GTS International Romania Srl General data protection framework policy

PREAMBLE

GTS INTERNATIONAL ROMANIA SRL, hereinafter referred to as GTS, commits to maintaining the confidentiality of personal data obtained during its activities and to comply with applicable laws and regulations regarding the processing of such data (“Personal Data”), including sensitive data (“sensitive data”). These include, but are not limited to, Romanian Law no. 677 of 21 November 2001 on the protection of individuals regarding the processing of personal data and the free movement of such data, the EU Data Protection Directive 95/46/EC, and the Data Protection Regulation (“GDPR”) 2016/679.

GTS has decided to adopt a General Data Protection Framework Policy that establishes appropriate technical and organizational measures to prevent unauthorized and unlawful processing of personal data and to prevent accidental loss, destruction, or damage of such data.

Questions regarding applicable legislation or procedures involving the collection or use of special categories of personal data may be addressed to the Data Protection Officer (DPO), responsible for overseeing compliance with this General Data Protection Framework Policy.

GTS reserves the right to update this General Data Protection Framework Policy at any time without prior notice, to ensure compliance with the most appropriate standards.

 

ARTICLE I – DEFINITIONS

The following terms, when capitalized, shall have the meanings defined below:

“Article 29 Working Party” means the body consisting of representatives of data protection authorities from each EU Member State, the European Data Protection Supervisor, and the European Commission. The working party is independent and acts as an advisory body.

“GTS Steering Committee” means a special committee dedicated to data protection, consisting of representatives from GTS management and the DPO.

“GTS Employee” means any employee of GTS, including managers, project managers, executive employees, interns, as well as permanent or temporary collaborators with the status of authorized natural persons.

“Data Controller” means any natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data or is so designated by law.

“Data Processor” means any natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

“Data Protection Authority” means the National Supervisory Authority for Personal Data Processing (ANSPDCP), the official administrative authority responsible for personal data protection in Romania, including any replacement or successor of ANSPDCP.

“Data Protection Officer” or “DPO” means the person responsible for overall supervision of compliance with Data Protection Policies through a network of Data Protection Ambassadors.

“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

“Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage (keeping on any medium), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Regulated Jurisdiction” means the EU Member States and the European Economic Area (EEA). As of the effective date of this Policy, it includes Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. The regulated jurisdiction also includes Switzerland. Transfers of personal data to Switzerland do not require authorization from ANSPDCP.

“Data Subject from a Regulated Jurisdiction” means any person who was resident in a regulated jurisdiction at the time of collection of their personal data.

“Special Categories of Data” means the data referred to in Article 9 of GDPR.

“Third Party” means any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons authorized to process personal data under the direct authority of the controller or processor.

ARTICLE II – PURPOSE

The purpose of the General Data Protection Framework Policy is to define key rules to ensure the highest appropriate level of protection for personal data applicable within GTS and to guide GTS in establishing data protection programs and complying with applicable data protection regulations.

 

ARTICLE III – SCOPE

Territorial scope

This General Data Protection Framework Policy applies to the processing of personal data collected in Romania, regardless of whether processing takes place in Romania or not.

 

Material scope

This data protection policy applies to processing activities carried out by GTS.

All types and categories of personal data processed by GTS during its activities fall within the scope of this General Data Protection Framework Policy. These include personal data collected from clients, potential clients, visitors, GTS employees, job applicants, agents, suppliers, and other third parties (list provided for illustration only).

The Policy covers both automated and manual types of processing.

 

ARTICLE IV – PRINCIPLES OF PROCESSING

General principles

 

Processing of personal data under GTS control will be carried out in accordance with applicable laws and this General Data Protection Framework Policy, particularly observing the following minimum rules:

Data protection impact assessments, incorporating the principles of “Privacy by Design” and “Privacy by Default,” must be performed by GTS for any data processing.

Personal data must be obtained fairly and lawfully with respect for the data subject’s right to be informed, unless an exception provided by law applies, and processed only if the data subject has given unequivocal consent or if there is another lawful basis for processing.

