In order to align to the Regulation (UE) 2016/679 on protection of natural persons with regard to the processing of personal data on the free movement of such data, the National Bank of Romania Printing Works established internal implementation rules, as the Regulation states.
This policy aims at informing you about the way National Bank of Romania Printing Works (RAIBNR) (hereinafter referred to as the controller or RAIBNR) processes your personal data according to the Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and according to the applicable national law. RAIBNR is concerned about ensuring a high level of protection for your personal data, processing it under the provisions of the applicable law.
2. Our activity
Personal data – refers to all the information regarding an identified or identifiable natural person (hereinafter referred to as the data subject). An identifiable natural person is a person that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identificator or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing – means any operation or set of operations, performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special categories of personal data – are those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sexual orientation.
Controller – is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (in the present case: RAIBNR).
Data subject – represents the natural person whose personal data is collected, held or processed.
The site – represents the means of communication and is reachable at the following address: www.imprimeriabnr.ro.
4. How and when we process your personal data?
RAIBNR, as a controller, processes data that are voluntarily provided or that automatically enters in its possession, by either of the methods: verbal, written, visiting the website www.imprimeriabnr.ro, by e-mail communication or other methods, according to GDPR and national law provisions, compatible with the purpose for which the personal data were initially collected.
5. Legal basis
RAIBNR processes personal data:
a) for compliance with the legal obligations of the controller according to the aplicable national law regarding data protection (Law no.190/2018 regarding implementing measures of GDPR, Law no. 333/2003 regarding the safeguarding and protection of objectives, goods, values and persons, labour law, accounting and financial law, security law, labour health and social protection law) and applicable european law (GDPR, Directive 2016/680/CE, Directive 2002/58/CE). We must mention here the possibility of processing your personal data whenever the legislation referring to emergency or lock down situations will require it in Romania.
b) for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
c) for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
d) after obtaining the consent of the data subject for processing the personal data for one or more purposes
e) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – which means that we can process personal data for the purposes of the prevention, detection or prosecution of criminal offenses.
f) to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (for example – a medical emergency). We would like to inform that in some cases, your refusal to submit personal data could result in failure to concluding the contract.
6. Purposes of the processing
We process your personal data (including the video images) for the purposes of carrying out the obligations and exercising specific rights, for the purpose of the prevention, investigation, detection of facts which are such a nature as to prejudice the security of natural persons, the patrimony of the organisation and the public and private properties, as well as for compliance with the adopted internal rules. We also process your personal data for the purpose of carrying out our activity regarding the supply of products, the conclusion and performance of contracts, labour contracts, recruitment, compliance with the obligations and for our legitimate interest.
7. Categories of personal data
We process data such as: name, surname, address, personal identity code, ID serial number, date
and place of birth, job, occupation, profession, civil status, criminal record, image (photo, video), phone number, email address, professional qualification, salary, work schedule, payments, benefits, bank details, health information, signature, employment information, used browser, operation system, moment and type of accessed document on internet pages and other technical information.
RAIBNR processes special personal data in compliance with the provisions of art. 9. alin (2), under the obligation to maintain professional confidentiality and by adopting adequate security measures in the following situations:
a) if processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection;
b) if processing is necessary for the purpose of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, on the basis of Union or Member State law or pursuant to contract with a health professional subject.
The collection of information is made using the following methods: directly from you (voluntarily or automatically) or from external sources.
RAIBNR carries out video monitoring system processing activities that exist inside and outside of our premises. If a visitor refuses to provide the requested information or to have his image processed by us, RAIBNR reserves the right to refuse the person’s access in the premises.
8. The source of the personal data
The data come either directly from you, voluntarily or automatically, or are transmitted from other external sources.
9. Data subject categories
We process personal data of our collaborators, partners/legal representative or delegates, employees, visitors and any other persons coming into contact with RAIBNR by specific means which imply processing of personal data.
10. Recipients of the personal data
The recipients of personal data are: the General Manager and the employees of RAIBNR, depending on the purpose of the processing. External recipients are (but without limitation): taxation authorities, service providers, our clients, meal tickets providers, medical benefits providers, auditors, various authorities and public institutions, etc.
RAIBNR safely keeps the entrusted data and does not reveal or transfer them to third parties, unless the situations are expressly laid down by law or whenever this is necessary for the collection purpose.
11. Storage period
RAIBNR processes personal data no longer than is necessary for the purpose for which the personal data were collected. In some cases, data needs an extened storage period, taking into account various legal obligations or the ones stated in the Archive Nomenclature of the organisation. Also, the data will be kept for an extended period of time in the case of a dispute for whose resolution the data are required. In this case, the data will be deleted when they will not be necessary anymore.
12. The transfer of personal data
We do not transfer your data to states inside or outside the Union, except for the situations expressly provided by law or whenever this is necessary for the purpose of the collection. We will keep you informed of any changes that may arise on this aspect, by renewing the present policy.
13. Technical measures and organizational arrangements
RAIBNR is involved in your personal data protection, by implementing technical measures and organisational arrangements in order to ensure an appropriate level of security against unauthorised access, illegal or accidental destruction or damage, revealing, inappropriate use or loss of your personal data. RAIBNR employees have committed themselves to confidentiality by signing non-disclosure agreements.
