PRIVACY POLICY
OF PERSONAL DATA
Corporate Counselling Services Sarl (hereafter referred to as CCS, CCS Sarl, the Company) was established as a company to bring together the expertise of various professionals to provide a full service network to corporations and organizations in Europe and outside the E.E.S. to help them deal with human resources issues, in particular, preventive corporate health management. Managing health in the workplace is now an essential component of working life. People spend about 65% of their working lives at work. Creating a healthy, balanced working environment, where people can feel at ease, and where they will find the opportunity to develop their potential, is considered as important as providing the essentials for occupational hygiene and personal well-being. This has a substantial impact on employees’ personal lives.
Corporate Counseling Services Sarl is a Personal Data Controller, as defined under the GDPR, and the purpose of this Policy is to set out how the Company processes personal data in accordance with the applicable data protection legislation.
Depending on the relationships established by the clauses of the service provision contracts concluded between our Company and its partners, CCS Sarl may be both an independent controller of personal data in relation to its partners, employers of the users of the counseling services offered, and a processor or subcontractor of the counseling services, when the processing relationship is established between us and a processor of personal data.
This privacy policy sets out the manner of processing together with the purpose of processing personal data collected by CCS Sarl from data subjects,
The categories of personal data (representing any information that can lead to the identification of a data subject) that we process are detailed in section (4) below. Our intention is to provide sufficient information, presented in a user-friendly manner, to ensure that you understand the processing operations that Corporate Counseling Services Sarl carries out, while ensuring that the confidentiality and security of your personal data is respected.
For any details needed to understand this Policy or the procedures for processing personal data, data subjects may send us any queries or requests using the contact details indicated at the end of this Policy.
Corporate Counseling Services S.a.r.l, Rue du Kiem 2, L-8435, Steinfort, Luxemburg, e-mail: office@ccsint.com.
Corporate Counselling Services Sarl has outsourced the services of Data Protection Officer (DPO) to The Insource Development Group, represented by Mr. Marius Medeleanu, e-mail address: dpo@ccsint.ro.
Personal data processed by CCS Sarl, by categories of data subjects:
a) Employees, candidates
Identification and contact details:
- Name and surname, e-mail addresses, home/residence address, telephone number (landline and/or mobile), correspondence address, date of birth; gender; age; Personal Numerical Code; ID document number and serial number; education data and data from certificates (if applicable);
- Financial-accounting data belonging to or necessary for the data subject;
- Legal data belonging to or necessary for the data subject;
Categories of special/sensitive personal data:
- biometric data – signature, voice (based on recordings of conversations with the consent of the data subject)
- health data – medical data, related to preventive health management, regular medical check-up/health and safety at work for company employees;
- video images (obtained from video recordings made on the premises of the Company, where video surveillance cameras are installed)
b) Representatives of business partners, service and utilities providers, public authorities, processors and/or subcontractors:
- Contact data: name and surname, e-mail addresses, home/residence address, telephone number (landline and/or mobile), correspondence address, date of birth; identity document number and serial number; Personal Identification Number;
- Financial-accounting data, belonging to or necessary for finalizing payments;
- Special/sensitive personal data: biometric data – signature, voice recordings,
- video images (obtained from video recordings made on the premises of the Company, where video surveillance cameras are installed)
c) Users of EAP services – data subjects (employees of CCS Sarl business partners or their relatives) who, on the basis of the rights set out in their individual employment contract, apply for psychological/legal/financial counseling:
- The personal data that the data subjects (DATA SUBJECT) provide when making an appointment by telephone, e-mail or in the clinic (name, surname, telephone, e-mail, date of birth, symptoms, data on the analyses and investigations performed or that they wish to have performed) are recorded and processed by Corporate Counselling Services Sarl, only to the extent that this information has been provided by the data subjects without any compulsion and with prior information.
Corporate Counseling Services Sarl assumes no responsibility or liability for any inaccurate, incorrect or incomplete information/data/documents provided by data subjects to us. They (DATA SUBJECT) are obliged to inform us of any changes that occur to their personal data, so that their data is always accurate and up-to-date. If Corporate Counseling Services Sarl has suspicions about the authenticity of the documents or information provided, it is entitled to refer the matter to the public authorities/institutions responsible for investigation, monitoring and control.
