Personal Data Protection Policy
The general data protection regulation (GDPR) – the European Regulation no. 2016/679 on the protection of individuals regarding the processing of personal data and the free movement of such data – is applicable from May 25 2018
Its main purpose is to increase the level of protection of personal data and create a climate of trust that allows each person to control their own data.
Through this document – the Personal Data Protection Policy – we inform you how we protect your personal data and how we adopt the provisions of the Regulation.
Who is CHML?
CHML Web Services SRL (“CHML”) is a company in Romania, established and operating under Romanian law. CHML has its registered office with activity in Bucharest, Calea Rahovei no. 266 – 268, Building 2, Ground floor, Room 11, is registered at the National Office of the Trade Register with number J40/12312/2002, having a unique registration number 15058531 and fiscal attribute RO.
How can you contact us?
For any notification regarding the personal data processed by CHML you can contact us in writing, at the registered office, by phone at +40.31.82.60.998, by email at protectiadatelor@chml.ro or through the accessible ticketing system from the client area.
What is personal data and what personal data does CHML process?
Personal data is information about a natural person that can be identified, directly or indirectly. CHML processes the following categories of data:
– identification data: name, surname, number of the identity document, address, correspondence address, e-mail, telephone (landline, mobile, fax), online identifier (IP address);
– banking information: Bank and branch, IBAN code
The principle based on which we collect and process this data is that we will request each time only the minimum of personal data necessary for the provision of the contract and the fulfillment of legal obligations.
What does it mean that CHML processes personal data?
Processing means operations such as: collecting, registering, organizing, storing, modifying, extracting, consulting, using, transmitting, combining, blocking, restricting, deleting, destroying, archiving personal data.
Who owns the personal data that CHML processes?
CHML processes personal data about its customers and employees.
In the case of corporate clients, CHML processes the personal data of the client’s contact persons.
The individual persons whose personal data are processed are called “concerned persons”.
Where does CHML get personal data from?
In the case of individual clients, the data are obtained directly from the client.
In the case of corporate clients, the data are obtained from the client’s authorized personnel..
CHML does not obtain / collect personal data from third parties.
For what purposes does CHML process personal data?
The purposes for which CHML processes personal data are:
– providing web hosting and related services
– registration and administration of internet domains
– registration of SSL certificates
– contacting the client or other concerned person through in order to resolve technical support requests
– invoicing provided services
– client account administration
On what grounds does CHML process personal data?
CHML processes your personal data for the purposes mentioned above, based on the following grounds:
– for the execution of the contract to which the client / data subject is a party. The contract can have both written and online form, signed by the client by accepting the Terms and Conditions for providing the services.
– consent
– legitimate interest
To whom do we transmit your personal data?
For the vast majority of services provided by CHML, personal data is not transmitted to third parties.
In the case of internet domain registration and maintenance services, we will transmit personal data to Hostvision SRL, based at 87 G-ral Eremia Grigorescu Street, 400304 Cluj-Napoca, Romania.
CHML does not directly transmit personal data outside the European Union.
How long does CHML process personal data?
In order to achieve the above-mentioned purposes, personal data will be processed by CHML throughout the contractual relationship and after its completion in order to comply with applicable legal obligations in the field, including, but not limited to, the provisions on archiving.
What are your rights and how can they be exercised?
The concerned persons has the following rights:
– The right to be informed – the right to receive detailed information on the processing activities performed by CHML, according to those provided in this document;
– Right of access – may request and obtain confirmation that his personal data are processed or not by CHML, and if so, may request access to them, as well as certain information. Upon request, CHML will release a free copy of the personal data processed;
– The right to rectification – the right to obtain the rectification of inaccurate personal data and the completion of incomplete ones;
– The right to deletion of data (“right to be forgotten”) – in situations expressly regulated by law (especially in case of withdrawal of consent or if it is found that the processing of personal data was not legal), may obtain the deletion those data. Following such a request, CHML will delete the data, except as provided by law.
– The right to restrict the processing – in situations expressly regulated by law (especially if the inaccuracy of the data is challenged for the period necessary to determine this inaccuracy or if the processing is illegal, and you do not want to delete the data, but only the restriction );
– The right of opposition – may oppose at any time, for reasons related to the particular situation in which it is, to the processing based on the legitimate interest of CHML
– The right to data portability – may receive personal data, in a structured format, which can be read automatically, or may request that such data be transmitted to another operator.
– The right to file a complaint – may file a complaint regarding the manner of processing personal data by CHML to the National Authority for Supervision of Personal Data Processing;
– The right to withdraw consent – in cases where the processing is based on consent, it can be withdrawn at any time.
– Additional rights related to automatic decisions used in the process of providing CHML services – if CHML makes automatic decisions regarding personal data, the concerned persons may (i) request and obtain human intervention in respect of such processing, (ii) ) may express its views on the processing and (iii) challenge the decision.
