Within the processing activity performed on the XCODES DEVELOPMENT`s website, a variety of personal data is used, such as customer`s data or data from users of the website.
The processing activity of these personal records is governed by General Data Protection Regulation:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR", "GDPR legislation") which explicitly covers the processing activities of personal data, to what extends do entities process personal data and their roles and responsibilities.
The general data protection regulation (“GDPR”)
General Data Protection Regulation (GDPR) is the most important piece of legislation which directly affects the means by which XCODES DEVELOPMENT S.R.L. (hereinafter referred to as "Company") is processing personal data.
The present policy includes the main rules and procedures used by the Company in its processing activities developed within the website. It governs all the processing activities done on the website and provides a clear image of all GDPR requirements applied.
Any legislation, decree, decision, resolution, regulation or secondary legislation from the European/National authorities and/or National Supervisory Authority concerning the processing, confidentiality and use of personal data, including:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Legislation provided by the National Supervisory Activity.
Any European and/or local piece of legislation mentioned above, any guidelines, codes of conduct, certification mechanism approved by The National Supervisory Authority and/or European Data Protection Board throughout the period in which they are in force and also any legislative act which amend or replace them over the time.
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
“The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.
“A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
National Supervisory Authority
“An independent public authority which is established by a Member State”.
More information about National Supervisory Authorities from EU member states are available on https://edpb.europa.eu/about-edpb/board/members_en.
Principles on processing personal data
The personal data principles impose that the processing of personal data shall be made accordingly.
The principles of processing are detailed in Art. 5 GDPR as follows:
Lawfulness, fairness and transparency. The processing of personal data shall be “lawfully, fairly and in a transparent manner in relation to the data subject;”
Purpose limitation. Personal data shall be “collected for specified, explicit and legitimate purposes;”
Data minimization. Personal data shall be “adequate, relevant and limited to what is necessary;”
Storage limitation. Personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;”
Integrity and confidentiality. Personal data shall be “processed in a manner that ensures appropriate security of the personal data;”
Accountability. The controller shall be responsible for the compliance with all of the above principles, and he will be able to demonstrate this compliance with GDPR.
Data subject’s rights
The data subject, whose personal data is processed by the Company under the GDPR, have the following rights:
The right to be informed
Under the GDPR personal data subjects have the right to be informed about: the identity and contact details of the Controller and Processor and Personal Data Officer, if applicable, hence the entities which are processing the personal data, how the Company collects and uses his/her data, for how long will they retain the data and with whom they will share their information
The right of access
Implies that data subjects know which of their personal information is processed by the Company, for which purposes and how it is stored and used;
The right to rectification
Data subjects can modify their shared data, complete it and correct it, if necessary;
The right to erasure (right to be forgotten)
This means that a data subject can at any time request the Company to permanently delete they information, without any further inconveniences. However, this right isn`t applicable if the processing activity is based on the compliance with a Company’s legal obligation;
The right to restrict processing
The data subject has the legal right to forbid the Company to share his/her personal data in certain circumstances. In this way the data subject may restrict the processing only to the minimum mandatory information in order for the Controller to fulfil its tasks.
The right to data portability
Data subjects can request their personal data transfer to another entity, therefore they can legally request the Company to share their information to a third party in specific conditions and applying strong security safeguards.
The right to object
Individuals can disagree to the processing of their personal data for different activities, such as direct marketing.
Rights in relation to automated decision making and profiling
This right implies that data subjects can request the processing of their data to be made by a living person, rather than an automated generated decision. In this case, the Company has the obligation to inform the data subject that his/her data are processed in this manner.
All the above rights are supported by distinct procedures elaborated within the Company in compliance with the GDPR`s strict requirements and deadlines.
