Romanian version HERE
1. Information on the personal data controller
For the company ISRA Center Marketing Research SRL , the confidentiality of your personal data is of particular importance. To this end, we have drawn up this commitment to respect the confidentiality of your data by which we explain what categories of personal data we collect, the source of these data, the purpose of processing, as well as how these data are used/processed.
We want to assure you that we have taken all appropriate and necessary measures to ensure the confidentiality of your data, which is processed only by ISRA staff trained and authorized with regard to the processing of personal data.
The operator that processes your personal data is the company ISRA Center Marketing Research SRL (hereinafter referred to as “ISRA”), with registered office in Calea Vitan, 23C, Vitan Center building, 2nd floor, Sector 3, Bucharest, with unique registration code RO13788602 and registration number J40/3169/2001.
- “Personal data” means, for the purposes of the national and international legislation in force, any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, genetic, physiological, mental, economic, cultural or social identity.
- “Processing of personal data” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic or non-automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means are determined in Union or national law, the controller or his specific criteria may be provided for in Union or national law.
- “Data Subject” means the natural person whose personal data are the subject of processing of personal data.
- “Recipient” means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities to which personal data may be disclosed in the framework of a particular investigation in accordance with Union or national law are not considered as recipients.
- “Consent” of the data subject means any freely given, specific, informed and unambiguous statement of the data subject’s wishes by which the data subject consents, in an unequivocal statement or action, to the processing of personal data relating to him or her.
- “Third party” means the natural or legal person, public authority, agency or body other than the data subject, the controller, the controller’s authorised representative and persons who, under the direct authority of the controller or the controller’s authorised representative, are authorised to process personal data.
- “Controller’s processor” means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
3. Purpose of processing personal data
ISRA processes your personal data in accordance with the European and national provisions governing the protection of individuals with regard to data processing, as controller, for the following activities:
– fulfilling the legal obligations as an employer, as provided for by the Labour Code and the specific legislation on labour relations (recruitment of staff, registration of employment contracts, conclusion of additional documents, professional training, periodic occupational health checks, keeping records of working hours, etc.).
– execution of commercial, collaboration and/or partnership contracts;
– marketing research and market studies;
– use and administration of https://isracenter.com
4. Legal basis
We will process personal data exclusively for the purposes for which we have collected them, in accordance with and within the limits of the legal provisions in force:
a) for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract, in accordance with Article 6(6). (1)(b) of Regulation (EU) No 679/2016 ;
b) on the basis of the specific consent of the data subjects, pursuant to Article 6(6). (1)(a) of Regulation (EU) No 679/ 2016 (for a specific purpose: for example, we obtain your consent when conducting marketing research and market studies);
c) in order to fulfil legal obligations of the operator, according to Art. 6, para. (1), lit. c) of Regulation (EU) No 679/ 2016 (for compliance with our legal obligations; for example, if we have an obligation to respond to requests from public authorities or for compliance with tax legislation);
d) for the purpose of the legitimate interests pursued by the operator, according to Article 6 para. (1)(f) of Regulation (EU) No 679/ 2016 (if necessary, by virtue of our legitimate interest or that of a third party, and to the extent that the fundamental rights and freedoms of the data subject do not override those interests, for example, where personal data are used for research purposes in a way that data subjects would reasonably expect and the processing is unlikely to have a significant impact on the rights and privacy of those data).
5. Categories of personal data processed
We collect and process only the categories of data that are appropriate and necessary to fulfil a specific purpose.
The categories of personal data (traditional or digital) subject to processing at ISRA level are the following:
⦁ In the context of the pre-contractual employment relationship (recruitment stage), ISRA will process the following types of personal data:
– the totality of the data in the CV (if such a document is provided);
– ID card details (in the unlikely event that a CV is not provided).
