INFORMATION NOTE ON PERSONAL DATA PROCESSING ACCORDING TO ART. 13 AND 14 OF REGULATION (EU) NO. 2016/679
Mega Image S.R.L., a limited liability company, organised and operating under the Romanian law, registered with the Romanian Trade Register Office under number J40/27872/1994 and Sole Reg. Code 6719278, with registered office in Bulevardul Timişoara Nr. 26, Etaj 2, Sector 6, Bucharest, Romania (hereinafter referred to as "We", "Mega Image" or "Data Controller") hereby communicate to you this Information Note in order to provide you with a summary of our practices regarding the collection, registration, organisation, structuring, storage, adoption or amendment, extraction, consulting, use, disclosure by transmission, dissemination or making available in any way, alignment or combining, restricting, erasing or destroying (hereinafter referred to as "Processing") of information of any type about you (hereinafter referred to as "Data Subject") (hereinafter referred to as "Personal Data") related to the activity carried out by you (i) within the relationship with Mega Image or, if applicable (ii) for your employer/collaborator with whom Mega Image has concluded various contractual relationships. Every time we are using a technical term taken from the applicable laws and regulations on data confidentiality, we shall explain it in parenthesis the first time (as above), and then we shall use it hereinafter, the term having the defined meaning.
I. Categories of Personal Data
We process your Personal Data (hereinafter referred to as "Data about the Data Subject"), as well as certain special categories of personal data about you (i.e., data regarding your health condition - hereinafter referred to as "Special Categories of data about the Data Subject").
As a rule, we may process your Personal Data in your capacity as:
i. Member (employee, collaborator, etc.) of one of our contractual partners (legal person) in order to maintain the contractual relationship with the company which you are part of. In order to collaborate with the company which you are part of (including to communicate with you for the solving of any issues which your company or Mega Image encounters in relation to the agreement between them), we will have to process personal data about you. In this case, we shall base our processing on our legitimate interests of being able to execute the agreements that we concluded with other companies and to make sure that the other companies execute, in turn, those agreements, as well as on legal grounds, taking into account our obligations set under the law.
ii. Our contractual partner - natural person in order to establish and maintain contractual relationships with you. It is necessary to process certain information about you in order to initiate and maintain our collaboration with you. In this case, we shall base our personal data processing about you on the need of processing for the conclusion/execution of the agreement between you and us, as well as on legal grounds.
II. The purposes, processed Personal Data, respectively the grounds of Processing of your Personal Data
We process your Personal Data to the extent permitted or imposed by the applicable law for the following purposes:
i. Carrying out commercial, operational activities, indirect purchases/providers' management activities (local or group level), activities for the establishment of a contractual relationship between business partners, activities of managing the relationship between business partners (hereinafter referred to as "Purposes related to commercial-operational activities");
o Data Categories of the involved Data Subject
First and last name, phone number, contact details (residence address, post code, city), email address(es), bank account, position/capacity at the workplace, employee identification number, PIN, information regarding the salary, signature, parents' name/family
o Legal grounds
Based on legitimate interest (art. 6, para. 1, letter f) GDPR), contractual grounds (art. 6, para. 1, letter b) GDPR), based on a legal obligation (art. 6, para. 1, letter c) GDPR)
ii. Complying with financial responsibilities, including with audit requirements (internal and external), analysis and control of costs/budgets, treasury activities/bank guarantee letters issuing, financial activities for managing clients/providers/database and issuing invoices to the clients of the restaurant pertaining to Mega Image (hereinafter referred to as "Purposes related to financial aspects and audit");
o Data Categories of the involved Data Subject
First and last name, email address, contact details (residence address, post code, city), phone number, tax identification number/tax details, bank account, account number/client number, signature, work schedule/worked hours, data regarding the seller/client, IP address(es), profiling, segmentation, employee identification number, PIN
o Legal grounds
Based on a legal obligation (art. 6, para. 1, letter c) GDPR), contractual grounds (art. 6, para. 1, letter b) GDPR), based on a legitimate interest (art. 6, para. 1, letter f) GDPR)
iii. The performance of IT resource access control activities, operational support activities, facilitating access to the company's IT resources based on the agreement and services provided, respectively depending on business needs and internal security rules (hereinafter referred to as "Purposes related to control and IT support activities");
o Data Categories of the involved Data Subject
First and last name, position/capacity at the workplace, phone number, email address, work schedule/worked hours, IP address, device identification data, profiling, segmentation, signature, employee identification number
