This document is the information notice on the activities carried out by Policolor SA that involve your personal data and will provide you with the necessary aspects you need to be informed as properly as possible about the use of your data within the organization.
Thus, Policolor SA is the entity that will process your personal data. This data can be most often: last name, first name, telephone number, e-mail address, and will be received and processed in various situations, such as: product sales, loyalty card issuance, marketing activities, etc. Where appropriate, we will obviously need to use your personal data for the purpose of responding to your requests or communicating with you on a need-to-know basis.
We also want you to be aware that the personal data we work with may come directly from you (when you place an order in physical stores or online, for example), from a third party (if the marketing agencies we work with provide us with your data as a contest participant) or from the activities carried out in the commercial relationship between you and Policolor.
What entitles us to process your personal data is, first of all, the need to conclude and execute the contract for the sale of Policolor products and/or the provision of services, (according to art. 6 letter b) without the provision and use of personal data there can be no such contract. Another basis on which we process personal data is the consent you give us (under Article 6 paragraph 1, letter a) regarding certain activities that cannot be carried out without such consent. We also process personal data on the basis of a legitimate interest to carry out certain activities involving such data where appropriate (as per Art. 6 paragraph 1 letter f).
In addition, we want you to be aware of certain rights, detailed in Chapter VIII of this document, which you can exercise whenever you have reason to do so.
It is important to keep in mind that you can always contact us at firstname.lastname@example.org if you want to get in touch with us regarding the processing and protection of your personal data.
All this being said, in short, please find below all details in order to have a complete picture regarding the use of personal data.
Chapter I Introduction
The protection of personal data is an important objective of our organization. We respect your privacy and personal life.
As of 25 May 2018, Regulation (EU) 2016/679 (of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) became applicable.
We are able to comply with the provisions prescribed by this Regulation by implementing all protective measures relating to the processing of personal data.
One of them is to inform in a transparent and accurate way all users of our website www.policolor.ro (where you will find the present notice) as well as Policolor customers.
Therefore, we will inform you below about the processing of personal data when you decide to be a customer of one of the Policolor entities or when you use the options included in our website e.g. the contact form.
As controller, Policolor SA hereinafter referred to as Policolor or the Company, is a Romanian legal entity, with registered office in Bucharest, Bd. Timișoara, nr. 98, sector 6, registered at the Trade Register J40/205/1991, with unique registration code RO 326318.
This personal data protection policy describes our practices regarding the processing of data, communicated directly or indirectly to our organization, and how we use personal data for the purpose of providing services:
·Sales process in Policolor physical stores;
·Registration in our stores’ loyalty programs, for loyalty card registration and also for loyalty bonuses.
·Sales through various platforms that facilitate this process (e.g. eMag);
·Participation in various online competitions organized by Policolor: Instagram, Facebook, etc.
·Marketing activities carried out via the website (e.g. advertisements).
In our work, we make ourselves responsible for strictly adhering to the existing principles of the Regulation, thus:
·the principle of lawfulness, fairness and transparency – in the sense that data processing is carried out in a concise, comprehensible form, only on a lawful basis, in line with the conditions imposed by this Regulation;
·the principle of purpose limitation – data processing is carried out for a clear, well defined and established purpose from the outset;
·the principle of data minimization – the data processed will be only those relevant to the situation and limited only to the stated purpose;
·the principle of accuracy – ensures that the data processed must be accurate and up-to-date.
Our data protection practices comply with the applicable law. However, if for any reason, the terms set out in this data protection policy are not acceptable to you, you may communicate your objection to us at email@example.com.
Chapter II Definitions and clarification of concepts
1. Personal Data
Personal data is all data that relates to you personally. In general, this includes personal identification data and characteristics (last name, first name, personal numeric code, nationality, home/residence address, phone number, etc.), electronic identification data (identifiers from various applications, IP, Skype ID, Facebook ID, Instagram, etc.).
2. Data subject. Processing. Controller or processor
First of all, we would like to explain the notion of data subject, which is often used in this notification and elsewhere.
By this notion the person whose personal data are processed, and who benefits from protection and security thanks to the requirements of the Regulation implemented by the controller in its activity. In Policolor’s business, this may be represented, for example, by people who use our website or people who choose to purchase our products.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction. Therefore, whenever personal data provided by you is collected and then used for the purposes described in this information notice, processing of your personal data takes place.
According to the Regulation, controller means the natural or legal person, public authority, agency or other body “which alone or jointly with others determines the purposes and means of the processing of personal data”.
Policolor acts as the controller, processing personal data received from data subjects, and determines the purposes and means of processing such data. Thus, it is obliged to ensure the compliance of its processing activity with the rules imposed by the Regulation, in order to provide data security to data subjects who entrust their personal data for the fulfilment of certain purposes.
Also in the text of the Regulation, the notion of processor is defined as “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. It will process the personal data of data subjects only with the consent of the controller, within the limits and under the conditions imposed by the controller.
In this case, processors may be persons with certain tasks in the controller’s business who come into contact with personal data of data subjects in the course of their activities, such as various suppliers or collaborators (e.g. advertising agency).