⦁ The following categories of personal data will be processed for the conclusion, execution, termination of the individual employment contract: all information from the identity card (name, surname, domicile/residence, place of birth, gender, CNP, series and CI number, etc.), all information from the individual employment contract and job description (profession, place of work, income, type of employment contract, etc.), information on the employee’s work capacity, medical information resulting from regular occupational health checks, information on professional training resulting from diplomas/certificates of studies/qualifications, citizenship/nationality, military status, signature, bank details, driving licence details (where applicable), family status (dependants, death, birth, marriage, etc.), names and surnames of family members/co-insured (if applicable), e-mail address, data on disciplinary sanctions applied to the employee, information on hours worked, information on rest and medical leave, data from children’s birth certificates (where applicable, for deductions), data from the marriage/medical certificate (for certain benefits offered by the operator), image, if the data subject is in the premises under video surveillance.
⦁ For the execution of commercial, collaboration and partnership contracts, as appropriate:
– name, surname, telephone number, e-mail address, signature, ID number and series, CNP, home/residence address, bank details;
⦁ For market research and public opinion polling:
– name, surname, profession, telephone number, e-mail address, signature, and other categories of data as detailed in the specific informed consent forms for the respective research and studies.
In some research projects they can be processed:
– audio/video recordings obtained by specific means necessary to carry out the market research activity.
⦁ To use the site https://isracenter.com/
Navigating the website https://isracenter.com/ involves the processing of two categories of personal data, namely:
a) personal data that you voluntarily disclose to the operator (e.g. via the contact form), which is collected on an individual basis;
b) data that you provide unintentionally by simply browsing our website.
ISRA collects, on the basis of the voluntary provision of the data subject, the following personal data: name and surname (for identification purposes), e-mail address (for communication purposes) and any other categories of personal data that the user may provide via the contact form.
Your personal data will be processed by us for:
a) improving the site and the services provided through it;
b) determining the usefulness/popularity of the web content presented on the site;
c) sending technical, assistance or administrative notifications;
d) solving requests and complaints received from users;
e) facilitating user access to ISRA services;
f) communicating information of interest to users of the site;
g) protecting the rights and legitimate interests of ISRA.
ISRA will be able to carry out anonymous registrations based on the information you provide, by excluding data that could lead to your identification. The anonymous registrations are for the purpose of analysing your requests, which will lead to an improvement of our services and navigation on the site.
Collection of children’s data:
If, for a specific project, it is necessary to directly involve children under 16 years of age, we process the personal data of children only to the extent permitted by law, with the prior consent of the legal holder of parental responsibility, where necessary.
6. Source of personal data
ISRA may collect personal data as follows:
⦁ from public sources, such as various websites, social networks, various publicly accessible databases;
⦁ directly from you when you are party to a contract with us or when you have given us explicit consent to remain in our database;
⦁ from contract partners, third parties – we may receive your contact details from a company that is a client of ours and has contracted us to carry out a study on their behalf.
7. Categories of recipients of personal data
Access to personal data is strictly limited to the relevant staff responsible for managing each business segment.
Appropriate personal data, relevant and limited to what is necessary in relation to the purposes mentioned above, are used by us in accordance with legal provisions, with the establishment of adequate safeguards for the fundamental rights and interests of the data subject and are communicated to the following categories of recipients, as appropriate:
– the data subject;
– external suppliers of goods and services (labour medicine, accounting, etc.), banking companies (garnishments/cards/salary accounts), associated operators, bailiffs (garnishments), ITM, ANAF, CASMB;
– the client company for which ISRA conducts market research studies, including auditors of the client company;
– other addressees, authorised persons, with the establishment of appropriate guarantees, in the interest of carrying out the specific ISRA activity.
Depending on the topic of the research project, by exception, ISRA may disclose your identity to client companies strictly in connection with reports of adverse events or drug quality defects, only after obtaining your explicit consent to do so.
The disclosure of data to third parties is made in accordance with the legal provisions applicable to the categories of recipients specified above, ISRA taking all reasonable steps to ensure a secure transfer.
8. Storage period of personal data
ISRA retains personal data in accordance with the principles of proportionality and necessity, and in any case only for a reasonable period not exceeding the period necessary to fulfil the purpose for which it was collected.
The criteria used to determine this period are: the legal provisions in force, the purpose for which the data was collected, the period of completion of the project, including the delivery of results and their audit.
