This document, the Privacy Policy, regulates the way we process the personal data of our website users (the "Website").

Protecting your personal data in the course of our business is a major concern for us. That is why we aim to offer you a secure online experience, respecting the right to privacy and the protection of personal data.

Under Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR") and Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented, our company has the obligation to process personal data in accordance with the principles of processing and only for the purposes specified below, as well as in a secure manner.

Principles of processing

We process personal data of our website users in accordance with the following principles:

a) Personal data are processed in a legal, fair and transparent manner with respect to users,

b) Personal data are only collected for specified, explicit and legitimate purposes and are not processed in a manner that is incompatible with these purposes,

c) Personal data must be adequate, relevant and non-excessive in relation to the purpose for which they are collected and/or further processed,

d) Personal data must be accurate and, if necessary, updated; all reasonable measures must be taken to erase or correct inaccurate, incomplete data, having regard to the purposes for which they were collected or for which they are further processed,

e) Personal data are not kept longer than necessary for the purposes for which they were collected or for which they are further processed,

f) Personal data will be processed safely, ensuring a level of protection against illegal or unauthorized access, as well as loss, destruction, damage. We will maintain the privacy of the Site users' personal data, as required by the GDPR,

g) The observance of the principles set out in sections (a) to (f) above must be demonstrated, for which purpose the rules and requirements for the processing of personal data should be documented.

Processing purposes

We will only process those personal data that are appropriate, relevant and strictly necessary for the identified processing purposes.

Personal data are processed for the following purposes, which we will always present to you specifically and explicitly, in principle by means of the Notifications, or by any other means that are used to provide information to users (such as posters, symbols, etc.):

a) to contact you through the means of communication to provide you with information (i.e. non-marketing information),

b) to create and analyse profiles about you in order to present you content that is suited to your preferences and to improve our services,

c) to perform marketing or general advertising activities as well as customer loyalty activities and surveys,

d) to perform economic, financial and/or administrative management activities,

e) to centralize your operations and maintain an internal database that stores information about you in order for us to access it for use (that is, the use of these data involves processing by means of our internal applications),

f) to perform internal analyses (including statistical analyses, reports) on the customer portfolio, improving and developing services, and to conduct market studies and analyses to improve and develop our services and the services of NEPI Rockcastle Group and its Partners,

g) to archive, settle disputes, investigations or any other petitions/complaints which involve us and to perform risk checks on our procedures and processes and to conduct audits or investigations in our company,

h) to ensure a high level of security both in what concerns the computer systems (e.g. applications, network, infrastructure, website) and physical locations,

i) to provide you with support services when you request so.

Information

Every time we get personal data from you or we obtain your data from other entities, we'll let you know about issues related to:

a) identity and contact details of operator and officer of personal data,

b) the type of data,

c) the purposes of processing,

d) the basis of processing,

e) the need for processing as a result of a legal provision/execution of a contract, and the consequences of your refusal,

f) the categories of recipients to whom we submit your personal information,

g) if we transmit these data to a third country,

h) the duration for which we store these data and

i) your rights in relation to the processing of personal data.

This information will be available either in Notifications or through other means used by us to achieve this purpose (e.g. posters, symbols, etc.).

Access to your data

Access to your data will only be provided to those individuals or entities with whom we collaborate for processing purposes and for whom we (the new or the intended recipients) can justify a legitimate ground in accordance with the GDPR provisions or if we have a legal obligation to provide your data.

The following entities and their employees will have access to your data:

a) IT service providers (e.g., software maintenance and development, site maintenance and development),

b) market research service providers, service providers used for the transmission of marketing communications, providers of services for monitoring traffic and the behavior of online tools' users, providers of customization of various types of marketing, providers of marketing services through social media resources, content providers for marketing,

c) Companies in the Nepi Rockcastle Group (the "Group").

We will require these entities and their staff to respect the confidentiality of these data, ensuring a high level of security for your data processing.

We will also provide your personal data to judicial bodies, public institutions, or central and local public authorities, based on a duly substantiated request or legal obligation.

Security of personal data

We will take all necessary security measures to protect your personal data transmitted, stored or otherwise processed against destruction, loss, unlawful or accidental change, unauthorised disclosure or unauthorised access, as well as against any other unlawful processing. The security measures we implement with regard to your personal data can ensure the confidentiality, integrity, availability and continued resilience of processing systems and services, as well as the capacity to restore the availability of and access to personal data in a timely manner if a physical or technical incident occurs.

As provided by the GDPR, in case of personal data breaches, we will properly inform the relevant authorities and relevant persons.

Accuracy of personal data

We process personal data that are accurate, and we have an update procedure in place. Thus, we take all necessary steps to ensure that personal data that are inaccurate, in view of the processing purposes, are erased or rectified without delay.

