Privacy policy

This policy applies to all employees of the Company, contractors, stakeholders, and all other subjects who participate directly or indirectly in the processing of personal data, including data subjects who visit the website of FABRICA DE BERE BUNA S.R.L. – http://www.bere-zaganu.ro, (hereinafter referred to as “users”) within the Company’s activities.

CHAPTER I – Definitions
During the processing of personal data, the terms used shall have the following meaning:
a. Personal data – any information regarding an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific elements typical of his or her physical, physiological, genetic, mental, economic, cultural, or social identity;
b. Special categories of personal data (sensitive data) – personal data revealing race or origin, political opinion, religious or philosophical beliefs or membership in trade unions, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
c. Controller – the natural or legal person, public authority, agency, or other body which, alone or together with others, determines the purposes and means of processing personal data; when the purposes and means of processing are established by Union law or national law, the controller or the specific criteria for its designation may be provided for in Union law or national law;
d. Processing – any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, erasure, or destruction;
e. Processor – the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
f. Recipient – the natural or legal person, public authority, agency, or other body to whom personal data are disclosed, whether or not a third party. However, public authorities to which personal data may be communicated in the context of a specific investigation in accordance with Union or national law shall not be considered recipients; the processing of such data by the respective public authorities complies with the rules applicable in the field of data protection, in accordance with the purposes of the processing;
g. Third party – a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
h. Data subject’s consent – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she accepts, by a statement or by a clear affirmative action, that personal data relating to him or her be processed;
i. Personal data security breach – a breach of security that leads, accidentally or unlawfully, to the destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored, or otherwise processed, or to unauthorized access to them;
j. Genetic data – personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information regarding the physiology or health of that person and which result in particular from an analysis of a biological sample collected from the person concerned;
k. Biometric data – personal data resulting from specific processing techniques relating to the physical, physiological, or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or fingerprint data;
l. Data concerning health – personal data related to the physical or mental health of a natural person, including the provision of medical assistance services, which reveal information about his or her health status;
m. Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects regarding that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
n. Pseudonymization – the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures to ensure that the respective personal data are not attributed to an identified or identifiable natural person;
o. Automated decision-making – the ability to make decisions by technological means without human involvement.
p. Personal data security breach – a breach of security that leads, accidentally or unlawfully, to the destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored, or otherwise processed, or to unauthorized access to them.
q. Child – any natural person under the age of 14. The processing of a child’s personal data is possible only if the consent of the parents or guardian is obtained. The controller must make every effort to verify in such cases whether the consent is given or authorized by the child’s parent or guardian.
r. Filing system – any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or distributed according to functional or geographical criteria;
s. Company – FABRICA DE BERE BUNA S.R.L., a legal entity legally registered in accordance with the laws of Romania.
t. Website – the site http://www.bere-zaganu.ro, which is owned by the Company.
u. Clients – natural/legal persons who use the Company’s services.
v. Partners – legal entities whose personal data could be transferred for the purpose of processing in the interest of the Company. Thus, these partners may act as processors as well as sub-processors, depending on the circumstances.
w. Services – services provided by the Company through the use of the Software and the main conditions that are mentioned on the site.
x. Supervisory authority – an independent public authority established by a Member State in accordance with the provisions of the GDPR.

CHAPTER II – Statements
2.1 FABRICA DE BERE BUNA S.R.L., with its registered office as a Romanian legal entity, with headquarters in Bucharest, Str. Intr. Dr. Felix, no. 2, Sector 1, registered with the Trade Register under no. J40/2096/2013, having CUI 31252415, undertakes to comply with all relevant European Union and Romanian laws regarding personal data and to protect the “rights and freedoms” of individuals while collecting and processing personal data in accordance with the GDPR.
2.2 The privacy and data protection policy establishes how the company uses, processes, and stores the recipients’ personal information. The Company may obtain this information from you or from your partners in order to fulfill its contractual obligations. In other cases, the Company will receive this information from you with your permission and consent, or we will receive personal information from third parties to whom you have given consent regarding the transmission of this information.
2.3 This policy describes the main steps the Company has taken to be in compliance with the GDPR; therefore, other compliance conditions together with related processes and procedures may be described through other relevant documents that recipients and any other interested persons can find at the corresponding reference links mentioned within this policy.
2.4 Users have the right to notify the Company or the competent authority for data protection, in the event of a personal data breach, if they become aware of this fact before the Company.

