Processing and protection of personal data

I. General information

These specifications apply to the websites ListaFirme.ro and ListaFirme.eu created by the company Borg Design SRL with its registered office in Bucharest, 16a Ștefan Hepiteș Street, as Data Controller.

The operator respects your privacy and the personal data you provide when registering or operating on these sites. In this regard, appropriate technological and organizational protection measures have been implemented.

These specifications are intended to inform you about the processing of your personal data, in the context of using the ListaFirme.ro and ListaFirme.eu websites.

II. Categories of data processed

The operator processes the following data sets online:

1. databases with companies and information about them;
2. databases with website users;

a) Databases related to companies and their contact information is not subject to GDPR whereas regulation no. 679/2016 in point 14 stipulates that it does not apply to the processing of personal data concerning legal persons...

The contact information in the company database refers strictly to legal entities and does not belong to the company's contact persons.

For this reason, the contact information processed does not refer to natural persons, is anonymous, does not require identification and will be treated as such in accordance with paragraph 26 and art. 11 of the regulation.

if an individual claims certain contact information associated with companies as personal, they must provide additional information that allows them to be identified and prove that the information belongs to them in order to exercise their rights of access, rectification, erasure, restriction and portability.

Contact information associated with companies that are proven to be personal will be restricted without exception from any processing as personal contact data is not accepted in company databases.

Coincidences of addresses or names, namely the fact that a company includes the name of a person in part or in full or that the company operates at an address where a person from the company's management lives, are not considered personal data, since the data of the legal entity are data of public interest and the address and name were chosen and published with knowledge of the facts and can be changed at any time.

Associates, administrators and beneficial owners
since the identification and contact information of companies including the names of contact persons (associates, administrators) is information of public interest according to legea 31/1990, published in Official Gazette part IV, and the names of the beneficial owners are public information according to legea 129/2019, republishable according to legea 544/2001 and legea 109/2007, we believe that the rights to information, retrieval and reuse of public sector information provided by law allow for the processing of data on a legal basis.

According to paragraph 62 of the regulation, it is not necessary to impose an obligation on the controller to provide information on the processing of data of data subjects where the recording or disclosure of personal data is expressly provided for by law or where informing the data subject proves impossible or would involve disproportionate efforts.

in law 544/2001, in art. 14, it is mentioned that information regarding the citizen's personal data may become information of public interest under certain conditions.
Information of public interest is any information resulting from the activities of a public institution or authority or of an autonomous government that uses public money.

Information regarding companies is collected from official public sources such as ANAF, the Official Gazette, the Trade Register, the Ministry of Finance, the Justice Portal, but also from the companies' own websites and verified by direct contact by call center operators.

Associates, administrators and beneficial owners have the right to object and may submit requests for deletion and restriction in their personal name, after their identity is verified (sign electronically with a qualified certificate or attach a copy of an identity document) according to paragraph 64 and art. 12.6 of the regulation.

The purposes of data collection/processing are:

• centralizing information of public interest and providing easy access to it;
• creating and providing data selections with information of public interest at the request of users.

Information regarding associates and administrators is processed on the legal basis of public interest and legitimate interest.

Other types of information
Information that is not personal and cannot be considered personal data even accidentally (registered trademarks, court cases, activity status, financial information, etc.) is not covered here.

For requests (see application form), suggestions, complaints, thanks or congratulations regarding company data, you can contact us at .

b) User databases
For categories of data relating to users (natural persons), the operator minimizes their content and provides transparency regarding the content and processing carried out as follows:

Types of personal data processed: name, surname, email, mobile, IP, cookies, Google Id, token associated with the card

Card details are not stored by us or the payment processor PayU, but by the transaction authorization institution corresponding to each card. The token associated with the card is only processed for users who opt for automatic payments.

III. Purposes and grounds of processing

Data collection is done directly from users by filling out registration form or order forms.

