CHAPTER 1. PURPOSE
The purpose of this policy is to establish the necessary measures and responsibilities of MasterDieselSystem employees to fulfill their obligations regarding the guarantee and protection of the fundamental rights and freedoms of individuals, in particular the right to privacy, family and private life, regarding the processing of personal data.
CHAPTER 2. SCOPE:
This policy applies to all MasterDieselSystem employees with personal data processing responsibilities and / or, as the case may be, to the authorized persons.
CHAPTER 3. TERMS AND DEFINITIONS:
ANSPDCP = National Authority for the Supervision of Personal Data Processing;
Personal numerical code (CNP) = a significant number that uniquely individualizes a natural person, constituting a tool for verifying that person's marital status and for identifying that person in certain computer systems by authorized persons;
Personal data = any information relating to an identified or identifiable natural person; an identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity;
Personal data with identification function of general applicability (special data) = numbers by which a natural person is identified in certain record systems and which have general applicability, such as: personal numerical code, identity document series and number, passport number, driving license number, social or health insurance number;
Anonymous data – data that, due to its specific origin or method of processing, cannot be associated with an identified or identifiable person;
Operator – any natural or legal person, private or public law, including public authorities, institutions and their territorial structures, which establishes the purpose and means of processing personal data; if the purpose and means of processing personal data are determined by a normative act or on the basis of a normative act, the controller is the natural or legal person, of public or private law, who is designated as controller by that normative act or based on that normative act;
Person authorized by the controller – a natural or legal person, private or public law, including public authorities, institutions and their territorial structures, who process personal data on behalf of the controller;
Person responsible for the personal data security policy – the person responsible for the proper functioning of the complex information protection system containing personal data, as well as for the elaboration, implementation and monitoring of compliance with the provisions of the security policy of the personal data holder;
Processing of personal data – any operation or set of operations performed on personal data, by automatic or non-automatic means, such as collecting, recording, organizing, storing, adapting or modifying, extracting, consulting, using, disclosing to third parties by transmission, dissemination or in any other way, joining or combining, blocking, deleting or destroying;
Storage – storage of any personal data collected on any medium;
User – any person acting under the authority of the operator, the authorized person or the representative, with a recognized right of access to personal databases.
CHAPTER 4. REFERENCE DOCUMENTS:
• Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data, as subsequently amended and supplemented;
• Order of the People’s Advocate no. 52 of 18/04/2002 regarding the approval of the Minimum Security Requirements for the processing of personal data
• ANSPDCP decision no. 52/2012 on the processing of personal data through the use of video surveillance
• ANSPDCP decision no. 90 of 18/07/2006 on establishing the cases in which it is not necessary to notify the processing of personal data
• ANSPDCP decision no. 100 of 23/11/2007 on establishing the cases in which it is not necessary to notify the processing of personal data
• ANSPDCP decision no. 132 of 20/12/2011 regarding the conditions of processing the personal numerical code and other personal data having a function of identification of general applicability
CHAPTER 5. SPECIFICATIONS:
5.1. GENERAL RULES
Minimum security requirements are considered a complex of technical, IT, organizational, logistical measures, procedures and security policies to ensure the minimum level of security provided in art. 20 of Law no. 677/2001, in accordance with the minimum security requirements for the processing of personal data, approved by Order 52 of April 18, 2002 of the People’s Advocate.
MasterDieselSystem has taken appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access. In this sense, at the level of MasterDieselSystem, persons responsible for compliance with the provisions of Law no. 677/2001 have been appointed.
MasterDieselSystem has taken steps to secure the storage of personal data so as to ensure an adequate level of protection and security within the meaning of Law 677/2001.
In order to fulfill the related legal provisions and in order to satisfy the requirements of keeping data and information safe, the institution has elaborated and implemented organizational and technical measures oriented on certain directions of action:
– User identification and authentication
– Type of access
– Data collection
– Execution of backups
– Computers and access terminals
– Access files
– Staff training
5.2. SPECIFIC PROCEDURES
5.2.1 User identification and authentication
In order to gain access to personal data, users must log in to MasterDieselSystem’s computer systems. Authentication within the computer systems of MasterDieselSystem is done by entering the unique and non-transferable authentication credentials acquired as a result of the process of enrollment and management of the electronic identity, governed by the security policies in force.