Chapter III Purposes of the processing of personal data and their type in relation to each purpose
We will present below each of the purposes for which your personal data are processed within our organization, exemplifying for each of these purposes the categories of such personal data.
1. Processing of personal data for the purpose of selling products made available by Policolor
As its core business, Policolor provides interested parties with specific products: paints, varnishes, finishing materials, etc.
They are sold through two main channels:
1.1. Sale of Policolor products in physical stores
In this activity, the Company processes the following categories of personal data necessary for the invoicing process:
·last name, first name;
·address of residence;
·client account details;
·name of the person taking delivery/receiving the products.
·financial data related to payments (bank card, bank account)
·delivery address details (where applicable)
1.2. Sale of Policolor products through various platforms
In this case, it is the eMag platform/online shop (own/partner) where interested people can order Policolor products. This involves the following personal data:
·last name, first name;
·financial data related to payments (bank card, bank account)
·delivery address details (where applicable)
2. Processing of personal data for the purpose of registering Policolor customers in the loyalty program
As part of this process, if you are interested in being part of the Policolor loyalty program, you will be able to fill in a form with the following personal data in our partner stores/online platforms/Policolor representatives:
After filling in the form, your card can be registered and used for its intended purpose.
3. Processing of personal data for the purposes of competitions organized by Policolor
Occasionally, the Company organizes, in collaboration with a specialized marketing agency, contests on Policolor platforms (Instagram, Facebook, other social media platforms). These contests have Policolor products as prizes and registration is done by registering your user ID on one of these platforms. If you are the winner of one of these competitions, you will be asked for the following personal data:
•last name, first name;
•phone number and/or e-mail;
•prize delivery address.
For the awarding of prizes/gifts the above mentioned data can be supplemented with:
•identification data from the identity card: Personal number, address, Identity Card series and number
•financial data: bank account
4. Processing of personal data for market research
We process your personal data for the purpose of market research and surveys. You may withdraw your consent at any time (with effect for the future, without stating your reasons) and the data will be anonymized upon your express request. For this purpose, your data will be anonymized, used by us exclusively for statistical purposes and cannot be linked to you under any circumstances.
This data processing serves in particular to improve service offers that are more relevant to you.
5. Other categories of processing
Processing of personal data may also take place for the following processes:
·customer satisfaction assessments,
·reply to quotes,
Our company does not request or process personal data in special categories, but only non-sensitive, necessary and relevant data, unless legally required to do so at a later stage.
It should also be noted that in the sales activity carried out by Policolor there may also be situations in which the customer/buyer is a person who has not yet reached the age of 16 (in the case of contracts for the sale-purchase of products, made in the name and on behalf of minors by their representatives/legal guardians, or even by minors themselves – depending on the value of the products purchased). In this situation, the controller shall ensure that all necessary measures are taken to ensure that the processing of their personal data is carried out in accordance with Article 8 of the Regulation. As a clarification, the data of persons under the age of 16 will only be collected only for the purpose explained above.
Chapter IV Data storage duration
The duration for which we keep your data is 10 years, in order to ensure continuity if, after the completion of the current order or request, you want to continue or make other orders or requests also through our teams.
It is also good to know that your data will be kept for the duration of the contract.
Chapter V Use of service providers for processing personal data/processing data in countries outside the European Economic Area
Policolor does NOT use providers from outside the European Economic Area to provide services and process your data.
In the event that this happens, we will ensure that our suppliers and collaborators ensure confidentiality and provide adequate protection of your personal data based on signed agreements.
Chapter VI Source of personal data
Personal data can be obtained from the following sources:
a. directly from you whenever: you provide the necessary billing information when you purchase our products; you fill in the form to obtain your loyalty card, etc..;
b. indirectly from third parties, such as if we receive your personal data from third parties with whom we collaborate (e.g. the eMag platform or other own or partner platforms through which you place an order, the advertising agency organizing the competitions you enter);
c. through the activities you carry out while you are our customer/user of the Policolor website.
Chapter VII Legal basis for the processing of personal data
The legal grounds for the personal data processing operations described in this notification are:
(i) to perform a contract to which you are a party or to take steps prior to the conclusion of a contract for the sale and purchase of our products;
(ii) our legitimate interests in accordance with the legal provisions on data privacy;
(iii) your consent.
We would like to point out that in cases (i) and (ii), in the absence of the personal data necessary to complete such contract, it will be impossible to conclude the contract.
Our legitimate interests or those of a third party include our requirements to use your personal data in litigation, law enforcement investigations, marketing or advertising or for other lawful purposes involving Policolor.
If Policolor is obliged by a regulatory act (law, regulation, decision) ordinance or court order to communicate personal data, compliance can and will be carried out without the need to inform or consent of the data subject.
Chapter VII Data Security
To prevent unauthorized access, maintain data accuracy and ensure the correct use of data, we implement reasonable and appropriate physical, IT and organizational security measures to effectively protect all personal data we process.
The information you provide through the online platforms will then be transmitted in encrypted form using Secure Socket Layer (SSL) to prevent misuse of the data by third parties. You can identify this by the fact that a closed padlock symbol appears in your browser’s status bar and the URL begins with “https”.
