POLICY ON PERSONAL DATA PROTECTION AND DATA PRIVACY

 

Introduction

SustainAbility School, an E-learning platform in sustainable management, developed by the Sustainable Romania Coalition Association, based in 7 Benjamin Franklin Street, Sector 1, Bucharest, registered with the Trade Register under number J40/926/2009, CIF RO25004202, is committed to protecting and respecting your personal data confidentiality in accordance with the applicable legal provisions in this field. To this end, this section includes information on how your data is processed and the rights you have as a Data Subject in relation to your personal information we hold.

 

This section sets out how we may use, process and store your personal information that has been obtained directly from you.

 

The Sustainable Romania Coalition Association will protect the confidentiality of the identity of any user - natural person, accessing the sustainability-school.eu website, in compliance with data protection requirements, including those provided by the General Data Protection Regulation 2016/679/EU on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Regulation"), applicable as of May 25, 2018.

 

To the extent that users will be asked to provide any information about their personal data, users will do so voluntarily, by accepting the terms and conditions of this website and any other content.

SustainAbility School will take all necessary measures to protect the security of the information voluntarily provided by users and will not disclose such information to any other entity, natural or legal person, except where disclosure is permitted/ required by applicable law or the provisions of this section.

 

The Sustainable Romania Coalition Association is a personal data controller(hereinafter "Controller") within the meaning of the General Data Protection Regulation 2016/679/EU.

 

The terms and conditions set out in this section apply to the processing of personal data relating to individuals, including representatives (individuals) of companies, non-profit organizations or other entities, as a result of registering and creating an account on the SustainAbility School platform, subscribing to the "SustainAbility School" newsletter, or other data collection from the website you have accessed.

 

Legal framework

According to the requirements of Regulation 2016/679/EU on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as "the Regulation") applicable as of May 25, 2018, we are obliged to manage in a secure manner and only for the specified purposes the personal data you provide to us through the use of the sustainability-school.eu website, our services or in connection with our business, in accordance with the provisions of the Regulation.

 

For more details on the content of the legislative act, please visit the following link: https://eur- lex.europa.eu/legal-content/RO/TXT/?uri=CELEX%3A32016R0679

 

Definitions

1

 

According to Article 4 of the Regulation:

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

"Processing" means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

'Data controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. 'processor' means the natural or legal person, public authority, agency orother body processing personal data on behalf of the controller;

"Data subject(directly or indirectly) means a person identified or identifiable by means of an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to his or her physical, physiological, genetic, mental, psychological, economic, cultural or social identity, regardless of the source of the data(mobile devices, software applications, IP addresses, cookies, etc.).

"Pseudonymization" means the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

"Recipient" means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party.

"Third party" shall mean a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorized to process personal data; 

"Consent" of the data subject means any freely given specific, informed and unambiguous indication of his or her free, specific, informed and unambiguous will by which the data subject signifies his or her agreement, by an unequivocal statement or action, to personal data relating to him or her being processed;

Purposes of processing

The controller must consider processing the data for specifically determined purposes and ensure that the purposes of the processing do not contravene the applicable legal rules, i.e. that the purposes of the processing are lawful.

 

Personal data submitted through the sustainability-school.eu website and personal data we have collected from you or from third parties or public sources will be used for the purposes specified in this Policy on Personal Data Processing and Data Privacy. Depending on the relationship we have or wish to have with you, we may use your personal data for the following purposes based on the legal grounds set out in Art. 6 para. (1) Regulation and set out below:

❖ The consent you give, according to Art. 6 para. (1) letter a) of the Regulation, when the Operator does not rely on any other legal basis, but on your consent to the processing of personal data, which can be withdrawn at any time (for example, when the use of personal data is necessary in order to register your request to receive information, invitations or other informative materials regarding the event(s) promoted on the website or to create a user account);

 

1

 
❖ To comply with a mandatory legal requirement laid down in EU or national law (e.g. providing personal data to various authorities).
❖ Performance of a task serving a public interest (provided for in EU or nationallaw);
❖ The legitimate interests of the Controller - whenever the Controller relies on this legal basis to process your data, the interests of the Controller will be assessed to ensure that they do not override your rights.
❖ When there is a contractual obligation/for the performance of a contract, i.e. when the processing is necessary for the fulfillment of one of the stated purposes of the website - pursuant to Art. 6 para. (1) lit. b) of the Regulation by using and creating an account on the SustainAbility School platform and going through the study webinars on the platform.

Categories of personal data processed by thecontroller The types of information we may collect are as follows:

full name;
e-mail address;
address;
banking data;
internet protocol (IP) address;
a cookie identifier;

Source from which personal data originate:

The data processed by the Operator are the data that you have communicated to us directly and/or indirectly and that are necessary for the fulfillment of the purposes set out above.

The recipient or categories of recipients to whom personal data are disclosed:

The Operator may share your data with third parties in order to fulfill its legal obligations.

Your personal data may also be transmitted to our trusted partners, ensuring that the processing of your data will be done in compliance with the applicable legal provisions, for the purposes for which it was provided.