The client can exercise these rights, either individually or cumulatively by sending a written request, dated and signed, at the CHML headquarters in Bucharest, Calea Rahovei no. 266 – 268, Building 2, Ground floor, Room 11, Sector 5, postal code 050912, by Fax +40.31.82.60.997 or by E-mail: protectiadatelor@chml.ro.
Automated decision making processes
CHML does not use automated decision-making processes, it does NOT create profiles exclusively by automated means, resulting in customer decision-making.
How do I apply GDPR to minors?
CHML does not offer services to minors under the age of 18 and does not collect personal data regarding minors.
Recording telephone conversations
With the consent of the customer / concerned persons expressed before each telephone call, CHML may record and keep telephone conversations to / from the CHML telephone exchange. CHML will use this information exclusively for the purpose of investigating certain situations, to test certain operations / instructions / agreements given by the Client / other concerned persons, to use them as evidence in court in case of litigation, and to improve its services.
Video monitoring
In order to ensure a high level of security corresponding to the data center activity, the server room operated by CHML is video monitored. In this location there are corresponding markings with symbols specific to the video recording, followed by the message “Video Surveillance Area”.
How do we protect personal data?
For the security of personal data, CHML has implemented a number of security measures that are in line with industry standards.
Information security and privacy statement of CHML Web Services SRL
- General note
CHML Web Services SRL is committed to protecting the security and confidentiality of all customers ‘data and employees’ data.
Our information security and protection program is based on the ISO 27001 standard on information security and ISO 29100 and follows a risk-based approach that encompasses people, processes and technologies. The Information Security Team (IS) within CHML Web Services SRL is dedicated to data protection and reports directly to the company’s management.
- Information security measures for the protection of personal data
Information security policies
– set of rules for information security, approved by the company’s management, published and communicated to employees and relevant external parties.
Review of information security rules
– to ensure continued effectiveness and adequacy, we review our rules for information security at planned intervals or when significant changes occur.
The roles and responsibilities of information security
– establish and assign specific responsibilities for information security for all employees and external collaborators.
Task segregation
– we separate areas of responsibility to reduce the chances of unauthorized or unintentional disclosure, modification or use of organizational assets.
Information security in project management
– we approach information security in project management, regardless of the type of project.
Mobile device rules
– we use rules and security measures to deal with the risks associated with the use of mobile devices. We use security rules and measures to protect information accessed, processed or stored on mobile devices.
Managing security during employment
– we carry out checks for all candidates for available employment in accordance with the relevant laws, regulations and ethics and in proportion to the requirements of the business, the classification of the information to be accessed and the perceived risks. The contractual agreement between us and our employees specifies the responsibilities of both parties regarding information security. The security of information, responsibilities and duties that remain valid after termination of employment or change of employment within the organization are defined, communicated to the employee or external contractor and are enforceable.
Management responsibilities
– the company’s management requires that all employees and contractors comply with information security in accordance with the rules and procedures established by the organization.
Information security awareness, education and training
– all employees of the organization are continuously aware of the organizational rules and procedures relevant to their position.
Management and disposal of removable media
– we use procedures that implement the management of removable media devices. When no longer needed, removable media devices are destroyed, ensuring that data can no longer be read.
Transfer of physical materials
– materials containing information are protected against unauthorized access, incorrect or unauthorized use and corruption during transport.
Access control and management
– we use an access control policy, which is revised based on business and information security requirements. Users are only given access to the networks / network services they have been authorized to use.
Manage and use authentication passwords
– we use a process to control the allocation of authentication information. Users adhere to best practices in using secret credentials. We use the password management system to ensure quality passwords.
Restricting access to information
– access to application information and functions is restricted in accordance with access control rules.
Secure login
– access to systems and applications is controlled through a secure authentication process.
Physical location and protection of equipment
– IT&C equipment is located and protected to reduce the risks posed by environmental threats and dangers and the possibility of unauthorized access.
Utilities and security of cables
– equipment is protected from power failures and other interruptions caused by failures to support utilities. Power and telecommunication cables carrying data are protected from interception, interference, or damage.
Equipment maintenance
– the equipment is continuously and correctly maintained to ensure their availability and integrity.
Safe inspection and reuse of equipment
– ensure multiple data overwriting and low-level formatting of storage media, to ensure that sensitive information and licensed software are securely deleted or overwritten before deleting or reusing the equipment.
Clear desk / clear screen
– we have adopted clear rules for removable documents and storage media and a clear screen rule for information processing facilities.
Document operating procedures
– we have defined operating procedures and made them available to all users who need them.
