CUSTOM SOLUTIONS ON PARTNERS REQUIREMENTS

Personal data processing policy

Customized solutions on the requirements of the partners

1. Operator Name:   S.C. GIGRANO S.R.L

2. Purposes and objectives for which the data are collected and processed:

According to U.E. no. 679 / 27.04.2016, the natural persons whose data are processed, are guaranteed the right to access them, to rectify or delete them, to restrict the processing, to oppose the processing, the right to data portability and the right to withdraw consent at any time.

Gigrano SRL processes personal data provided by individuals in accordance with the legal provisions on the protection of personal data in the Republic of Moldova, the processing being for a legitimate, contractual, economic-financial and administrative management. / p>

Gigrano SRL takes all necessary measures to keep all personal information in conditions of security and confidentiality.

The purpose of data collection is:
- the development and execution of the service contract concluded between Gigrano SRL and the CLIENT, including data collected and processed in the stages prior to the conclusion of the contract;
- legitimate collection, economic-financial and administrative management. Gigrano SRL collects only those data that are necessary for concluding and executing in good conditions the service contracts

Personal data represents:
- any information that may be related to an identified or identifiable natural person;
- includes all the information that refers to an identification element (eg name and surname; date and place of birth; personal numerical code; series and bulletin number; citizenship, signature; telephone; email; job, profession, etc.).

If the Gigrano website, www.gigrano.md, is accessed, the internet browser does not automatically transmit data (eg the URL of the website that makes the submission, the date and time of access, the file accessed, the amount of data transmitted, the type and version of the browser, the operating system, etc.) to the Gigrano server. This data (such as IP addresses) is not collected or used for any purpose.

Certain traffic data (such as IP addresses) may, in certain circumstances, be personal data and will be treated as such.

3. The type of processing operations are:   both legal and contractual.

4. Existence and nature of the means of protection of the processing:   Mixed protection systems (eg dedicated terminals, password files, etc.);

5. Duration for which data is stored (period after which it is deleted):

The company stores personal data only for the period necessary to achieve the purposes for which the data were collected and for which they will be further processed, as well as in accordance with the legal provisions in force regarding the archiving of documents.

At the same time, the storage of personal data for a longer period of time can be done for the management of the client portfolio.

6. If internal or external data transmissions are made and what their purpose is:

Data transfer is always allowed in the following situations:
a) When the data subject has explicitly given his / her consent for the execution of the
transfer b) When necessary for the execution of a contract concluded between the data subject and the Operator or for the execution of pre-contractual measures, it shall, at the request of the data subject, order
c) When it is necessary for the conclusion or execution of a contract concluded or which will be concluded in the interest of the data subject, between the Operator and a third party
d) When necessary to satisfy a major public interest, such as national defense, public order or national security, for the proper conduct of criminal proceedings or for the establishment, exercise or defense of a right in court provided that the data are processed in connection with this its purpose no longer than necessary
e) When necessary to protect the life, physical integrity or health of the data subject
f) When it occurs as a result of a previous request for access to official documents that are public or a request for information that can be obtained from registers or through any other documents accessible to the public.

1. Situations in which the operation falls from the point of view of the legality of the processing

According to Art. 6: Legality of processing:

(1)   Processing is legal only if and to the extent that at least one of the following conditions applies:
(a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes; (b) the processing is necessary for the performance of a contract to which the data subject is a party or for making arrangements at the request of the data subject before the conclusion of a contract; (c) the processing is necessary in order to fulfill a legal obligation incumbent on the controller; (d) the processing is necessary to protect the vital interests of the data subject or of another natural person; (e) the processing is necessary for the performance of a task which serves a public interest or which results from the exercise of the public authority vested in the operator
(f) the processing is necessary for the legitimate interests pursued by the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail, which require the protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply in the case of processing carried out by public authorities in the performance of their duties.