Personal data must be collected for specific, explicit, and legitimate purposes and not processed in a way incompatible with those purposes. Personal data will be made available to third parties only for these purposes or other purposes provided by law.

Appropriate technical and organizational controls and procedures must be implemented to ensure the security of personal data and to prevent unauthorized access, disclosure, alteration, accidental or unlawful destruction or loss, or any other unlawful processing. Security measures should be proportional to the risks and nature of the personal data.

Collection of personal data must be adequate, relevant, and not excessive relative to the purposes for which data are collected and/or further processed.

Personal data must not be kept longer than necessary for the purposes for which they were obtained, except as otherwise provided by law.

Procedures must be in place to ensure prompt responses to data subject requests so they can properly exercise their rights of access, rectification, and objection to processing, except where law provides otherwise.

Personal data should only be processed if there is a legitimate basis, such as:

  • the data subject has given clear consent;
  • processing is necessary for performance of a contract or pre-contractual measures;
  • processing is required to comply with a legal obligation;
  • processing is necessary to protect vital interests of the data subject or another person;
  • processing is necessary to perform a task carried out in the public interest or in the exercise of official authority;
  • processing is necessary for legitimate interests pursued by the data controller or a third party, except where overridden by the fundamental rights and freedoms of the data subject.

 

Sensitive data

Sensitive data include all personal data relating to:

  • Racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • Membership of a trade union;
  • Physical or mental health or sexual life of the data subject;
  • Biometric data;
  • Special categories defined by applicable law;
  • Criminal convictions or offenses, or related proceedings.

Processing of sensitive data is prohibited except where:

  • The data subject has given explicit consent, valid under applicable law;
  • Processing is necessary for specific labor law obligations or rights;
  • Processing is necessary to protect vital interests where the data subject cannot consent;
  • Processing is carried out by non-profit bodies with appropriate safeguards and only for members or persons in regular contact, and no disclosure to third parties without consent;
  • Processing relates to data made public by the data subject;
  • Processing is necessary for legal claims;
  • Processing is necessary for preventive medicine, diagnosis, care, or health service management, by healthcare professionals under confidentiality obligations.

 

Subcontracting

When processing is carried out by a subcontractor on behalf of GTS, GTS selects subcontractors providing adequate technical and organizational security measures, ensuring compliance through written contracts stipulating that the subcontractor acts only on GTS instructions.

 

Data transfers outside regulated jurisdictions

GTS must ensure that personal data transfers outside the EU are based on a mechanism approved by the competent data protection authority. These may include:

  • Standard contractual clauses with suppliers receiving personal data;
  • Binding corporate rules approved by the authority;
  • Transfer schemes like the EU-US Privacy Shield (noting regulatory uncertainty).

 

No personal data may be transferred to data importers outside the regulated jurisdiction unless the importer:

  • Signs a data processing agreement ensuring adequate protection, or
  • Provides other necessary guarantees under applicable law.

 

Accountability

GTS must demonstrate the measures taken to ensure GDPR compliance and the effectiveness of these measures (“accountability principle”).

 

ARTICLE V – INDIVIDUAL RIGHTS REGARDING PERSONAL DATA

Data protection legislation requires that data subjects be informed about processing at the time of data collection. Information includes:

  • Identity and contact details of the controller and, where applicable, its representative;
  • Contact details of the DPO;
  • Purposes and legal basis of processing;
  • Legitimate interests pursued by the controller or third party;
  • Recipients or categories of recipients of personal data;
  • Storage periods or criteria for determination;
  • Rights to access, rectification, erasure, restriction, objection, and data portability;
  • Right to withdraw consent at any time without affecting prior lawful processing;
  • Right to lodge complaints with supervisory authorities;
  • Whether provision of data is a statutory or contractual requirement and consequences of failure to provide data.

Explicit consent is the default for data processing without special categories, expressed by a clear affirmative action, which must be recorded for evidence.

Consent must cover all processing activities for the same purpose(s). For multiple purposes, consent must be given for each. Electronic consent requests must be clear, concise, and not disrupt service use.