Separation of development, testing and operational environments
– we use separate environments for development, testing and operation, to reduce the risk of unauthorized access or changes in the operational environment.
Checks against malware
– we implement detection, prevention and recovery controls to ensure protection against malware and combine these controls with adequate user awareness.
Backups
– we regularly make backups of information and systems. The number of backups is correlated with the potential risks of the information and systems supported.
Event logging and protection of log files
– produce, maintain and regularly review event logs that record user activities, exceptions, defects and
information security events. Log files are protected.
Installing software on operating systems
– we have established rules governing the installation of software on operating systems, in particular the installation made by users.
Vulnerability management
– technical vulnerabilities are managed by mitigating them in a timely manner, assessing the organisation’s exposure and taking appropriate measures to address the associated risk.
Restrictions on changes to software packages
– we use rules to modify the software, limiting this action to the necessary changes.
Addressing security in agreements with suppliers
– we analyze, document and agree with our suppliers the information security requirements to reduce the risks associated with the supplier’s access to the organization’s assets.
Reporting events and incidents related to information security
– when information security events are found, they are reported through appropriate management channels in a timely manner. Employees and contractors shall note and report any weaknesses in the systems or services observed or suspected. We evaluate and classify accordingly the information security events we face. We respond in a timely manner and in accordance with our internal procedures for information security incidents. We use the knowledge we gain when analyzing and resolving information security incidents to reduce the likelihood or impact of future incidents. We have a process for identifying, collecting, purchasing and storing information that can serve as evidence.
Intellectual property rights
– we implement appropriate procedures to ensure compliance with legal, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software.
Technical compliance review
– IT systems are regularly reviewed to comply with the organization’s security rules and standards.
- Measures to ensure the confidentiality of personal data protection
Purpose identification and documentation – we identify and document the specific purposes for which personal data are processed.
Identifying the legal basis – we determine, document and comply with the legal basis for the processing of personal data for the purposes identified.
Determining when and how to obtain consent – we determine and document a process for demonstrating when and how to obtain consent from data subjects.
Obtaining and registering consent – we obtain and record the consent of data subjects according to documented requirements.
Records related to the processing of personal data – we determine and maintain the records necessary to demonstrate compliance with our obligations regarding the processing of personal data.
The rights of the owners of personal data – we ensure the observance of the rights of the data subjects related to the processing of personal data and we offer the necessary means to be able to exercise their rights.
Providing information to individuals – we provide data subjects with clear and easily accessible information regarding the personal data we process.
Providing a mechanism for modifying or withdrawing consent – we provide mechanisms for data subjects to modify or withdraw their consent.
Providing the mechanism to oppose the processing – we provide the mechanism for data subjects to oppose the processing of their personal data.
Informing of the rights exercised by the owners of personal data – we take measures to inform third parties to whom we have transmitted personal data, about any change, withdrawal or objection resulting from the exercise of the rights of data subjects.
Correction or deletion – we implement a mechanism to facilitate the exercise of the rights of data subjects over access, correction and deletion of personal data.
Providing a copy of personal data processed – we are able to provide a copy of personal data that are processed, in accordance with the rules of retention and deletion, at the request of the data subject.
Application management – we have the means to deal with the legitimate demands of data subjects.
Automatic decision-making – we identify and resolve any obligations, including legal obligations, towards the data subjects resulting from decisions based exclusively on the automated processing of personal data.
Limiting the collection and processing – we limit the collection of personal data to a minimum that is relevant, proportionate and necessary for the purposes identified. We limit the processing of personal data to what is appropriate, relevant and necessary for the purposes identified.
Compliance with the objectives of minimizing and anonymizing personal data – we identify and document the mechanism by which personal data are processed in a timely manner, so that the extent to which personal data can identify or be associated with data subjects to meet the objectives of minimizing and anonymizing data personal.
Disabling and deleting personal data – we either delete personal data or turn it into a form that does not allow the identification of data subjects, as soon as the initial personal data are no longer needed for the identified purpose.
Temporary files – we ensure that temporary files and documents created as a result of the processing of personal data are deleted.
Retention – we do not store personal data longer than necessary for the purpose for which this data is processed.
Collection procedures – we ensure that personal data are accurate, complete and up-to-date, as necessary for the purposes for which they are to be processed, throughout the life cycle of personal data.
Identifying the basis for the transfer of personal data – we identify and document the relevant basis for the transfer of personal data.
Countries and organizations to which personal data may be transferred – we specify and document the countries and international organizations to which personal data may be transferred.
Evidence of the transfer of personal data – we record transfers of personal data to or from third parties and ensure cooperation with those parties to support the exercise of future access rights to data subjects.
Records of the disclosure of personal data to third parties – we record the disclosure of personal data to third parties, including personal data that has been disclosed, at what time and at what time.
Last update: 2020.02.10