether consent is given or authorized by the child’s parent or guardian.
ic criteria, whether centralized, decentralized or distributed according to functional or geographical criteria;
s.. The company – “Social spot” S.R.L., legal entity legally registered in accordance with the laws of Romania.
t.. Website – the socialspot.ro website, which is owned by the company.
u.. Clients – natural / legal persons, who use the services of the company.
v.. Partners – legal entities whose personal data may be transferred for the purpose of processing them in the interest of the Company. Thus, these partners may act as processors as well as sub-processors, depending on the circumstances.
z. Services – services provided by the Company through the use of the Software and the main conditions that are mentioned on the website.
x.. Supervisory authority – an independent public authority established by a Member State in accordance with the provisions of the GDPR.
CHAPTER 2 – DECLARATIONS
2.1 “Social spot” S.R.L., (hereinafter referred to as “Social spot”, Romanian legal entity based in Bucharest, Plaiul Mmount Str. No. 57, Registered under CUI 44987516 undertakes to comply with all relevant European and Romanian laws regarding personal data and to protect the “rights and freedoms” of individuals while collecting and processing personal data in accordance with the GDPR.
2.2. The Privacy and data Protection Policy sets out how the Company uses, processes and stores the personal information of the recipients. The Company may obtain this information from you or your partners in order to fulfill its contractual obligations. In other cases, the Company will receive this information from you with your permission and consent, or we will receive your personal information from third parties to whom you have consented to the transmission of this information.
2.3 this policy describes the main steps that the company has taken to comply with the GDPR, therefore, other compliance conditions together with related processes and procedures may be described by other relevant documents that recipients and any other interested persons may find in the appropriate reference links mentioned in this policy.
2.4. Users have the right to notify the Company or the competent data Protection Authority in case of personal data breach, if they know this fact before the Company.
CHAPTER III – APPLICABLE PRINCIPLES ON DATA PROTECTION
3.1. While performing the collection and processing of personal data, the Company complies with the principles provided by the GDPR. The Company’s policies and procedures are designed to ensure compliance with the principles.
3.1.1. Legality, fairness and transparency
Legal – the controller will identify a legal basis before processing personal data. This will often be referred to as “processing conditions”, such as consent.
In order to process correctly, the controller must make certain information available to the data subjects as practically as possible. This applies if the personal data were obtained directly from the data subjects or from other sources.
Transparency – any information and communication relating to the processing of personal data is easily accessible and understandable and clear and simple language is used.
3.1.2. Limitation of purpose
Personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes; Further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) of the GDPR shall not be considered incompatible with the original purposes.
3.1.3. Data minimization
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
3.1.4. Accuracy
Personal data must be accurate and, if necessary, up-to-date; all reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay.
3.1.5. Limitation of storage
Personal data must be kept in a form that allows the identification of data subjects for a period not exceeding the period necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, To the extent that personal data will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1) of the GDPR, As well as the organizational measures imposed by the GDPR to protect the rights and freedoms of the data subject.
3.1.6. Integrity and confidentiality
Personal data must be processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
CHAPTER IV – DATA COLLECTION AND PROCESSING BY THE COMPANY
4.1. During the course of its activity, the company collects and processes the following data:
4.1.1. Personal data of recipients: E-mail address, first name, last name, date of birth, gender, Country, Postal Code, Password, PayPal, Bank details, Phone, address, age, mouse activity on the socialspot.ro page, session duration and IP as defined on the socialspot.ro website, according to the technical specifications of the device used (such as hardware model, operating system version).
The Company does not collect more personal data than is necessary for the purpose of processing as set out in this document.
While collecting and processing the personal data of the recipients, the Company acts as the controller, thus, it will have the rights and responsibilities of the controllers under the GDPR.
The Company collects and/or processes the following sensitive data in the course of its activities: Such as the sex of the recipients.
