Privacy
1. Introduction
Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR") replaces the 1995 EU Data Protection Directive while also replacing the legislation of each Member State that was drafted in accordance with the Data Protection Directive 95/46/EC. Its purpose is to protect the rights and freedoms of natural persons (living natural persons) and to ensure that personal data is not processed without their knowledge and, whenever necessary, that it is processed with their specific and informed consent.
Definitions used by YSN34 Transport S.R.L. (taken from the GDPR)
Material scope of application (Article 2) - GDPR applies to the processing of personal data wholly or partly by automated means (computer, laptop), as well as to the processing by means other than automated means of personal data (paper records) which form part of a data filing system or are intended to form part of a data filing system.
Territorial scope (Article 3) – The GDPR will apply to all controllers established in the EU (European Union) that process the personal data of data subjects, regardless of whether the processing takes place within the EU. It will also apply to controllers outside the EU who process personal data to offer goods and services or to monitor the behavior of data subjects residing in the EU.
Article 4 Definitions
National Authority for Personal Data Protection – is the public authority in Romania, with headquarters at B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania, website http://www.dataprotection. ro, whose purpose is to protect the fundamental rights and freedoms of individuals, in particular the right to intimate, family, and private life, in relation to the processing of personal data and the free movement of such data (“ANSPDCP”)
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious beliefs or philosophical convictions or trade union membership, and the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Consent of the data subject – means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Child – The GDPR defines a child as any person under the age of 16, although this may be reduced to 13 by the domestic law of the Member State. The processing of a child's personal data is only lawful if the consent of the parents or guardians has been obtained. The operator shall make every reasonable effort to verify in such cases that the holder of parental authority has given consent.
Profiling – any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyze or predict that person's performance at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the data subject's right to object to profiling and the right to be informed about the existence of profiling, measures based on profiling, and the intended effects of profiling on the individual.
Personal data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity. Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The controller is required to report personal data breaches to the supervisory authorities and cases where the breach could adversely affect the personal data or privacy of the data subject.
Controller – a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Third party – a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or the processor, are authorized to process personal data.
Data subject – any living natural person who is the subject of personal data held by an organization.
Processing – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Headquarters – the main place of business of the controller in the EU will be the place where the controller takes the main decisions regarding the purpose and means of its data processing activities. The main place of business of a controller in the EU will be the place where its central administration is located. If a controller is established outside the EU, it will have to appoint a representative in the jurisdiction where the controller carries out its activities to act on behalf of the controller and deal with the supervisory authorities.
Data filing system – any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or distributed according to functional or geographical criteria.
2. Policy Statement
YSN34 Transport S.R.L., through its management members, with its registered office in ILFOV Municipality, Str. Florilor 8, Ap301, Ilfov County, registered with the Trade Register under no. J2025003173007 CUI RO 51149148, undertakes to comply with all relevant EU and Member State laws on personal data and the protection of the rights and freedoms of individuals whose information it collects and processes in accordance with the GDPR. Compliance with the GDPR is described in this policy and relevant procedures, such as the Data Subject Request Procedure, the Data Breach Procedure, and related processes and procedures. The GDPR and this policy apply to all YSN34 personal data processing operations, including those performed on the personal data of customers, employees, and partners, and any other personal data that the organization processes from any source. This policy applies to all YSN34 employees, as well as its suppliers who process personal data as YSN34's representatives. Any breach of the GDPR or this policy will be dealt with in accordance with YSN34's internal policy, and under the conditions set out in the GDPR, YSN34 will notify the ANSPDCP of the breach. If the act that led to the breach may also constitute a criminal offense, it will be brought to the attention of the competent authorities as soon as possible. YSN34 partners who process personal data as representatives and who have or may have the right to information must have read, understood, and complied with this policy. YSN34 will communicate this policy to any such partner. No third party may process personal data held by YSN34 without having entered into a contract whereby the parties regulate their obligations regarding data confidentiality. YSN34 will impose on the third party obligations at least as onerous as those to which YSN34 is committed.
3. Responsibilities and roles under the General Data Protection Regulation
YSN34 is a personal data controller under the GDPR. The members of YSN34's management bodies are responsible for developing and promoting good practices for the management of personal data within YSN34. The members of YSN34's management bodies are responsible for reassessing the analysis of the impact on the protection of personal data in situations where YSN34 intends to initiate special data processing or processing that may pose a high risk to the rights and freedoms of individuals. A new analysis will also be carried out if national legislation introduces additional obligations regarding the protection of personal data beyond those provided for in the GDPR. Compliance with data protection legislation is the responsibility of all YSN34 employees who process personal data.
