INFORMATION NOTE
regarding the processing of personal data of employees
carried out by Von Consulting or by authorized operators
1. Identification data of the Company (personal data operator)
Von Consulting, headquartered at 1455 FRAZEE ROAD SUITE 500 SAN DIEGO, CA 92108, General Entity No.: 4594580, legally represented by Vivien UNTARU, administrator, as the personal data operator (hereinafter referred to as the “Company” or “Operator”), informs you about the processing of personal data of employees carried out by the Operator or by authorized operators of the Operator, as well as about the rights employees have in this context in accordance with REGULATION (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 and with the national legislation in force regarding the protection and security of personal data, especially Law No. 190/2018 regarding measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of individuals with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) [hereinafter also referred to as the “Regulation”].
2. Definitions
In the sense of Regulation (EU) No. 679/2016 regarding the protection of individuals with regard to the processing of personal data and regarding the free movement of such data and repealing Directive 95/46/EC:
“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more specific elements, specific to their physical, physiological, genetic, mental, economic, cultural or social identity;
“processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, erasure or destruction;
“operator” means a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data; when the purposes and means of processing are determined by Union law or national law, the operator or the specific criteria for its designation may be provided for in Union law or national law;
“recipient” means a natural or legal person, public authority, agency or other body to whom (to which) the personal data are disclosed, whether or not it is a third party. However, public authorities to which personal data may be communicated in the context of a particular inquiry in accordance with Union law or national law are not considered recipients; the processing of such data by those public authorities complies with the applicable data protection rules, in accordance with the purposes of processing.
3. Purpose of processing personal data of employees
The employer, as the Operator, processes personal data of employees through its functional structures and departments within the headquarters, as well as through its local/regional subunits, namely, _________ [list of workplaces, branches, subsidiaries], for the following purposes:
carrying out its operational activities necessary to achieve the Company’s objectives, in accordance with relevant legislation in force, strategic directions, applicable collective labor agreement, organization and operation regulations, internal regulations, internal policies, clauses of individual employment contracts, job descriptions, and other applicable norms, as appropriate;
fulfilling obligations and exercising specific rights of employees or the Company in the field of labor relations, occupational safety and health, civil protection, social protection, tax obligations, or other rights and obligations of the employer and the employee;
human resources management, including efficient management and communication within operational activities and labor relations in which the employee is a party, managing the recruitment process, managing the training and professional development of employees, performance management, managing relationships with trade unions, ensuring legal representation in labor disputes, administering/executing individual employment contracts/personnel files/other documents underlying the granting and ensuring compliance with obligations/rights/specific personnel declarations, managing attendance, managing salary rights and accounting records, managing other declarations or formalized documents according to applicable laws and regulations;
managing administrative activities, optimizing operational activities, ensuring access, permanent security, and protection of the Company’s assets, values, and heritage, as well as protecting and ensuring the safety of objectives, security areas, and individuals, and ensuring the protection and safety of employees and their property during working hours;
cooperating with internal or external control and law enforcement bodies, based on their legal responsibilities, including conducting investigations or carrying out activities concerning workplace discipline in accordance with applicable laws/regulations.
For the purpose of processing data, the Operator may allow third entities (authorized operators), based on outsourcing relationships, to access categories of data that are entered into applications, in virtual spaces, or in other similar ways, or stored in dedicated information media (cloud computing servers), limited to the purpose for which they were outsourced, secured (including through encryption) at an adequate level to prevent unauthorized access or use contrary to any of the principles stated in the Regulation. In the legal relations between the Operator and its authorized operators, the Company will ensure an optimal level of legal accountability for the authorized operators, through dissuasive measures and/or specific guarantees, including monetary ones, to prevent any inappropriate use by them contrary to the principles established by the Regulation, as well as to avoid compromising legitimate access to these processed data by the authorized operators.
Employees can periodically request access to data available to these authorized operators and can exercise any other right regarding any processing they consider illegal or that affects their rights, including the right to request legitimate processing in another legal manner, respecting the rights and legitimate interests of the Operator and without generating unjustified or disproportionate costs for the processing of personal data managed directly under internal legislation, in accordance with the Regulation.
4. Legal basis for processing data
The personal data of the Company's employees are processed to fulfill its legitimate purposes, as presented above, having as legal basis, depending on the specificity of the activities carried out and related to the pursued purposes and the categories of personal data processed, Article 6(1)(a), (b), (c), and (f) of the Regulation:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the operator is subject;
(f) processing is necessary for the purposes of the legitimate interests pursued by the Operator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a minor (minor employee or child of the employee).
