Privacy and personal data protection policy applicable within the TAKT group companies, namely
TAKT RECRUITMENT SRL
registered at the Trade Register under number J40/6390/2020, tax code RO42631473, with registered office at 17 Finland Street, Bucharest, RO-011776, email office@taktrecruitment.ro
Contents
Chapter 1 – General provisions
Chapter 2 – Personal data we process. Management of their processing and security
Chapter 3 – Basic rules applicable to TAKT employees processing personal data
Chapter 4 – Keeping records of activities and categories of personal data processing activities
Chapter 5 – Compliance with obligations relating to the processing of personal data
Chapter 6 – Exercise of data subjects’ rights
Chapter 7 – Selection of technical and organisational measures related to the processing and security of personal data
Chapter 8 – Data security incident procedure
Chapter 9 – Liability for data protection breaches
Chapter 10 – Final provisions
Chapter 1 – General provisions
- The Privacy and Personal Data Protection Policy (hereinafter referred to as the Policy) applicable within the TAKT Group companies sets out the rules on the processing and protection of personal data within the Company in accordance with the requirements of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR).
- By drafting and internally applying this document, TAKT Recruitment SRL (hereinafter “TAKT”, “the Company”), a company operating under Romanian law, registered with the Trade Register under no. J40/6390/2020, tax registration code RO42631473, with registered office at 17 Finland Street, Bucharest, RO-011776, email office@taktrecruitment.ro, fulfils the obligation referred to in Article 24 para. 2 of the GDPR.
- The policy applies to personal data processed in TAKT in the course of its business, both in paper and electronic form. The scope of the Policy covers the processing of personal data by TAKT both as a controller and as a processor for data it processes on behalf of and for the account of other controllers.
- In terms of data subjects, the Policy refers to all employees involved in the actual processing of personal data within TAKT. The obligation to protect personal data processed applies to all persons who have access to them, regardless of their position, place of work and the basis on which they work at TAKT.
- Persons who have access to personal data are obliged to take note of the Policy, procedures and internal regulations indicated in its content and apply them.
- TAKT approves and adopts the Policy and its amendments in accordance with internal regulations. The Policy is supplemented by specific Annexes, which will be made available to interested persons upon written request, being internal regulations.
The terms used in this Policy have the following meaning:
- RGPD – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L. of 2016, No. 119, p. 1);
- LPDCP – Law 190/2018 on measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
- controller – controller within the meaning of Article 4(7) of the GDPR, i.e. a natural or legal person, public authority, establishment or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
- personal data – personal data within the meaning of Article 4(1) of the GDPR, i.e. any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier, such as the name, national identification number, location data, internet identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person;
- sensitive personal data – special categories of personal data referred to in Article 9 of the GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data, biometric data, processed to identify an individual; data concerning health, sex life or sexual orientation; and personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR;
- Data Protection Officer (DPO) – if applicable, the person designated by the company to act as DPO under the GDPR with data protection responsibilities within TAKT; if not designated as DPO, any person within the company who, in the course of his/her activities, processes personal data and thus has duties/responsibilities regarding their protection.
- director/head of a department – the person who manages a department in accordance with the organisational regulations in force in TAKT;
- department – a separate organisational unit functioning within the organisational structure in accordance with the organisational regulations in force in TAKT;
- personal data processing area – areas where personal data are processed on paper and electronically;
- recipient – recipient within the meaning of Article 4(9) of the GDPR, i.e. a natural or legal person, public authority, establishment or other body to whom personal data are disclosed, whether or not it is a third party;
- processor – the entity processing within the meaning of Article 4(8) of the GDPR, i.e. the natural or legal person, public authority, establishment or any other body processing personal data on behalf of the controller;
- employee – any person who performs work for TAKT under an employment relationship within the meaning of the Labour Code;
- processing – processing within the meaning of Article 4(2) of the GDPR, which means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ANSPDCP – National Supervisory Authority for Personal Data Processing in Romania;
- consent – consent within the meaning of Article 4(11) GDPR, any freely given, specific, informed and unambiguous expression of will by the Data Subject whereby he or she accepts, by a statement or an unambiguous action, that personal data relating to him or her may be processed.
Chapter 2 – Personal data we process. Management of their processing and security
- The Company is responsible for the processing and protection of personal data within the Company in accordance with the provisions of the GDPR and common law.
