INFORMATION NOTE 

on the processing of personal data by
Corporate Counseling Services Sarl 

Introduction

Corporate Counselling Services Sarl. with registered office at Rue du Kiem 2, L-8435, Steimfort, Luxembourg, tel. +352 – 26 97 60 32, fax: +352 – 26 10 87 34, website: www.ccsint.com, email: office@ccsint.com, hereby informs you about the processing of your personal data and the rights you have in accordance with REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as GDPR) and national legislation on the protection and security of personal data in force. 

Contact details of the person in charge of data protection (also referred to as Data Protection Officer – “DPO”) within our Company, whom you can contact in relation to any issues concerning the protection of your personal data: Mr. Marius Medeleanu; E-mail dpo@ccsint.ro    

1. Purposes and legal basis of processing

In accordance with the national and European legislation in force, Corporate Counseling Services Sarl is obliged to manage the personal data provided to it securely and only for the specified purposes.

Corporate Counseling Services Sarl processes your personal data in accordance with the GDPR as data controller. The purpose of processing personal data is mainly to provide emotional health services, namely medical psychology activities (clinical psychology, psychological counseling, psychotherapy) and to offer the employees of the employer and close relatives (Users-data subjects) of the service “Employee Assistance Program” (EAP), in order to study, prevent, reduce or eliminate the exposure of Users to psychosomatic risks at work and in their personal environment.

In accordance with the GDPR requirements for the protection of individuals with regard to the processing of personal data and the free movement of such data, as well as international regulations on the subject, Corporate Counseling Services Sarl, is obliged to manage in secure conditions and only for the specified purposes, the personal data you provide us with about yourself, a member of your family or another person.

We would like to point out that, in principle, there is no obligation for you to provide us with the personal data indicated in this information notice. However, to the extent that you do not provide us with your personal data as described, we will not be able to provide you with the requested services and/or you will not be able to benefit from all the facilities that de Corporate Counseling Services Sarl. offers you

2. Data processing principles

 The dates are: 

  • Processed lawfully, fairly and transparently vis-à-vis the data subject (“lawfulness, fairness and transparency”)
  • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes 
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”) 
  • Accurate. Where it is necessary to update them, every reasonable step will be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”) 
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed 
  • Processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or accidental damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”) 
3. Legal basis for data processing

Personal data are processed in accordance with:  

  • Article 6 para. 1(a) of the GDPR, in order to provide the services Users request, in line with: 
  • Article 6 para. 1 letter b) for the purpose of carrying out employment contracts of employees or service contracts of authorized persons- natural persons and according to: 
  • Article 6 para. 1 letter f), Law no. 333/2003, GD no. 301/2012, GD no. 1002/2015 based on the legitimate interest of the Controller in order to monitor the access of persons to the Company, to ensure the security of the premises and property of the Company, as well as the safety of persons on the premises and premises belonging to the Company 

To the extent that special categories of personal data are required, Corporate Counseling Services Sarl will ask for your consent in accordance with the provisions of Art. 9 para. (2) lit. (a) of the GDPR. 

4. Types of personal data we process

Corporate Counseling Services Sarl’s policy on the protection and security of personal data is to collect only the personal data necessary for the purposes mentioned and to require data subjects to communicate to us only those personal data strictly necessary for the fulfillment of those purposes. 

The categories of personal data (classic or digital) subject to processing at the level of the services / offices / departments within Corporate Counseling Services Sarl are as follows: 