o Legal grounds
Based on legitimate interest (art. 6, para. 1, letter f) GDPR)
iv. Carrying out non-profit organisations sponsorship activities (in fields such as: environment, education, sports, health, humanitarian etc.) (hereinafter referred to as "Purposes related to sponsorship activities");
o Data Categories of the involved Data Subject
First and last name, address, email address
o Legal grounds
Based on legitimate interest (art. 6, para. 1, letter f) GDPR)
v. Management of the debts register in the insurance field (e.g., claims initiated by third parties regarding Mega Image products or employees) (hereinafter referred to as "Purposes related to insurance activities");
o Data Categories of the involved Data Subject
First and last name, phone number, data contained in the ID, details regarding the incident, respectively data regarding the vehicle and the owner of the vehicle
o Legal grounds
Based on legal obligation (art. 6, para. 1, letter c) GDPR), based on legitimate interest (art. 6, para. 1, letter f) GDPR)
vi. Carrying out document transports between offices/internally (hereinafter referred to as "Purposes related to the management of document transport");
o Data Categories of the involved Data Subject
First and last name, phone number, transport data, position/capacity at the workplace, images, signature, account number/client number
o Legal grounds
Based on legitimate interest (art. 6, para. 1, letter f) GDPR)
vii. Making reservations at the restaurant pertaining to Mega Image (hereinafter referred to as "Purposes related to the management of the restaurant's activity");
o Data Categories of the involved Data Subject
First and last name, phone number, reservation time
o Legal grounds
Based on legitimate interest (art. 6, para. 1, letter f) GDPR)
viii. For the fulfilment of legal obligations, such as to maintain our accounting evidence and to submit the necessary reports to the state authorities (hereinafter referred to as "Purposes related to the fulfilment of legal obligations");
o Data Categories of the involved Data Subject
Contact details (residence address, post code, city), social or health insurance number, social and psycho-social information
o Legal grounds
Based on legal obligation (art. 6, para. 1, letter c) GDPR)
ix. Carrying out various activities with or with the support of our contractual partners, such as analyses, surveys, statistics, etc., in order to improve the activity and processes of Mega Image as well as to implement in our operations appropriate measures to protect the environment and Mega Image customers (hereinafter referred to as "Organizational Purposes");
o Data Categories of the involved Data Subject
Name and surname, represented entity, position, telephone number, e-mail address, content of questionnaires or other content / answers related to the documentation prepared / used in the project
o Legal grounds
Based on the legitimate interest (art. 6 paragraph 1 letter f) GDPR)
x. In order to provide you access to our promotions and news (hereinafter referred to as "Purposes related to marketing").
o Data Categories of the involved Data Subject
First and last name, email address, position/capacity at the workplace, phone number, order number, shop, country
o Legal grounds
Based on legitimate interest (art. 6, para. 1, letter f) GDPR), based on consent (art. 6, para. 1, letter a) GDPR)
III. Data sources
Your personal data can be collected by us from various sources such as:
- Directly from you when you are party to an agreement concluded with us or when you request various information or services from us;
- From your employer if we have an agreement concluded with it or when we are about to carry out procedures for the conclusion of such an agreement;
- As a result of the correspondence carried out with you or with a business partner who provides us with your data;
- From other entities in the Ahold Delhaize group with which you have already concluded a contract, in order to be contacted by Mega Image for the purpose of establishing a contractual relationship;
- From public sources, such as Trade Register, Official Gazette or from the media, various websites, various databases;
- From our insurers, as a result of an event in which you are involved.
IV. Data transfers, recipients and the legal grounds of these transfers
- Recipients
Other companies in the group: We transfer your Data about the Data Subject to other companies from the Ahold Delhaize group, to the extent allowed by the applicable laws for the legitimate interests of Mega Image, in order to facilitate internal communication, to manage the tasks, the identification / contracting of certain suppliers and the identification / contracting of certain suppliers together with other companies from the Ahold Delhaize group.
Third parties: Mega Image and/or other companies in the Ahold Delhaize group may transfer data to government and regulatory agencies (e.g., tax authorities), national social insurance houses, courts and other governmental authorities, in compliance with the provisions of the applicable law, according to Art. 6 (1) (c) GDPR, and to external consultants as data controllers (for example: attorneys, accountants, auditors, etc.) according to Art. 6 (1) (f) GDPR.
Service sellers (from within the Ahold Delhaize group and outside it): Within its usual commercial operations, Mega Image concludes agreements with third party service Sellers or with other companies within the Ahold Delhaize group for the performance of certain tasks related to Human Resources or IT, for the management of Human Resources at global level.