The data of the data subjects obtained from their employer refers to the data of employees who have the capacity of representatives. They sign documents on behalf of the Data Controller, or maintain contact with our business partners, in order to fulfill the subject matter of the contracts concluded between the parties; the processing of their identification and contact data is necessary for this purpose.
Please note that, in principle, there is no obligation for data subjects to provide us with the personal data indicated in this Policy. However, to the extent that he/she does not provide us with the personal data described, we will not be able to provide him/her with the requested services and he/she will not be able to benefit from all the facilities that Corporate Counselling Services Sarl offers him/her (for example: not providing us with his/her telephone number/email address will not allow us to communicate with the user regarding the confirmation or possible changes to appointments, or to send him/her the results of the medical services performed, in which case the communication or collection of the results will be done at the reception desks of our partner clinics).
If, in the context of the services that Corporate Counselling Services Sarl provides to users, they provide us with personal data about other people (such as possible medical conditions that have been encountered in the family), we will treat this information as confidential and use it only for the purpose of providing the services offered.
At the same time, we will take all necessary measures to ensure that this information is adequately protected, taking into account Corporate Counseling Services Sarl’s obligation of professional secrecy.
In accordance with the provisions of Recital 61 of the General Data Protection Regulation, we mention the following sources of personal data:
- Obtained directly from the data subject,
- Obtained from the data subject’s employer,
- Obtained from public sources,
- If personal data are obtained from another source, we will inform the data subject within a reasonable period, depending on the circumstances of the case.
The processing of personal data is carried out under optimal security conditions and for legitimate purposes, mainly related to the provision of medical/psychological services, financial and/or legal counseling, specific to the activities of the controller, as well as to related financial-accounting activities, to those related to human resources or necessary in the relationship established by the service contract concluded with the employer of the data subjects. Whenever we request the collection, further processing and eventual transfer of personal data, the processing will be done only for the purposes mentioned; for other purposes your consent will be required.
The personal data indicated in section 5 below will be processed for the following purposes:
- Provision of psychological/financial/legal counseling services through the EAP service:
Provision of psychological/financial/legal counseling services requested by data subjects, establishing a diagnosis/financial/legal diagnosis/situation, registration of services provided, communicating with the data subject about the services provided, informing users about the services provided, activating and/or adjusting the user’s subscription to our services, appointments, identification of the user and the services accessed. The Controller provides EAP Services (EAP Service = “Employee Assistance Program”) to the employees of the Beneficiaries for whom it provides these services (hereinafter referred to as: “Patients” or “Users”) in order to study, prevent, reduce or eliminate the Users’ exposure to psychosomatic risks in the workplace and in their personal environment.
Patients/Users use the EAP service voluntarily, at their own discretion, after interpreting and accepting the terms of the privacy notice and this privacy policy.
The contractual relationship is established between the Controller and the Employers, while the Users are the employees of the Beneficiaries or close relatives of the patients/users.
- Medical statistics:
Processing for this purpose shall be carried out only at the written request of the institutions of the Staff Regulations responsible for statistics. Personal data will remain secure and confidential and will not be disclosed to third parties.
- Meeting legal obligations:
Processing to fulfill various legal obligations of our Company (such as: financial, health, safety, security, human resources, record keeping or other obligations imposed by applicable laws).
- Improving services:
Identifying problems or possible relevant issues related to existing services in order to improve them, implementing new services or improvements to existing ones, dealing with your complaints.
- Dispute resolution:
Formulating various requests/claims in case of disputes arising in connection with the services rendered to the data subject and/or in relation to the relationship between the data subject and our Company.
Our Company is not responsible for processing carried out, in any form, outside the framework set out in this Policy (including through the exchange/recording of personal information/data in conversations between psychologists and patients).
Definitions
- Telework: is “the form of work organization whereby the employee, on a regular and voluntary basis, performs the duties specific to the function, occupation or trade that he or she holds, in a place other than the workplace organized by the employer, at least one day a month, using information and communication technology”. This is the definition that we find in Law no. 81/2018 on the regulation of teleworking.