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the unique identification of a natural person, health data, or data concerning the sex life or sexual orientation of a natural person may not be processed. Exceptionally, the Operator may process such personal data in accordance with the provisions of Article 9(2)(a), (b), or (h) of the Regulation, if:
a) the data subject has given explicit consent to the processing of such personal data for one or more specific purposes, unless Union law or national law provides that the prohibition of processing may not be lifted by the consent of the data subject;
b) processing is necessary for the fulfillment of obligations and the exercise of specific rights of the operator or of the data subject in the field of employment and social security and social protection, to the extent that this is authorized by Union law or national law or by a collective labor agreement concluded under national law, which provides adequate safeguards for the fundamental rights and interests of the data subject; [...]
h) processing is necessary for purposes related to preventive or occupational medicine, the assessment of the employee’s working capacity, the establishment of a medical diagnosis, the provision of medical or social assistance or treatment, or the management of health or social care systems and services, under Union or national law or under a contract concluded with a medical professional and subject to the conditions and guarantees laid down in paragraph (3) of Article 9 of the Regulation, that is, only if the data are processed by a professional bound by a duty of professional secrecy or under their responsibility, under Union or national law or under rules established by competent national bodies or another person also subject to a duty of confidentiality under Union or national law or the rules established by competent national bodies.
5. Legitimate interests pursued by the Operator are mainly represented by the following:
Legitimate interests concerning the efficiency or optimization of certain activities/operational costs, or legitimate interests regarding the security and protection of the Operator's assets, through the use of IT applications, technologies, and telecommunications systems (IT&C), including GPS monitoring systems for the location of vehicles, which enable more efficient operational activities, faster data and information processing, and more effective collaboration, communication, and cooperation between the functional structures within the Operator, among employees, and between the Operator and external entities (third parties);
Legitimate interests regarding the development of employee competencies through training, professional development, and training programs for which there is no legal obligation (e.g., under the Labor Code) for training and professional development.
In cases where monitoring systems are used through electronic communication means and/or video surveillance in the workplace, the processing of employees' personal data is permitted for the purpose of pursuing the legitimate interests of the employer, which are thoroughly justified (if a less intrusive measure is not effective or feasible), prevailing over the interests or rights and freedoms of the data subjects. For this purpose, the Company ensures that it has provided the mandatory, complete, and explicit prior information to the employees affected by the measure and that it has consulted the union or, as appropriate, the employee representatives before implementing the monitoring systems. In these situations, the duration of personal data storage is proportional to the purpose of the processing, but no longer than 30 days, except in cases explicitly regulated by law or cases thoroughly justified (data necessary for the conduct of judicial procedures initiated within a reasonable time and for the protection of a right or legitimate interest of the Operator or a data subject).
6. Types of personal data processed
The Operator processes several categories of personal data, described below. These data are processed in relation to the specific purposes for which each processing activity is carried out, as well as in relation to the applicable legal grounds described above. Depending on legislative changes and, consequently, on possible operational changes, other types of personal data may also be processed, which will be communicated to the employee, as appropriate.
The categories of personal data of employees subject to processing within the Company, according to its legitimate purposes and the legal grounds considered for each specific purpose/activity of processing, are as follows:
Categories of simple identification data, from identification documents, contact details, biographical data, family data, professional data, digital data, as appropriate:
Name and surname, initials, previous names
Residential address (physical)
Personal numeric code (CNP), series and number of identity card, and, as appropriate, data from passport/other identity documents/permits and licenses/professional authorizations or regarding the profession or occupation exercised in the employment relationship
Other data from identity documents (e.g., place of birth, date of birth, citizenship/nationality, issuing authority, date of issue/expiration of the document, codes, etc.)
Handwritten signature
Phone numbers
Photograph/image of the person
Position/role within the function/project/work group/committee/council
Address/other identification details of the workplace
Data regarding marital status
Identification data regarding family members (e.g., dependents) for tax purposes or for granting rights provided by law or by the applicable individual or collective labor contract
Data regarding education/courses/degrees/professional competencies
Data regarding experience/qualifications/degrees/publications/professional history
Other personal data collected in resumes
Personal vehicle registration numbers
Digital data: email addresses, usernames, passwords for systems/applications used in the activity, electronic certificates, digital signatures, data regarding persistent cookies, IP address, logs of applications and systems used in the activity, other metadata specific to processes/automated systems, photo and video images.