4.1.2. Personal data of users
IP address, username, first name, address, telephone number (fixed or mobile), e-mail address, company name, country, e-mail address, usage data, data about interaction with external social networks or platforms, information about registration and notification on the socialspot.ro website, geographical position.
CHAPTER V – PURPOSE OF PROCESSING
5.1. GDPR requirements
5.1.1. Under the GDPR, one or more specific purposes for which personal data is to be processed should be mentioned. Therefore, it is illegal to collect and process personal data that does not correspond to the aforementioned purposes.
5.2. Personal data of recipients/users
5.2.1. The personal data of the recipients / users are collected and processed for the following purposes:
The execution of the services established according to the contracts concluded between the recipient and the company.;
Improving customer service (allows a more efficient response to customer requests);
Personalizing the recipient/user experience;
Maintaining the contact with the recipient / user by sending marketing or promotional materials and other information that includes company news, information about services, with the remark on instructions on how the recipient / user can refuse such notifications;
Performing statistical research and other types of analysis based on anonymous data;
Providing recipients/users with certain personalized services;
Participation of the recipient / User in various projects implemented by the Company through the site, answers to the questions of the recipient / User addressed to the Company through the site, research, maintenance of accounts, registration and promotion of services.
CHAPTER VI – THE LAWFULNESS OF THE PROCESSING OF PERSONAL DATA
6.1. GDPR requirements
6.1.1. According to Article 6 of the GDPR, there are six alternative ways in which data processing can be done legally. This policy has been developed to identify the appropriate grounds for processing in accordance with the rules set out in the GDPR.
6.2. Personal data of recipients
6.3. The personal data of the recipients are collected through the conclusion of contracts between the recipient and the company. The personal data thus collected will be processed with the consent of the recipient, expressed in accordance with the GDPR requirements.
6.4. The consent of the recipient will be expressed by signing a consent request form to be provided to the recipient by the company.
6.5. Together with the consent request form, the Company will provide the User with the Privacy Notice, which contains, but is limited to, precise information on the purpose of the processing and information on the processing methods, as well as the period for which such personal information must be stored.
6.6. Consent is considered to be given when the recipient has completed the consent request form.
6.7. By giving consent, the recipient acknowledges and accepts all the terms and conditions specified in the Privacy and consent notification form, as well as all the conditions specified in this Policy.
6.3. Personal data of users
6.3.1. Users’ personal data is collected while the user accesses the socialspot.ro website.
6.3.2. The Company will collect and process personal data on the basis of the consent that it will be obtained from the User in accordance with the GDPR. In this way, the consent will be granted by filling in the form of the requested consent that the company will make available to the user.
6.3.3. Together with the consent request form, the Company provides the User with the Privacy Notice, which contains, but is limited to, precise information on the purpose of the processing and information on the processing methods, as well as the period for which such personal information must be stored.
6.3.4. Consent is deemed to be provided after the user has pressed the “accept” button on the consent request form provided by the Company through the website for each separate purpose of processing personal data, as mentioned in the respective form.
6.3.5. By giving consent, the recipient acknowledges and accepts all the terms and conditions specified in the Privacy and consent notification form, as well as all the conditions specified in this Policy.
CHAPTER VII – AGE OF THE USER/USER
7.1. GDPR requirements
7.1.1. The processing of personal data of a child is legal if he is at least 16 years old If the child is under 16 years of age, such processing is legal only if and to the extent that consent is granted or authorized by the holder of parental responsibility over the child.
7.1.2. To this end, Member States may by law provide for a lower age for these purposes, provided that that lower age is not less than 13 years
7.2. Personal data of recipients/users
7.2.1. The Company collects personal data on the basis of the consent obtained from individuals (data subjects) who have reached the age of 16 years
7.2.2. When the person is under the age of 16, the processing of his or her personal data is lawful only if and to the extent that the consent is given or authorized by the holder of parental responsibility over the child.
