Article 1 – Definitions

For the purposes of this personal data processing policy (hereinafter referred to as the “Policy”), the following terms shall have the meaning established by the General Data Protection Regulation No. 2016/679 adopted by the European Parliament, applicable from 25 May 2018 (“GDPR”) and are defined as follows:

  • Personal data – any information relating to an identified or identifiable natural person;
  • Data subject – the person to whom the personal data belongs;
  • Processing of personal data – any operation or set of operations performed on personal data within the Assistance and Recovery Center for Damages and Compensation in relation to personal data that form part of a filing system, or are intended to be included in such a system;
  • Storage – the keeping of personal data collected on any type of support;
  • Personal data filing system – any structured set of personal data;
  • Controller – any natural or legal person, public or private, including the Assistance and Recovery Center for Damages and Compensation and its collaborators mentioned in this Policy;
  • Processor – a natural or legal person, public or private, including public authorities, their institutions and territorial structures, which processes personal data on behalf of the controller.

Article 2 – Purpose of the Policy

The purpose of this personal data processing policy (hereinafter referred to as the “Policy”) is to guarantee and protect the fundamental rights and freedoms of natural persons, in particular the right to respect for private and family life and to the protection of personal data and the processing of such data by the Assistance and Recovery Center for Damages and Compensation in accordance with the General Data Protection Regulation No. 2016/679 adopted by the European Parliament, applicable from 25 May 2018.

The Assistance and Recovery Center for Damages and Compensation, as the controller, collects and processes the personal data mentioned below, by telephone, for the following purposes, on the basis of the legal grounds indicated for each of them:

  • To provide assistance and information to passengers regarding their rights and obligations in the event of an accident or incident.
  • To investigate and settle claims for compensation for damages and losses suffered by passengers.
  • To prevent and combat fraud.
  • To improve the quality of services offered to passengers.

Article 3 – Method of Processing Personal Data

The Assistance and Recovery Center for Damages and Compensation will collect, use or disclose personal data provided only for the purposes indicated, except where the disclosure of data:

  • Relates to the use of personal data for any additional purpose that is directly related to the original purpose for which the personal data was collected;
  • Is required by law or by competent governmental or judicial authorities;
  • Is necessary to establish or defend a legal right.

The Assistance and Recovery Center for Damages and Compensation will not knowingly collect personal data from minors without the prior verbal or written consent of their parents, guardian or legal representative, if required by applicable law.

Article 4 – The Assistance and Recovery Center for Damages and Compensation’s Commitment to the Policy

Protecting the safety and security of personal data is important to the Assistance and Recovery Center for Damages and Compensation; therefore, our activities within the company are in accordance with applicable data protection and security laws.

By accessing our website (cardd.ro), you acknowledge the Personal Data Processing Policy.

Data subjects have the right to access the data that is processed, to intervene on it, to object and not to be subject to an individual decision, as well as the right to address the National Authority for the Supervision of Personal Data Processing or the court to defend any rights guaranteed by law that have been violated.

Article 5 – Rights of the Data Subject Regarding the Processing of Personal Data

In the context of the processing of your personal data, you have the following rights:

