Privacy Policy
1. Policy Scope
Respecting the right to the protection of Personal Data, as well as the right to privacy is one of the fundamental objectives of Berrystack Services S.R.L., a company incorporated and validly existing under the laws of Romania, having its registered office at Bucharest, B-dul Iuliu Maniu 15H, Bl. 2, Sc. 2, Et. 11, Ap. 188 registered with the Trade Registry under no. ROONRC.J40/9964/2021 Sole Registration Code: 44403102 (the “Company” or “Berrystack Services”). Therefore, we commit ourselves to be transparent about how the Company collects and uses your Personal Data and to fulfil its obligations regarding the protection of Personal Data as a data controller.
This policy establishes the principles in accordance with which Berrystack Services processes Personal Data of the suppliers, business partners, employees and other individuals, and the responsibilities of the employees in relation to the processing of Personal Data.
This policy applies to:
- The main office of Berrystack Services;
- All branches, and work sites of Berrystack Services;
- All staff and consultants, permanently or temporarily working for Berrystack Services;
- All contractors, suppliers and other individuals working on behalf of Berrystack Services.
It also applies to all data that the Company holds relating to identifiable individuals such as: name, surname, home or residence address, identification data, workplace, e-mail address, phone numbers, and other information about individuals.
2. Definitions
The following definitions of the terms used in this document are based on the provisions of art. 4 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”):
- Personal Data: any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Sensitive Personal Data: personal data which, by nature, are particularly sensitive in relation to the fundamental rights and freedoms and require specific protection considering that their processing could create significant risks to fundamental rights and freedoms. This Personal Data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
- Data Controller: natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- Processor: a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
- Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Anonymisation: the irreversible de-identification of Personal Data so that the individual cannot be identified, by reasonable use of time, cost and technology, either by the data controller or by any other person. The principles of processing Personal Data do not apply to anonymous data because it cannot be considered Personal Data.
- Pseudonymisation: the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person. Pseudonymisation reduces, but does not completely eliminate, the link between the Personal Data and the Data Subject. Considering that pseudonym data is still Personal Data, processing of pseudonym data should be in accordance with the principles of processing of Personal Data.
- Cross-border processing: (i) processing of Personal Data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (ii) processing of Personal Data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect Data Subjects in more than one Member State;
- Supervisory authority: an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.
3. Principles of processing Personal Data
The principles of Personal Data protection define the core responsibilities of the organizations managing Personal Data.
3.1. Lawfulness, fairness and transparency
Personal Data of the Data Subject must be lawfully, fairly and transparently processed.
3.2. Purpose limitation
Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3.3. Data minimisation
Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
3.4. Accuracy
Personal Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
3.5. Storage limitation
Personal Data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
3.6. Integrity and confidentiality
Personal Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. In some cases, it is necessary to anonymize or pseudonymize Personal Data, if possible, to reduce the risks to the Data Subjects concerned.
3.7. Accountability
The Data Controller shall be responsible for and be able to demonstrate compliance with the above-mentioned principles.
4. Integrating Personal Data protection into business activities
To demonstrate compliance with the principles of Personal Data protection, an organization should integrate a Personal Data protection structure into its business activities. Therefore, Berrystack Services has established the following general rules in relation to processing of Personal Data:
4.1. Collection
Berrystack Services must strive to collect as little Personal Data as possible. If Personal Data is collected from a third party, the employees of the Company must ensure that Personal Data is lawfully collected.
4.2. Use, retention and disposal
The main purpose of processing personal data is to respond to individuals who ask us questions or request support by completing the contact form available on the site of Berrystack Services.
Other purposes, methods, storage limitation and retention period of Personal Data should be compatible with the information provided in this privacy policy. The employees of the Company must keep the Personal Data accurate and must ensure the integrity and confidentiality of Personal Data in accordance with the purpose of the processing. Appropriate security mechanisms for the protection of Personal Data should be used to prevent the loss, theft, misuse of Personal Data and Personal Data breaches.
