ONLINE Privacy Policy
In accordance with GDPR – REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and LAW (RO) NO. 190/2018 on implementing measures for Regulation (EU) 2016/679, the following privacy policy has been adopted.
1. Introduction
The confidentiality of personal data is one of the main concerns of the undersigned. As such, we want to ensure the highest standards of confidentiality and transparency regarding the personal data we process in our current activity.
Since in the course of our activity it is necessary to process a series of personal data, particularly in relation to the specifics of our object of activity, we want to provide assurances that the processing will take place in compliance with the principles of transparency and security of personal data. This privacy policy is intended to help you understand what data we collect, why we collect it and what we do with it.
We hope that you will take the time to read this privacy policy carefully. We have tried to formulate this policy in as simple a language as possible, so that it is clear and understandable.
1.1. The personal data controller in relation to you
The personal data controller in relation to the personal data provided by you is the company CEDHYFASO SRL, with headquarters in Cluj-Napoca, str. Aurel Suciu no. 20 ap. 49, Cluj County, registered with the Trade Register attached to the Cluj Court under file no. J12/6465/2017, unique registration code no. 38503700, having the IBAN account: RO77BTRLRONCRT0CH9687401, opened at Transilvania Bank, with no activity at the registered office, the activity being carried out online or at the client’s premises.
1.2. To whom does this Privacy Policy apply?
This Privacy Policy applies to visitors to our website http://www.catalinvasiloiu.com and to customers who purchase online courses on this website.
This privacy policy does not apply to visitors to our website who are also contractual collaborators or suppliers.
To the extent that you have one of these latter qualities, please consult the other privacy policies located at our headquarters and we invite you to proceed with mutual agreement to conclude an agreement to maintain the confidentiality of personal data.
1.3. Definitions
• “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
• “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or national law, the controller or the specific criteria for his designation may be provided for in Union or national law;
• “Visitor” – any person who accesses or uses our Site;
2. Categories of data we process
2.1. To the extent that you complete the contact form on our website in order to make an appointment or to request information, or send us an e-mail requesting information, we may receive the following data from you: e-mail address, name, first name, as well as other information provided when completing the message form.
2.2. When you opt to purchase consultations or courses on catalinvasiloiu.com, the online course platform teachable.com is used, which has the stripe.com platform as a financial service provider, which will collect on the Secured Site, in our name and on our behalf, the following information of the End User:
a) name / title;
b) contact details;
c) payment details: payer name, payment amount, invoice number, currency, payment description;
d) other information necessary for the provision of the Services.
The financial services provider stripe.com undertakes to comply with the Legal Requirements regarding the Technical Solution and to ensure the security and confidentiality of the data received in the operation of the Transactions.
The financial services provider stripe.com undertakes to display its own conditions for the use of Personal Data on the Secured Site and to use any Personal Data provided by Customers in accordance with the Law and the Contract concluded between us and it and only for the purpose of performing its obligations under this Contract.
The basis for processing is found in art. 6 para. 1 lit. a of the GDPR, namely the data is processed based on your consent.
A. How we collect your personal data
We collect your personal data including name, surname, email address, etc., directly from you, when you fill out the contact form or purchase an online course or seminar, when you send us an email through which you request information or make an appointment.
B. Form of storage of personal data
The personal data of our site visitors are stored in electronic format via internal servers, where only people from the human resources, administrative, and accounting departments have access.
C. Purpose of data processing
We use the information we collect from you for the following purposes:
• To communicate with you, as well as to make an appointment;
• To inform you about the services provided;
• To fulfill our obligations to provide services;
• For any other purpose ancillary to the above, or for any other purpose for which the personal data was provided to us, in compliance with the relevant legislation;
Sometimes, personal data is used for a series of secondary purposes (e.g. for archiving, internal, external audit, etc.), these being always compatible with the main purposes for which the data was collected. In situations where we will use your data for purposes other than those mentioned in this Policy, we undertake to obtain your consent, unless we are subject to a legal obligation or have another legal basis for data processing.
D. To whom we disclose your information
As a rule, the information you provide to us as a visitor to our website cannot be disclosed. However, there may be situations in which we are required to do so, such as in the case of public authorities or institutions when there is a legal obligation to communicate (in accordance with tax, accounting, labor protection, social security or any other applicable regulations) or there is an imperative and legal request from them.
At the same time, we have the right to disclose, in good faith, personal data or other information when we consider it necessary to take precautionary measures against liability, protect ourselves or others from fraudulent, abusive or illegal uses, to investigate and defend ourselves against any claims or allegations of third parties, to protect the security or integrity of our services and any facilities or equipment used to make the services available; to protect our property rights or other rights, as well as the safety of others or to enforce contracts.
Regarding the transfer to third countries of personal data that we obtained from you as a simple visitor to our website, we mention that we do not transmit this data.
E. Period for which your personal data will be stored
Your personal data that you provide to us via the contact form or by sending an e-mail will be stored until the completion of your information/scheduling process. In any case, these data will not be stored for a period longer than 30 days.
At the same time, we will destroy the personal data when they no longer correspond to the purpose of the processing, providing sufficient guarantees regarding the security of this process.
F. Your rights in relation to the processing of personal data
In accordance with the provisions of the General Data Protection Regulation no. 679/2016, you have the following rights:
• Right to information – the right to be informed about the identity of the controller, the purpose for which the data is processed, the recipients or categories of recipients of the data, the existence of the rights provided for by the GDPR and the conditions under which the rights can be exercised.
• Right of access – the right to obtain from us, upon request and free of charge, confirmation as to whether or not the data concerning you are being processed and the right to access these data, except where such requests are repetitive or made in manifest bad faith;
• Right to rectification – you may request the rectification of inaccurate personal data.