 

Storage period of personal data:

The operator may keep the data for as long as the law provides for the obligation to keep such data or for as long as the data subject's consent is given or, as the case may be, untilthe conclusion/end of the event in which you have registered as a participant or volunteer.

 

THE RIGHTS OF DATA SUBJECTS

Each data subject may contact the Controller at any time and free of charge with a notification in order to exercise the following rights provided for in the Regulation:

(1) The right to be informed - You have the right to access your information by making a request to the Operator's e-mail address if you wish to access the personal information that the Operator holds about you (right of access, Article 15 of the Regulation);
(2) Right to rectification - If the information that the Operator holds about you is inaccurate or incomplete, you have the right to ask for it to be corrected. If this data has been transmitted to a third party with your consent or for legal reasons, then theOperator will have to ask them to rectify the data as well (right of access, Art. 16 of the Regulation);
(3) Right to erasure - The Controller aims to process and retain your data only for as long as necessary. In certain circumstances, you have the right to request theOperator to erase your personal data it holds. If you believe that the Operator is keeping your data longer than necessary, contact the Operator to check whether your contract has ended. If it has, there may still be legal grounds for processing yourpersonal data (right of erasure, Article 17 of the Regulation).
(4) Right to restrict data processing - In certain circumstances you have the right to ask the Controller to restrict the way your data is processed. This means that theController is

 

1

 

allowed to store the data but not to further process it (right to restriction of processing, Article 18 of the Regulation),

(5) The right to data portability - According to the Regulation you have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format and you have the right to have these data transmitted to another controller without obstacles from the controller to whom the personal data were provided, if:
1. the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b);
2. processing is carried out by automated means (right to data portability, Article 20 of the Regulation).
(6) Right to object - At any time, you have the right to object, in accordance with Article 21 of the Regulation, to the processing pursuant to Article 6(1)(e) or (f) or Article 6(1) of personal data concerning you, including the creation of profiles on the basis of those provisions. In such a case, the Controller shall no longer process the personal data, unless the Controller demonstrates compelling legitimate grounds justifying the processing which override your interests, rights and freedoms.
(7) Right to withdraw consent - If you have given your consent to the processing of your data, but later change your mind, you have the right to withdraw your consent at any time and the Controller must stop the processing (right to withdraw consent, Article 7 of the Regulation).
(8) Right to complain to the supervisory authority - If you consider that the Controller has failed to respond to your request to resolve a specific problem, you have the rightto complain to the National Supervisory Authority for Personal Data Processing (right to lodge a complaint to a supervisory authority, Article 77 of the Regulation).

 

Disclosure and transfer of personal data

The information we collect from you will be processed in the European Economic Area. Also, based on the consent you give us, certain categories of data you provide (such as your first and last name) may be published on the sustainability-school.eu website, to the extent that you give us a testimonial.

 

The Operator takes all reasonable steps to apply appropriate safeguards to protect theconfidentiality and security of your personal data during the transfer and to use it only in accordance with your relationship with the Operator and the practices described in this Privacy Policy. The Operator minimizes the risk to your rights and freedoms by not collecting or storing sensitive information about you.

 

We may also disclose your personal data:

• to the extent that we are obliged to do so by law;
• in connection with any ongoing or potential legal proceedings;
• to establish, exercise or defend legal rights (including providing information to othersfor fraud prevention purposes).

 

Third party websites

 

This website may include hyperlinks to and details of third party websites. We have no control over and are not responsible for the privacy policies and practices of third parties.

 

Data breaches

1

 

data breach occurs when the data for which the Controller is responsible suffers a security incident that accidentally or unlawfully results in the compromise of the confidentiality, availability or integrity of personal data, such as for example, the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data.

Such security incidents can occur, for example, as a result of cyber-attacks, but also when equipment (such as a laptop phone, etc.) on which personal data is stored is lost, or when an e-mail containing personal data is sent in error to someone other than the intended recipient.

Any person who becomes aware of a security incident that may lead to personal data being compromised must immediately notify the management of the Operator who, together with the IT Officer,shall analyze the incident, then establish and implement the necessary measures to eliminate the consequences of the incident.

 

Where the breach is likely to present a risk to the rights and freedoms of natural persons, the Operator is obliged to notify the National Supervisory Authority for Personal Data Processing within 72 hours of becoming aware of the breach.

 

If the data breach poses high risk to the individuals affected, then all such individuals must also be informed (unless effective technical and organizational safeguards or other measures have been implemented to ensure that the risk is no longer likely to materialize).

 

Final provisions

 

This section on data protection is designed to inform you about the processing of your personal data and your rights regarding such processing in accordance with the General Data Protection Regulation and applicable national law.

If you have any questions about your personal information or if you wish to exercise your rights or have any queries or complaints, please contact us by sending a request to our address in Bucharest, 7 Benjamin Franklin Street, or by sending an e-mail to [email protected].

Also, in order to update or correct your personal data, please contact us in any of the waysindicated above.