4.3. Disclosure to third parties
Whenever Berrystack Services uses the services of a third party or business partner for the processing of Personal Data on its behalf, the responsible person must ensure that this processor provides appropriate security measures to protect Personal Data from associated risks. For this purpose, the contractual relationships with these persons shall be governed by contractual clauses for processors in accordance with GDPR.
Berrystack Services shall require the supplier or business partner to offer the same level of protection of Personal Data. The supplier or business partner is required to process Personal Data only to fulfil its contractual obligations with Berrystack Services or in accordance with its instructions and not for other purposes. When the Company processes Personal Data with an independent third party, it must explicitly state the respective responsibilities of the third party in the relevant contract or any other legally binding document.
4.4. Cross-border transfer
Prior to any transfer of Personal Data from the European Economic Area (EEA) appropriate safeguards (e.g. standard contractual clauses) must be used in accordance with EU requirements.
4.5. Right of access
When Berrystack Services acts as a Data Controller, the responsible person of the Company must provide the Data Subjects with a reasonable access mechanism that will allow them access to their Personal Data and, if necessary or if the legal provisions require it, must allow the Data Subjects to update, rectify, erase or transfer this data.
4.6. The right to request the rectification or erasure of personal data
The Data Subject has the right to request the rectification of inaccurate or incomplete personal data which we have about him/her, or the erasure of his/her personal data in case (i) the data are no longer necessary for their original purpose (and no new lawful purpose exists), (ii) the Company initially processed the data based on the Data Subject’s consent and he/she withdraws the consent and therefore no lawful ground exists anymore, (iii) the Data Subject objects and the Company has no overriding grounds for continuing the processing, (iv) the data have been processed unlawfully, (v) erasure is necessary for compliance with EU law or Romanian law, or (vi) the data were collected from children.
4.7. The right to request the restriction of processing
The Data Subject has the right to ask for the restriction of processing in cases where: (i) the Data Subject considers that the personal data processed is inaccurate, for a period enabling us to verify the accuracy of the personal data; (ii) the processing is unlawful, however the Data Subject does not want the Company to erase his/her personal data, but to restrict the use of data; (iii) the Company no longer needs the personal data for the purposes that the Company described in this policy, but the Data Subject requires the data for establishing, exercising or defending a legal claim; or (iv) the Data Subject has objected to processing, pending the verification whether our legitimate grounds prevail.
4.8. The right to withdraw your consent for processing
When the processing is based on the Data Subject’s consent, without affecting the lawfulness of processing undertaken until that moment, the Data Subject has the right to withdraw its consent given for processing.
4.9. The right not to be subject to a decision based solely on automated processing
The Data Subject has the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects, or which affects him/her in a significant manner.
4.10. Data portability
The Data Subject shall have the right to receive the Personal Data concerning him/her, which he/she has provided to a controller, in a structured, commonly used format and have the right to transmit those data to another controller without hindrance from the controller. The responsible person must ensure that these requests are processed within one month, are not excessive and do not affect the rights to the Personal Data of others.
4.11. Right to be forgotten
Upon request, the Data Subjects are entitled to obtain from Berrystack Services the deletion of their Personal Data. The Company should take the necessary measures (including technical measures) to inform third parties or business partners using or processing this data to comply with the request.
4.12. The right to lodge a complaint with the Supervisory authority
Any Data Subject has the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
- Address: 28-30 G-ral Gheorghe Magheru Bld, District 1, post code 010336, Bucharest, Romania
- E-mail: anspdcp@dataprotection.ro
- Phone: +40 318 059 211
5. Instructions for processing
5.1. Data Subject notification
Prior to collecting Personal Data or at the latest at the time of collection, for any kind of processing, the responsible person in the relevant department will ensure that the Data Subjects are properly informed through the data protection policies of the following: collected data, purposes for processing, processing methods, the rights of the Data Subjects with respect to their Personal Data, the retention period, the potential international data transfers, if the data will be communicated to third parties and Berrystack Services security measures for the protection of Personal Data.