- Tele employee: The employee who has subscribed to a way of performing work, in whole or in part and on a regular basis, outside the employer’s premises, using information and communication technology, has been referred to in Law no. 81/2018 as a “tele employee”, but if the worker can in turn hire labor, if he participates in profits and losses, if he invests capital – then he is not an employee. CCS Sarl uses processors with whom it signs Service Contracts, but applies all legal provisions regarding telework, when the work activities are not carried out in the premises (work premises) belonging to it. These contracts also contain a Data Processing Agreement. In this Agreement, the obligations of the parties related to data processing in conditions of confidentiality and security in teleworking conditions, where applicable, will also be highlighted. The Processor, who is the Data Controller in relation to his employees, will implement the provisions of the Agreement in their work.
- Home office: generic name for the place(s) of work, agreed with and approved by the employer.
- Agreement to process data by telecommunication: The legislator stipulates that the employer and the employee must establish by an additional act to the employment contract (Agreement) the places where telework will be performed; the employer will be obliged to ensure occupational health and safety measures in the places where telework is performed.
Telework is a form of work organization whereby the employee, on a regular and voluntary basis, performs the specific duties of his/her function, occupation or trade in a place other than the place of work organized by the employer, at least one day a month, using information and communication technology.
Since the minimum limit for teleworking is 1 day per month, the teleworker works most of the time from a workplace other than the one provided by CCS Sarl.
The location of the telework must be agreed by the parties. The employee shall not have the right to unilaterally decide on the choice of a place to carry out his activities by telework which has not been agreed and approved in advance.
CCS Sarl understands that the provisions of Law 81/2018 impose the following obligations:
- the obligation to expressly provide in the individual employment contract or in the additional act to it, that the work is performed on a telework basis;
- the obligation to have the employee’s consent to telework;
- the obligation to have the consent of the full-time teleworker if he/she works overtime at his/her request;
- the obligation to include in the employee’s employment contract all the 10 clauses set out in Art. 5 para. (2);
- the obligation to provide the means of information and communication technology and/or safe work equipment necessary to perform the work;
- the obligation to install, check and maintain the necessary work equipment;
- the obligation to ensure that the teleworker receives sufficient and appropriate training in occupational safety and health, in particular in the form of information and work instructions specific to the place of teleworking.
At the time of drafting this Policy, CCS Sarl employees do not telework. However, taking into account the current conditions, determined by the Coronavirus pandemic, our Company considered it necessary that our Privacy Policy also refers to this way of carrying out the activity, and if necessary, this chapter will be revised in the future, depending on the changes that will be required.
The legal grounds for the processing of Personal Data by CCS Sarl are the following:
1) Grounds for processing personal data that do not fall into the category of special personal data.
Personal data that do not comprise special categories of personal data (as defined under Article 9 of the GDPR) are processed by Corporate Counseling Services Sarl on the following legal grounds:
1.1) Based on the provisions of Art. 6, para. 1, letter a, of the GDPR, the consent of the data subjects – this consent is required:
a) Prior to the User’s initial telephone call with our Call center Operator. With this call, the data subject requests the Call center Operator for an appointment for psychological/financial/legal assessment/counseling. Before the call with our Call center Operator starts, the User will hear a message which is a brief information about our data processing policy. In the case of acceptance, the data subject will press a telephone key indicated in the message, which represents his/her consent expressed by a positive and unequivocal action to the processing of personal data by the controller. The data collected by our Call center Operator will be minimal, such as name, surname, employer, mental/financial/legal problems, expressed in the simplest way. Based on this data, the User will receive an appointment.
b) Prior to the User’s initial telephone call with our Call center Operator. Through this call the data subject requests a psychological/financial/legal assessment/counseling from the Call center Operator by telephone. Before starting the call with our Call center Operator, the User will hear a message briefly informing him/her about our data processing policy. In the case of acceptance, the data subject will press a telephone key indicated in the message, which represents his/her consent expressed by a positive and unequivocal action to the processing of personal data by the controller. The data collected by our controller will be sufficient and enlightening for the controller to make an assessment on the basis of the data collected and to provide the requested advice. The user will receive the requested advice from our specialist, online, over the phone.