7.2.3. By registering on the site and giving the consent of the company, the recipient / user confirms that he has reached the age of 16 years and has all rights to provide the company with consent for the processing of his personal data. Therefore, the Company is not liable for any consequences if it becomes clear that the User has not reached the age of 16 at the time of granting the Agreement.
CHAPTER VIII – WITHDRAWAL OF CONSENT BY THE RECIPIENT / USER
8.1. The recipient/user has the right to withdraw consent at any time. The withdrawal of consent is considered to be carried out properly after the recipient / user has completed the appropriate form and sent it to the e-mail address: management@socialspot.ro or completed the appropriate form on the socialspot.ro website.
8.2. The personal data of the recipients/users collected by the Company are processed in accordance with the GDPR principles. The Company takes all appropriate measures to ensure compliance with the GDPR requirements while processing the personal data of recipients/users.
8.3. The corresponding request for withdrawal of consent will be examined within 72 hours of receipt of the respective form of withdrawal, and the appropriate decision will be taken by the company
CHAPTER IX – PERIOD OF STORAGE OF PERSONAL DATA
9.1. GDPR requirements
9.1.1. Article 5(1)(e) of the GDPR provides that personal data must be kept in a form that allows the identification of data subjects for a period that is no longer than necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, to the extent that personal data will be processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89(1), subject to the implementation of techniques and organizations, the measures imposed by this regulation to protect the rights and freedoms of the data subject (“storage limitation”).
9.2. Personal data of recipients
9.2.1. The Company processes and stores the personal data of the recipients for the period necessary to achieve the processing purposes specified above The storage period may be longer than the processing period.
9.2.3. Taking into account the purposes of the processing, the retention period of the personal data of the recipients (retention period) does not exceed 12 months from the date on which the consent to the processing of the data is obtained properly from them, Taking into account all legal rules that the Company must comply with for processing.
9.3. Personal data of users
9.3.1. The Company processes and stores the personal data of users for the period necessary to achieve the processing purposes specified above The storage period may be longer than the processing period.
9.3.2. Taking into account the purposes of the processing, the retention period of the personal data of the recipients (retention period) does not exceed 12 months from the date on which the consent to the processing of the data is obtained properly from them, Taking into account all legal rules that the Company must comply with for processing.
9.4. General provisions
9.4.1. After the expiry of the storage period, the Company is obliged to delete personal data or to ask the recipients/users to provide the Company with a new consent if the need for processing remains necessary for the Company or another processing purpose occurs.
9.4.2. The Company has the right not to store more and to delete the personal data of the recipients / users at any time, if such personal data is not necessary for a longer period. In this situation, the company is obliged to notify the recipient / user that his personal data is deleted.
9.4.3. The Company may continue the storage of personal data if further processing is provided for by law and is considered relevant for a purpose that is not compatible with the original purpose of processing mentioned in this Policy. For purposes that are not compatible, we mean purposes relating to archiving in the public interest, scientific, statistical or historical use.
CHAPTER X – DISTRIBUTION OF PERSONAL DATA
10.1. Personal data of recipients/users
10.1. The Company shall not sell or market the personal data of the recipients / users of other legal persons, natural persons or third parties, except in cases where they are processors or sub-processors of the Company.
CHAPTER XI – RIGHTS OF RECIPIENTS
11.1. GDPR requirements
11.1.1. The data subjects, whose personal data are processed by the Company, have the rights provided by the GDPR for the data subjects, namely:
The right of access of the data subject. The data subject shall have the right to obtain from the controller a confirmation that personal data concerning him or her are being processed or not and, if so, access to that data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or are to be disclosed, in particular recipients in third countries or international organizations;
(d) where possible, the period for which the personal data is expected to be stored or, where this is not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data relating to the data subject or the right to object to the processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where personal data are not collected from the data subject, any available information on their source;
(H) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, relevant information on the logic used and on the significance and expected consequences of such processing for the data subject.