Where Personal Data is disclosed to a third party, the responsible person must ensure that the Data Subjects have been notified thereof by a general notice on the protection of Personal Data.
When collecting sensitive Personal Data, the responsible person in the relevant department must ensure that the Data Subject is informed of the purpose for which these sensitive Personal Data is collected and explicit consent was sought for this type of processing.
5.2. Obtaining consent
Whenever processing of Personal Data is based on the consent of the Data Subject the responsible person in the relevant department must ensure that a record of this consent is kept at Berrystack Services. The responsible person in the relevant department is responsible for providing information to the Data Subjects who opt for consent and must inform them and ensure that their consent (whenever consent is used as the legal basis for processing) can be withdrawn at any time.
When the correction, modification or deletion of Personal Data records is requested, the responsible person must ensure that these requests are dealt with within a reasonable time. The responsible person must also register the requests and keep a log of them.
Personal Data must be processed only for the purpose for which they were originally collected. If the Company wishes to process Personal Data collected for another purpose, the responsible person in the relevant department must inform the Data Subject about such change and, where appropriate, seek the written consent of the Data Subjects.
6. Responsibilities
6.1. General Responsibilities
Personal Data processed on behalf of Berrystack Services must be accessed and used only by the hired personnel or collaborating staff who have responsibilities in relation to this data and only for the purpose for which they were collected.
Hired personnel or collaborating staff will ensure not to request Personal Data if it is unnecessary and to the extent that the Data Subjects voluntarily provide more data than required, this data will be erased.
Hired personnel or collaborating staff will ensure that all forms by which Data Subjects have expressed their consent to the processing of Personal Data and by which they have been informed about the processing of Personal Data will be retained.
Hired personnel or collaborating staff should keep all data secure, by taking all necessary security measures and complying in accordance with this policy.
Hired personnel or collaborating staff should only use the equipment provided by Berrystack Services for business purposes. These devices must be secured with passwords that should not be shared with others. For security reasons, employees will not use personal equipment to perform their job duties.
Personal Data should not be disclosed to unauthorized persons, either within Berrystack Services or externally.
Data should be reviewed and updated regularly to see if it is still up to date. If it is no longer necessary for the purpose for which it was collected, the data must be deleted.
6.2. Storage
If the data is stored in physical form, on paper, the documents must be stored in a safe place where only authorized persons have access and have service responsibilities in relation to such data.
Thus, when not used in the activity, the papers should be kept in a locked closet or drawer (for example, staff records should be stored under lock, with access only for personnel employed in the human resources department).
Hired personnel or collaborating staff must ensure that papers and printed matter containing Personal Data are not left in places where unauthorized people might have access, such as a printer.
Printed materials containing data must be fragmented and safely removed so that they can no longer be accessed or reconstituted when they are no longer needed.
When data is stored electronically, it must be protected against unauthorized access, accidental erasure or attempts to break Berrystack Services networks or databases as follows:
- data must be protected by passwords that are changed regularly and are never distributed between hired personnel or collaborating staff;
- if data is stored on electronic media (CDs, DVDs, USB storage media) they must be kept locked away when not in use;
- data should only be stored on designated drives and servers and only uploaded to a cloud service authorized by Berrystack Services;
- servers containing Personal Data should be kept in a safe location, preferably in a location other than that of the main office or working site;
- data should be archived regularly to provide backup of Personal Data;
- data should not be saved directly on laptops or other mobile devices such as tablets or phones;
- all servers and computers containing data must be protected by approved security software and firewall.
6.3. Using data
Unauthorized access to and use of any Personal Data could lead to risks of loss or theft.
Thus, when hired personnel or collaborating staff process Personal Data, they must ensure that the screens of their computers are always locked when left unattended.