Each user has their own identification code (username). The same ID code is never assigned to multiple users, and it cannot be shared by multiple people.
Identification codes (or user accounts) that remain unused for a longer period of time are deactivated and destroyed after prior checking.
Any user account is accompanied by a means of authentication, by entering an authentication key such as a password, a digital certificate or a response generated by a token.
Passwords are character strings whose length and composition are appropriate in terms of security. When passwords are entered, they are not displayed in clear on the monitor. Passwords are changed periodically according to the MasterDieselSystem security policies (Information Security Policy – Logical Security). The periodic change of passwords is done only by authorized users.
Any user who receives an identification code and a means of authentication is obliged by the job description to maintain their confidentiality and to be accountable to the operator.
The entity's own procedure for the administration and management of user accounts is established. Certain users are authorized to revoke or suspend an identification and authentication code if its user has resigned or been fired, has terminated their contract, has been transferred to another service and the new tasks do not require access to personal data, has abused the codes received, or will be absent for a long period established by the entity.
5.2.2. Type of access
Users should only access the personal data necessary for the performance of their duties. For this, the types of access must be established by functionality (administration, input, processing, saving, etc.) and by actions applied to personal data (write, read, delete), as well as the procedures for these types of access.
The department that provides technical support may have access to personal data to resolve incidents and problems with the use of computer systems.
Other specific measures implemented for access control are:
– burglar alarm systems are installed in the spaces intended for the activity of the institution;
– video surveillance systems are installed in the space related to the entrance to the institution;
– monitoring and intervention in case of alarm is provided by a protection and security company.
5.2.3. Data collection
MasterDieselSystem designates authorized users for the collection and input of personal data into information systems.
Any modification of personal data must be made only by designated authorized users.
MasterDieselSystem will arrange for information systems to record who made the change in personal data, the date and time of the change. For better management, measures will be put in place to keep information systems from deleting or altering data.
5.2.4. Execution of backups
MasterDieselSystem has set the time frame for backing up databases containing personal data as well as the programs used for automated processing.
Users who perform these backups are appointed by MasterDieselSystem, in a limited number.
The backups are stored in a safe box with restricted access to IT personnel, located in a different location than the one where the backup is performed.
Access to backups must be monitored.
Systems that manage personal data must be protected, through periodic backups, against loss or destruction of data or of the computer system.
5.2.5. Computers and access terminals
Computers and other personal data access terminals located in the MasterDieselSystem premises will be installed in rooms with restricted access.
Where these conditions cannot be met, the computers will be installed in lockable rooms. If personal data appearing on the screen is not acted upon for a certain period of time, set by MasterDieselSystem, the work session will close automatically. The length of this period is determined by the operations to be performed.
The access terminals used in relation to the public, on which personal data appear, will be positioned so that they cannot be seen by the public and after a short period, established by MasterDieselSystem, in which they are not acted upon, they will be hidden or the work session will be closed.
Servers that host personal data can only be accessed in a controlled manner, based on access rights, according to the group’s security policies, as adopted by MasterDieselSystem.
Mobile storage media (CD / DVD, USB Stick, Portable HDD) containing personal data are not permitted outside the institution, except with the prior approval of the institution’s management.
5.2.6. Access files
MasterDieselSystem makes sure that any access to the personal database is recorded.
For automatic processing, this information is stored in a general access file or in separate files for each user. Any unauthorized access attempt will also be recorded.
MasterDieselSystem will keep the access files for at least 2 years to be used as evidence in case of investigations. If investigations continue, these files will be kept for as long as deemed necessary.
The access files make it possible for the MasterDieselSystem or the authorized person to identify the persons who have accessed personal data without a specific reason, in order to apply sanctions or notify the competent bodies.
5.2.7. Telecommunication systems
MasterDieselSystem periodically reviews user accounts and privileges for malfunctioning information systems.
Information systems will be designed so that personal data cannot be intercepted or transmitted from anywhere.
Through telecommunications systems, personal data will be transmitted through a secure channel. Personal data transferred to external or insecure security zones will be encrypted. All the provisions of the document Information Security Policy – Network and Firewall are applicable.
5.2.8. Staff training
The staff of MasterDieselSystem is informed about the provisions of Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data, the minimum security requirements for the processing of personal data, as well as the risks involved in the processing of personal data.
