Ver. 1.0, 26.07.2021
Data protection is a very important issue for us. The use of our website and application is possible without giving out personal data, however, if anyone wishes to use our services and contacts us through the website, processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis or contract for such processing, we generally obtain the consent of the data subject (concerned person).
In order to comply with the provisions of the General Data Protection Regulation (GDPR), we have implemented numerous technical and organizational measures designed to provide a thorough protection of personal data processed through the website and the application. However, the process of transferring data over the Internet may, in principle, have security gaps, so absolute protection can not be guaranteed. For this reason, each data subject has the opportunity to transfer personal data to us through alternative means – by phone, in writing, etc.
Our data protection policy uses the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). We want our Data Protection Policy to be legible and easy to understand for everyone. In order to achieve this goal, we will first explain the terminology used.
In the current data protection policy, we use, among others, the following expressions:
a) Personal data
Personal data means any information relating to an identified or identifiable real person (“the data subject”). An identifiable individual is one that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more physical, physiological, genetic, mental, economic, cultural or social factors of that individual.
b) Data subject
The data subject is any identified or identifiable real person whose personal data is processed by the data controller or data processor.
Processing is any operation or set of operations that is performed with personal data or personal data sets, whether or not by automatic means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, recovering, consulting, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the selection of stored personal data in order to limit future processing.
Profiling means any form of automatic processing of personal data, consisting of the use of personal data to assess certain personal aspects relating to a real person, particularly to analyze or anticipate aspects of the performance of the individual at the workplace, the economic situation, health, personal preferences, interests, behavior, location or travel plans.
Pseudonymization is the processing of personal data so that personal data can no longer be attributed to a particular subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that personal data can not be attributed to an identified or identifiable individual.
g) Operator or controller responsible for processing
The operator or controller responsible for data processing is a legal person, public authority, agency or other body which, alone or with others, determines the purposes and means of processing personal data. In cases in which the purposes and means of such processing are laid down by EU legislation or Member State law, the operator or the specific criteria for his appointment may be provided by EU legislation or Member State law.
h) Empowered Person – Processor
The empowered person / the processor is a natural or legal person, a public authority, an agency or another body that processes personal data on behalf of the operator.
The beneficiary is a natural or legal person, a public authority, an agency or other organization to which personal data is disclosed, even if a third party is involved. However, public authorities which may receive personal data in an investigation, in accordance with EU legislation or Member State law, are not considered beneficiaries. The processing of such data by the respective public authorities must be in accordance with the applicable data protection rules in accordance with the purposes of the processing.
j) Third party persons
They may be a third party person, a natural or legal person, a public authority, an agency or organization, but different than the data subject, the operator, the empowered person. Under the direct authority of the operator or the person empowered to process personal data, third party persons are authorized to process personal data.
The consent of the data subject is any specific, informed and unambiguous indication of the person’s wishes by which he, through a statement or clear affirmative action, accepts the processing of his or her personal data.
2. The principles that govern our privacy and personal data processing policy are the following:
- The principles of legality, fairness and transparency. This requires that the data subject’s personal data be processed legally, fairly and transparently.
- The purpose limiting principle. It requires personal data to be collected only for specified, explicit and legitimate purposes.
- The principle of collecting the minimum data to reach the purpose for which consent was obtained. According to this principle, personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- The principle of maintaining updated data ensures that personal data is accurate and up-to-date where necessary.
- The principle of storing data strictly during the period for which consent was obtained. This requires that personal data be retained in a form that permits the identification of the data subjects for just as long as the data processing is necessary.
- The principle of ensuring adequate data security so that these are integrated, confidential and available.
- The principle of responsibility, according to which the operator is responsible for compliance with the principles listed in Article 5 (1) of the GDPR and must be able to demonstrate compliance.
3. Name and address of the operator, in accordance to the General Data Protection Regulation (GDPR):
SC ETA Automatizari Industriale SRL, Gheorghe Dima Street, No. 1, 300079, Timișoara
Phone: +40 256 294 608
4. Name and address of the DPO (data processing officer):
Gheorghe Dima nr.1, Timișoara, România
Any data subjects may contact the DPO directly, at any time, with all questions and suggestions concerning data protection.
Through a cookie, the information and offers on our site can be optimized based on the user. Cookies allow us, as mentioned before, to recognize the users of our website. The purpose of this recognition is to make our website easier to use. The user of the website for example, does not need to enter access data each time the site is accessed because it is retrieved and the cookie is stored in the user’s computer system. Another example is the shopping cart cookie in an online store. The online store remembers articles that a customer has placed in their virtual shopping cart through a cookie.