In order to improve the measures outlined in the current Personal Data Protection Policy, we will make every effort to ensure that the data is accurate, complete, current and relevant for the intended use, and any changes will be described in the updated version.
Policolor will periodically test and review the effectiveness of measures to protect data against the risks of loss, misuse, unauthorized access, disclosure, alteration or unauthorized deletion/destruction.
Your provision of personal information is entirely voluntary and you have the right not to provide personal information.
If you need assistance to access, update, correct or delete your personal information, or if you no longer want our services, you can always send a request to the e-mail address: firstname.lastname@example.org.
Among the organizational measures taken by our organization and which guarantee the security of the processing of your personal data is the fact that the training procedure for our own employees and processors and their employees is carried out in order to comply with the GDPR rules and to make them aware of their importance. Where there is a transfer of personal data from the controller to processors or employees, it shall be carried out under lawful, secure conditions, meeting the necessary guarantees.
If we, as a controller, collaborate with another controller in the processing of personal data, we guarantee the conclusion, in a lawful and transparent manner, of an agreement on the processing of personal data, in the content of which the disclosure of personal data to the other controller is fully explained, all under conditions that ensure the protection of the processing of your personal data.
Chapter VIII Your Rights
1. Right to access
You have the right to request information from us at any time about the data stored about you as well as, inter alia, about its origin, the recipients or categories of recipients to whom this data is transmitted and the purpose of storage. Reasonable administrative costs may be charged for all other copies except the first copy. This does not apply to electronic communication of information.
2. Right to withdraw consent
If you have given your consent to the use of your data on the legal basis of consent, you may withdraw it at any time with effect for the future, without stating your reasons. To do so, simply send an e-mail to email@example.com. Your action will not affect the data processing carried out up to that point, which remains a legal and valid process..
3. Right to correct
If your data collected by our organization are incorrect, you can request their correction at any time by contacting the project/service of interest to you or the representative with whom you are in contact.
4. Right to delete
You have the right to obtain from Policolor the deletion of your data, which can be exercised in certain circumstances provided by applicable law, including:
·where the personal data are no longer necessary for the purposes of the processing;
·where the data subject objects to the processing and there are no other legitimate interests prevailing for the processing;
·where personal data have been unlawfully processed.
Your personal data can be deleted at any time by means of a request using the methods already mentioned or by using our general contact details for each project/service. As a rule, your data will be deleted immediately, but no later than one month after you request this right. If deletion is contrary to the interests of the organization or the retention of the data is required by legal, contractual or statutory data retention obligations, or by commercial or other reasons prescribed by law, instead of deletion, your data may only be blocked. If this is the case for your customer account, you will receive a notification from us to this effect. After your data are deleted, it is no longer possible to receive information.
5. Right to port data
If you request personal data made available to us, we will, if you wish, provide or communicate the data to you or another person designated by you in a structured, common and electronically format. The latter only if this is technically feasible and only related to the data you have entrusted to us.
6. Right to object
You have the right to object to the processing of your data under the conditions and in the cases provided for by applicable law (situations which include e.g.: data processing for direct marketing purposes) at any time and without giving reasons. In addition, we inform you that by refusing all data processing, it is possible that the performance of the contract in respect of the services engaged and the running of the programs for customers may be limited or may no longer be possible, so please consider carefully before submitting such requests.
7. The right not to be subject to a decision based solely on automatic processing
We do not make decisions based solely on automated processing. If in the future we use automated processing and profiling within the meaning of Article 4.4, this will be done with human intervention and with respect for your right to challenge the decision and express your views.
If Policolor refuses a request from you, for example on the basis of your right of access, we will provide you with an explanation for this decision, which you in turn have the right to legally challenge.
Chapter IX Amendments to the personal data protection policy
Policolor reserves the right to amend the Personal Data Protection Policy whenever necessary. If and when changes occur, they will be reflected in the updated version of this document in due course.
Chapter X Contact (for the exercise of data subjects’ rights)
If you contact us by e-mail at firstname.lastname@example.org or by mail at the address: Bd. Theodor Pallady nr. 51 N, et. 3, ap. C13 of the building Metro Pallady, sector 3, București, postal code 032258, the information you provide (your email address, your name and your phone number, if applicable) will be stored by us to respond to your questions or requests.
Chapter XI Right to lodge a complaint
You have the right to lodge a complaint with the ANSPDCP, the competent supervisory authority with regard to the processing of your personal data, if you believe that your data protection rights have been violated, using the data available at Chapter XII.
Chapter XII Questions on data protection
Questions about all data processing can be addressed at any time to:
Address: Bd. Theodor Pallady nr. 51 N, et. 3, ap. C13 building Metro Pallady, sector 3, București, postal code 032258
Data protection manager: Serban Popa
Last but not least, you have the right to contact the National Supervisory Authority for Personal Data Processing (ANSPDCP) at the following contact details:
Web page: http://www.dataprotection.ro
Tel.: 40.318.059.211/ +40.318.059.212
Version updated on 19 August 2021