c) By filling in a form in the clinics of the persons empowered by us, or in the offices of psychological specialists, after an information note will be brought to the User’s attention, the provisions of our data processing policy and the preservation of their confidentiality, in conditions ensuring their full security.
d) Call-center calls are recorded on the basis of the consent expressed in advance by the caller; the purpose of the processing is to prevent misinterpretation of information transmitted by any of the participants in the call, to clarify situations exposed in the telephone communication in case of doubts or confusion, and to manage situations where the calls contain indications of harm that may be caused to the security and integrity of the person and property.
1.2) Taking into account the other purposes for which we process personal data, the basis of such processing may be the fulfillment of the Company’s legal obligations – art. 6, para. 1, lit. c of the GDPR (including in relation to archiving, health, security, record-keeping, requesting a public authority and other obligations that the law imposes);
1.3) In certain situations, we will process personal data on the basis of a legitimate interest of Corporate Counseling Services Sarl – art. 6, para. 1, lit. f of the GDPR, or of a third party (such as: compiling the records of medical services; keeping track of appointments in our electronic system; dealing with requests and complaints received from Users; providing emergency specialist assistance; concluding and executing contracts for the provision of medical/psychological services with partner clinics in order to provide the widest possible territorial coverage and range of services offered; surveillance by the video camera system to ensure the security of goods and persons (see CCS video surveillance policy)).
The processing is necessary to enable the establishment, exercise or defense of a right in a court of law, given that, in the course of the relationship established with our Company, it cannot be excluded that such situations may arise in the context of the services provided (to the extent that such disputes are referred to the courts).
1.4) In view of certain situations in which the User may find him/herself (physically or legally) and which may make it difficult for him/her to consent to the processing (for example: emergency situations), his/her personal data will be processed in order to protect the vital interests of the User or of another data subject – Art. 6, para. 1(d) GDPR;
2) Grounds for the processing of personal data falling within the category of special data (according to Art. 9 GDPR)
Considering the specificity of the activity/services provided by Corporate Counseling Services Sarl, we will process personal data that fall into the category of special data (as defined under Art. 9 of the GDPR) on the following legal grounds (grounds that will apply in addition to the grounds detailed in Art. 6 of the GDPR):
a) Processing pursuant to the data subject’s consent
According to Art. (2)(a) of the GDPR, the processing of health data is permitted where “the data subject has given his or her explicit consent to the processing of those personal data for one or more specified purposes, unless Union or national law provides that the prohibition provided for in paragraph 1 cannot be lifted by the data subject’s consent”.
“The processing is necessary for purposes related to preventive or occupational medicine, the assessment of the employee’s ability to work, the establishment of a medical diagnosis, the provision of medical or social care or medical treatment or the management of health systems and services, on the basis of Union or national law or on the basis of a contract concluded with a health professional and subject to compliance with the conditions and safeguards set out in paragraph 3” – Art. 9 para. (2) lit. (h) of the GDPR. Processing by a professional subject to the obligation of professional secrecy in the context of healthcare services
b) Processing is necessary to protect the vital interests of the data subject or of another data subject where the data subject is physically or legally incapable of giving consent; Art. 9(2)(c) GDPR
c) The processing is necessary for reasons of public interest in the field of public health (such as: protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care, under EU or national law); and/or health or social care services; – Art. 9, paragraph 2, lit. (i) of GDPR
Essentially, Corporate Counseling Services Sarl processes your personal data that fall within the category of special data on the basis of those provisions that allow the processing of patients’ health data in the context of the provision of healthcare services, both where such processing is required by law and where the provision of healthcare services is contractually agreed. However, the processing can and shall be carried out only by or under the responsibility of a professional subject to the obligation of professional secrecy or by another person also subject to an obligation of confidentiality under Union or national law or rules established by competent national bodies.
In principle, personal data will only be processed by Corporate Counseling Services Sarl.