The purposes of data collection/processing are:

• maintaining online access accounts, user and customer records;
• providing automatic notifications regarding the status of your account or activated services;
• processing your orders, requests, questions, requests, proposals and suggestions;
• ensuring information security;
  The processing of personal data for the above purposes is based on the fulfillment of contractual obligations and/or the completion of the stages preceding a contract and is necessary for the operation of the services, being necessary based on legal obligations. Providing your data for this purpose is necessary. Refusal to provide data may result in the inability of the operator to comply with its legal obligations and therefore the inability to provide you with services. Withdrawal of consent for any of the above purposes involves and is done by suspending the account.
• allocating or offering any rewards, discounts or benefits.
  The processing of data for the latter purpose is based on the consent of the data subject given when creating the account and which can be optionally activated/deactivated in the [Messages] section.
  This option can also be deactivated by accessing the unsubscribe link at the end of each email message of this type.

IV. Rights of data subjects

Site users are people who have set up an access account on the site by remotely accepting the contractual conditions stipulated in the section "Terms and conditions" and have agreed to the processing of personal data for the purposes mentioned above.

Rights provided to users:

• the right to be informed (you will always receive clear and transparent, easy to understand and accessible information about how we use your data and about the rights you have)
• access right (users can access their own data after logging in to the site, from the [My Account] menu);
  Also, each User has the possibility to obtain, free of charge for one request per year, through a request drawn up in writing, dated and signed, sent to the indicated address, confirmation of whether or not the data concerning them are processed by the operator.
  The first provision of information will be made without any charge. If you would like copies of the information already provided or if you repeat the request, we may charge you a reasonable fee taking into account the administrative costs of providing the information.
  We cannot respond to requests that do not identify the person concerned or where we have doubts regarding the identity of the requester.
• the right to rectification and deletion (users can modify the personal data associated with the access account);
  Users also have the right to request, free of charge, the rectification, updating, blocking or total or partial deletion of their data. Requests for data deletion will be made to the extent that there are no legal provisions requiring us to retain the data.
• the right to be forgotten (users can delete their access account and associated personal data);
• the right to data portability (users can save/print personal data in an external file);
• the right to restrict processing (users can suspend their access account, data from suspended accounts is restricted from processing);
• the right to object (users have the right to object to the processing of personal data for certain purposes);
• the right to withdraw consent (exercised by suspending or deleting the account);

You can find a detailed description of the rights of data subjects here. here.

in addition to the online possibilities presented above, to exercise rights, users can also submit requests see application form in writing to the operator at the address or by mail, receiving a response within a maximum of one month.

if users are dissatisfied with the way their rights have been respected, they can file complaints with the operator. (), the national supervisory authority or they can go to court.

V. Duration of data processing

in the case of customers, we will process the data for the entire duration of the contractual relationship and subsequently according to the legal obligations incumbent on the operator (e.g., in the case of financial and accounting supporting documents for which the retention period provided by law is 10 years from the end of the financial year during which they were drawn up).

When exercising the option to delete your user account, by pressing the Delete account button in the My account section, the operator will interpret this action as your option to restrict any type of processing. We inform you that deleting your account will not automatically result in the immediate deletion of your personal data, but the deletion will be done later in accordance with the data deletion policy.

Data deletion policy:

• data marked for deletion will initially be restricted from all processing and permanently deleted after there are no longer any security reasons or laws in effect that require the data to be retained;
• data that is no longer needed: accounts will be automatically deleted after two years of non-use;
• incorrect data: accounts whose data is clearly incorrect will be deactivated during the biannual checks.

For security reasons, account data marked for deletion is kept for two years, and for accounting reasons, data involved in billing is kept for 10 years.

VI. Disclosure of personal data

To fulfill the processing purposes, the operator may disclose your data to entities that support the activity through the Site (for example, courier companies, IT service providers), or to central/local public authorities, in the following exemplary cases listed:

• in situations where this communication would be necessary for the awarding of prizes or other facilities to the data subjects, obtained as a result of their participation in various promotional campaigns organized by the operator through the Site;
• to perform data analysis, testing and research, monitor usage and activity trends, develop security features, and authenticate users;
• when the disclosure of personal data is required by law, etc.

VII. Transfer of personal data

The transfer of personal data provided by the operator is expressly prohibited, regardless of destination.

If you would like to consult Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, you can find it here. here.