The right to rectification
According to Article 16 of the GDPR, the data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes for which the data were processed, the data subject has the right to obtain the completion of personal data that are incomplete, including by providing an additional statement.
Right to erasure (“right to be forgotten”)
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase personal data without undue delay, If any of the reasons set out in Article 17 of the GDPR occur.
Right to restriction of processing
The data subject has the right to obtain from the controller the restriction of processing if one of the cases referred to in art. 18 of the GDPR.
The right to be informed.
The Company is obliged to inform the data subjects about the data collected, how they are used, how long they will be kept and whether they will be communicated to other third parties. This information must be communicated in a concise manner and in plain language.
The right to data portability
The data subject has the right to receive personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and has the right to transmit such data to another controller, without hindrance from the controller to whom the personal data have been provided, where:
(a) the processing is based on consent;
(b) the processing is carried out by automated means.
The right to opposition
Data subjects have the right to object to the processing of personal data that are processed by the Company. The Company must stop the processing of the data, unless the Controller demonstrates that it has legitimate and compelling reasons justifying the processing and which override the interests, rights and freedoms of the data subject or that the purpose is to establish, exercise or defend a right in court.
Automated individual decision-making, including profiling
The data subject has the right not to be the subject of a decision based solely on automated processing, including profiling, which produces legal effects which concern the data subject or similarly significantly affect him or her. Data subjects have the right to have their personal data processed with human involvement.
11.2. Personal data of recipients/users
11.2.1 in order to achieve any of the rights mentioned above, the recipient / user must fill in the company form that can be accessed at socialspot.ro / contact.
11.2.2. The time periods in which the recipients / users can realize their rights provided above are:
Right of recipient/User – time frame
Right of access of the data subject – One month
Right to rectification – One month
Right to erasure (“right to be forgotten”) – Without undue delay
Right to restriction of processing – without undue delay
Right to be informed – when data is collected (if provided by the data subject) or within one month (if not provided by the data subject)
Right to data portability – One month
Right to object – at the time of objection
Automated individual decision-making, including profiling – not specified
CHAPTER XII – DATA PROTECTION OFFICER
12.1 according to the GDPR, the controller and the processor designate a data protection officer whenever:
(a) the processing is carried out by a public authority or body, with the exception of courts acting in the exercise of their judicial function;
(b) the main activities of the controller or processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the main activities of the controller or processor consist in the large-scale processing of special categories of data.
12.2. The data protection officer may be a Member of the staff of the controller or processor or may perform his duties under a service contract.
12.3. Taking into account this aspect, the company will have a data protection officer, and the information on it will be found on the company’s website: Socialspot.ro.
CHAPTER XIII – SECURITY
13.1. GDPR requirements
13.1.1. Having regard to the state of the art, the costs of implementation and the nature, purpose, context and purposes of the processing, as well as the risk of variation in the likelihood and seriousness of the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
13.2. Personal data of recipients/users
13.2.1. The Company is responsible for ensuring that all personal data that the Company holds and for which it is responsible are kept secure and not disclosed in any way to a third party, Unless this third party has been specifically authorized by the Company to receive this information and have entered into a confidentiality agreement.
13.2.2. All personal data will be accessible only to those who need to use it and access can be granted only in accordance with the access control policy, which is available on the socialspot.ro website. The personal data of the recipients / users will be kept secure and must be kept:
in a room with controlled access; and/or
in a closed drawer or in a closet; and/or
If computerized, password protected in accordance with the corporate requirements of the access Control Policy and/or
stored on (removable) computing environments that are encrypted.
13.3.3. Recipients/users have the right to ask the Company to clarify what security measures are applied during the processing of their personal data.
CHAPTER XIV – NOTIFICATION OF PERSONAL DATA BREACH
14.1. GDPR requirements
14.1.1. Personal data breach means a breach of security leading to the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed, accidentally or unlawfully.