Given both the complexity of the services made available to the data subject by our Company, the need for Corporate Counseling Services Sarl to call upon certain external partners who provide support in the performance of our activity, we wish to mention that personal data may be transmitted to other natural or legal persons, to be processed for the purposes detailed in this Policy.
Taking into account the context of the relationships established by Corporate Counselling Services Sarl with its partners, as well as the possibility of changes in these relationships, it is not feasible to identify all these partners by name, but they will be mentioned generically, according to the established/potential relationship with Corporate Counselling Services Sarl.
In this regard, personal data may be transmitted to:
- Processors – collaborating psychologists and accredited psychological service providers.
- Psychological services can also be offered through accredited specialized service providers – collaborating psychologists and partner clinics of Corporate Counseling Services Sarl – in the country or abroad.
In this regard, we note that data/information on the health status of data subjects, regardless of their content or volume, may be communicated to accredited health care providers in the country or in other countries (whether in the European Union or outside the European Union), in accordance with the applicable legal provisions.
Corporate Counseling Services Sarl makes every effort to ensure that its collaborating psychologists and other accredited providers comply with the provisions of the legislation on the protection of personal data. Prior to performing the offered service, where required by law, data subjects will receive the Consent form informing them of the data and information about the Company’s partner, and the context of the processing of personal data of the users by it.
- Judicial, investigative, supervisory and control institutions and/or authorities
To the extent that, in accordance with the legal provisions in force, personal data/information is requested from our Company by various bodies and/or institutions (for example: criminal investigation bodies, police, financial, tax, social security, court and any other supervisory and control institutions and/or authorities), Corporate Counselling Services Sarl is obliged to provide the requested data/information without prior consent of the data subject, including in the event that the data subject objects or does not express his/her point of view. In addition, it may be necessary in certain situations for such data/information to be made available without a prior request from these institutions, bodies and/or authorities, in which case Corporate Counselling Services Sarl will provide the necessary data/information as required by law.
- Other natural/legal persons who have access to your data.
Other natural/legal persons have access to the personal data of data subjects, such as: providers of IT support services or technical and organizational services in connection with activities related to the maintenance of medical equipment, payment services, archiving services, legal advisors, auditors, financial-accounting consultants or to other advisors of the Company in connection with extraordinary business operations (e.g. in the case of mergers, acquisitions and the like), with whom the Company will enter into confidentiality agreements, as appropriate (to the extent that certain legal and/or statutory confidentiality requirements/guarantees will not be applicable to them). Personal data may also be transmitted to other individuals or legal entities in Romania or abroad in the context necessary for the establishment, exercise and/or defense of a right of Corporate Counseling Services Sarl.
The Company will exercise due diligence in the selection of its service providers and/or partners and will require that these providers/partners maintain appropriate technical and organizational security measures to protect the personal data to which they have access and to process it in accordance with applicable legal provisions.
In the event that the personal data processing operations will be carried out by Corporate Counseling Services Sarl, through its processors, our Company will ensure compliance with the specific requirements imposed by the provisions of Article 28 of the GDPR, ensuring, among other things, that:
- the personal data processing operations concerned are carried out on the basis of a contract/agreement regulating the specific issues of the controller-processor relationship, in accordance with the GDPR and
- the processor will process the personal data on the basis of instructions from Corporate Counseling Services Sarl.
In certain specific situations, the personal data of data subjects may be transferred to entities located in other states within the European Union and/or the European Economic Area.
There are also situations where personal data may also be transferred to entities outside the European Union and/or the European Economic Area (e.g. Canada, Australia, New Zealand). In such cases we will ensure that adequate safeguards are in place to allow the transfer to be properly carried out in accordance with the requirements of the data protection legislation (safeguards may include: the application of standard contractual data protection clauses or the existence of a European Commission decision to that effect).
In each case, in order to carry out the actual transfer, the data subjects will fill in the Consent Form in order to express their explicit consent to the situation required by the service, health condition, etc.
We keep data subjects’ personal data accurate and up to date. We also strive to keep personal data no longer than necessary to fulfill the purposes listed in this Policy or as required by applicable law.