6. Collection of general data and information
Our website collects a series of general data and information when a user or an automated system requests it. These general data and information are stored in the server log files. What can be collected:
- browser types and versions used
- the operating system used
- the website from which an access system reaches our website (the so-called referral)
- date and time of access
- the Internet Protocol address (IP address)
- the Internet service provider of the access system
- any other similar data and information that can be used in case of attacks on our IT systems.
These general data and information are required for:
- the correct delivery of the content of the website
- website content optimization
- ensuring the long-term viability of our IT systems
- providing authorities with the necessary information to investigate in the unfortunate event of a cyber attack.
We therefore analyze data and statistical information anonymously in order to increase data security and our security and to ensure an optimal level of protection of the personal data we process. The anonymous data of the server log files is stored separately from all the personal data provided.
7. Registration on our website
The data subject has the possibility to register on our website with the indication of personal data. Personal data entered by the data subject are collected and stored exclusively for the purposes for which they were collected. By registering on the website, the IP address assigned by the Internet Service Provider (ISP) and used by the user is stored, as well as the date and time of the registration. The storage of these data takes place on the basis of legitimate interest, as this is the only way to prevent the misuse of our services and, if necessary, will help support the investigation of committed felonies. Such data shall not be passed on to third parties, except where there is a legal obligation to transmit the data or if the transfer is requested by the law enforcement agencies.
The registration of the data subject, with the voluntary indication of personal data, allows us to make use of the content and the services provided, which can only be provided to registered users. Registered persons have the ability to change the personal data specified during registration at any time or to remove them completely from our database. We must provide at any time, at the request of the data subject, information about their stored personal data. Additionally, we need to correct or delete personal data at the request of the data subject, unless there are legal storage obligations.
8. Subscription to our newsletter
On our website, users can subscribe to our company newsletter. The subscription form specifies which personal data is transmitted, as well as the request to receive the newsletter. We regularly inform our customers and business partners through our newsletter about our offers. The newsletter may only be received by the data subject if they:
- Have a valid email address and
- Subscribe to this service.
Upon subscription, a confirmation email will be sent to the email address specified by the person concerned. During the subscription to receive the newsletter, we store the IP address of the IT system assigned by the Internet Service Provider (ISP) and used by the data subject at the time of registration, as well as the registration date and time. Collecting this data is necessary to prevent the (potentially) abusive use of the person’s email address at a later date.
The personal data collected from the newsletter registration will only be used to send our newsletter. In addition, subscribers to the newsletter can be informed by email as long as this is necessary for the operation of the newsletter service or in case of technical changes.
There will be no transfer of personal data collected by the newsletter service to third parties. Subscription to our newsletter can be denounced by the person concerned at any time. The consent to the processing of personal data that the data subject has expressed upon subscription may be revoked at any time. To revoke your consent, a link is found in each newsletter. It is also possible to unsubscribe from the newsletter at any time directly on our website or to communicate this in other ways.
9. Newsletter monitoring
Our newsletter contains so-called tracking pixels. A tracking pixel is a thumbnail graphic embedded in emails that are sent in HTML format to allow logging and analysis of log files. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, we can see if and when an email was opened by a recipient and which email links were accessed by the person concerned.
Such personal data collected in the tracking pixels contained in the newsletter are stored and analyzed to optimize the delivery of the newsletter as well as to adapt the content of future newsletters to the interests of the concerned person. This personal data will not be passed on to third parties. The individuals concerned are at all times entitled to revoke their expressed consent. After a reversal of consent, these personal data will be deleted.
10. The ability to communicate through the website
Our web site allows for quick electronic contact and direct communication with us through an email address. If a person is contacting us by email or a contact form, the personal data transmitted is automatically stored. Such personal data transmitted voluntarily by the data subjects are stored for processing or contacting that person. There is no transfer of personal data to third parties.
11. Automatic deletion of personal data
We process and store the personal data of the person concerned only for the period necessary to achieve the purpose for which they were collected, except when the storage period is required by national or European legal rules.
If the purpose for which the data was collected has been reached or if the storage period required by national or European legal rules has expired, personal data is automatically deleted in accordance with legal requirements.
12. Rights of the data subjects
THE RIGHT TO BE INFORMED
Once you have consented and become a data subject, you have the right to be informed about everything that happens to your personal data, usage purpose, access, change, and even revoke your consent for a specific organization. At the same time, you have the right to access your personal information whenever you want.
Based on this right, you can request information on all aspects of your personal data collected by the operator: whether your data is processed or not, where it comes from, who processes it, what purpose, what time period, where it is stored. Also under this right, you can request a “copy” of the processed information.