2. Where the processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on Union or national law, which constitutes a necessary and proportionate measure in a democratic society to protect the objectives referred to in Article 23 (1) - national security, defense, public order, legal proceedings - the operator, to determine whether the processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing; (b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller; (c) the nature of personal data, in particular in the case of the processing of special categories of personal data, in accordance with Article 9, or in the case of the processing of personal data relating to criminal convictions and offenses, in accordance with with article   10;
(d) the possible consequences for the persons concerned of the intended further processing; (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

2. Processing principles

According to Art. 5 Principles related to the processing of personal data

(1)   Personal data is:
(a) processed lawfully, fairly and transparently to the data subject ("legality, fairness and transparency")
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research or for statistical purposes is not considered incompatible with the original purposes ("purpose-related limitations");
(c) appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("minimization of data");
(d) accurate and, where necessary, updated; all necessary measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay ('accuracy');
(e) kept in a form which permits identification of data subjects for a period not exceeding the period necessary to fulfill the purposes for which the data are processed; personal data may be stored for longer periods to the extent that they are processed exclusively for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, subject to the implementation of technical measures. and organizational arrangements provided for in this Regulation in order to guarantee the rights and freedoms of the data subject ("storage restrictions"); f) processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures ("integrity and confidentiality") .
2. The operator shall be responsible for compliance with paragraph 1 and may demonstrate compliance ("liability").

3. Rights of data subjects

Art. 15. The right of access of the data subject
1. The data subject shall have the right to obtain confirmation from the controller that personal data concerning him or her are being processed or not and, if so, access to that data and to the following information:
a) the purposes of the processing; b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or are to be disclosed, in particular recipients from third countries or international organizations;
d) where possible, the period for which personal data are expected to be stored or, if this is not possible, the criteria used to establish this period;
e) the existence of the right to request the operator to rectify or delete personal data or to restrict the processing of personal data concerning the data subject or the right to oppose the processing; f) the right to lodge a complaint with a supervisory authority; g) if personal data are not collected from the data subject, any available information on their source;
h) the existence of an automated decision-making process including the creation of profiles, referred to in Article 22 (1) and (4), as well as, at least in those cases, relevant information on the logic used and on the importance and expected consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 concerning the transfer. 3. The controller shall provide a copy of the personal data subject to processing. For any other copies requested by the data subject, the operator may charge a reasonable fee, based on administrative costs. If the data subject submits the application in electronic format and unless the data subject requests another format, the information shall be provided in a commonly used electronic format.
4. The right to obtain a copy referred to in paragraph 3 shall be without prejudice to the rights and freedoms of others. Section 3: Correction and Deletion

Art. 16.   Right of rectification The data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him. Taking into account the purposes for which the data were processed, the data subject has the right to obtain the completion of personal data which are incomplete, including by providing an additional statement.

Art. 17.   The right to delete data ("the right to be forgotten")
(1) The data subject has the right to obtain from the controller the deletion of personal data concerning him, without undue delay, and the controller has the obligation to delete personal data without undue delay if one of the following reasons applies : a) personal data are no longer necessary for the purposes for which they were collected or processed; (b) the data subject withdraws his or her consent on the basis of which processing takes place in accordance with Article 6 (1) (a) or Article 9 (2) (a) and there is no other legal basis for the processing; (c) the data subject opposes the processing pursuant to Article 21 (1) and there are no legitimate reasons prevailing in respect of the processing or the data subject opposes the processing pursuant to Article 21 (2); d) personal data have been processed illegally; e) character data personnel must be deleted in order to comply with a legal obligation incumbent on the operator under Union or national law under which the operator is subject; f) personal data have been collected in connection with the provision of information society services referred to in Article 8 (1).
2. If the controller has made his personal data public and is obliged to delete them pursuant to paragraph 1, the controller shall, taking into account the available technology and the cost of implementation, take reasonable measures, including technical measures, to inform operators who process personal data that the data subject has requested the deletion by these operators of any links to those data or of any copies or reproductions of such personal data.
3. Paragraphs 1 and 2 shall not apply in so far as processing is necessary: ​​(a) for the exercise of the right to freedom of expression and information; b) for the observance of a legal obligation providing for processing under Union or national law applicable to the controller or for the performance of a task performed in the public interest or in the exercise of official authority with which the controller is vested; c) for reasons of public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) and Article 9 (3); d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, in accordance with Article 89 (1), in so far as the right referred to in paragraph 1 is likely to make it impossible or seriously affect the achievement of the objectives of that processing; or e) for finding, exercising or defending a right in court. (on May 23, 2018 Art. 17, paragraph (3) of Chapter III, section 3 rectified by point 3. of the Rectification of May 23, 2018)

Art.18.   The right to restrict processing
(1) The data subject has the right to obtain from the operator the restriction of the processing in case one of the following cases applies: a) the data subject disputes the accuracy of the data, for a period that allows the operator to verify the accuracy of the data; b) the processing is illegal, and the data subject opposes the deletion of personal data, requesting instead the restriction of their use; c) the controller no longer needs the personal data for the purpose of processing, but the data subject requests them for the establishment, exercise or defense of a right in court; or d) the data subject has objected to the processing in accordance with Article 21 (1), for the period during which it is verified whether the legitimate rights of the controller prevail over those of the data subject. 2. Where processing has been restricted pursuant to paragraph 1, such personal data may, except in the case of storage, be processed only with the consent of the data subject or for the purpose of establishing, exercising or defending a right in court; or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained a processing restriction pursuant to paragraph 1 shall be informed by the controller before the processing restriction is lifted.