Financial data categories, data regarding assets, and financial liabilities:
Financial data processed in the context of managing the rights and obligations of the data subjects according to legal provisions (e.g., account number and bank), other data regarding assets held for the management of specific rights and obligations of employees.
Special categories of personal data:
The Operator does not process special data, except for:
Data regarding the membership of employees in unions based on Article 6(c) and Article 9(2)(b) of the Regulation, for the application of the provisions of the Law on Social Dialogue, the Tax Code, and the applicable collective labor contract, regarding the payment of union dues (payment of dues);
Data regarding employees' health, according to legal obligations regarding:
Medical certificate upon hiring, according to Article 6(c) and Article 9(2)(h), under the Labor Code;
Occupational health and safety, according to Article 6(c) and Article 9(2)(h), under Law No. 319/2006 on occupational health and safety, HG No. 355/2007, as well as specific secondary legislation;
Other medical documents (certificates, attestations), according to Article 6(c) and Article 9(2)(b), under specific legislation granting health and social security rights (benefits, aid, etc.).
Categories of data from military records and service:
According to Law No. 446/2006 on preparing the population for defense.
Categories of personal data regarding criminal convictions and offenses:
Criminal record, in cases of employees for whom the law requires obtaining a certificate to exercise certain activities (e.g., according to Law No. 22/1969 regarding the employment of managers).
Other categories of personal data processed, relating to:
The use of professional software applications [______ - mention the applications if there are not too many], date of access, location of the IP used for connection, type of device used for connection, associated devices, actual work time (date and time of activity start and end, as well as duration of use), usage/navigation method, visited websites, copied/accessed/transmitted files, types of browsers, language used, completion of forms, and specific feedback – for the purpose of preventing, identifying, and resolving software or hardware issues, monitoring and increasing the security level of usage, improving user experience, and developing/personalizing applications (features, practices, algorithms, etc.); data regarding the keys used (typing) or personal passwords, other than those regarding access credentials, are not processed;
Breaches, contraventions, disciplinary sanctions, other administrative sanctions related to the activity that may influence the legal or contractual exercise of this activity;
Specific data within the whistleblower procedure.
7. Source of personal data
The Operator (Company), through its departments/services/offices/units, collects personal data directly from employees or, in certain circumstances, from third parties, in accordance with the law. Data may be collected in the context of:
requests made regarding the exercise of any legal or contractual rights of employees concerning the employment relationship, online or in printed format
transmission or confirmation of working time in attendance registers
payment of salaries and other salary rights
carrying out any work or verification/investigation procedures
participation in any process, litigation, action, petition, complaint, or notification from one of the parties in the employment relationship or from a third party entitled or from a legally empowered authority or institution
other situations in which the employer or employee exercises a right or fulfills a legal or contractual obligation in which personal data are used.
8. Categories of recipients of personal data
Personal data are primarily intended for internal use by the Operator for the purposes outlined above, but may also be communicated to recipients outside the Company, such as, depending on the legitimate purposes of the Operator:
public institutions/authorities/agencies/social and health services/digital platforms/other public entities, both central and local in Romania (e.g., Trade Registry, Ministry of Finance, Ministry of Labor – Labor Inspectorate (Revisal), Health Insurance House, Pension Insurance House, tax authorities, local authorities, etc.)
contractual partners
courts for the purpose of initiating actions and representation in court
in the context of organizing/running events
in certain circumstances, to authorized third parties such as competent bodies involved in investigation/control/criminal research, according to the law
banking units
internal and external auditors.
The transmission of data to third parties is carried out in accordance with legal provisions for the categories of recipients mentioned above and is subject to processing obligations exclusively in accordance with the purposes and principles stated in the Regulation.
Transmission of data to a third country
The Operator does not intend to transfer personal data to a third country or to an international organization. If the Operator intends to transfer personal data of employees to a third country or to an international organization, it will ensure that they are appropriately protected in accordance with the provisions of the Regulation and will inform employees of this transfer, its content, purpose, and limits of processing personal data.
9. Period for storing personal data
Personal data are processed for the period necessary to support the activities and achieve the legitimate purposes of the departments/services/offices/units within the Operator and its subunits, after which they are archived according to the Operator's archival nomenclature, within the time limits of applicable legislation and regulations, depending on each document in question. Data that do not constitute documents in electronic format or archived electronically, under Law no. 135/2007 regarding the archiving of documents in electronic form, will be kept for a maximum duration of 30 days from processing.