- The company processes information containing personal data about individuals in various ways, such as: through online means and social media channels; at events, by telephone, fax and email; through job applications and in connection with personal recruitment; through and in connection with interactions with customers and suppliers. All of these methods are carried out in fulfilment of the company’s purpose. In accordance with its activity relating to recruitment and job placement and other related activities, the company may process, as appropriate, personal data of individuals, such as: signature, contact data (telephone, email, accounts on social/communication networks), data existing in civil status documents, i.e. passport data (name, surname, date and place of birth, address, document series and number, picture, father’s name, mother’s name, wife’s name), professional conduct, criminal record (number and date of issue), educational and professional documents, CVs, photos, medical documents (exclusively in connection with official restrictions imposed by the transport of persons and/or employment in a specific function) and any other official evidence necessary for the implementation of the activity for the benefit of the person concerned, who, being interested in an offer of employment promoted by the Company, applies to the Company on his/her own initiative with an application for employment, an application for a residence permit, an application for an extension of a residence permit, an application for a residence permit, a residence permit for a
The Company may also process data of individuals representing legal entities with which the Company interacts, such as personal data that may be contained in documents provided by legal entities such as e-mail data, registration certificate, tax certificate, certificate of tax attestation, certificates from authorities involved in the immigration process, job description for staff, criminal record.
- TAKT’s management may appoint as Data Protection Officer either a third party, an employee or another person within the Company, to carry out the duties in the field of personal data protection within the Company in accordance with the signed contract, this Policy, the instructions in the Principles of Cooperation with the Data Protection Officer (Annex 1) and the internal provisions in force within TAKT.
- If applicable, the Data Protection Officer – hereinafter referred to as DPO – shall make a declaration that there is no conflict of interest within the meaning of Article 38 of the GDPR in the performance of his/her duties/tasks as DPO within TAKT. The confirmation shall be made in writing once a year.
- The DPO is obliged to inform the TAKT management of the occurrence of any conflict of interest within the meaning of Article 38 of the GDPR in the period after the submission of the declaration referred to in paragraph 3 above.
Directors/Heads of Departments are responsible for the management of personal data processing in their departments. Their responsibilities include, in particular:
- the management of personal data processing activities within the framework of the tasks carried out by that department;
- allowing departmental employees to participate in training on processing and personal data protection rules;
- performing tasks relating to securing the personal data processing area of the department they lead;
- reporting to the DPO the intention to start a new personal data processing operation or to make a change in the personal data processing activities carried out within the department;
- in case of collection of personal data, consulting the DPO as to the legal basis for the processing of personal data, including the collection and storage of consents at the time of processing of personal data in case of processing based on consent;
- implementation of processes related to the transmission of personal data by TAKT to other entities – in accordance with personal data processing agreements and this Policy;
- implementing and informing employees of specific obligations regarding the processing and storage of personal data (including by amending internal rules, amending employment contracts, etc.).
Chapter 3 – Basic rules applicable to TAKT employees processing personal data
The person responsible for the processing of personal data in TAKT is obliged in particular to:
- be aware of the applicable personal data protection laws and personal data protection documentation in force in TAKT;
- participate in training on the principles of personal data protection;
- process personal data only for the purpose for which they were collected and in the premises resulting from the imposed service obligations;
- exercise caution when processing personal data, in particular sensitive personal data, in order to protect the interests of Data Subjects;
- apply the procedures and means of processing and securing personal data in force in TAKT;
- comply with the instructions of the TAKT Management, the Data Protection Officer and the directors/heads of department regarding the processing and protection of personal data;
- keep confidential personal data and the arrangements for securing them, as well as data that constitute business secrets or are subject to professional secrecy;
- protect personal data against loss, damage, destruction, unauthorised modification or unauthorised disclosure;
- comply with the procedures for the correct use of the information systems by means of which personal data are processed, including not disclosing his/her login data to other users;
- transfer personal data over the Internet using appropriate security features (including data encryption and the use of secure transmission channels);
- not e-mail personal data to private addresses;
- not copy data to external media without a reasonable business need;
- exercise caution when transporting documents and computer media containing personal data, especially outside the personal data processing area;
- not leave documents containing personal data on multifunctional devices (printers, copiers);
- not leave the workplace without securing paper documents containing personal data (clean desk principle) and without securing access to data processed in the computer system (clean screen principle);
- report any suspected personal data security incident in accordance with the Personal Data Security Incident Management Procedure;
- stop processing personal data after termination of the employment relationship;
- delete personal data not requested by the Company, but communicated on their own initiative by the data subject, unless the data subject consents to their processing or if the data are closely related to information necessary for the performance of the Company’s activity.