  • Contact data, such as: name and surname, home/residence address, telephone number (landline and/or mobile) and/or fax number, e-mail address, correspondence address; 
  • Personal data, such as: date of birth; gender; age; identity card series and number; personal identification number; other information included in the identity card; video images (obtained from video recordings made in our premises, where video surveillance cameras are installed); voice (based on the recordings of calls made through the call center of Corporate Counseling Services Sarl.); signature; 
  • Medical (mental – including special data) data, such as: health data related to the services provided (such as: services you access in our partner clinics; diagnosis; results of tests you provide us with; treatment we prescribe or administer; psychologist you access; medical recommendations; symptoms; symptoms; medical history; previous illnesses; information you provide us with about your family members, if applicable); physical characteristics (various conditions); genetic data (only if applicable); biometric data; biological samples; 
  • The personal data that you provide us with when making an appointment by telephone, e-mail or in the clinic (name, surname, telephone, e-mail, date of birth, symptoms, data on the tests and investigations you have undergone or wish to undergo) are recorded and processed by Corporate Counselling Services Sarl, only to the extent that this information has been provided without any constraint and with prior information. 
  • Financial-accounting data belonging to or necessary for the data subject; 
  • Legal data belonging to or necessary for the data subject; 
  • Data on your employment situation, such as: your future or current employer; your occupation/position; other details provided by your employer in relation to your employment relationship; 
  • Data relating to your relationship with Corporate Counselling Services Sarl, such as: the history of your relationship with Corporate Counselling Services Sarl; any suggestions or other such opinions that you may have, either directly or through other means of communication (which may include social networking or other public communication channels). 

We reserve the right to request other data necessary for the fulfillment of the duties of the departments within Corporate Counseling Services Sarl, strictly in accordance with the legal provisions.

5. Source of personal data

The source of personal data is the data subject, and/or any public sources. 

6. Categories of recipients of personal data

Your personal data are intended for use by the controller (CCS Sarl) or the authorized person (psychologist) and are communicated to the following recipients, if applicable: 

  • The general identification data are processed by the controller, and some of them (number of therapy sessions, dates on which psychological counseling sessions are held, etc.) are reported to the employer of the data subject; 
  • Data of a special nature, specific to psychological counseling, diagnoses, etc., are known only by the psychologist and the person concerned; 
  • Of course, the controller will use the data subject’s data for the fulfillment of its legal and fiscal obligations, including for forwarding them to the competent public authorities or institutions, but always making sure that we put in place adequate safeguards to protect your data. 
  • Disclosure of data to third parties is made in accordance with the legal provisions for the categories of recipients specified above. 
7. Data security

Corporate Counselling Services Sarl shall implement appropriate technical and organizational measures to ensure a level of security appropriate to this risk, including, as appropriate, inter alia: 

  • encryption of personal data; 
  • the ability to ensure the confidentiality, integrity, availability and continued availability and resilience of processing systems and services; 
  • the ability to restore the availability of and timely access to personal data in the event of a physical or technical incident; 
  • a process for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing 

In case some of the employees of CCS Sarl, will perform their work duties by telecommuting, our company has prepared a document called Telecommuting Policy, a document that regulates the performance of the employees’ work in this way.  

Telework is “the form of work organization whereby the employee, on a regular and voluntary basis, performs the duties specific to the function, occupation or trade that he/she holds, in a place other than the workplace organized by the employer, at least one day per month, using information and communication technology”. This is the definition that we find in Law No. 81/2018 on the regulation of the activity of telecommuting. The transfer of data from the Company to the teleworkers, and from the teleworkers to the Company, will be done through secure channels and verified by the IT Administrator of CCS Sarl. 

8. Storing personal data

Your personal data is stored for as long as necessary to carry out all the steps taken to support the activities of Corporate Counseling Services Sarl. We have implemented technical and organizational measures for the organization of the process and specific criteria for the retention of your personal data, through our own Personal Data Retention Policy (including according to our archiving procedures). 

We will cease processing personal data when it is no longer reasonably necessary for the permitted purposes, or when you withdraw your consent (if applicable) and:

(i) there are no longer compelling legitimate grounds for further processing by Corporate Counselling Services Sarl (including the legal obligation of Corporate Counselling Services Sarl to continue to store the data concerned) which override your interests, rights and freedoms; or
(ii) if they are no longer necessary for us to establish, exercise or defend a right in court. 

The duration of storage of data obtained through the video surveillance system is proportional to the purpose for which the data is processed, so that the images are stored for a period not exceeding 30 days – Law 190/2018, Art. 5. 