• Right to erasure of data (“right to be forgotten”) – data may be deleted where the processing was not lawful or in other cases provided for by law (for example when the data are no longer necessary in relation to the purpose for which they were processed). However, data deletion cannot take place when processing is carried out on the basis of the law;
• Right to restriction of processing – you can request restriction of processing if you contest the accuracy of the data, as well as in other cases provided for by law;
• Right to opposition – the right to object at any time, for justified and legitimate reasons, to your data being processed, except in cases where there are contrary legal provisions or when the processing is based on our legitimate interest;
• Right to data portability – you can receive the personal data you have provided to us in a machine-readable format or you can request that the data be transmitted to another operator.
• Right to lodge a complaint – you can lodge a complaint regarding the processing of your personal data with the National Supervisory Authority for Personal Data Processing or you can address the courts.
• Right to withdraw consent – if the basis for data processing is consent, we inform you that this consent can be withdrawn at any time. The withdrawal of consent will only have effect for the future, the processing carried out prior to the withdrawal being valid. However, if the processing is mandatory for the provision of services and it can be carried out on the basis of other legal provisions, we will proceed with such processing and notify the data subjects.
• The right not to be subject to automated decisions or further profiling related to automated decisions – the right to request and obtain the withdrawal, cancellation or re-evaluation of any decision that produces legal effects, adopted exclusively on the basis of a processing of personal data, carried out by automated means, intended to evaluate some aspects of the personality, such as professional competence, credibility, behavior or other such aspects, when applicable;
If you wish to exercise your rights mentioned above, please contact us, by means of a written, dated and signed request, addressed to the undersigned. You can also contact us by e-mail at catalin@catalinvasiloiu.ro if the e-mail includes a certified electronic signature.
To the extent that you exercise your rights, we may ask you to prove your identity, by providing an identity document or any other information necessary to carry out a prior verification procedure of the requesting person, in accordance with our legal obligations regarding data security and confidentiality.
We undertake to consider any request or complaint received and to respond within a reasonable time, so that the legal provisions in question are respected. We work with the competent regulatory authorities, including national data protection authorities, in order to resolve any complaints regarding the transfer of personal data, which we cannot resolve directly with our users.
At the same time, below we present the deadlines for responding to requests regarding the aforementioned rights:
• Right to be informed: at the time the data are collected or at the latest within one month – in the event that the personal data are not provided by the data subject
• Right of access: 1 month
• Right to rectification: 1 month
• Right to erasure: without undue delay
• Right to restrict processing: without undue delay
• Right to portability: 1 month
• Right to object: at the time of receipt of the objection
• Right not to be subject to automated decisions or additional profiling related to automated decisions: unspecified – does not have the ability to be limited in relation to the specifics of the activity
G. Security of personal data
We follow the highest standards to protect the data processed, both during transmission to us and after this moment.
To this end, we have adopted technical security policies and procedures in order to protect personal data against loss, unauthorized use, destruction, alteration, unauthorized modifications, unauthorized disclosure or access and any other form of illegal processing of personal data in our possession.
In order to guarantee security, we mention, as a general rule, the security methods:
• Access to personal data is limited and authorized only to persons who have the legal right to use them, who are obliged to ensure the confidentiality of the data. For example, only persons within the human resources department will have access to the data of potential employees, in principle. Access to personal data of other departments will be made only by virtue of the performance of their job duties or to the extent that there is an obligation imposed by law.
• Access to the electronic servers used is done by password and other access and authentication controls.
• Data held for a client will be kept separate from data for another client.
• Data held for a person will be kept separate from data for another person.
• No employee or person who comes into contact with personal data or documents containing this data has the possibility of disclosing this data to third parties.
H. Minimum security measures applied by the undersigned
• Use of a password with a high level of protection (consisting of numbers, letters and symbols)
• Prohibition of disclosing the password to other persons, respectively prohibition of using the account used for business purposes by several persons.
• Prohibition of saving the password both in physical and/or electronic format
• Any computer, laptop or device left unattended must be disconnected from the network, must be locked or closed.
• When the computer is not in use, information such as usernames required for connection or passwords must not appear on its screen.
• Prohibition of access to areas for which there is no authorization.
• Verification of physical security of data by locking, applying a padlock; verification of security of electronically stored data by not leaving the computer unattended, using a password in accordance with this Policy.
• Informing our IT staff of any changes to the role and access requirements
• Changing all passwords every 3 months
• Databases are located on secure computers, to which only people in the department have access
Failure to comply with these requirements may result in disciplinary action being taken against the guilty parties.
However, no method of electronic or physical transmission or storage is 100% secure. If you believe that your personal data has been compromised, please contact us in writing. You can also contact us by email at catalin@catalinvasiloiu.ro if the email includes a certified electronic signature.
If we learn of a breach of the security system, we will inform both you and the authorities of the occurrence of the breach in accordance with the legislation in force, within a maximum of 72 hours, within which time we will communicate to you the relevant information related to security incidents.
I. Security Breaches
As our policy is to be fair and to respect the principle of proportionality when considering the actions we must take to inform the persons affected by the security incident that is likely to result in a risk to the rights and freedoms of individuals, in the event of a breach we will notify both the Supervisory Authority and the person or persons concerned about this breach.
J. When this Privacy Policy applies
Our Privacy Policy applies to all services offered.
K. Changes
Our Privacy Policy may change from time to time, but we undertake not to reduce your rights under such changes without your explicit consent.
We will publish any changes to the Privacy Policy in visible places so that it is easy to identify the updates and to be aware of its content. We will also keep previous versions of this Privacy Policy in the electronic archive so that they can be reviewed by you at any time upon simple request.
This privacy policy comes into effect on May 25, 2018.