Privacy Notice
regarding the processing of personal data of SC Reea SRL’s clients and commercial partners
The purpose of this Privacy Notice is to inform you about the processing of your personal data within SC Reea SRL when you collaborate with us as a representative/contact person (natural person) of our clients and commercial partners.
This Privacy Notice does not apply to personal data collected by Reea through our website. For the latter, on the Privacy page of our website we have added a distinct Privacy Notice.
REEA SRL is a Romanian company, organized under the Romanian law, based in Târgu-Mureș, 41 Republicii Square, Mureș County, Postal Code 540110, registered with the Mureș Trade Registry J26/628/1998, tax code RO10966500.
1. The purpose of this Privacy Notice regarding the processing of personal data
When we provide you with our services, we process several of your personal data, as we will describe below. From the perspective of the legislation regarding the protection of personal data, Reea SRL is in this case the Data Controller or Processor, depending on the contractual relationship we have agreed. The personal data that we can process differs from case to case. This document is only intended to inform you of the guidelines we apply when processing personal data as a Data Controller.
This Privacy Notice is formulated in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, also known as the "GDPR Regulation".
The processing of personal data is the set of operations that we can perform on your data, such as: collection, storage, organization, transfer, and deletion of data.
2. What personal data do we collect and for what purpose?
Reea processes the personal data of our clients’ representatives and partners for the following purposes:
- a) In order to conclude the contract between us and our clients or potential clients, to provide our services (e.g. name, surname, e-mail, telephone number of the natural person representing our client or potential client).
The legal basis for the processing of such personal data is the performance of a contract to which you or the company you represent is a party or to take steps at the request of the data subject prior to entering into a contract.
- b) For issuing fiscal invoices or various activity reports.
The basis for processing your personal data is in this case the fulfilment of our legal obligations imposed by tax legislation.
- c) To provide the support requested by our clients or potential clients, according to written or oral agreements between us and them (email, phone number).
The legal basis for the processing of such data is the performance of the contract to which you or the company you represent is a party or to take steps to conclude a contract at the request of the data subject.
- d) To promote our services of a similar nature to the companies that are our clients.
We reserve the right to send commercial messages regarding our activities to the e-mail addresses we use in our commercial relations, under the conditions of art. 12 para. (2) from Law 506/2004. The legal basis for such data processing is our legitimate interest.
3. How do we store and protect your personal data?
Reea securely stores your data on servers located in the European Union.
Reea implements appropriate technical and organizational measures to ensure the security, confidentiality, integrity, availability and protection of data against destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data processed.
Some of the technical measures are:
- Implementation of an ISO27001 certified information security management system. This system involves a series of technical (monitoring systems, compliant equipment, specialized staff, physical, cyber security measures, etc.) and organizational (policies, operational procedures) measures that apply to all staff;
- Use of cryptographic systems for medium and long-term data storage;
- The use of antivirus solutions on the computer systems we use;
- Encryption of electronic communications;
- Safe and redundant backup systems.
Some of the organizational measures are:
- Appointment of a Data Protection Officer (DPO);
- Designation of a person in charge of the information security management system;
- Adoption of an internal code of conduct, applicable to all staff;
- Ensuring specialized legal support regarding local and international legislation on personal data;
- Establishing contractual obligations with our partners and employees regarding the confidentiality and protection of personal data.
Your personal data that we process is limited to those that are necessary, appropriate and relevant for the purposes stated in this Privacy Notice.
Even though we strive to provide as much security as possible to your data, we cannot 100% guarantee the security of the information transmitted, considering the lack of security of data transmissions made via the Internet due to external factors such as: viruses or malware programs, the loss of the electronic devices from which you access the Website, the access of unauthorized persons to your electronic devices, the insecurity of some Wi-Fi networks.
4. How long do we keep your personal data?
The collected data will only be kept for a determined period, depending on the needs and purpose of the processing.
The data collected to conclude and perform the contract between us will be kept by Reea for a period of 3 years from the date of the termination of our contractual relationship.
The data collected in our legitimate interest in maintaining a commercial relationship with our clients is kept for 3 years from the date on which we have stopped working with you.
The data collected to issue tax invoices are kept for 10 years from the end of the year in which the invoice was issued, or another period imposed by tax legislation.
After the expiration of the periods indicated above, your data will be deleted by the persons authorized by Reea according to our internal procedures.
5. Who do we share your personal data with?
In accordance with the above purposes, your personal data will not be sold or rented to third parties.
We will share your personal data only to the extent necessary and only to the following categories of third parties:
- a) If you choose to use our Website, we will be able to provide your personal data to:
- - the company that provides us with certain services, as we have indicated in Section 2 of this Privacy Notice (eg: the company that hosts our servers, Hetzner Online GmbH);
- - archiving services in physical and/or electronic format; legal, notarial, accounting or other consulting services.
The third parties indicated above, who have access to your personal data, are obliged, according to the legislation in force or the contracts we have concluded with them, to use the personal data to which they have access only for the purpose of providing the service for which we contracted them.
- b) Public authorities and institutions if we have a legal obligation to disclose them.