  • The right to access the personal data processed: You have the right to obtain confirmation as to whether or not your personal data is being processed and, if so, to have access to the type of personal data and the conditions under which it is processed, by submitting a request to the data controller to this effect;
  • The right to request the rectification or erasure of personal data: You have the possibility to request, by submitting a request to this effect to the data controller, the rectification of inaccurate personal data, the completion of incomplete data or the erasure of your personal data in the event that (i) the data is no longer necessary for the original purpose (and there is no new legal purpose), (ii) the legal basis for the processing is the consent of the data subject, the data subject withdraws his or her consent and there is no other legal basis, (iii) the data subject exercises his or her right to object and the controller does not have prevailing legitimate grounds to continue the processing, (iv) the data has been processed unlawfully, (v) erasure is necessary to comply with EU or Romanian law or (vi) the data has been collected in connection with information society services offered to children (if applicable), where specific requirements for consent apply;
  • The right to request the restriction of processing: You have the right to obtain the restriction of processing in the event that: (i) you consider that the personal data processed is inaccurate, for a period allowing the controller to verify the accuracy of the personal data; (ii) the processing is unlawful, but you do not wish to have your personal data erased, but rather to restrict the use of such data; (iii) in the event that the data controller no longer needs your personal data for the purposes mentioned above, but you need the data to establish, exercise or defend a right in court; or (iv) you have objected to the processing, for the period of time necessary to verify whether the legitimate grounds of the data controller prevail over the rights of the data subject;
  • The right to withdraw consent for processing, where processing is based on consent, without affecting the lawfulness of the processing carried out up to that point;
  • The right to object to the processing of personal data on grounds relating to your particular situation, where the processing is based on legitimate interests, as well as to object, at any time, to the processing of data for direct marketing purposes, including profiling;
  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects the data subject in a significant way;
  • The right to data portability, meaning the right to receive the personal data you have provided to the data controller in a structured, commonly used and machine-readable format, and the right to transfer that data to another controller, where the processing is based on your consent or the performance of a contract and is carried out by automated means;
  • The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) and the right to go to court.

The exercise of the rights mentioned above may be carried out at any time. In order to exercise these rights, we recommend sending a written notice, dated and signed, or in electronic format [e-mail address removed].

Article 6 – Termination of processing operations and subsequent destination of data

At the end of processing operations, if there is no contractual basis, a legal obligation and/or a legitimate interest, if the data subject has not expressly and unequivocally given his or her consent for another purpose or for further processing, the personal data will not be transferred to another controller.

Article 7 – Other recipients of personal data

The Assistance and Compensation Recovery Center may disclose your personal data to third parties, in order to fulfill a legal obligation of the Assistance and Compensation Recovery Center, for the execution of the service contract, as well as in cases where these actions are necessary to protect and defend the property rights of the Assistance and Compensation Recovery Center.

These recipients of data may be:

  • Mobile phone companies, for the purpose of billing services;
  • State authorities.

Article 8 – Data retention period

Personal data collected by the Assistance and Compensation Recovery Center may not be kept for longer than is necessary to fulfill the purposes for which it is processed, in compliance with applicable law in force. The data retention period is 90 days from the date of the call. After this period, personal data will be completely deleted from systems or transformed into anonymous data, in accordance with the company’s procedures.

Personal data collected on the basis of your consent will be deleted upon withdrawal of consent, with the exception of the intervention of another legal basis for processing mentioned in this Policy.

Article 9 – Transfer of Personal Data Outside of Romania

Personal data may be transferred outside of Romania, based on legal or contractual obligations.

Recipient companies that process your personal data within the European Union/European Economic Area are subject to the same legal provisions and offer the same level of protection as that offered by the Assistance and Recovery Center for Damages and Compensation. However, if the transfer of passenger personal data to recipients outside the European Union/European Economic Area or to countries that do not offer an adequate level of protection is necessary to fulfill the purposes established by the Assistance and Recovery Center for Damages and Compensation, the Assistance and Recovery Center for Damages and Compensation will require these recipients to protect personal data in accordance with the requirements of the GDPR.

Article 10 – Confidentiality and Security of Processing

Since there are always risks associated with providing personal data by phone and there is no technology that can guarantee absolute security or prevent unauthorized access, the Assistance and Recovery Center for Damages and Compensation has taken appropriate technical and organizational security measures to prevent and minimize these risks. These measures include, where applicable, the use of firewalls, server security facilities, encryption, and the implementation of appropriate access control rights management systems and procedures, vendor selection, and other reasonable technical and commercial measures to ensure appropriate protection for your personal data in order to prevent unauthorized use or disclosure. Backups and other similar measures may also be used, where applicable, to prevent accidental damage or destruction of your personal data.

The Assistance and Recovery Center for Damages and Compensation certifies that it meets the minimum security requirements for personal data. It uses security methods and technologies, together with employee policies and work procedures, including control and audit, to protect personal data collected in accordance with applicable law.