Storage period

Your personal data are processed and stored for the necessary period during which we provide access to the website.

Your rights

As a Website user, you have the following rights which can be exercised individually or cumulatively with respect to the personal data we hold about you:

a) Right of access - you may request confirmation of whether or not your personal data are processed by us, and if so, you may request access thereto, as well as certain information about this. Upon request, we will also issue a copy of the processed personal data. The request for additional copies will be charged based on the actual costs incurred by us,

b) Right to rectification - you can get your inaccurate personal data rectified and also supplement incomplete data, including by providing additional information.

c) Right to delete data ("the right to be forgotten") - in situations expressly regulated by law, you can obtain from us the deletion of the data. Thus, you can request deletion of personal data if:
- the data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you withdraw your consent on the basis of which processing takes place;
- you oppose the processing under the right to object;
- processing your personal data is illegal;
- data must be deleted for compliance with a legal obligation incumbent on us.

d) Right to restrict processing - you may request the restriction of processing of personal data in certain situations governed by law, as follows:
- you contest the accuracy of your data, for the time the accuracy of the concerned data is checked;
- processing is illegal and you oppose the deletion of data;
- you need these data to establish, exercise or defend some rights in court, and we no longer need this data;
- you opposed the processing of personal data for the period in which we check if our legitimate interests prevail over the interests of your rights and freedoms.
In these situations, except for storage, the data will not be processed anymore.

e) Right to object to the processing of personal data - you can object at any time, for reasons related to your particular situation, to processing (including profiling) based on our legitimate interest or, where appropriate, on us exercising a task which is in the public interest or results from the exercise of a public authority with which we would have been invested thereby.
Marketing materials sent electronically may contain brief information on your option of objecting to the processing of personal data in order to perform direct marketing. If you object to the processing of personal data for direct marketing purposes, your personal data will no longer be used for these purposes.
The right to object to the direct marketing activity is available when the processing of personal data for direct marketing purposes is based on (i) our legitimate interest, or (ii) on the existing contractual relationship with us and concerns products that are similar to those already contracted, and not on the consent given.

f) Right to data portability - you can receive your personal data in a structured, readable format, and you can request that the data be passed to another operator. This right applies only to personal data provided directly by you, and only if the processing of personal data is done by automated means and is legally based on either the execution of a contract or the consent of that person,

g) Right to complain - you can complain about how we process your personal data. The complaint will be filed with the National Supervisory Authority for Personal Data Processing ("ANSPDCP") – details at www.dataprotection.ro,

h) Right to withdraw your consent - you may at any time withdraw your consent to the processing of personal data in cases where processing is based on consent. Withdrawal of the consent will only have effect for the future, and processing prior to the withdrawal remains valid.

i) Additional rights related to automated decisions used in the delivery of services - if we make automated decisions about personal data and these decisions affect you significantly, you can (a) obtain human intervention with respect to said intervention, (b) express your point of view on such processing, (c) obtain explanations of the decision made and (d) contest that decision.

These rights (except the right to contact ANSPDCP, which you can exercise under the conditions established by this authority - in this regard you can see the official website www.dataprotection.ro) may be exercised, either individually or in aggregate, by sending a letter/message in the following ways:
- by post, at: Calea Floreasca nr. 169A, Floreasca 169, Cladirea A, etajul 5, Sector 1, Bucuresti, Romania (to the attention of NEPI Rockcastle);
- by email, at the email address: data.protection@nepirockcastle.com.
In addition, a Data Protection Officer ("DPO") has been appointed at the Group level, who can be contacted if there are any concerns about the protection of personal data and the exercise of data protection rights. The DPO may be contacted by means of a written, dated and signed application, using the contact details mentioned above.

Privacy Policy and other documents relating to the processing of personal data

This Privacy Policy is the general framework that reflects the principles of personal data processing within our company.
When you visit our website (the "Website"), we process the following personal data: the IP address, the browser type, the type of computer used and the operating system, the date and time of access and your location.
As a result of the use of the Website, we place cookies or other similar technical means on your computer to help you access the services of our Website with ease and efficiency, and to provide, protect and improve our Website’s features. More information about cookies can be found in the Cookie Policy available on our website, in the “Cookies” section.

Changes to the Privacy Policy

This Privacy Policy was last updated on 26.11.2018.
We reserve the right to revise and update this Privacy Policy at any time. Additional information will be included in this updated document, available on our website. Therefore, please check the relevant section of our Privacy Policy when you visit the Website, because it may have changed since your last visit. If you have any questions about the information contained in this page, please contact us at data.protection@nepirockcastle.com.