The deadlines set out by GDPR within the Company gives effect to data subjects’ requests
or the answer can vary consequently:
|Data subject`s rights||
Timescale for providing an answer to data subjects’ requests |
regarding their rights
|The right to be informed||When the data is collected|
|The right of access to personal data||It can be exercised by data subject anytime within the processing period; the Company should follow up the request immediately; the Company has to provide an answer to the data subject within 30 calendar days from the request receipt date|
|The right to rectification personal data||It can be exercised by data subject anytime within the processing period; the Company should follow up the request immediately; the Company has to provide an answer to the data subject within 30 calendar days from the request receipt date|
|The right to erasure/delete personal data (“right to be forgotten”)||It can be exercised by data subject anytime within the processing period; the Company should follow up the request immediately; the Company has to provide an answer to the data subject within 30 calendar days from the request receipt date|
|The right to restrict processing of personal data||It can be exercised by data subject anytime within the processing period; the Company should follow up the request immediately; the Company has to provide an answer to the data subject within 30 calendar days from the request receipt date|
|The right to data portability||It can be exercised by data subject anytime within the processing period and the Company has to provide an answer or a solution/option to implement and follow up the request in a reasonable period of time (as soon as possible)|
|The right to object||It can be exercised anytime within the processing and it`s implemented by the Company immediately|
|Rights in relation to automated decision making and profiling||Timing and procedures to be followed up - no specific mandatory timing|
All the above rights can be exercised through a written request form that can be sent by the data subjects to the Company in order to settle any discomfort and/or to provide the data subject with a simple information or to reply to any other request. The request can be made by email at: [email protected], by completing the contact form at: https://xcodesdevelopment.com/contact or by the following postal address: Bănești, no. 521A, Gherghiceni Street, Prahova County, România.
Lawfulness of processing
The Company may process a person`s data within its website only if the processing falls under one of the following legal grounds provided by GDPR in Art. 6:
“The data subject has given consent to the processing of his or her personal data for one or more specific purposes;” – article 6, paragraph 1, letter a), GDPR
“Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;” – article 6, paragraph 1, letter b), GDPR
“Processing is necessary for compliance with a legal obligation to which the controller is subject;” – article 6, paragraph 1, letter c), GDPR
“Processing is necessary in order to protect the vital interests of the data subject or of another natural person;” – article 6, paragraph 1, letter d), GDPR
“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;” – article 6, paragraph 1, letter e), GDPR
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. – article 6, paragraph 1, letter f), GDPR
Each processing activity, based on its sole purpose, usually has a distinct legal ground. In example, in order to register an order on a website, the processing of personal data is based on article 6, paragraph 1, point b), GDPR – performance of a contract, while the legal ground for direct marketing activities can be either article 6, paragraph 1, point a) GDPR – consent, or article, 6, paragraph 1, point f) – legitimate interest.
Nonetheless it is essential that the Company can identify, beyond any doubt, an explicit legal ground for each processing activity, without changing or harming it during the processing time, during audit activities and / or in the notices addressed to the data subjects.
Controllers and processors
If data processing is made by the Company through or together with a third-party, the Company will ensure at any moment that all the operations that target personal data processing activities are subject to GDPR and also, to a written contract between the Company and the third-party in scope.
From GDPR perspective, based on Roles and Responsibilities Policy, the contractual relationship between the parties can have different forms, as follows:
The Company can be an Independent Controller applicable when two or more controllers process personal data from the same data subject within a common activity, but for different purposes with possible different legal grounds and different means of processing.
The Company can be a Joint Controller applicable when two or more controllers jointly determine the purposes and means of processing; they shall in a transparent manner determine their respective responsibilities for compliance with the obligations under Regulation 679/2016.
The contractual relationship is Controller & Processor applicable when the processing is ruled by the Controller, which means that the Processor shall not process personal data except on instructions from the Controller, unless required to do so by Union or Member State law.
All the above-mentioned contractual relationships will comply with the appropriate requirements and express imposed terms laid down by GDPR.
Data protection officer (“DPO”)
A data protection officer is an appointed expert in data protection whose purpose is to monitor internal compliance with the GDPR, inform and advise the Company regarding its obligations, provide guidance upon Data Protection Impact Assessment and represent the Company in relation with The National Supervisory Authority.