Users who have access to personal data will be instructed on the confidentiality of that data and will be notified by messages that will appear on the monitors during the activity.
Users are required to log out when they leave work.
All the provisions of the document Information Security Policy – Proper Use of IT Systems are applicable.
5.2.9. Using computers
In order to maintain the security of the processing of personal data (especially against computer viruses), the following measures must be taken:
– prohibiting the use by users of software programs that come from unverified sources;
– informing users about the danger of computer viruses;
– implementation of automated antivirus and malware protection systems and information systems security;
– disabling the possibility of copying or printing personal data displayed on the screen outside the normal business flows.
5.2.10. Data printing
Personal data will be sent to the printer only by users authorized by MasterDieselSystem for this operation.
5.2.11. Manual processing of personal data
Documents containing personal data will be kept in locked files or lockers or with another security mechanism. Documents containing personal data, used for the performance of certain operations will be handed over to the competent persons or will be closed immediately after their completion.
5.3. PRINCIPLES UNDERLYING THE PROCESSING OF PERSONAL DATA
The processing of personal data is carried out in compliance with legal requirements and under conditions that ensure security, confidentiality and respect for the rights of data subjects.
The processing of personal data is done in compliance with the following principles:
• Notification: MasterDieselSystem is registered as an operator in the General Register of records of personal data processing with the numbers …………………., for the collection, processing and storage of personal data of customers / potential customers, beneficiaries of insurance, family members of the data subjects or their legal representatives, insurance agents for the purpose of insurance and reinsurance services, marketing activities, research studies, direct-mailing actions, as well as for their transfer to European Union countries, in order to carry out these activities.
• Legality: The processing of personal data is done on the basis and in accordance with legal provisions;
• Well-defined purpose: Any processing of personal data is done for well-defined, explicit and legitimate purposes, adequate, relevant and not excessive in relation to the purpose for which they are collected and subsequently processed;
• Confidentiality: The persons who process personal data on behalf of MasterDieselSystem have a confidentiality clause provided in their job description, an annex to the individual employment contract;
• Consent of the data subject: Any processing of personal data, except for data processing of the categories strictly mentioned in Law 677/2001, can be performed only if the data subject has given his express and unequivocal consent to that processing;
• Information: The data subjects are aware that their personal data will be processed;
• Protection of data subjects: The rights of data subjects are set out in point 5.6.
• Security: The security measures of the personal data are established in such a way as to ensure an adequate level of security of the personal data processed.
5.4. THE PROCESSING OF PERSONAL DATA HAVING A GENERAL APPLICATION IDENTIFICATION FUNCTION, INCLUDING THEIR DISCLOSURE TO THIRD PARTIES, IS DONE ONLY IN THE FOLLOWING CONDITIONS:
a) the data subject has expressly given his / her consent; or
b) the processing is expressly provided by a legal provision; or
c) in other cases, with the approval of the National Authority for the Supervision of Personal Data Processing and only with the condition of establishing adequate guarantees for the observance of the rights of the data subjects.
MasterDieselSystem respects the principle of adequacy, relevance and non-excess, as well as the confidentiality and security measures of the processing. In the case referred to in point c) above, the following aspects shall be taken into account:
• the purpose of the processing is to be determined, explicit and legitimate;
• establishing and applying measures to ensure the exercise of the rights of data subjects;
• the duration of data storage should be for the period strictly necessary to fulfill the purpose, after which the data will be deleted or destroyed, as the case may be;
• establishing the modalities of access to the record systems in order to collect the data, according to which the appropriate technical and organizational measures for data protection will be established and observed;
• use of data only within the established purpose;
• disclosure to other recipients is prohibited, unless there is the consent of the data subject or an express legal provision;
• the designation, in writing, of the person / persons who will process the data and who must assume the responsibility of maintaining their confidentiality, the list keeping record of these persons being updated whenever required;
• the appointment, in writing, of a person specialized in information security to ensure the processing of data, including the proper functioning of the computer systems used in this activity;
• establishing an information security plan that includes, mainly, the technical security on the IT plan and the security of the spaces where the data is processed, taking into account the minimum security requirements;
• establishing, in writing, the rights and obligations of the controller who transmits the data and of the controller who receives them.