THE RIGHT TO RECTIFICATION
You may request the rectification, modification of your personal data processed by the operator after the operator has verified your identity through internal procedures.
RIGHT TO BE FORGOTTEN (RIGHT TO DELETION OF DATA)
Another important right is for data deletion (or to be forgotten). The general principle is that a person has the right to request the deletion of personal data. This right is not an absolute one, meaning that there are circumstances in which the data will not be erased at the request of the data subject. For example, if personal data are used to comply with a legal obligation or for public health safety, for scientific research, then the right to delete data may be denied to the data subject.
THE RIGHT TO RESTRICT DATA PROCESSING
According to GDPR, a person has the right to restrict the processing of personal data under various circumstances. For example, a person may restrict the processing of personal data when he thinks they are not accurate. In this case, the person will be able to restrict data processing until their accuracy is verified. Another case where data processing can be restricted is when the data subject objects to the processing.
PORTABILITY OF DATA
You also have the right to port the data. In the absence of any other contractual terms (of which you should be informed before consenting to data processing), you can move your data from one supplier to another easily and quickly.
THE RIGHT TO OPPOSITION
This right includes: the right to oppose processing and the right to oppose the application of automated decision-making and profile creation.
RIGHTS CONCERNING THE AUTOMATIC DECISION-MAKING PROCESS AND PROFILE CREATION
This right wants to protect people from certain negative decisions that can be taken without human intervention. GDPR defines profile creation as any automated form of processing in order to evaluate certain personal aspects of the individual, such as performance at work, health, personal preferences, economic situation, location, and so on. If an organization uses profile creation, it needs to take certain security measures. For example, to use correct mathematical or statistical procedures, to secure personal data and to put in place measures to allow anomalies to be corrected with a minimum risk of error. To be remembered, automated decision-making should never be applied to a child.
THE RIGHT TO WITHDRAW YOUR CONSENT
Through a will manifestation symmetrical to the one in which you have given your consent, you will be able to withdraw it at any time, and we will take into account this withdrawal.
In the exercise of any of these rights, if there are no legal impediments, we will comply with the provisions of the GDPR Regulation, operating as requested by the data subject, and informing the data subject about the steps taken.
13. The legal basis of the processing
- Article 6 (1), point a. of the GDPR Regulation serves as a legal basis for the processing operations for which you give us consent, for a particular processing purpose.
- If the processing of personal data is necessary for a contract implementation to which the data subject is a party, as the case may be, for example, when the processing operations are necessary for the supply of goods or for the provision of services, the processing is carried out on the basis of Article 6 (1), point b. of the GDPR Regulation. The same applies to the processing operations required for pre-contractual measures, for example in the case of bidding.
- If our company is subject to a legal obligation that requires us to process personal data, such as fulfillment of tax obligations, the processing is based on Article 6 (1), point c. of GDPR Regulation.
- In rare cases, processing of personal data may be necessary to protect the vital interests of the data subject or of another individual. This would be the case, for example, if a visitor was injured in our company and name, age, health insurance data or other vital information should be passed to a doctor, hospital or other third party. Under this hypothesis, processing will be based on Article 6 (1), point d. of the GDPR Regulation.
- Finally, the processing operations could be based on Article 6 (1), point f. of the GDPR Regulation, if processing is not carried out for any of the above-mentioned reasons, in cases in which the processing is necessary for the purposes of legitimate interests pursued by our company or a third party, unless such interests are contrary to the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. Such processing operations are permitted because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is the client of the operator (recital 47 in sentence 2 of the GDPR).
14. Legitimate interests pursued by the operator or by a third party
If the processing of personal data is based on Article 6 (1), point f. of the GDPR Regulation, our legitimate interest is to conduct our business in the interests of all our employees and shareholders.
15. The period for how long personal data will be stored
The criteria used to determine the storage period of personal data is defined by the purpose of the collection and the legal basis. After the expiry of that period, the corresponding data is deleted if it is no longer required for the continuation or conclusion of a contract or if the data subject has not given his consent to the storage of such data for a certain period of time.
16. The existence of an automatic decision-making process
As a responsible company, we do not make profiled or automation-based decisions.
17. Data protection for employment applications, careers and job alerts
In certain cases, we collect and process the personal data of applicants for jobs in our company. Especially in cases in which an applicant sends us the CV or other documents related to employment, by email or through a web form on the Careers website. If we hire that person, by entering into an employment contract, the data transmitted will be stored for the purpose of performing the obligations arising from the employment report, in accordance with the legal requirements. If no employment contract is sent to the applicant, the personal data and the documents containing them will be archived and may be deleted at the request of the applicants, provided that no other legitimate interest is opposed to its deletion.