In the event of security incidents, including breaches of personal data security, the Operator shall notify the competent Authority and appropriately inform the data subjects affected by the incident about the incident and the measures taken to remedy and prevent similar situations, as well as the duration of processing. The retention period may be extended if there are reasonable suspicions regarding the commission of illegal acts that may incur liability for any party involved, or if procedures have been initiated regarding the investigation and sanctioning of such acts. In these cases, personal data may be made available to disciplinary investigation committees, institutions/authorities/competent bodies with control/investigative powers, in the cases provided by law, circumstances in which the storage period may exceed the limits specified in the nomenclature, depending on the time necessary for investigations and, if applicable, for a sufficient period to support the case before the competent authorities and institutions.
10. Rights of employees and how to exercise them
According to applicable legal provisions, employees benefit from the following rights:
the right to access data and to request a copy of it, according to Article 15 of the Regulation;
the right to request the rectification of data when invalid data processing is found, such as an expired identity document;
the right to request the deletion of data ("right to be forgotten"), especially when such data are no longer necessary for the purpose for which they were collected or processed in another way, or are processed illegally, or when the obligation to delete them results from legal provisions;
the right to limit/restrict the processing of personal data, meaning marking stored personal data to limit their further processing, especially when the accuracy or legality of processing personal data is challenged;
the right to data portability, meaning the right to request the transfer of personal data provided by the employee (e.g., in relation to entering into a payment commitment, especially regarding the repayment of debts in installments);
the right to object, meaning to oppose the processing of their personal data (based on a request to cease the processing of personal data), especially for reasons related to the employee's particular situation. Exercising the right to object will generally prevent the processing of the employee's data. Such an outcome will not occur if the Operator demonstrates that there are legally justified grounds for processing that outweigh the interests, rights, and freedoms of the employee or if it shows that there are grounds to establish, investigate, or support claims against the employee;
the right to withdraw consent, at any time, for the processing of personal data to which the employee previously consented; when the processing is based on the provisions of Article 6 paragraph (1) letter (a) [“the data subject has given consent to the processing of their personal data for one or more specific purposes”] or those of Article 9 paragraph (2) letter (a) ["the data subject has given explicit consent for the processing of such personal data for one or more specific purposes, unless Union or domestic law provides that the prohibition laid down in paragraph (1) cannot be lifted by the consent of the data subject"] of the Regulation, the employee has the right to withdraw their consent at any time, without affecting the lawfulness of the processing carried out based on the consent before its withdrawal; thus, the employee can modify or revoke consent at any time, and the Company will act accordingly, unless there is a legal reason or legitimate interest not to do so, appropriately informing the employee;
the right to file a complaint with the National Authority for the Supervision of Personal Data Processing (ANSPDCP), located at Bd. General Gheorghe Magheru, no. 28-30, sector 1, postal code 010336, phone 031 805 92 11, email anspdcp@dataprotection.ro, website: https://dataprotection.ro.
11. Updates to this personal data information notice
The most recent update to this Employee Information Notice was made on [approval date]. The Company reserves the right to periodically update and modify this Information Notice to reflect any changes in how it processes the personal data of employees or any changes in legal requirements. In the event of any such changes, the Company will communicate the modified version to employees.
12. Contact details of the Operator and the Data Protection Officer
The Company has designated a Data Protection Officer (DPO), who is appropriately and timely involved in all matters related to the protection of personal data and has all the necessary resources to carry out the tasks assigned to them under the Regulation, as well as to access personal data and processing operations, ensuring that employees are guaranteed protection against improper, illegal, or abusive use.
The DPO is obligated to respect the confidentiality of their duties, in accordance with Union law or domestic law. In performing their tasks, the DPO appropriately considers the risk associated with processing operations, taking into account the nature, scope, context, and purposes of the processing.
The rights of employees, as data subjects (individuals concerned), can only be exercised nominally, by sending, as appropriate, requests in this regard to the Personal Data Management Department within the Company or to the Data Protection Officer [to be completed with the details of the designated DPO - it can be one for several entities, but must report only at the highest level and must have autonomy regarding findings and measures taken in the application of GDPR]: Address: __________ Phone: __________ Email: __________
Von Consulting
Administrator,
Vivien UNTARU