The collection and processing of personal data having a function of identification of general applicability, including their disclosure, by making and retaining copies of the identity card or of the documents containing them, are prohibited, except for the situations provided in points a), b) and c) above.
5.5. PROCESSING OF PERSONAL DATA THROUGH THE USE OF VIDEO SURVEILLANCE SYSTEMS
The processing of personal data through the use of video surveillance systems is carried out in compliance with the general rules provided by art. 4 of Law no. 677/2001, with subsequent amendments and completions.
Video surveillance cameras are mounted in visible places.
The processing of personal data by means of video surveillance is done in order to achieve legitimate interests, without prejudice to the fundamental rights and freedoms or the interest of data subjects. It is not allowed to process the personal data of the employees by means of video surveillance inside the spaces / offices where they carry out their activity at work, except for the situations expressly provided by law or the ANSPDCP approval.
MasterDieselSystem, as an operator that processes personal data by means of video surveillance is obliged to provide the information provided in art. 12 para. (1) of Law no. 677/2001, as subsequently amended and supplemented, including:
a) the existence of the video surveillance system and the purpose of data processing by such means;
b) the identity of the operator;
c) the existence of the recording of images and the categories of their recipients;
d) the rights of the persons concerned and the manner of exercising them.
The above information must be made known to the data subjects clearly and permanently.
The existence of the video surveillance system is signaled by a pictogram containing a representative image with sufficient visibility and positioned at a reasonable distance from the places where the video surveillance equipment is located.
The processing of personal data by means of video surveillance may be carried out only by persons authorized by MasterDieselSystem (own personnel or persons authorized by the operator), trained in the legislation on the protection of personal data and obliged to comply with it.
The storage time of data obtained through the video surveillance system is proportionate to the purpose for which the data is processed, but not more than 210 days, except in situations expressly regulated by law or in duly justified cases.
At the end of the established period, the records are destroyed or deleted, as the case may be, depending on the medium on which they were stored.
5.6. THE RIGHTS OF PERSONS WHOSE PERSONAL DATA IS COLLECTED AND / OR PROCESSED
5.6.1. The right to be informed
(1) Where personal data are obtained directly from the data subject, MasterDieselSystem shall provide the data subject with at least the following information, unless that person already has that information:
a) the purpose for which the data is processed;
b) additional information, such as: recipients or categories of recipients of the data; if the provision of all required data is mandatory and the consequences of refusal to provide them;
c) the existence of the rights provided by law for the data subject, in particular the right of access, intervention on the data and of the opposition, as well as the conditions under which they may be exercised;
d) any other information the provision of which is required by order of the supervisory authority, taking into account the specifics of the processing.
(2) Before completing the personal data, the consent of the data subjects is requested, for their processing;
(3) The registration number communicated by the National Supervisory Authority shall be mentioned in any document by which personal data are collected, stored or disclosed;
(4) The buildings that are video-surveilled will have, at the entrance, displayed in a visible place, the information regarding the taking and storage of images.
(5) The Privacy Policy is posted on the MasterDieselSystem website (www.masterdieselsystem.com);
5.6.2. The right to access data
Any data subject has the right to obtain from MasterDieselSystem (as an operator), upon request and free of charge for one request per year, confirmation of whether or not the data concerning him are processed by the operator.
MasterDieselSystem is obliged, in the event that it processes personal data concerning the applicant, to communicate to him, together with the confirmation, at least the following:
a) information regarding the purposes of the processing, the categories of data considered and the recipients or categories of recipients to whom the data are disclosed;
b) the communication in an intelligible form of the data which are the object of the processing, as well as of any available information regarding the origin of the data;
c) information on the operating principles of the mechanism by which any automatic processing of the data concerning the respective person is performed;
d) information regarding the existence of the right to intervene on the data and the right of opposition, as well as the conditions under which they can be exercised;
e) information on the possibility to file a complaint to the supervisory authority, as well as to address the court to appeal the decisions of the operator, in accordance with the provisions of the law.
Note:
(1) The data subject may request from MasterDieselSystem the information provided by law, through a written request, signed and registered at the company’s registry. In the application, the applicant may indicate whether he / she wishes the information to be communicated to a specific address, which may also be by e-mail, or through a correspondence service to ensure that it is delivered only in person.