In this regard, we will store the Users’ personal data for the entire period of the relationship established with the Employers, and also for a certain period of time thereafter, in consideration of the applicable legal provisions. Thus, personal data will be kept for a period set out below:
Data of a special nature, collected by processors, specialists, psychologists, psychology clinics, psychological service providers, will be kept for a period of 2 years after the end of therapy, in order to analyze the therapeutic needs and the evolution of the User’s condition, in case of his/her subsequent return to the specialist. Only the persons concerned and the psychologist will have access to them. They will then be deleted, destroyed or anonymized, in accordance with the provisions of the CCS Sarl Data Storage Policy. During the period of storage by the authorized person, this will be done under conditions of maximum security in accordance with the relevant legislation and with the provisions of the appendix to the data processing agreement concluded with the CCS Data Controller.
To the extent that certain personal data are included in or also relate to certain accounting records of the Company, for which a specific retention period (e.g. 5 or 10 years) must be respected, such personal data will be retained for those applicable periods.
With regard to images obtained by means of video surveillance, they shall be kept for a maximum of 30 calendar days from the date of recording, unless a longer period is permitted or required by applicable law.
Minimum data, first name, surname, employer, number of therapy sessions completed, will be communicated by the data processor to Corporate Counseling Services Sarl. The data controller will use them for reporting on the services provided to the data subjects, their employer with whom CCS has a service contract. This data will not be used for any other purpose. Their retention period is determined according to the service reporting period stated in the contract, and may not exceed one year.
Consent forms will be archived and kept for a period of 3 (three) years.
Personal data are processed by CCS Sarl in a manner that ensures appropriate security. The Data Protection Officer regularly carries out a risk assessment, taking into account all the circumstances of the processing operations carried out by the controller. In determining the security of the processing, the Data Protection Officer shall take into account the extent of possible damage or loss that could be caused to data subjects in the event of a breach of security. When assessing the appropriate technical measures, the Data Protection Officer shall consider the existence of the following security measures:
- Password protection;
- Automatically lock terminals (computer/laptop etc.) when not in use;
- Remove access rights for USB and other memory media;
- Availability of virus checking software and firewalls;
- Regulate access rights according to roles, including those assigned to temporary staff;
- Encryption of devices leaving the Company’s premises, such as laptops;
- Local area network security;
- Existence of privacy-enhancing technologies such as anonymization;
In assessing the appropriate organizational measures, the Data Protection Officer also considered the following:
- Appropriate levels of training within the unit;
- That all employees/staff are responsible for ensuring that all personal data held by the Controller and for which the Controller is responsible is kept secure and not disclosed in any way to a third party unless that third party has been specifically authorized to receive that information and has entered into a confidentiality agreement;
- That data protection measures are included in employment contracts;
- Disciplinary action is available for data breaches;
- Staff are monitored for compliance with relevant security standards;
- Physical access control to electronic and paper records shall be performed;
- Paper data is stored in secure cabinets;
- Use of portable electronic devices outside the workplace is restricted;
- Use of the employee’s personal devices in the workplace is restricted;
- Clear rules on passwords and their use are adopted;
- Regular back-ups of personal data are made;
- Contractual obligations are imposed on importing organizations to take appropriate security measures when transferring data outside the EEA.
- All personal data is accessible only to those who need to use it and access is granted only in accordance with the Access Control Policy.
- PC screens and terminals are visible only to authorized employees/staff of the Controller.
- Personal data is deleted or disposed of only in accordance with the record retention procedure. Records in physical format that have expired are shredded and discarded as ‘confidential waste’.
- Staff processing data off-site must be specifically authorized.
The processors assume responsibility for ensuring the security only of the information, personal data and sensitive data (physical and mental health data; genetic data; if applicable, biometric data) that are provided to them and are processed by their own staff (including psychologists), exclusively and where the following conditions are cumulatively met:
- in the clinic of our processors
- CCS Sarl’s computer and/or electronic systems/instruments/devices, hardware and software, records and forms; and
- as part of CCS Sarl.