By applying to the job alerts section, the data subject gives his consent to the processing of his personal data, namely name, surname, email address, as well as to receiving communications by email.
18. Data protection provisions related to the application and use of Facebook
On this website, we have integrated Facebook components.
The Facebook operator is Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. Outside the United States or Canada, the operator is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland.
An overview of all Facebook plugins can be accessed at https://developers.facebook.com/docs/plugins/. Through these plugins, Facebook is informed about which specific sections of our website were visited by the data subject.
The Facebook Privacy Guide, available at https://facebook.com/about/privacy, provides information on Facebook’s collection, processing and use of personal data. The options available in Facebook’s settings to protect the privacy of the data subject are also explained. Different configuration options are available to stop data transfer on Facebook, as well.
19. Data protection regarding the application and use of Google AdSense
On this website, we have integrated Google AdSense. Google AdSense is an online service that allows you to place advertisements on third-party websites. Google AdSense is based on an algorithm that selects ads displayed on third-party websites to match the content of that third-party website. Google AdSense allows an Internet-based targeting that is implemented by generating individual user profiles.
The Google AdSense operator is Alphabet Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
The data subject may, as mentioned above, prevent the cookies from being set on our website at any time through a proper adjustment of the web browser used and thus, permanently refuse the cookie setting.
Through Google AdSense, personal data and information – which also include the IP address and are necessary for the assessment of the displayed ads’ results – is sent to Alphabet Inc. in the United States. These personal data will be stored and processed in the United States of America. Alphabet Inc. may disclose personal data collected through this technical procedure to third parties.
Google AdSense is further explained at the following link: https://www.google.com/intl/en/adsense/start/.
20. Data protection provisions for applying and using Google Remarketing
On this website, we’ve integrated Google Remarketing services. Google Remarketing is a component of Google Ads, which allows display of advertising material to Internet users who have visited our website.
The Google Remarketing Operator is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
The data subject may, as mentioned above, prevent the cookies from being set on our site at any time, through a proper adjustment of the web browser used and hence permanently refuse the cookie setting. Such an adjustment of the Internet browser would prevent Google from inserting a cookie on the data technology system of the person concerned. In addition, cookie modules already used by Google can be deleted at any time through a web browser or other software.
Additionally, the data subject has the ability to challenge Google’s interest-based advertising. For this to happen, the data subject must access the link at www.google.de/settings/ads and make the desired setting adjustments in each Internet browser used by the concerned person.
Additional information and actual Google data protection provisions can be downloaded from https://www.google.com/intl/en/policies/privacy/
21. Data protection provisions for applying and using Google+
On this website, we’ve integrated Google+ as a component. Google+ was a social network. Google+ allowed social network users to create private profiles, upload photos and connect through friendship requests.
The Google+ operator is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
If the person is linked to Google+ at the same time he visits our website, Google collects for the entire duration of the visit, which specific sub-pages were visited by the person concerned. This information is collected through the Google+ button and Google matches the Google+ account associated with the concerned person.
If the person concerned does not want to transmit personal data to Google, he or she may prevent this transmission by disconnecting from their Google+ account before accessing our website. Additional information and Google data protection provisions can be found at: https://www.google.com/intl/en/policies/privacy/
22. Data protection provisions for the application and use of the Google Ads service
On this website, we’ve integrated Google Ads. Google Ads is an Internet advertising service that allows the advertiser to place ads on Google search engine results and on the Google advertising network. Google Ads allows an advertiser to pre-define certain keywords on the basis of which an ad is displayed in Google search results when the user engages with the search engine to find what he or she is looking for.
The Google Ads operator is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
The purpose of Google Ads is to promote our website by including relevant advertising on third-party websites and in Google’s search engine results and by inserting third-party advertisements on our website.
The data subject may at any time block cookies from our website, as mentioned above, through a proper setting of the Internet browser used, and thus permanently refuse the cookie setting. Such a configuration of the Internet browser used would prevent Google from sending a conversion cookie into the person’s information technology system. Additionally, a cookie set by Google Ads can be deleted at any time through your Internet browser or other software.
The data subject has the ability to oppose Google’s interest-based advertisements. As such, the concerned person has to access the link www.google.de/settings/ads from each of the browsers used and choose the desired settings.