(2) MasterDieselSystem is obliged to communicate the requested information, within 15 days from the date of receipt of the request, in compliance with the possible option of the applicant.
5.6.3. The right to intervene in the data
Any data subject shall have the right to obtain from the operator, upon request and free of charge:
a) as the case may be, the rectification, updating, blocking or deletion of data whose processing is not in accordance with the law, in particular incomplete or inaccurate data;
b) as the case may be, the transformation into anonymous data of the data whose processing is not in accordance with the law.
5.6.4. The right of opposition
The data subject has the right to object at any time, for good and legitimate reasons related to his or her particular situation, to data which is intended to be processed, unless otherwise provided by law. In the event of justified opposition, the processing may no longer target the data in question.
5.6.5. The right not to be subject to an individual decision
(1) Everyone has the right to request and obtain the withdrawal / annulment / re-evaluation of any decision having legal effect on him or her, taken solely on the basis of the processing of personal data by automatic means, intended to assess certain aspects of his personality, such as professional competence, credibility, his behavior or other such aspects.
(2) Respecting the other guarantees provided by law, a person may be subject to a decision of the nature referred to in para. (1), only in the following situations:
a) the decision is taken in the conclusion or performance of a contract, provided that the request for conclusion or performance of the contract, submitted by the data subject, has been satisfied or that some appropriate measures, such as the possibility to support his point of view, guarantee the defense of his own legitimate interest;
b) the decision is authorized by a law specifying the measures that guarantee the protection of the legitimate interest of the data subject.
5.6.6. The right to go to court
(1) Without prejudice to the possibility of appealing to the supervisory authority, the persons concerned shall have the right to go to court for the defense of any rights guaranteed by law which have been violated.
(2) Any person who has suffered damage as a result of an unlawful processing of personal data may apply to the competent court for reparation of that damage.
5.7. COMMUNICATION OF PERSONAL DATA
(1) Personal data may be communicated between MasterDieselSystem and its proxies or between MasterDieselSystem or its proxies and other public institutions or bodies or entities governed by public or private law in one of the following situations:
a) if the data subject has given his / her express and unequivocal consent for the communication of his / her data;
b) without the consent of the data subject in the cases provided by law.
(2) The communication of personal data in the situations provided in par. (1) may be made if one of the following conditions is met:
a) the communication is made on the basis of a contract or, as the case may be, a cooperation document which must include at least: the registration number of the notification, the legal basis of the processing and its purpose, the maximum processing time, the rights and obligations of the parties, the modalities of ensuring the security of the processing and of respecting the rights of the data subject, as well as the mention that the data can be used only by the beneficiary structure and only for the purpose for which they were requested;
b) the communication is made on the basis of a written request, which must include the legal basis, the purpose of the processing and the requested data, as well as, if applicable, the number assigned to the beneficiary by the National Supervisory Authority.
(3) The communication of personal data can also be done online, in compliance with the provisions of par. (1) and (2) and ensuring the security of personal data communication systems.
(4) Personal data in respect of which the data subjects have exercised the right of opposition, and that right has been recognized, may not be processed.
(5) Requests for the communication of personal data addressed to MasterDieselSystem must contain the identification data of the applicant, as well as the motivation and purpose of the request, according to the legal provisions.
(6) Requests that do not contain these elements shall be returned for completion, and those that do not fall under the conditions provided by law shall be rejected, stating the reasons why the communication of personal data is not possible.
(7) Prior to the communication of personal data, MasterDieselSystem shall verify that they are accurate and, where appropriate, up-to-date.
(8) In case it is found that incorrect or outdated data have been transmitted, MasterDieselSystem has the obligation to inform the recipients of those data about their non-compliance, mentioning the data that have been modified.
(9) When communicating personal data, MasterDieselSystem warns the recipients of the prohibition on processing the data for purposes other than those specified in the communication request.
5.8. TECHNICAL MEASURES REGARDING THE PROCESSING OF PERSONAL DATA
All documents containing personal data are recorded and follow the rules of storage, processing, multiplication, transport, transmission, destruction and archiving established by the Law on National Archives and by internal procedures.
Note: This document is supplemented by the full set of security policies / procedures approved by the MasterDieselSystem management and in force.