According to the provisions of Art. 9 cap. II of GD no. 301/2012, the closed-circuit television equipment must ensure the acquisition of images from the access area, both from the outside and from the inside, the working area with the public, the vehicle routes and access to the storage area of data, goods and valuables, ensuring the storage of images for a minimum period of 20 days. 

However, data may be kept for a longer period in two cases: for one year, for the purpose of proving the provision of services, if it is not possible to provide such proof by other means; in case of dispute of the services performed, until the dispute is settled. 

At the end of the storage period, the data are deleted automatically in the order in which they were recorded. 

In the event of a security incident, as well as in duly justified cases, the retention period of the relevant footage may exceed the normal limits depending on the time required for further investigation of the security incident. 

Retention is rigorously documented and the need for retention is reviewed periodically (every two months). 

9. Transfer of personal data to third countries

We may transfer your personal data to states that are part of the European Economic Area or to states that have been recognized by the European Commission as ensuring an adequate level of protection of personal data, if such transfer is necessary for processing in accordance with the permitted purposes described above. 

In exceptional circumstances, if it is necessary to provide Corporate Counselling Services Sarl services for the permitted purposes, we may transfer your personal data to third countries which have not been recognized by the European Commission as providing an adequate level of protection. 

We will ensure that these international transfers are carried out subject to appropriate safeguards (such as under Standard Contractual Clauses approved by the European Commission) as required by the General Data Protection Regulation (EU) 2016/679 or other applicable legal provisions. You can contact us at any time, using the contact details below, if you would like further information about these safeguards. 

10. Processing of special or consent-based data

Where the processing is based on Article 6(1)(a) “the data subject has consented to the processing of his or her personal data for one or more specific purposes” or on Article 9(2)(a) “the data subject has given his or her explicit consent to the processing of those personal data for one or more specific purposes, unless Union or national law provides that the prohibition set out in paragraph 1 cannot be lifted by the data subject’s consent” of the GDPR, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal of consent. Thus, you can change or remove your consent at any time, and we will act on it immediately, unless there is a legal ground or legitimate interest not to do so. 

Corporate Counseling Services Sarl does not process personal data belonging to minors without the express and unequivocal written consent of the holders of parental rights. 

11. Data subjects' rights and how to exercise them

In accordance with the provisions of the GDPR, data subjects whose personal data we process have the following rights: 

a) Right of information and access to personal data
b)
 the right to rectification of inaccurate data concerning him/her, completion of incomplete data, including by providing an additional statement
c) The right to erasure of data in the situations provided by law: 

  • the data are no longer necessary for the purposes for which they were processed, 
  •  in case of withdrawal of consent,  
  • where the data subject objects to data processing, 
  •  in case of unlawful processing of personal data, 
  • where there is a legal provision, etc. 

d) The right to restrict processing in the situations provided for by law
e) Right to data portability
f) Right to object. The data subject shall have the right to object at any time to the processing of personal data concerning him or her
g) Right to lodge a complaint to a supervisory authority

To exercise your rights, please contact the Data Protection Officer of Corporate Counseling Services Sarl directly at: dpo@ccsint.ro.  

If any of your details are incorrect, please inform us as soon as possible at the following address: 

Corporate Counseling Services Sarl, Rue du Kiem 2, Steinfort, Luxembourg, e-mail: office@ccsint.com. 

If you believe that your rights regarding the processing of your personal data under conditions of confidentiality have been violated, you may submit a complaint in writing to the ANSPDCP, Address. Gheorghe Magheru, Bucharest, Romania, telephone: +40.318.059.211/ +40.318.059.212; fax: +40.318.059.602, or by e-mail to: anspdcp@dataprotection.ro. 

ملفات تعريف الارتباط والخصوصية

يستخدم هذا الموقع ملفات تعريف الارتباط ليمنحك أفضل خدمة ممكنة. يمكن العثور على معلومات مفصلة في سياسة الخصوصية الخاصة بنا