Additional information and applicable data protection provisions on Google can be downloaded at: https://www.google.com/intl/en/policies/privacy/
23. Data protection provisions related to the application and use of LinkedIn
We have also integrated components of LinkedIn Corporation on this website. LinkedIn is a web-based social network that allows users with existing business contacts to connect and make new business contacts. More than 400 million people registered in over 200 countries use LinkedIn. Thus, LinkedIn is currently the largest business contact platform and one of the most visited websites in the world.
More information about the LinkedIn plug-in can be accessed at: https://developer.linkedin.com/plugins
LinkedIn receives information via the LinkedIn component provided that the data subject is linked to LinkedIn when using our website. This happens regardless of whether the person clicks on the LinkedIn button or not. If such a transmission of information to LinkedIn is not desirable to the data subject, then he or she could prevent this by disconnecting from their LinkedIn account before entering our website.
LinkedIn offers, under https://www.linkedin.com/psettings/guest-controls, the ability to unsubscribe from email, SMS and targeted ads, as well as the ability to manage your ad settings. LinkedIn also uses affiliates such as Eire, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame.
24. Data protection provisions to apply and use YouTube
On this website, we have integrated YouTube components. YouTube is an Internet video portal that allows video editors to create free videos, giving users free viewership, as well as review and comment opportunities.
The YouTube operator is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, United States. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
More information about YouTube can be found at: https://www.youtube.com/about/. YouTube’s data protection provisions are available at: https://www.google.com/intl/en/policies/privacy/ and provide information on the collection, processing and use of personal data by YouTube and Google.
25. Data protection provisions for Twitter application and use
On our website, we have integrated Twitter components. Twitter is a short messaging service, just like SMS, where people around the world explain what they are doing at the moment, leave a link, put a question, a challenge, an invitation, a contest, in brief – they communicate. These short or old texts are called “tweets” and must be 140 characters or less in length. You can track the messages of other people, whether they are your friends, politicians, celebrities or bloggers, by becoming their “followers.” Beside tweets, you can send private messages to those you follow and who follow you back.
The Twitter operator in the United States is Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, United States. Out of the US, there’s the Twitter International Company, registered in Ireland, based in One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland.
More information about Twitter can be found here: https://twitter.com/en/tos#update and information on data protection policy here: https://help.twitter.com/en/rules-and-policies/update-privacy-policy
26. Data protection provisions for the application and use of other SEO and analysis tools
These tools are used on various sections or subsections of our website, and they are:
- SEMRush – An SEO analysis tool. More information about SEMRush can be found here: https://www.semrush.com/company/legal/terms-of-use/ and data protection policy information is available here: https://www.semrush.com/company/legal/privacy-policy/
- Hotjar – A tool for tracking user behavior on the website with anonymized data. More information about Hotjar can be found here: https://www.hotjar.com/legal/policies/terms-of-service and information about data protection policy here: https://www.hotjar.com/legal/policies/privacy
- Hubspot – An in-depth analysis tool for user behavior on the website. More information about Hubspot can be found here: https://legal.hubspot.com/community-tou and the data protection policy here: https://legal.hubspot.com/privacy-policy?_ga=2.115176261.353259744.1526989630-105251658.1526989630
27. Data protection provisions regarding the application and use of WordPress plug-ins
On some parts or subsections of our website, we have integrated other WordPress plug-ins to facilitate the sales process of our products and services. WordPress is an open source platform for website publishing. Plug-ins used:
- MailChimp for WordPress
28. Payment methods: data protection provisions for the use of MobilePay as a payment processor
On this website, we have integrated components of the PayPal service and of Braintree from PayPal. PayPal is an online payment service provider. Payments are processed through so-called PayPal accounts, which are virtual private or business accounts. Also, PayPal can process virtual credit card payments when a user does not have a PayPal account. A PayPal account is managed through an email address, which is why there are no classic account numbers. PayPal makes it possible to trigger online payments to third parties or receive payments.
The European company that operates PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.
If the data subject chooses PayPal as a payment option in the online store during the order process, we automatically send the data of the data subject to PayPal. By selecting this payment option, the data subject agrees with the transfer of the personal data necessary to process the payments.
Personal data sent to PayPal usually consists of the name, surname, address, email address, IP address, telephone number, mobile phone number, payment amount, card number, name on card, expiration date, CVV code, unique transaction identification and any other data required for payment processing.
The data subject has the possibility to revoke the consent for the manipulation of personal data from PayPal at any time. The revocation has no effect on the personal data that must be processed, used or transmitted in accordance with the (contractual) processing of payments.
The applicable PayPal and Braintree data protection provisions of the PayPal service can be found at: https://www.paypal.com/us/webapps/mpp/ua/privacy-full