9. Transfer of personal data
In certain specific situations and purposes we may transfer your personal data to third parties on one or more legal grounds. We always ask all recipients to take the necessary measures to protect the security of your personal data in accordance with the applicable data protection legislation.
Sometimes it will also be necessary to transfer your personal data to countries outside the European Union and the European Economic Area (EEA). Any transfers of personal data to countries other than those for which there is a European Commission decision on the adequacy of data protection measures in place are made on the basis of standard contractual clauses adopted by the European Commission or other appropriate safeguards under applicable law.
ISRA undertakes that the data collected will only be processed in accordance with the stated purposes and will not make public, transfer or process information relating to data subjects without authorisation.
10. Rights of data subjects
According to the legal provisions in force, you have the following rights in relation to your personal data processed by us:
⦁ The right to information means the right of the data subject to receive any information relating to the processing in a concise, transparent and easily accessible form;
⦁ The right of access means the right of the data subject to obtain confirmation from the controller whether or not personal data concerning him or her are being processed and, if so, access to those data and to information on how the data are processed;
⦁ The right to rectification refers to the right of the data subject to obtain from the controller the correction, without undue delay, of inaccurate personal data concerning him or her or to have them completed if they are incomplete. These can be amended by sending an e-mail to adresa:firstname.lastname@example.org;
⦁ The right to erasure of data means the right of the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay if one of the following grounds applies: they are no longer necessary for the purposes for which they were collected or processed; he/she withdraws his/her consent and there is no other legal basis for the processing; he/she objects to the processing and there are no overriding legitimate grounds; the personal data have been unlawfully processed; the personal data must be deleted for compliance with a legal obligation; the personal data have been collected in connection with the provision of information society services;
⦁ Right to restriction of processing. The data subject shall have the right to obtain from the controller the restriction of the processing where one of the following applies:
(a) the data subject disputes the accuracy of the data, for a period allowing the controller to verify the accuracy of the data;
b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use;
c) the controller no longer needs the personal data for the purpose of processing, but the data subject requests them for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to the processing in accordance with Article 21(1) of the GDPR, for the period of time during which it is verified whether the legitimate rights of the controller prevail over those of the data subject.
⦁ The right to portability refers to the right to receive personal data in a structured, commonly used and machine-readable format and the right to have such data transmitted directly to another controller when the processing is based on consent or performance of a contract and is carried out by automated means, if technically feasible;
⦁ The right to object concerns the right of the data subject to object to the processing of personal data concerning him or her when the processing is carried out for the performance of a task carried out in the public interest or when it is necessary for the purposes of legitimate interests pursued by the controller;
⦁ The right to object to data processing based on automated individual decisions refers to the fact that the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects him or her to a significant extent. However, it will not be possible to exercise this right if the decision is necessary for the conclusion or performance of a contract between the data subject and the controller; is authorised by Union law or national law applicable to it, provided that the data subject’s rights, freedoms and legitimate interests are adequately protected; or is based on the data subject’s consent obtained in compliance with applicable law.
In order to exercise the rights provided above, as well as for further information, the data subject may contact ISRA CENTER MARKETING RESEARCH SRL, by sending a request by e-mail to email@example.com, or to the address: Calea Vitan nr 23C, Cladirea Vitan et. 2, sector 3, Bucharest, with the title “Protection of personal data” or “GDPR”.
The data subject also has the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (Bucharest, Bd. G-ral. Gheorghe Magheru 28-30, sector 1, postal code 010336), as well as the right to apply to the courts.
Special or consent-based data processing
Where the processing is based on Article 6(1)(a) “the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes” or on Article 9(2)(a) “the data subject has given his or her explicit consent to the processing of those personal data for one or more specific purposes”, unless Union or national law provides that the prohibition laid down in paragraph 1 cannot be lifted by the data subject’s consent” of the GDPR, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal. Thus, you can change or withdraw consent at any time, and we will act immediately accordingly, unless there is a legal reason or legitimate interest not to do so.
11. Final provisions
If ISRA determines that a change to the privacy rules is necessary, we will publish those changes to inform data subjects about the information we collect and how we use it.
Document Version: V2, 29 August 2023