In accordance with the provisions applicable to personal data, data subjects have the following main rights:
(1) The right of access to the personal data processed, meaning their right to obtain from the Company a confirmation as to whether or not personal data concerning them are processed and, if so, access to the data and the conditions under which they are processed (including the purpose of the processing, the categories of data processed, the recipients of the data).
(2) The right to request rectification of personal data, meaning the right of users/data subjects to request us to rectify inaccurate or outdated personal data or to complete incomplete data.
(3) The right to erasure of personal data which may be exercised in certain circumstances provided for by applicable law, including:
- the personal data are no longer necessary in relation to the purposes of the processing;
- where the data subject objects to the processing and there are no other legitimate interests prevailing for the processing;
- where personal data have been processed unlawfully.
(4) The right to request restriction of processing, meaning the right of the data subject to obtain from the Company the restriction of processing in the following cases:
- the data subject disputes the accuracy of the data (the restriction will last as long as it is necessary for the Company to verify the accuracy of the personal data);
- the processing is unlawful and the data subject opposes the erasure of the data, requesting instead the restriction of their use;
- the Company no longer needs the personal data for the above-mentioned purposes, but the data subject requests the personal data for the establishment, exercise or defense of legal claims; or
- the data subject has objected to the processing, for the period of time during which the Company verifies whether the legitimate rights of the Company prevail over the rights of the data subject.
(5) The data subject’s right to object to processing, meaning the data subject’s right to object to processing on grounds relating to his or her particular situation when processing:
- is based on the legitimate interests of the Company or a third party, including in the case of profiling activities based on this basis, or
- to the extent applicable, is carried out for the purpose of direct marketing communications involving profiling.
(6) The right not to be subject to an automated decision, which means that, as a user of our services, data subjects will not be subject to a decision based solely on automated processing of their data (including profiling) which produces legal effects concerning the data subject, or which similarly affects them to a significant degree.
(7) The right to data portability, meaning the right of Users to request the moving, copying or transfer of their personal data existing in the Company’s database to another database, in a structured, commonly used and machine-readable format, where the processing is based on consent or on a contract and is carried out by automated means.
(8) The right to lodge a complaint before the National Supervisory Authority for Personal Data Processing and to apply to the competent courts.
Users/data subjects may exercise the rights referred to in points (1) to (7) above by a written request, signed and registered with Corporate Counseling Services Sarl using the following contact details (for the attention of the Data Protection Officer): e-mail dpo@ccsint.ro.
In the request, the data subject has the opportunity to indicate whether he or she wishes the information to be communicated to a specific address (which may be an e-mail address) or by a courier service which ensures that the information is delivered personally.
The requested information will be communicated within 1 (one) month from the date of receipt of the request, respecting your possible communication options. If it is not possible to comply with the above-mentioned deadline, the User will be informed of the reason for the postponement of the reply, as well as the procedure envisaged for the resolution of his/her request and the estimated deadline.
In the event of a security incident/breach, the Controller shall notify the competent Supervisory Authority without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to lead to a risk to the rights and freedoms of data subjects. If the notification to the Supervisory Authority is not made within 72 hours, it shall be accompanied by the reasons for the delay. Corporate Counseling Services Sarl has drawn up its own procedure applicable to security breaches, which can be consulted on request.
If we materially change our personal data processing practices or this Policy, we will issue a revised Policy and/or take other steps to notify you of those changes in accordance with applicable law.
If you are dissatisfied with the way we process your data, we would prefer that you contact us directly so that we can resolve your concerns. However, if you still have any complaints, you can contact the National Supervisory Authority for Personal Data Processing (www.dataprotection.ro):
Address: Gheorghe Magheru, Bucharest, Romania; phone: +40.318.059.211 / +40.318.059.212; fax: +40.318.059.602; e-mail: anspdcp@dataprotection.ro.
The Controller will publish this Policy on its website (www.ccsint.com). In the event of a particular request by a data subject, the Controller will send this Policy directly to the data subject.
This Policy takes effect on the date of its publication.
The provisions of this Policy will also apply to data that is being processed at the time this Policy takes effect.
As of the Effective Date, this Policy replaces and repeals previous data processing policies in force at the Controller.