NIS PETROL S.R.L., an entity incorporated and functioning in accordance with the laws of Romania, having its registered office at 246-C Calea Floreasca, 9th floor, District 1, Bucharest, Romania registered with the Trade Registry under no. J40/11127/2011, sole registration code RO29111546, acting in its capacity as data controller (the “Company”) collects and processes Personal Data about you (the "Contractual Partner"), if you are self-employed, and your shareholders/ associates, legal representatives, employees' and collaborators (jointly defined the "Data Subjects") during your performance of an agreement (the "Agreement") with the Company.
If any Data Subject or the Contractual Partner has any doubt or questions about this Data Protection Notice or intends to exercise the rights provided by this Data Protection Notice, they can contact the Company at email address specified below at Section 2.
Please notify this to Data Subjects whose Personal Data we process on the basis of the Agreement concluded with you.
Unless otherwise provided herein, and where applicable, any term used under this Contractual Partner Privacy Notice shall have the same meaning given to them in EU General Data Protection Regulation 2016/679 (the "GDPR").
2. Who is the data controller?
The Company is the data controller with regard to the processing of the Data Subjects' Personal Data. If you have questions or requests about the processing of your Personal Data (as defined below), or need additional information, you can contact the Company’s Data Protection Officer ("DPO") at:
Tel. No: (004) 0737.088.124
3. What kind of Personal Data is processed by the Company?
During the execution of the Agreement, the Company collects and processes the personal data provided by the Contractual Partner regarding the Data Subjects, such as the Data Subjects' name, surname, work e-mail address, work telephone number and professional title, copy of identity card, Personal Identification Number (PIN), home address, signature, video recordings (CCTV images) from fuel stations, participation in the share capital (for shareholders / associates) (the "Personal Data").
4. How do we use your Personal Data and on what legal basis?
The Personal Data will be processed by the Company in compliance with applicable laws and regulations, including but not limited to the GDPR, for the following purposes:
Description of purpose
Type of Personal Data processed
Consequences of refusal to provide Personal Data
For the performance of the contractual obligations with the Contractual Partner
The refusal to provide the Personal Data would determine the impossibility to sign and execute the Agreement between the Contractual Partner and the Company.
Compliance with legal obligations
complying with legal and other requirements, such as income tax and national insurance deductions, record-keeping and reporting obligations, conducting audits, compliance with health and safety requirements
In order for the Company to comply with the applicable law
The refusal to provide the Personal Data would determine the impossibility to sign and execute the Agreement between the Contractual Partner and the Company
5. How do we process your Personal Data?
Personal Data is processed through both electronic and manual means and is protected through adequate security measures. With this regard the Company will take appropriate administrative, technical, personnel and physical measures to protect the Personal Data that are consistent with applicable privacy and data security laws and regulations that in particular include protecting Personal Data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access. This includes requiring service providers to use appropriate measures to protect the confidentiality and security of Personal Data.
6. Who has access to the personal data?
The Company might communicate the Personal Data for the purposes set out in this Data Protection Notice with the following categories of entities that can be located within and outside the European Union, in compliance with what indicated in Section 7 below:
NIS a.d. Novi Sad-sole shareholder of the Company
|OIL PROCESSING COMPANY NORTH BALKANS SRL
|Firme partenere care administrează stațiile de alimentare carburanți
Fuel card transaction processing
|PRICEWATERHOUSE COOPERS AUDIT SRL
|Fuel card transaction processing
|SC MARSH BROKER DE ASIGURARE-REASIGURARE SRL, SC EULER HERMES SA
|Commercial credit insurance
|Consultanți profesioniști: contabili, avocați și alți consultanți
|Providing consulting and representation services
|CCTV system maintenance
A complete list of the data processors may be requested to the Company with the modalities set out in Section 8 of this Data Protection Notice.
7. Is the Personal Data transferred abroad?
The Company may disclose Personal Data in the following countries situated outside of the European Economic Area (the “EEA”): Serbia.
This disclosure is performed in order to fulfill the purposes described in Section 4 of this Data Protection Notice. The Personal Data transferred is described in more detail in Section 3 of this Data Protection Notice. Please note that we have adopted appropriate safeguards to protect your Personal Data regardless of where it resides. Further information can be provided by filing a request to the Company as per Section 8 of this Data Protection Notice.
In any case, the Data Subject has the right to obtain a copy of the data transferred abroad and to acquire more information by contacting the Company at the e-mail address specified at Section 2.
8. Does the Data Subject have rights with regard to its data?
The Data Subject with regard to his/her data has the right, in any given time, to:
a) obtain confirmation as to whether or not the Personal Data exists and to be informed of its content and source, verify its accuracy or request its integration, update or amendments; and
b) request the deletion, anonymization or restriction of any Personal Data processed in breach of the applicable law.
In order to exercise the rights provided by this Data Protection Notice, the Data Subject can contact the Company at the e-mail address specified at Section 2.
In addition to the above, from May 25, 2018, Data Subjects will have the additional rights of Section 9 below.
9. What was changed starting with May 25, 2018?
From May 25, 2018, the GDPR will become effective and, as a consequence, the following provisions will apply:
A. Data retention
The Company will retain Personal Data for the duration of the Agreement plus the additional time further to the termination of the Agreement as required by other statutory laws and obligations . Please check the Company’s retention policy which is available on request by writing at the e-mail address specified at Section 2.
B. Additional rights
In addition to the rights as indicated in Section 8 above, the Data Subject will have the right, in any given moment, to:
a) request the Company to limit the processing of the Data Subject’s Personal Data where:
- it challenges the accuracy of the Personal Data until the Company has taken sufficient steps to correct or verify its accuracy;
- the processing is unlawful but the Data Subject does not want the Company to erase the Personal Data;
- the Company no longer needs the Personal Data for the purposes of the processing, but the Data Subject requires the data for the establishment, exercise or defense of a legal claim; or
- the Data Subject has objected to the processing justified on legitimate interests grounds pending verification as to whether the Company has compelling legitimate grounds to continue processing;
b) object to the processing of Personal Data;
c) request the erasure of Personal Data without undue delay;
d) port its Personal Data when the Company is relying upon the Data Subjects' consent or to the fact that the processing is necessary for the provision of services and the Personal Data is processed by automatic means;
e) lodge a complaint with the relevant supervisory authority.
In order to exercise such rights, the Data Subject can contact the Company at the e-mail address specified at Section 2.
10. Update to the Data Protection Notice
The Company may change or update this Data Protection Notice also following different interpretations, decisions, and opinions relating to the GDPR. Any changes to this Data Protection Notice will be notified in advance and become effective when we publish the revised Data Protection Notice on the Company Intranet unless otherwise provide for in the amendments.