Personal Data should be encrypted when it is transferred electronically, and access is limited to those who have responsibilities in connection with these data.
6.4. Data accuracy
Personal Data will be stored in as few media/places as possible. Hired personnel or collaborating staff should not create additional physical or electronic copies of these data unless they are needed.
Personal Data should be updated as the inaccuracies are discovered, and erroneous data should be deleted. For example, if a provider can no longer be contacted on the phone number originally stored, it should be removed from the databases.
7. Response to Personal Data breach incidents
When a Personal Data breach occurs in Berrystack Services, the responsible person must conduct an internal investigation and take appropriate remedial action on time. If there is any risk for the rights and freedoms of Data Subject, the Company should notify the Personal Data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours.
8. The Personal Data storage
8.1. Default storage period
For any category of documents for which Berrystack Services has not set a storage time and if the applicable law does not provide otherwise, the default storage period required for these documents will be considered to be 5 years from the date they were created.
8.2. Agreed storage period
The responsible person defines the period of time for which the documents and electronic records should be stored.
Storage periods may be extended in exceptional situations such as:
- Ongoing investigations by Member State authorities, where there are Personal Data risk records, and data is required to show compliance with any legal requirements; or
- When legal rights are exercised in cases of judicial proceedings or similar legal proceedings recognized under the law of the Member State.
8.3. Data protection during the storage period
To the extent that the data/information will be stored in physical format, such data/information shall be archived for the required period within Berrystack Services or to an authorized archiving facility in accordance with legitimate interests or legal obligations and the Company ensures that the Data Subjects shall have access to such data;
Where electronic storage media are used, procedures and systems that provide access to information during the storage period will also be preserved (both in terms of information support and legibility of formats) to protect information against loss arising from future technological changes.
8.4. Personal Data destruction
Berrystack Services and its employees should regularly review all data, whether they are stored electronically on their own equipment or on paper to decide whether to dispose or delete any data after the purpose for which the document was created is no longer relevant.
Data must be deleted, fragmented, or destroyed in an appropriate and secure manner to ensure their confidentiality. The method of removal varies and depends on the nature of the document. For example, all documents that contain sensitive or confidential information (and particularly sensitive Personal Data) must be disposed of as confidential waste and subject to a secure electronic wipe; some expired or replaced contracts may only justify shredding with internal equipment.
In this context, the employee performs the tasks and assumes the relevant responsibilities for the information destruction in an appropriate manner. The specific erasure or destruction process may be performed either by an employee or by an internal or external service provider employed for such purpose. Berrystack Services will comply with any general provisions applicable in accordance with the relevant data protection laws and the Personal Data protection policy.
Full legal requirements for the destruction of information, in particular the requirements of applicable data protection laws, must be fully respected.
9. Audit and Accountability
Any suspicion of breach of this policy must be reported immediately to the responsible persons of the Company. All cases of suspicion of violation of such policy will be investigated and appropriate measures will be taken.
Failure to comply with such policy may result in negative consequences including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to Berrystack Services reputation, damage or material loss. Failure to comply with this policy by hired or collaborating personnel or any third parties who have been granted access to Berrystack Services premises or information may therefore lead to disciplinary proceedings or termination of the employment or collaboration agreement. This non-compliance may also lead to legal action against the parties involved in such activities.
Any employee violating this policy will be subject to disciplinary action, and the employee may also be subject to civil or criminal obligations if his or her conduct violates laws or regulations.
10. Conflict of laws
This policy is intended to comply with the laws and regulations of the headquarters location of the country in which Berrystack Services operates. In the event of a conflict between this policy and the applicable laws and regulations, the latter prevail.
11. Validity and management of documents
This document is valid as of 13.12.2021.
The persons responsible for this policy are Avramiuc Ruxandra and Popescu Cristian-Nicolae, who must check and, if necessary, update the document whenever required.