14.1.2. There are three different types of breaches under the GDPR:
“breach of confidentiality” – where there is unauthorized or accidental disclosure or access to personal data.
“breach of integrity” – where there is an unauthorized or accidental modification of personal data.
” distance violation” – where there is an accidental or unauthorized loss of access to or destruction of personal data.
14.2. Personal data of recipients/users
14.2.1. The Company takes all reasonable steps to minimize the risk of personal data breach during the processing of personal data.
14.2.2. In the event of a personal data breach, the Company shall notify the competent supervisory authority in accordance with Article 55 of the GDPR without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless it is likely to pose a risk to the rights and freedoms of recipients/users.
14.2.3. The risk assessment that the company must carry out will determine whether the risk to the rights and freedoms of the affected data subjects is considered high enough to justify their notification.
14.2.4. Also, in the event of a personal data breach, which may result in a high risk to the rights and freedoms of recipients/users, the Company will notify without delay the appropriate recipient/user whose personal data has been violated.
14.2.5. However, if further steps have been taken to mitigate the high risk for recipients/users, so that the risk no longer exists under the GDPR, then notification to recipients/users is not required.
14.2.6. The Company records all personal data breaches, including the facts relating to the personal data breach, its effects and the remedial measures taken. This documentation must enable the supervisory authority to verify compliance with the GDPR.
14.2.7. According to the GDPR, the Supervisory Authority may impose a number of fines on the company, if it does not act according to the rules provided by the GDPR.
14.2. The data processor is obliged, without undue delay, to notify the company about the violation of the personal data of the recipients / users, during the processing of these data according to the company’s instructions.
CHAPTER XV – DATA TRANSFER
15.1. GDPR requirements
15.1.1. Any transfer of personal data which is subject to processing or which is intended for processing after transfer to a third country or an international organization takes place only if, subject to the other provisions of the GDPR, the conditions set out in Chapter 5 of the GDPR are complied with by the controller, including for future transfers of personal data from the third country or from an international organization to another third country or to another international organization. All provisions of Chapter 5 of the GDPR will be applied to ensure that the level of protection of individuals guaranteed by the GDPR is not undermined.
15.1.2. The European Commission has the power to determine, on the basis of Article 45 of the GDPR, whether a non-EU country offers an adequate level of data protection, either through its domestic law or through the international commitments it has made. According to the corresponding decision of the European Commission, personal data may come from the EU (and Norway, Liechtenstein and Iceland) in that third country without any further safeguard measures being required.
15.2. Personal data of recipients/users
15.2.1 the Company may transfer the personal data of the recipients/users to their processors, which are registered in the European Union, but the data transfer will be in accordance with the GDPR rules and the adequacy decision, if necessary.
15.2.2. Personal data are transferred for the purposes defined in this document and under the other processing conditions provided by this Policy and specified in other documents, in particular in the personal data transfer policy, which can be found on the socialspot.ro website.
CHAPTER XV – COMPLIANCE WITH THE GDPR
16.1. The following actions are taken to ensure that the Company complies at all times with the GDPR’s liability principle:
The legal basis for the processing of personal data is clear and unequivocal;
All employees involved in the processing of personal data understand their responsibilities for compliance with good data protection practices;
Training for data protection has been provided to all staff;
The rules on consent are followed;
routes are available to data subjects who wish to exercise their rights with regard to personal data and such inquiries are handled effectively.
Regular reviews of procedures involving personal data are carried out;
Privacy by design is adopted for all new or changed systems and processes.
16.2. These actions are reviewed periodically as part of the data protection management process.
16.3. The company has developed all internal documents to define the roles among staff in relation to the processing of personal data within the company.
16.4. The Company may review this Policy from time to time. If the Company makes substantial changes to this Policy, we will notify you by email or by posting a notice on the Site before the effective date of the changes. By continuing to access or use the website after these changes become effective, you agree to the revised Policy.