4. Data protection principles
Any processing of personal data must be carried out in accordance with the data protection principles as set out in Article 5 of the GDPR. YSN34's policies and procedures are designed to ensure compliance with the principles. Personal data must be processed lawfully, fairly, and transparently Lawful – identify a legal basis before you can process personal data. These are often referred to as “grounds for processing”: legal obligation, contract, consent, YSN34’s legitimate interest, public interest, or the vital interests of the data subject. Fair – for processing to be fair, the data controller must inform data subjects before processing begins or as soon as possible. Information is mandatory regardless of whether personal data has been obtained directly from data subjects or from other sources. Transparent – Articles 12, 13, and 14 of the GDPR establish the rules for informing data subjects. The provisions are detailed and specific, emphasizing that privacy notices must be easy to understand and accessible. The information must be communicated to the data subject in an intelligible form, using clear and plain language. The specific information to be provided to the data subject must include at least: the identity and contact details of YSN34; the contact details of the person(s) responsible for data protection; the purpose of the processing of personal data and the legal basis for the processing; the period for which the personal data will be stored; the existence of the rights to request access, rectification, erasure, or objection to processing and the conditions (or lack thereof) for exercising these rights, such as the impact on the lawfulness of previous processing; the categories of personal data concerned; the recipients or categories of recipients of the personal data, where applicable; if applicable, that YSN34 intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data; any additional information necessary to ensure fair processing. Personal data may only be collected for specific, explicit, and legitimate purposes. Data obtained for specific purposes must not be used for a purpose other than that originally stated in the processing register held by YSN34. Personal data must be adequate, relevant, and limited to what is necessary for processing The person(s) responsible for data protection must ensure that YSN34 does not collect information that is not strictly necessary to achieve the purpose for which it was obtained. All forms of data collection (electronic or paper-based), including data collection requirements in new IT systems, must include a statement of fair processing or a link to the Privacy Policy and be approved by YSN34. YSN34 will ensure in its annual internal audit that the data collected continues to be adequate, relevant, and proportionate to the purpose for which it is collected. Personal data must be accurate and, where necessary, kept up to date by erasure or rectification without delay. Data stored by the data controller must be reviewed and updated as necessary. Data should not be kept unless it can reasonably be assumed that it is accurate. YSN34 is responsible for ensuring that all staff are trained on the importance of collecting accurate data and maintaining it. It is also the responsibility of the data subject to ensure that the data held by YSN34 is accurate and up to date. The completion of a registration form or application by a data subject will include a statement that the data contained therein is accurate at the time of submission. Employees, partner representatives, and customers must notify YSN34 of any changes to personal data to allow the personal data record to be updated accordingly. It is YSN34's responsibility to ensure that any notification of a change in circumstances is recorded and taken into account. YSN34 has a responsibility to ensure that there are adequate procedures and policies in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed at which it may change, and any other relevant factors. At least annually, the person responsible for processing personal data shall check the deletion deadlines for all personal data processing carried out by YSN34, as recorded in the Data Processing Register.
5. Rights of data subjects
Data subjects have the following rights regarding data processing: Right of access – whereby they can obtain confirmation from He YSN34 as to whether or not their personal data is being processed. Right to rectification – this means the possibility to request YSN34 to rectify inaccurate data concerning them; Right to be forgotten – through which they can obtain the deletion of their data by the controller, under certain conditions provided for in the Regulation; Right to restriction of processing – arises in the case of inaccurate, illegal processing, or the exercise of the right to object by the data subject; Right to data portability – the right to receive personal data concerning them and which they have provided to YSN34 in a structured, commonly used, and machine-readable format, which also includes the right to transmit those data to another controller; Right to object – includes the right to object to profiling. Right to information – means informing data subjects in a concise, transparent, and easily accessible manner about the data being processed. To contact the Supervisory Authority if they notice a breach of the GDPR. YSN34 ensures that data subjects can exercise these rights: Data subjects may make requests for access to data as described in the Data Subject Request Procedure. Data subjects have the right to lodge complaints with YSN34 regarding the processing of their personal data.
6. Consent
YSN34 understands “consent” to be given by an unequivocal action that constitutes a freely expressed, specific, informed, and clear manifestation of the data subject's agreement to the processing of their personal data. The data subject may withdraw their consent at any time. Consent obtained under pressure or based on misleading information will not constitute a valid basis for processing. There must be evidence of communication between the parties to demonstrate the consent expressed by the data subjects. Consent cannot be inferred from a lack of response to a communication. YSN34 must be able to demonstrate that consent has been obtained for the processing operation. For the processing of sensitive data, the explicit written consent (Consent Procedure) of the data subjects must be obtained, unless there is another legal basis for processing. Where necessary, consent is the legal basis for processing, it will be obtained by YSN34 using the Consent Procedure.