- c) We may disclose your personal data to third parties:
- If you request or consent to this;
- If those people can demonstrate that they have the legal authority to act on your behalf;
- If we have a legitimate interest to administer, expand or develop our business: in the event that the Company or a substantial part of the Company’s assets is acquired by a third party, and the personal data held by us will be part of the transferred assets;
- In order to respond to any claims, to protect the rights of a third party, to protect the safety of any person or to prevent any illegal activity;
- To protect the rights of the Company or our employees and customers, as well as others.
6. Transfer of personal data outside the European Economic Area (EEA)
Reea stores the personal data it processes on servers located in the European Union.
However, some personal data to which we have access may be processed by Reea's partners who operate outside the European Economic Area (EEA). Thus, there are situations in which Reea collaborates with other companies that provide similar services, under Reea's guidance. In this case, the respective companies collect personal data under the guidance of Reea, having the role of processors from the perspective of the legislation on the processing of personal data. In this case, the companies authorized by Reea have contractual obligations to respect the confidentiality of personal data and to provide an adequate level of security. Companies authorized by Reea have the obligation not to transfer personal data to third parties without Reea's consent or without complying with Reea's instructions.
In case we provide any personal data to Reea's partners operating outside the EEA, we will take appropriate measures to ensure that they provide an adequate level of protection for the data they have access to. These measures include the conclusion of contracts in accordance with standard contractual clauses approved by the European Commission. If necessary, we also implement additional security measures, such as encryption and/or pseudonymization.
7. What are your rights and how do we respect them when we act as Data Controllers?
Personal data legislation gives you several rights in relation to your data; please find below details about your rights and how you can exercise them:
Right to access - you have the right to request information about your personal data that we process, including the purpose of the processing, if and with whom it is shared and how long it will be kept.
Right to rectification - if your processed data is inaccurate, you have the right to obtain their rectification or completion.
Right to erasure ("the right to be forgotten") - you have the right to ask us to delete data we process about you, except in the case where the data is necessary for us: to exercise the right to free expression and information; for compliance with our legal obligations; for archiving purposes in the public interest, or for scientific, historical or statistical research purposes; for establishing, exercising or defending a right in court.
Right to restriction - you can request the restriction of the processing of your personal data if: you dispute the correctness of the data, for the period in which we verify the accuracy of the respective data; the processing is illegal and you object to the deletion of your personal data, requesting instead the restriction; the data are no longer necessary for us to process, but you request them to establish, exercise or defend a right in court; you have objected to the processing, for the period of time in which we check whether our legitimate rights prevail over your rights.
Right to data portability - you have the right to receive your personal data from us if you have previously provided it to us in a structured, machine-readable form. You also have the right to ask us to transfer your data to another data controller.
Right to object - you have the right to object at any time, given your particular situation, to the processing of your data if we are processing it on the basis of our legitimate interests or the legitimate interests of a third party. In such a situation, we will no longer process your data with the following exceptions: (i) if we can demonstrate legitimate grounds and an interest that prevails over your interests, rights, and freedoms and (ii) if the purpose of the processing is to establish, exercise or defend a right in court.
Right to withdraw your consent - if your personal data is processed based on your consent (e.g. subscribing to the newsletter), you can withdraw your consent at any time. The withdrawal of consent does not have retroactive effect, so the withdrawal of consent does not affect in any way the processing carried out prior to the withdrawal.
Right to lodge a complaint with the National Data Protection Authority (ANSPDCP) - you have the right to lodge a complaint with the ANSPDCP if you believe that your personal data rights have been violated. Complaints can be submitted online. For more details on how to lodge a complaint with the Romanian Data Protection Authority, please access the following link: https://www.dataprotection.ro/?page=Plangeri_pagina_principala
8. What can happen if you do not wish to transmit your personal data to us?
In most cases, you do not have to provide us with your personal data. However, there are situations in which, without additional data, we cannot resolve your request. Also, if you do not provide us with this data, it will not be possible for us to provide you with our services.
9. Further processing of personal data
Reea uses your personal data only for the purpose for which it was collected. According to the GDPR, the further processing of personal data for historical, statistical or scientific purposes is compatible with the initial purpose of processing.
10. Absence of automated decision-making process
As a user of our services, you will not be subject to a decision based solely on automated processing which produces legal effects on you or similarly significantly affects you.
11. How can you reach us?
To send us a request related to the processing of your data, please write us a message in the contact form available on the Website or write us an e-mail at dpo.in@reea.net.
We will inform you, within one month of receiving your request, about the actions taken. This term can be extended to two months when necessary, considering the complexity, the number of applications or the impossibility of identifying the applicant. If the deadline is extended, you will be informed within one month of receiving the request, also presenting the reasons for the delay. If we cannot identify the person contacting us, we will only be able to respond to the respective request if we request and receive additional information to be able to identify the data subject.
If we do not resolve your request affirmatively, we will inform you of this within at most one month after receiving the request, regarding the reasons why we did not act and the possibility of filing a complaint with the ANSPDCP or the court.
12. Final clauses
This Privacy Notice may change from time to time. Changes are in force from the moment they are placed on the website. Each time your consent is required, we will inform you. We therefore recommend that you consult the Privacy Notice each time you use the website.
This version of the Privacy Notice is stored at https://www.reea.net/privacy/privacy-notice
Version 2 – in force since November 3rd, 2023
Version history
Version 1 – in force from November 13, 2018 to November 2nd, 2023