As of May 25, 2018, the new EU GDPR regulation has come into effect. In accordance with the new law, the processing of personal data (also referred to here as Personally Identifiable Information or PII) must now be carefully handled and monitored.
Our company will cooperate in good faith with you and the appropriate local authorities in order to ensure fulfillment of all our obligations under EU GDPR law regarding personal information processing and respecting your rights. To this end, our company uses advanced technical measures such as: cookie-less systems on our websites (target: zero cookies), stored data minimization, encrypted storage with key managed by our firm (not provided to third parties), time-limited processing, automated deletion of data when the storage period expires, using data processors that comply with GDPR regarding personal data processing, insulating the data from the processors wherever possible, websites with minimal attack surface, and other measures of security and data protection.
(A) IDENTITY AND CONTACT INFORMATION.
Your personal data is processed by our company, EMSAI INDUSTRIAL S.R.L., located in Bucharest. Registered Address: Str. Spatar Milescu 60, Sector 2, Bucharest, Romania. Registered with "Registrul Comertului" no. J40/10162/2000, fiscal registration number 13506540.
(B) EXPRESSING CONSENT FOR PERSONAL DATA PROCESSING
Websites with newsletter: You also have the possibility to subscribe to the newsletter by checking the second checkbox. By doing so, you express your consent to receive our newsletter, news and special offers by email. Afterwards you will also receive a confirmation email, and you need to confirm your option through that email (double opt-in). Every email also contains the Unsubscribe option, through which you can withdraw your consent at any time. After unsubscribing, you will no longer be emailed about our news and special offers.
(C) PURPOSE OF PROCESSING YOUR PERSONAL INFORMATION
I. INVOICING:
a) Electronic data collection of personal data
In order to complete an order, it is necessary to provide us with the following types of personal data: name, surname, email address, phone number(s), invoicing address, delivery address, orientation information for locating the delivery address. Furthermore, depending on your choices, the name, surname and phone number(s) of certain persons delegated by you (such as transporters) might be required in order to collect the order items. All this PII is subsequently stored in our databases and processed in order to perform the following operations: preparing and sending quotes and offers upon request; generating pro-forma invoices; processing orders; issuing invoices; and performing delivery through couriers and/or transporters, depending on the case. For this service the following information is supplied to couriers and transporters: name, surname, phone number(s), delivery address.
b) DIRECT COLLECTION OF PII
Furthermore, in order to issue an invoice there is also the possibility of collecting personal data directly from you, when you are present in person at our headquarters and placing an order in person.
II. NEWSLETTER SUBSCRIPTION (optional)
Any interested person can optionally subscribe to our newsletter; if you intend to do so, you will supply us with your name, surname and e-mail address. Our company uses a double opt-in method, in accordance with local regulations, which means that our news and offers will be emailed only to those persons who have explicitly given consent in this matter. Important: Our company does not send spam and we do not tolerate spam at all.
IV. OUR SERVERS
The servers that host our websites automatically collect certain pieces of information in the form of log files (like any other average website or server). These log files contain the IP addresses of our visitors and are used for security measures; the processing is described below in this document.
(D) TARGET OF PERSONAL DATA
If you have opted for sending the ordered items through a courier/transporter, your personal information will be communicated to the courier/transporter in order to ensure the delivery of your order and for the duration of it. In Romania, we use the services of FAN Courier Express S.R.L., but there is also the possibility that you might opt for a different courier or transporter, where this is technically possible.
Upon delivery of your orders, the courier / transporter will delete your personal data.
(E) DURATION OF PERSONAL DATA STORAGE
Our company respects your right to privacy regarding personal information provided in order to perform the services requested, this being the sole purpose of processing.
The information collected through online orders placed via the shopping cart on our websites is temporarily stored in an order database for 30 days. After this term expires, your personal data is automatically deleted from this temporary database.
The emails you send to us in order to place an order and/or to request an offer are stored for 3 years from completion. When this term expires, your emails are permanently deleted.
Furthermore, your personal data used for invoicing is processed by our financial department for accounting and legal compliance purposes, being stored in electronic and/or paper format for 10 years, starting with the end of the current fiscal year. When this term expires, your personal data is deleted and the paper documents are securely destroyed.
(F) MEASURES TAKEN TO PREVENT SECURITY INCIDENTS
We periodically review and delete unnecessary personal data. Consequently, we only ask you to provide the data needed for fulfilling your order and/or issuing an invoice.
Our shopping cart(s), like any other system we have that collects personal data, are secured by SSL encryption (https://), and therefore your data is safe in transit.
