-->
The terms used in this policy have the meanings set out below:
2.1. The purpose of this Policy is to establish the basic principles of the processing of personal data and how they are implemented in order to ensure compliance with the rules in the processing of personal data by Motric Recovery S.R.L. (the „Company”).
2.2. The Company undertakes that, in carrying out its professional activities, to proceed with caution, comply with applicable law, protect its clients and other Data Subjects, as well as its own rights and interests.
2.3. This Policy will be considered general in nature and will apply to all processing of personal data by the Company. This document sets out how the personal data that the Company holds and processes in the performance of its professional activities will be protected.
2.4. The scope, basis and purposes of the processing of personal data
2.4.1. The Company processes the following categories of personal data:
a. personal data of Employees;
b. personal data that are related to its partners, legal entities;
c. personal data of individuals processed by the Company as controller.
2.4.2. The Company declares and understands that, regardless of the types or purposes of the processing of personal data, the profiling is not among the objectives or reasons for its activities.
2.4.3. Employees data
2.4.3.1. C The Company collects and uses the personal data of its (current or former) employees in the development of employment relationship context, including obligations arising from them under the law, and only for the purposes of performance of the employment contract and compliance with applicable law.
2.4.3.2. The Company recognizes and complies with the privacy rights of its Employees, limiting the collection, access and use of personal data related to employment. The Company shall take further precautionary measures before disclosing to any legitimate third party the information of any Employee. Such disclosures may take place only if the Company makes it very clear that access to and use of the data is limited to the purpose for which it was disclosed and that the data must be protected.
2.4.3.3. In the case of Employees' image processing, if the image processing takes place in a context in which only a part of the data subjects have given their consent, the Company must identify solutions to avoid processing for the data subjects whose consent is missing. For example: it can identify on the basis of a colored bracelet the people who can appear in the pictures, it can blur the image of the people for whom there is no consent within a larger ensemble etc
2.4.3.4. The same rules and principles apply to individuals who apply for a position within the Company, regardless of how they intend to transmit their personal data to the Company.
2.4.4. Partner data
2.4.4.1. Within the contracts that the Company concludes with its partners (customers or suppliers), personal data of the representatives of the two parties and, sometimes, of the contact persons (other than the legal representative) appear.
These personal data are processed exclusively for the execution of the respective contract.
2.4.4.2. Aceste date cu caracter personal sunt prelucrate exclusiv în vederea executării contractului respectiv.
2.4.5. Data processed for marketing purposes
2.4.5.1. Based on the marketing policy, the Company obtains personal data of potential customers/partners.
2.4.5.2. The processing of such personal data is always based on the consent of the data subject, providing the data subject with all rights conferred by the GDPR and applicable law.
3.1.1. In order to comply with the GDPR, the Company has adopted several organizational solutions in terms of compliance with the principles of data processing:
i. the technical aspects of data security are the responsibility of the data center storage service provider and must be managed both on the basis of defined guidelines, processes and procedures and through controls performed at the level of computer systems;
ii. responsibility for the processing of data in accordance with this policy rests with all Employees,
iii. The Company provides training to Employees so that they comply with the rules on the processing of personal data;
iv. there is a data protection officer at the level of the Company;
v. Employees' failure to comply with this Policy, as well as with the processing of personal data has been classified as "serious disciplinary misconduct", with all its consequences.
3.1.2. The Company will transmit personal data to third parties if required by law or in the performance of a contract, but will also state that such entities must take precautions to ensure compliance with Applicable Law.
3.1.3. The processing of personal data is done only by the Company's Employees who have the necessary skills to perform such processing. In the event that the Employee does not know or considers that he/she needs another level of access to personal data, can address directly to the manager.
3.2.1. In carrying out the current activity of the Company, the processing of personal data by Employees is subject to the following principles:
i. the data are processed lawfully, fairly and transparently;
ii. the data are collected for specific, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for the purpose of scientific or historical research or for statistical purposes is not considered incompatible with the original purposes;
iii. the data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
iv. the data is accurate and, if necessary, updated; all necessary measures shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
v. the data shall be kept in a form which permits identification of data subjects for a period not exceeding the period necessary for the purposes for which the data are processed; personal data will be stored for longer periods insofar as they will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes;
vi. the data shall be processed in a manner that ensures adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures.
4.1. The Company recognizes and takes into consideration the rights of data subjects, understanding that they can exercise them at any time.
4.2. According to the GDPR, data subjects have the following rights:
i. The right to be informed
ii. The right of access
iii. The right to rectification
iv. The right to erasure
v. The right to restrict processing
vi. The right to data portability
vii. The right to object to the processing
viii. The right not to be the subject of an individual decision based exclusively on automatic processing
ix. The right to go to court or to lodge a complaint with the personal data supervisory authority.
4.3. If the data subject exercises one of his/her rights, the specific manner, the activities carried out regarding the rights of the data subjects, respectively the flow in the controlled reception and dissemination of the answers, are provided in the Response Policy regarding the exercise of the data subjects' rights.
5.1. In order to fully comply with the provisions of the GDPR, even in the absence of a request from data subjects, the Company pays special attention to the erasure of personal data, in compliance with the following principles:
i. data processed based on consent will be automatically erased in the event of the withdrawal of that consent, whether motivated or not;
ii. data the processed based on a legal obligation or the performance of a contract shall be erased as soon as those obligations have been fulfilled or, on expiry of the term laid down by law for the storage of those types of personal data;
iii. data processed on the basis of legitimate interest will be erased based on the internal decision of the Company, but not later than 4 years from the date of last use;
5.2. Notwithstanding the above, every 12 months, the Company will analyze the personal data processed (especially the databases) and will erase all personal data for which there is no basis for processing, from the category of grounds provided for in the GDPR.
By „ erasing personal data ”, the Company means the complete and total erasure of data from any media found or the complete and total restriction of access to such data.