Art. 19.   Obligation to notify the rectification or deletion of personal data or the restriction of processing The controller shall communicate to each recipient to whom the personal data have been disclosed any rectification or deletion of personal data or restriction of processing in accordance with Article 16, Article 17 (1) and Article 18, unless this proves impossible or involves disproportionate effort. The operator shall inform the data subject of those recipients if the data subject so requests.

Art. 20.   Right to data portability
(1) The data subject has the right to receive personal data concerning him / her which he / she has provided to the operator in a structured, commonly used and automatically readable format and has the right to transmit this data to another without hindrance from the controller to whom the personal data were provided, if: (a) the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) point (a) or on a contract pursuant to Article 6 (1) (b); and b) the processing is carried out by automatic means.
2. In exercising his right to data portability pursuant to paragraph 1, the data subject shall have the right to have personal data transmitted directly from one controller to another where this is technically feasible. > 3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task performed in the public interest or in the exercise of official authority with which the operator is vested. > 4. The right referred to in paragraph 1 shall be without prejudice to the rights and freedoms of others. Section 4: Right to Opposition and Automated Individual Decision-Making

Art. 21.   Right to Opposition
1. At any time, the data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data which, pursuant to Article 6 (1) (e) or (f), have been processed. regarding it, including the creation of profiles based on those provisions. The controller no longer processes personal data, unless the controller demonstrates that he has legitimate and compelling reasons justifying the processing and prevailing over the interests, rights and freedoms of the data subject or that the purpose is to establish, exercise or defend a right in court. (on 23-May-2018 Art. 21, paragraph (1) of Chapter III, section 4 rectified by point 4. of the Rectification of 23-May-2018)
2. Where the processing of personal data is for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him or her, including the creation of profiles, in so far as related to that direct marketing.
3. Where the data subject objects to processing for the purposes of direct marketing, personal data shall no longer be processed for that purpose.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information. 5. In the context of the use of information society services and notwithstanding Directive 2002/58 / EC, the data subject may exercise his right to object by automated means using technical specifications. 6. Where personal data are processed for the purpose of scientific or historical research or for statistical purposes in accordance with Article 89 (1), the data subject shall, for reasons related to his or her particular situation, have the right to opposes the processing of personal data concerning her, unless the processing is necessary for the performance of a task for reasons of public interest.

Art. 22.   Automated individual decision making, including
profiling 1. The data subject shall have the right not to be subject to a decision based solely on automatic processing, including profiling, which shall produce legal effects concerning the data subject or similarly affect him or her to a significant extent.
2. Paragraph 1 shall not apply where the decision: a) is necessary for the conclusion or performance of a contract between the data subject and a data controller; b) is authorized by Union or national law applicable to the controller and which also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or c) is based on the explicit consent of the data subject.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least his right to obtain human intervention from the operator, to express his point of view and to challenge the decision.
4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9 (1), unless Article 9 (2) (a) or (g) apply. ) and in which appropriate measures have been put in place to protect the rights, freedoms and legitimate interests of the data subject.

4. How the operator proceeds in the event of an incident:

Suspend the processing operation until the factual situation is clarified and adequate protection measures are implemented in order to respect the rights and freedoms of the data subjects.

11. Method of granting and withdrawing consent:

Gigrano SRL does not have to request the consent, according to Art. 6 par. 1), lit. b and c.
Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. Withdrawal of consent is as simple as giving it.

12. If there is a data protection officer, write down how to contact him:

 

For any other information regarding the processing of your personal data, you can contact Gigrano SRL, str. Ismail 33, Chisinau and / or e-mail: gigranosrl@gmail.com

The right to draft petitions, complaints and take legal action.

The data subjects may request information and / or submit a complaint regarding the Security Policy for the processing of personal data and / or the processing of personal data, by contacting the Manager on personal data protection issues, at email address: gigranosrl@gmail.com