We currently do NOT use persistent cookies. We used cookies in the past (before May 25, 2018), specifically the "cart_id" cookie used for identification of shopping cart contents, as well as in statistics and navigation. This cookie is no longer used starting with May 25, 2018. If your browser still holds it, the website system will try to automatically delete this cookie when you revisit our site, and in any case it will no longer be used.
We have a general "cookie-less" implementation in order to meet the data protection needs of our clients. We perform website reviews periodically in order to prevent the appearance of any unwanted cookies.
Statistical data (visitor count, traffic count and so on) is anonymized before storage, and therefore it no longer contains PII.
Our web server logs are stored for security purposes and to identify technical errors for 5 years, and then they are deleted, except in cases when longer storage is needed for justified reasons; in such cases they can be stored for 7 years at most.
The server logs contain your IP addresses, browser signature, URL, date and time, as well as the referer of the page being visited. These logs are processed strictly as a security measure and/or in order to identify technical errors.
Our clients' data is stored in servers hosted by OVH, one of the world leaders in the field. You can find more information here: (OVH DPA). OVH is a GDPR compliant host. Furthermore, they make use of a full virtualization system (KVM) that offers a high degree of data insulation between our databases and the host. OVH also certifies their compliance with EU-US Privacy Shield.
Our databases containing PII are fully encrypted, and we store our own encryption keys. In this way, the data is insulated against the host/processor, and they have no direct access to it.
Our clients' data is also saved in automated backup systems that comply with GDPR, such as CrashPlan (CrashPlan DPA) and iDrive (iDrive DPA), as well as on our own servers. Both backup systems mentioned earlier are certified as in compliance with the EU-US Privacy Shield for transfers in third-party countries. Furthermore the data is stored in encrypted format, and we hold our own encryption keys. As a result, the data is insulated against these data processors and they do not have direct access to the data.
(G) YOUR RIGHTS AND WAY TO ENFORCE THEM
i) Your right to access the data: the right to request a copy of your own personal data being stored and processed by our company, but also, if possible and reasonable, information such as: the categories of data being processed, available information regarding the source of the data, commercial purposes of processing, retention period (or the criteria to establish the retention period), third-party categories of receivers of PII, as well as information regarding the logical mechanism applied and potential negative consequences it might have for you, information regarding the existence of the right to intervene on the data and the right to opposition, as well as the conditions in which they can be exercised;
ii) Right to opposition: the right to oppose, at any moment and for reasons related to your particular situation, the processing of your personal data by our company. The right to opposition gives you the possibility to request our company to stop processing your personal data. In the event that you decide to exercise this right, our company will no longer process your PII for the specified purpose. Exercising this right does not incur any cost for you. This right might be invalidated, specifically if processing of your personal data is necessary for the formalities regarding entering a contract or fulfilling an existing contract;
iii) Right to data portability: the right to receive the personal data we have stored in a structured, common, machine-readable format, and the right to transmit this data to another entity without objection on our part;
iv) Right to withdraw your data processing consent: you have the right to withdraw the consent you gave us for the processing of your personal data, at any given time and in a way as simple as the one used to give consent. Withdrawing consent does not have to be justified by you;
v) Right to data correction: the right to request our company to correct your incorrect personal data, as well as the right to complete your incomplete personal data whenever necessary;
vi) Right to data erasure ("right to be forgotten"), with certain exceptions: in the cases when our company has a legal obligation to continue retaining your PII; in the cases when your data is used for archiving purposes for a public interest or statistical reasons; in the cases when the data is needed in order to verify, exercise or defend a right in court;
vii) Right to restrict the processing: the right to request restriction of processing your personal data. In such case, your PII will be marked and processed by us only for some specific reasons;
viii) The right to complain to our authority "Autoritatea de Supraveghere a Prelucrarii Datelor cu Caracter Personal In Romania" (A.N.S.P.D.C.P.), address: B-dul G-ral Gheorghe Magheru nr. 28-30, Sector 1, cod postal 010336, Bucuresti, Sector 1, Romania - in the form of a written request, at the authority headquarters, or electronically via the email address: email@example.com.
The rights mentioned above from i) to vii) can be exercised by sending us a request, either in person at our headquarters, or through electronic means, by using the email address gdpr
.ro , while providing sufficient identity information to allow us to securely identify you.
Any request or complaint regarding your personal data processing should be transmitted in writing by email, to the address gdpr
.ro , in the attention of the company's data protection officer or assigned person.
We continuously commit to respecting and improving the privacy of our clients. Any suggestions for doing so and for improving our processing and privacy are welcome.
[ End of Document ]