14. Minor protection
15. Automated processing
16. Data subject rights
According to GDPR provisions, you have the following rights:
a) Right of access – you can request the controller:
– to obtain from confirmation as to whether or not your personal data are being processed
– access to a copy of your personal data
– to provide information about your personal data, such as: the categories of personal data, the purposes of the processing, the recipients or categories of recipients of your personal data, the period of time for which the personal data will be stored – or if that is not possible, the criteria used to determine that period- , your rights, how you can lodge a complaint, the source of your data.
b) Right to rectification – you can ask to have incomplete personal data completed.
c) Right to erasure (“right to be forgotten”) – You have the right to obtain from the controller the erasure of your personal data without undue delay where one of the following grounds applies:
– the personal data no that are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– you withdraw consent on which the processing in based on;
– you exercise your right to object;
– the personal data have been unlawfully processed;
– personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
We inform you that we do not have the obligation to erase the data if processing is necessary for:
– compliance with a legal obligation;
– the establishment, exercise or defence of legal claims;
– archiving or statistical purposes;
– reasons of public interest in the area of public – according to art. 9 (2) h) and i) GDPR.
These should be considered to be compatible lawful processing operations.
d) Right to restriction of processing – You have the right to obtain the restriction of the processing where one of the following applies:
– when you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
– when the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use;
– when we no longer need the personal data for the purpose of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
– when you have objected the processing pending the verification whether our legitimate grounds override your legitimate grounds.
e) Right to data portability – in case the personal data are processed in the context of a contract or based on your consent, you can ask us to transmit those data in a structured, commonly used and machine readable format to another controller.
f) Right to object – You have the right to object at any time to processing of personal data in the following situations:
– for the performance of a task carried out in the public interest or in the exercise of official authority;
– for the purposes of the legitimate interests pursued by the controller or by a third party;
In these cases, we shall no longer process your personal data, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise of defence of legal claims.
The right to object cannot be exercised relating to the personal data processed in the contrext of a contract.
g) The existence of automated decision-making – you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects. This should not be applied if the decision:
– is necessary for entering into, or perfomance of a contract;
– is based on your explicit consent;
– the decision is authorised according to the legal provisions , also offering appropriate measures to obtain human intervention from the controller, to express your opinion and contest the decision.
As mentioned at point 15, we are not in the presence of an automated decision-making system in the terms of art. 22 GDPR.
e) The right to lodge a complaint – We shall make reasonable effort to resolve the disputes that may arise in our activity. We inform you that you have the right to lodge a complaint with the supervisory authority “The National Supervisory Authority for Personal Data Processing”.
17. Links to external websites
Our website contains links to other websites, with their own privacy policies, thus RAIBNR not being responsible for the content of these sites and for other privacy policies.
The present policy shall apply only to RAIBNR website – www.imprimeriabnr.ro, so when moving to other site by any links, please refer to their specific policies. You are the only one responsible for transmitting personal data on other websites.
18. How you exercise your rights
For exercising your legal rights in relation to the processing of your personal data and in case you have any questions about this subject, you may contact the Data Protection Officer by email, at firstname.lastname@example.org, or at the address 198-202 Luica street, Bucharest, 4th district, Romania, 040994.
In order to identify you at the moment of the request, you should provide the proof of your identity (a copy of your identity card).
All the requests shall be processed with no payment, except for the cases when we shall consider these are repetitive, excessive or manifestly unfounded and we are allowed in these situations to charge a reasonable fee. This will be brought to your attention before processing the request. The response deadline is 1 month from the moment of the receiving of the request, with the mention that the time limit may be extended by up to 2 months if necessary, considering the complexity and the number of the requests.
What is a cookie?
A cookie, term known as “browser cookie” or “HTTP cookie”, is a small size file made up of letters and numbers, that is stored on the users’ computer, phone or other equipment used for accessing the internet. The cookie is sent by a request emitted by the host web-server of the site to the user’s browser (ex: Firefox, Internet Explorer, Chrome, etc) and it is completely “passive”, meaning that it does not contain software, viruses or spyware and it cannot access the information on the user’s hard drive.
Cookies do not request personal data in order to be used and, generally, cannot identify the internet users.
The site www.imprimeriabnr.ro is extremely restrictive regarding cookies use and it utilises only the following types of cookies:
– Session ID – temporary files that remain in the user’s terminal until the end of the session or the closing of the browser;
– Default size – files that remain in the user’s terminal for a defined period of time or until they are manually
deleted by the user.
While browsing through our website, the browser automatically generates information about your visit – only the needed ones for the displaying the content of the site, such as: used browser, operating system, moment of access, page, document and other technical information.
The use of the cookies
Generally, the browsers are by default preset to accept cookies, offering the user the possibility to change this option, usually from the menu Options/Settings or Preferences/Favorites of the browser. The enabling of the cookies is not strictly necessary for a site operation, but it can improve the browsing experience. The user has the option to selectively accept or block the cookies for certain sites or domains. The deactivation or refusal to receive cookies may turn the browsing into a cumbersome activity, certain sites becoming this way impracticable.