• English
  • Română
  • Deutsch

Dear Partners,

Thank you for your visit on our website and for your interest in our companies and their activities.

In the context of the European legislation changes,  regarding the protection of individuals and  the processing of their personal data and on the free movement of such data, all companies from RAP Group (RAPTRONIC SRL, RAP Instal SRL, RAP Term SRL, RAP Systems SRL, RAP Confectionery RAP Development SRL, RAPTRONIC Process Engineering SRL, RAP Invest SRL, A & A Equipment SRL) are aligned with the new regulations regarding their collection, processing and storage in accordance with the Regulation (EU) 2016/679 of 27 April 2016 and repealing Directive 95/46 / EC (General Regulation on the protection of personal data).

RAP Group companies assume all the obligations and responsibilities arising from the content of the Regulation, both as personal data controllers and as processors, and guarantee that the respective personal data will be used exclusively for the purpose for which they were put at the disposal of the Group and will provide appropriate Data protection by design and by default.

The current Personal  Data Protection Compliance Policy

– applies to personal data processing by electronic means and paper-based storage systems,

– excludes any processing of personal data of employees or applicants for positions within the Group, and – does not apply to the Group’s obligations under national regulations in its specific field of activity. This Personal Data Protection Compliance Policy is effective as of 25 May 2018.

Right implementation and application of this personal data protection compliance policy shall be strictly monitored by rap group .

Willful, negligent or accidental noncompliance with this personal data protection compliance policy may result in significant financial losses and reputational damage for the group and it’s companies and possibly in disciplinary actions against liable employees of the company.

 

Rap Group generally uses the collected information for several purposes, including:

-to fulfill your requests for products, services, or support;

-to contact you;

-with your consent, where required by law, to send you promotional materials;

-to conduct research; and

-to provide anonymous reporting for internal and external clients.

 

 

Disclosure of Information

We may share or otherwise disclose the information we collect with the following categories of recipients:

Authorized third-party vendors and service providers. We share your information with third-party vendors and service-providers that help us with specialized services, including email deployment, business analytics, marketing, and data processing.

-Rap Group companies. We may share your information between Rap Group companies.

-Legal purposes. We may disclose information to respond to subpoenas, court orders, legal process, law enforcement requests, legal claims or government inquiries, and to protect and defend the rights, interests, safety, and security of Benchmark, our users, or the public.

-With your consent. We may share information for any other purposes disclosed to you at the time we collect the information or pursuant to your consent.

 

 

Principles relating to processing of personal data

  1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

  1. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

 

Responsibility of the controller

  1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
  2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
  3. Adherence to approved codes of conduct (as referred to in Article 40 of the Regulation) or approved certification mechanisms (as referred to in Article 42 of the Regulation) may be used as an element by which to demonstrate compliance with the obligations of the controller.

 

Processor

  1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
  2. The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
  3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all measures required pursuant to Article 32;

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

  1. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
  2. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
  3. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
  4. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
  5. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
  6. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
  7. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

 

Data protection by design and by default

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
  3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

 

Flows of personal data to and from countries outside the Union and international organizations

Flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international contracts. When personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organizations, the level of protection of natural persons ensured in the Union by the GDPR  should not be undermined, including in cases of onward transfers of personal data from the third country or international organization to controllers, processors in the same or another third country or international organization. In any event, transfers to third countries and international organizations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organizations are complied with by the controller or processor.

 

This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organizations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.

 

For complete version of the GDPR Regulation, please follow the link below:

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EL

For any additional information, please contact us directly over the following e-mail address:

gdpr@rap-group.ro

or, over our GDPR consultant, Mr. Atilla Albu at phone No. :  +4072 650 00 56