Chapter 4 – Keeping records of activities and categories of personal data processing activities
- On behalf of TAKT, the DPO keeps a Register of personal data processing activities, as provided for in Article 30 para. 1 of the GDPR and a Register of categories of processing activities, referred to in Art. 30 para. 2 of the GDPR.
- The detailed rules for keeping these Registers together with their templates can be found in the Procedure for keeping a register of processing activities and a register of categories of personal data processing activities within TAKT.
Chapter 5 – Compliance with obligations relating to the processing of personal data
5.1
- Employees who collect personal data in the course of their duties are obliged to exercise due diligence in collecting such data, including:
- check whether there are legal grounds for collecting personal data in accordance with Articles 6, 9 and 10 of the GDPR;
- collect personal data only for the specific and legitimate purposes pursued by TAKT;
- collect personal data exclusively for the purpose for which they will be processed.
- Where the processing is based on consent, the management of the company or the responsible employees must ensure that the data subject gives consent freely and that the data subject is informed of the right to withdraw consent.
- The Company’s manager or responsible employees are obliged to use the model consent forms adopted under TAKT and to report to the DPO the possible need for additional model forms, if a model form required for a specific processing operation has not been adopted within the Company.
- The Director/Head of Department responsible for that processing is responsible for the proper use of the consent forms at the time of data collection.
5.2
- The head of the company or employees who, in the course of their duties, carry out personal data processing activities, are responsible for fulfilling the information obligations referred to in Articles 13 and 14 of the GDPR.
- The Company’s management or employees involved in the protection of personal data are obliged to use the model information clauses adopted within TAKT and to report to the DPO the possible need for additional model information clauses if a specific model clause applicable to a particular processing operation has not been adopted within the Company.
- The Director/Head of Department responsible for that processing is responsible for the proper fulfilment of the information obligation.
5.3
- Personal data are processed for the duration required by applicable law and TAKT’s internal regulations.
- Personal data for which the duration of processing does not result from the legal provisions in force and for which it is not possible to determine such a duration in advance through TAKT’s internal regulations, will be processed as long as the basis and purpose of the processing exists, in accordance with the principles of personal data protection.
- Personal data processed solely on the basis of the Data Subject’s consent shall be deleted or destroyed immediately upon withdrawal of consent by the Data Subject.
- The head of the company or the responsible employees of each department of TAKT responsible for the processing of personal data must carry out, at least once a year, the verification of paper and electronic documentation, including:
- check whether personal data for which the retention period resulting from the provisions of the law and TAKT’s internal regulations has expired have been deleted or destroyed;
- verify whether, with regard to personal data whose retention period has not been established by the relevant provisions of the legislation and internal rules of TAKT, the legal basis and the purpose of the processing still exist.
- If it is found during the verification provided for in paragraph 4 above that the duration of the processing of personal data has expired or that there is no longer any legal basis for the processing, the personal data must be erased or permanently destroyed from paper, electronic media and computer systems.
5.4
- Persons who make personal data (on paper or in electronic format) available to a third party on behalf of TAKT are obliged to check whether there is a legal basis for doing so before making them available.
- In case of doubt as to whether there is a legal basis for making the data available, the Data Protection Officer or the person in charge of data protection at TAKT should be consulted.
5.5
- In the case of processing of personal data by an external entity (processor), a Personal Data Processing Agreement referred to in Article 28 para. 3 of the GDPR must be concluded with the processor. The agreement must be concluded by agreement of the parties, and may use the model agreement adopted under TAKT (Annex 2).
- In the process of selecting a processor, it is necessary to assess whether it provides sufficient safeguards and has in place adequate technical and organisational measures to meet the requirements laid down in the GDPR and to protect the rights and freedoms of Data Subjects.
- In the event of further processing of personal data, which TAKT processes as processor, the rules referred to in paragraphs 1 and 2 above shall apply, subject to the obligation to obtain the approval of the controller for further entrustment of personal data to a processor by TAKT.
- The selection referred to in paragraph 2 above shall be carried out in accordance with the Instruction on the assessment of authorised representatives (Annex 3) and using the Questionnaire for the assessment of an authorised representative (Annex 4).
- If the need arises to transfer personal data to an entity located in a third country (e.g. outside the European Economic Area), the transfer is preceded by a consultation with the Data Protection Officer or the person performing these duties within TAKT.