It is mandatory to appoint a DPO in the following scenarios:
The processing is made by a public authority or a public body, excepting courts that act in their judicial capacity;
The main activities performed by the Controller or the Processor consist of processing operations which by nature, field of application and/or their purposes require regular or systematic monitoring of data subjects on a large scale;
The main activities performed by the Controller or the processor consist of large-scale processing of special categories of data as mentioned at Article 9 GDPR or other data regarding criminal convictions or criminal offences as laid down in Article 10 GDPR.
If the Company will appoint a Data Protection Officer, in compliance with GDPR, it will have the roles and responsibilities laid down by the Regulation within article 39, as follows:
“To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;”
“To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;”
“To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35” (on “Data protection impact assessment”);
“To cooperate with the supervisory authority;”
“To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 (on “Prior consultation”), and to consult, where appropriate, with regard to any other matter.”
Furthermore, its name and contact details will be explicitly communicated to National Supervisory Authority and its contact details shall also be included within the Company`s website.
In order to contact the DPO and obtain any information on personal data processing, a data subject can send an email at the above mention address: [email protected], or sent a letter to the company`s head-office: Bănești, no. 521A, Gherghiceni Street, Prahova County, România.
Personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Even if GDPR does not include a specific definition and distinction between incidents and breaches, it is very important to understand that any infringement of data security registered/suffered by the Company should be treated and managed as a data security incident.
But if the incident, by his consequences and losses, falls under GDPR provisions regarding data breaches, the Company have to duly comply with GDPR requirements regarding data breaches investigation and notifications procedures.
In case of a security incident or breach, the Company:
Will investigate the occurred security incident immediately;
Will take appropriate actions in order to minimize the impact and consequences and any prejudice that may occur, as well as the reasonable measures to prevent this sort of incidents in the future;
Will develop and implement a reaction plan (Security Incident Procedure) in order to counter the security incident;
Will minimize the react time, therefore the period of time between the moment when the incident debuted and its detection has to be as short as possible in order to have a response as efficient as possible;
Will realize an Impact Assessment on Personal Data in order to detect de level of intrusion, the gravity of the incident and the possible risk that may occur;
Will appoint a team composed of at least one member from each department of interest, including Legal and IT.
Will notify the incident to the appropriate Authority within 72 hours from the moment it found out about the occurrence of the incident, if it is liable to create a risk on the rights and freedom of the data subjects.
If the Company has to notify the National Supervisory Authority, he will also inform the data subjects about the incident that affected their personal data, in clear and simple language upon the following:
The nature of the personal data breach;
The name and contact details of the Company's data protection officer or other contact point where more information can be obtained;
Description of the likely consequences of the personal data incident and a list of the personal data affected;
Description of the measures taken or proposed to be taken by the Company to combat the personal data incident, including, where appropriate, measures to mitigate its possible adverse effects;
If the Company notified the National Supervisory Authority.
Requirements in compliance to GDPR
The following actions will be used by the Company in order to be in compliance with GDPR. All of them will be frequently reviewed in order to meet the GDPR requirements:
In case of a security incident or breach, the Company:
The Company will frequently ensure that a justified legal basis is always used within the processing activities;
A DPO is appointed if it’s required by GDPR;
All the Company`s employees must comply with the GDPR principles;
The Company will develop constantly training sessions for its employees and/or third-parties involved in Company’s data processing activities;
All the Company`s employees have been instructed and are constantly instructed on personal data processing activities;
Explicit consent must be obtained from the consumer regarding his/her personal data processing, when consent is used as legal ground for data processing activity;
All compliance policies will be frequently audited in order to be updated to GDPR requirements;
The following elements are well documented within the processing of personal data activities:
Organization`s name as Controller;
The purposes on which personal data are collected;
The personal data categories that are collected;
The retention periods within personal data are kept;
Protection and security policies regarding the use of personal data.