7. Data security
All employees must ensure that any personal data held by YSN34 and for which they are responsible is kept secure and is not disclosed in any way to any third party, unless that third party has been expressly authorized by YSN34 to receive such information. All personal data should only be accessible to those who need to use it in accordance with access rights. All personal data must be handled with the utmost security and must be stored: in a locked room with controlled access; and/or in a locked drawer or cabinet; and/or, if computerized, password-protected in accordance with the security level established by YSN34; and/or stored on encrypted (removable) media. YSN34 employees shall ensure that the screens of the devices they use are not visible to any unauthorized third party. Physical documents and any copies thereof shall not be left in places accessible to unauthorized personnel and may not be used outside the workplaces where they are stored or the YSN34 headquarters without explicit authorization. Any copies must be destroyed as soon as the purpose for which they were made has been fulfilled. Physical documents for which the established deletion period has expired must be discarded and destroyed as “confidential waste.” Prior to the decommissioning of electronic devices, their storage media must be reset to factory settings or destroyed. Processing personal data outside YSN34 poses a potentially higher risk of loss, theft, or damage to personal data. Employees must be specifically authorized to process data off-site.
8. Disclosure of data
YSN34 must ensure that personal data is not disclosed to unauthorized third parties. YSN34 employees are aware that unauthorized third parties include family members and friends.
9. Data retention and disposal
YSN34 will not keep personal data in a form which permits identification of data subjects for longer than is necessary in relation to the purpose(s) for which the data were originally collected. YSN34 may store data for longer periods where the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject. Personal data must be securely disposed of, in accordance with the sixth principle of the GDPR – processed in a manner appropriate to maintain security, thus protecting the “rights and freedoms” of the data subjects.
10. Data transfers
The transfer of personal data outside the EEA is prohibited unless one or more of the specified safeguards or exceptions apply: An adequacy decision The European Commission can and will assess third countries, a territory and/or certain sectors within third countries to assess whether there is an adequate level of protection of the rights and freedoms of natural persons. In these cases, no authorisation is required. Countries that are members of the European Economic Area (EEA) but not of the EU are accepted as meeting the conditions of an adequacy decision. A list of countries that currently meet the Commission's adequacy requirements is published in the Official Journal of the European Union. http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm Privacy Shield If YSN34 wants to transfer personal data from the EU to an organisation in the United States, it should check whether the organisation is registered under the Privacy Shield with the US Department of Commerce. The US DOC is responsible for managing and administering the data protection system and ensuring that companies comply with their commitments. In order to be certified, companies must have a privacy policy in place that complies with the Privacy Principles, i.e., the use, storage, and transfer of personal data in accordance with a strong set of data protection rules and safeguards. The protection afforded to personal data applies regardless of whether the personal data relates to an EU resident or not. Organizations must renew their “membership” to the Privacy Shield every year. If they do not, they can no longer receive and use personal data from the EU under this framework. Adequacy Assessment by the Data Controller When assessing adequacy, the exporting controller must take into account the following factors: the nature of the information transferred; the country or territory of origin and the final destination of the information; how the information will be used and for how long; the laws and practices of the country where it is transferred, including relevant codes of practice and international obligations; and the security measures to be taken with respect to the data in the foreign location. Binding corporate rules YSN34 may adopt its own for the transfer of data outside the EU. These require the prior approval of the competent supervisory authority. Exceptions In the absence of an adequacy decision, Privacy Shield membership, binding corporate rules, the transfer of personal data to a third country or to an international organization shall only take place under the following conditions: the data subject has explicitly consented to the proposed transfer,after being informed of the possible risks of such transfers for the data subject, due to the lack of an adequacy decision and appropriate safeguards; the transfer is necessary for the performance of a contract between the data subject and the controller or for the execution of pre-contractual provisions adopted at the request of the data subject; the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; the transfer is necessary for important reasons of public interest; the transfer is necessary for the establishment, exercise or defence of legal claims; and/or the transfer is necessary to protect the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving consent.
11. Personal data processing register
YSN34 has carried out a data inventory and a Processing Record as part of its GDPR compliance project. YSN34 is aware of any risks associated with the processing of certain types of personal data. YSN34 assesses the level of risk associated with the processing of personal data for data subjects. Data protection impact assessments are carried out in relation to the processing of personal data by YSN34, and in relation to processing carried out by other organisations on behalf of YSN34. YSN34 manages any risks identified through analysis carried out, in order to reduce the likelihood of infringement of the provisions on the protection of personal data contained in this policy. Taking into account the nature, scope, context and purposes of the processing, where a type of processing, in particular based on the use of new technologies, is likely to generate a high risk to the rights and freedoms of natural persons, YSN34 carries out, prior to processing, an analysis of the impact of the envisaged processing operations on the protection of personal data. A single analysis may address a set of similar processing operations that present similar risks. Where, as a result of a DPIA, it is clear that YSN34 is about to start processing personal data that is likely to cause harm to data subjects, the decision whether YSN34 can proceed must be submitted for review to the person(s) responsible for processing the personal data. Where there are significant concerns, either about the potential harm or the amount of data involved, the person(s) responsible for processing the personal data will submit the matter to the supervisory authority, following the prior consultation procedure referred to in Article 36 of the GDPR.
YSN34 TRANSPORT SRL
YSN34 TRANSPORT S.R.L.
CUI (Tax nr.): RO51149148
Reg Com: J2025003173007
Delivery, Return: & Cancel Order
© YSN34 Transport SRL. All Rights Reserved. Designed by HTML Codex