Chapter 6 – Exercise of data subjects’ rights
- TAKT examines and acts upon requests from Data Subjects in accordance with the GDPR, including with regard to the exercise of the following rights:
- the right of access to data, including the right to be provided with a copy of the personal data undergoing processing (Article 15 GDPR),
- the right to rectification of personal data (Article 16 GDPR),
- the right to erasure of personal data (Article 17 GDPR),
- the right to restrict the processing of personal data (Article 18 GDPR),
- the right to portability of personal data (Article 20 GDPR),
- the right to object to the processing of personal data (Article 21 GDPR),
- the right not to be subject to a decision based solely on automatic processing (Article 22 GDPR).
- The detailed rules for dealing with requests for the exercise of rights by Data Subjects are specified in the Procedure for the exercise of rights by Data Subjects in the case of data processing carried out within TAKT.
- The data subject has the right to lodge a complaint with the supervisory authority regarding the processing of personal data, namely with the National Supervisory Authority for Personal Data Processing, located at B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania, Telephone: +40.318.059.211; +40.318.059.212, Fax: +40.318.059.220, E-mail: anspdcp@dataprotection.ro, Web: www.dataprotection.ro
- For the exercise of rights and for suggestions and complaints regarding the processing of personal data, as well as for the withdrawal of consent, the data subject may contact the Company using the contact details in the preamble.
Chapter 7 – Selection of technical and organisational measures related to the processing and security of personal data
7.1
- The selection of technical and organisational measures related to the processing and security of personal data in TAKT is based on the assessment of the risk of violation of the rights and freedoms of the Data Subjects.
- In selecting the security features, the risk of adverse consequences for both the Data Subject, in particular discrimination, deprivation of rights, harm and damage, and for TAKT if appropriate measures are not taken for the processing of personal data in accordance with personal data protection legislation is assessed.
7.2
- The planning of the implementation of new processes related to the processing of personal data, in particular new IT systems serving the processing of personal data, takes into account the principles of data protection by design and data protection by default.
- The rules on the implementation of privacy by design and privacy by default requirements are set out in the Rules on the principle of data protection by design and privacy by default.
7.3
- In the case of processes implementing the processing of personal data which, by virtue of their nature, purpose, context and objectives, have a high likelihood of causing a data security incident through a breach of the rights and freedoms of Data Subjects, prior to the start of the processing, the impact of the effects must be assessed in accordance with Article 35 of the GDPR.
- The rules for assessing the impact of processing on the protection of personal data and for consultation with the ANSPDCP are specified in detail in the Procedure for carrying out the personal data protection impact assessment.
Chapter 8 – Data security incident procedure
- TAKT takes organisational and technical measures to prevent personal data security incidents, to minimise the risk of their occurrence and to reduce the negative effects in case of such incidents.
- The Company’s management or responsible employees are obliged to take any measures permitted by the applicable legislative framework and TAKT’s internal regulations to prevent personal data security incidents, in particular by proceeding in accordance with the personal data protection principles in force within the Company.
- TAKT shall report personal data security incidents to the ANSPDCP in accordance with Article 33 of the GDPR and the procedure referred to in para. 5 below.
- TAKT informs the Data Subject about the personal data security incident in accordance with Article 34 of the GDPR and the procedure referred to in paragraph 5 below, if it may cause a risk of breach of his/her rights or freedoms.
- Detailed rules for managing personal data security incidents are specified in the Personal Data Security Incident Management Procedure.
Chapter 9 – Liability for data protection breaches
- Violation of the general provisions of the personal data protection legislation is punishable by the sanctions provided for in the GDPR and in Articles 12, 13 and 14 of the GDPA.
- In addition to the liability laid down in the legal provisions referred to in paragraph 1 above, breach of the personal data protection rules in force within TAKT may:
- be considered as a serious violation of the basic rights of employees and give rise to liability on the part of the Company under the provisions of labour law, or
- give rise to liability in tort or contract.
Chapter 10 – Final provisions
10.1
- This policy is published on the TAKT website and the specific annexes can be made available to authorized persons based on a written request to the Company.
- Directors/Heads of Departments are required to familiarize employees with the provisions of this Policy.
10.2
- The general provisions of the applicable law apply to situations that are not regulated by this Policy, in particular the RGPD and LPDCP, as well as the relevant internal regulations within TAKT.
- Persons who become aware of these provisions are obliged to strictly comply with the rules established in the Policy.
TAKT RECRUITMENT SRL
By Cosmin Serban Alexandru