If personal data will be processed for new purposes, data subjects must be informed prior to such processing.

 

Data subjects have the right, upon written request, to:

  • Obtain a copy of their personal data;
  • Request information on personal data stored and how collected;
  • Obtain recipient lists;
  • Obtain information on the purposes of collection and transfers;
  • Rectify inaccurate data;
  • Object to processing for compelling legitimate reasons;
  • Request deletion where lawful and justified;
  • Receive personal data in a structured, machine-readable format and transfer it to another controller.

 

ARTICLE VI – IMPLEMENTATION ACTIONS

Training program

GTS commits to implementing personal data protection training for employees involved in processing and developing tools used for processing, focused on the principles of this Policy.

GTS will define how to monitor training completion.

Training may include summaries of key concepts, criteria for lawful processing, reasons for processing, practical applications, relevant GTS policies, and interactive case studies. Training focuses on applicable data protection laws.

 

GDPR compliance

GTS maintains:

 

  • An approved data processing policy;
  • A Data Protection Officer at the GRR level;
  • A Data Protection Steering Committee (GTS Steering Committee).

 

The DPO establishes the data protection policy aligned with group strategic objectives and ensures compliance with applicable data protection rules.

 

GTS regularly aligns its activities with DPO guidance but retains sole responsibility for applying data protection expertise.

 

DPO responsibilities:

  • Inform and advise controllers/processors and employees about obligations under GDPR and other EU/national data protection laws;
  • Monitor compliance with GDPR, other laws, and GTS policies, including responsibility allocation, awareness, training, and audits;
  • Provide advice on data protection impact assessments;
  • Cooperate with supervisory authorities;
  • Serve as contact point for supervisory authorities.

 

Internal monitoring

To prevent serious data protection breaches, GTS implements compliance programs and controls designed to prevent, detect, monitor, and address potential violations.

 

ARTICLE VII – COMPLAINTS

GTS has an internal complaint resolution process. Data subjects in regulated jurisdictions may complain about illegal or improper processing inconsistent with this Policy.

 

Complaints are submitted to:

  • The Data Protection Officer;
  • The relevant data protection authority.

 

GTS provides practical tools on its website, including:

  • DPO email address;
  • Postal address.

Complaints must be investigated within one (1) month, barring exceptional difficulty.

 

ARTICLE VIII – COOPERATION WITH DATA PROTECTION AUTHORITIES

 

GTS cooperates with the Data Protection Authority by:

 

  • Providing staff for dialogue;
  • Actively reviewing decisions and opinions of authorities and the Article 29 Working Party;
  • Responding to information requests or complaints;
  • Implementing recommendations and advice from authorities.

If the Authority requests information or exercises investigatory rights, the GTS Administrator informs the DPO immediately. The DPO coordinates the response in consultation with the GTS Steering Committee.

The DPO serves as the primary contact for the Authority.

ARTICLE IX – EFFECTIVE DATE AND DURATION

This General Data Protection Framework Policy takes effect on 25 May 2018 for an indefinite period.

ARTICLE X – IMPLEMENTATION – BREACH NOTIFICATION – REVIEW – REPORTING

Implementation

The GTS Administrator is responsible for ensuring an effective data protection program. GTS supervises ongoing implementation and operation of compliance programs, subject to periodic internal audits to test control effectiveness.

Data breach notification

If a personal data breach is suspected, the GTS Administrator must immediately notify the DPO, who must notify the Data Protection Authority without undue delay and, where possible, within 72 hours of becoming aware.

If the breach poses a high risk to data subjects’ rights and freedoms, affected individuals must also be notified without undue delay, unless exceptions apply (e.g., risk mitigation or disproportionate effort).

Review

The DPO ensures periodic review and updating of this Policy, especially due to major corporate or regulatory changes.

The DPO assists in defining and updating organizational and technical measures to be implemented immediately after review and approval.

 

Reporting

GTS reports security breaches, audits, examinations, and communications with the Data Protection Authority to relevant GTS management.