When we are bound, pursuant to local provisions, to process Special Categories of data about the Data Subject, this information is transferred outside the country only if the applicable law allows it.
- Cross-border data transfers
We transfer your Data about the Data Subject outside the country you are in. Some recipients of your Data about the Data Subject are located in countries for which the European Commission has not issued a decision on whether an adequate level of data protection is ensured, namely: the United States of America or some of the non-European locations of the companies from the Ahold Delhaize group.
In each case, the transfer is recognized as providing an adequate level of data protection in light of European data protection legislation (Chapter V GDPR). Thus, by concluding data transfer contracts based on the Standard Contractual Clauses (European Commission Decision 2010/87/EU and/or European Commission Decision 2004/915/EC), according to Art. 46 (5) GDPR, or by using other appropriate means, we determined that all other recipients outside the EEA provide an adequate level of data protection for the Data about the Data Subject and that there are appropriate technical and organisational security measures in place to protect the Data about the Data Subject against accidental or unlawful destruction, loss or accidental alteration, disclosure or unauthorized access and against all other illegal forms of processing. All subsequent transfers (including to our non-EEA affiliates) are subject to the transfer requirements set out in the applicable law.
V. Retention periods
The personal data processed for the purposes mentioned herein shall be stored only for the time that is necessary, during your labour/collaboration relationship established with the provider/economic operator/institution, etc. with whom Mega Image has established contractual relationships, respectively during your collaboration relationship with Mega Image, but also subsequent to the termination of your contractual relation, in accordance with the applicable legal provisions or for the purpose of documenting the adequate termination of the collaboration relation (for example: for tax authorities, etc.). If a legal action is initiated, Personal Data may be stored until the end of this action, including any appeal periods, and then it shall be deleted or archived, according to the provisions of the applicable law and/or the Mega Image Data Retention Policy. In principle, we shall keep your Personal Data for the period required or permitted by the applicable law. Subsequently, we shall remove/erase your Personal Data from our systems and records and/or take steps to anonymize it so that you can no longer be identified based on it. In all cases, the personal data in the agreements, communications and other identified documents may be subject to legal retention requirements, which require, in principle, the retention for up to 10 years. Any other Personal Data shall be, in principle, erased in at most 3 years from the termination of the labour/collaboration relationship between you and Mega Image, respectively with the provider/economic operator/institution etc. with whom Mega Image has established contractual relationships.
VI. Your legal rights
Based on the conditions provided by the applicable law (GDPR), you have the following rights:
- Access right: You have the right to be informed, upon request, if your Personal Data is processed, and if so, you have the right to request access to it. The information includes, among others, Processing purposes, personal data categories involved and recipients or recipient categories to whom your Personal Data has been disclosed or shall be disclosed.
You have the right to obtain a copy of the processed Personal Data. For additional copies, we may charge a reasonable fee based on administrative costs.
- Right to rectification: You have the right to obtain from us the rectification of your incorrect Personal Data. Depending on the Processing purpose, you have the right to complete the incomplete Personal Data, including by means of an additional statement.
- Right to erasure ("the right to be forgotten"): You have the right to request us to erase your Personal Data.
- Right to restriction: You have the right to request the restriction of Processing of your Personal Data. In this case, said data shall be marked and can be processed by us only for certain purposes.
- Right to data portability: You have the right to receive the Personal Data that you have provided us, in a structured, common format that can be read by devices, and you have the right to send this data to another entity without objections from us.
- You have the right to object, for reasons related to your situation, at any time, to the processing of your personal data by us, and we may be required not to process your personal data. If you have the right to object and you exercise it, we shall no longer process your personal data for that purpose. There is no cost for exercising this right.
This right may be invalidated in particular if the processing of your personal data is necessary for the formalities related to the conclusion of an agreement or for the fulfilment of an already concluded agreement.
Please note that the above rights may be limited under the applicable national data protection legislation. Mega Image, as your contractual partner or as partner of your employer/collaborator remains the central point of contact in order to exercise these rights.
You also have the right to file a complaint with the National Authority for the Supervision of Personal Data Processing.
Please send any questions to the address Bulevardul Timişoara Nr. 26, Etaj 2, Sector 6, Bucharest, Romania or by email to dataprotection@mega-image.ro.
Note:
Regulation (EU) no. 2016/679 on the protection of natural persons with regard to personal data processing and the free circulation of this data, repealing Directive 95/46/EC (hereinafter referred to as "General Data Protection Regulation" or "GDPR").