CHAPTER III – Principles Applicable to Data Protection
3.1 While carrying out the collection and processing of personal data, the Company respects the principles provided by the GDPR. The Company’s policies and procedures are designed to ensure compliance with the principles.
3.1.1 Lawfulness, fairness, and transparency
Lawfulness – The Controller will identify a legal basis before processing personal data. This will often be referred to as the “conditions for processing,” such as consent.
Fairness – In order to process fairly, the Controller must make certain information available to the data subjects as practically as possible. These apply whether the personal data were obtained directly from the data subjects or from other sources.
Transparency – any information and communication related to the processing of personal data must be easily accessible and easy to understand and a clear and simple language must be used.
3.1.2 Purpose limitation
Personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a way that is incompatible with these purposes; further processing for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes, in accordance with Article 89(1) of the GDPR, is not considered incompatible with the initial purposes.
3.1.3 Data minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
3.1.4 Accuracy
Personal data must be accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure that personal data that are inaccurate, considering the purposes for which they are processed, are erased or rectified without delay.
3.1.5 Storage limitation
Personal data must be kept in a form that permits the identification of data subjects for a period that does not exceed the period necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed exclusively for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes, in accordance with Article 89(1) of the GDPR, as well as the organizational measures imposed by the GDPR to protect the rights and freedoms of the data subject.
3.1.6 Integrity and confidentiality
Personal data must be processed in a manner that ensures an adequate level of security of the personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

CHAPTER IV – Collection and Processing of Data by the Company
4.1 Throughout its activity, the Company collects and processes the following data:
4.1.1 Recipients’ personal data: Email address, First name, Surname, Date of birth, Sex, Country, Postal code, Password, PayPal, bank details, Telephone, Address, age, mouse activity on the page http://www.bere-zaganu.ro, session duration and IP as will be defined on the site http://www.bere-zaganu.ro, according to the technical specifications of the device used (such as hardware model, operating system version). The Company does not collect more personal data than is necessary for the purpose of processing as provided in this document.
While collecting and processing the recipients’ personal data, the Company acts as a controller; therefore, it will have the rights and responsibilities that Controllers have under the GDPR.
The Company collects and/or processes the following sensitive data in its activities: such as the recipients’ sex.
4.1.2 Users’ personal data
IP address, username, first name, address, telephone number (landline or mobile), email address, company name, country, email address, usage data, data about interaction with external social networks or platforms, information about registration and notification on the site http://www.bere-zaganu.ro, geographical position.

We collaborate with Microsoft Clarity and Microsoft Advertising to record how you use and interact with our site through behavioral metrics, heatmaps, and session replays, for the purpose of improving and promoting our products/services. Site usage data are collected through our own and third-party cookies, as well as through other tracking technologies, to determine the popularity of products/services and online activity. We also use this information to optimize the site, for security/fraud-related purposes, and for advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

CHAPTER V – Purpose of Processing
5.1 GDPR requirements
5.1.1 Under the GDPR, one or more specific purposes for which personal data are to be processed should be mentioned. Therefore, it is illegal to collect and process personal data that do not correspond to the purposes mentioned above.
5.2 Recipients’/users’ personal data
5.2.1 The recipients’/users’ personal data are collected and processed for the following purposes:

• Execution of services established according to the Contracts concluded between the Recipient and the Company;

• Improving customer services (allows a more efficient response to customer requests);

• Personalizing the recipients’/users’ experience;

• Maintaining contact with the recipient/user by sending marketing or promotional materials and other information that include the Company’s news, information about services, with a note regarding the instructions on how the recipient/user can refuse such notifications;

• Conducting statistical research and other types of analyses based on anonymous data;

• Offering recipients/users certain personalized services;

• The recipient’s/user’s participation in various projects implemented by the Company through the site, responses to the recipient’s/user’s questions addressed to the Company through the site, research, maintaining accounts, registration, and promotion of services.

CHAPTER VI – Lawfulness of Processing Personal Data
6.1 GDPR requirements
6.1.1 In accordance with Article 6 of the GDPR, there are six alternative ways by which data processing can be lawful. This policy has been developed to identify appropriate grounds for processing in accordance with the rules provided by the GDPR.
6.2 Recipients’ personal data
6.3 The recipients’ personal data are collected through the conclusion of contracts between the Recipient and the Company. The personal data thus collected will be processed with the recipient’s consent, expressed in accordance with the GDPR requirements.
6.4 The recipient’s consent will be expressed by the recipient signing a consent request form that will be provided by the Company.
6.5 Together with the consent request form, the Company will provide the user with the privacy notice, which contains, but is not limited to, precise information regarding the purpose of processing and information regarding processing methods, as well as the period for which such personal information must be stored.
6.6 Consent is considered to be granted when the recipient has completed the consent request form.
6.7 By giving consent, the Recipient acknowledges and accepts all the terms, as well as the conditions specified in the Privacy Notice and Consent Form, as well as all the conditions specified in this policy.
6.3 Users’ personal data
6.3.1 Users’ personal data are collected while the user accesses the site http://www.bere-zaganu.ro.
6.3.2 The Company will collect and process personal data on the basis of consent that will be obtained from the User in accordance with the GDPR. In this way, consent will be given by completing the consent request form that the Company will make available to the user.
6.3.3 Together with the consent request form, the Company provides the user with the privacy notice, which contains, but is not limited to, precise information regarding the purpose of processing and processing methods, as well as the period for which such personal data must be stored.
6.3.4 Consent is considered to be provided after the user has pressed the “Accept” button on the Consent Request Form, provided by the Company through the Website, for each separate purpose of processing personal data, as mentioned in the respective form.
6.3.5 By giving consent, the Recipient acknowledges and accepts all the terms, as well as the conditions specified in the Privacy Notice and Consent Form, as well as all the conditions specified in this policy.

CHAPTER VII – Age of Recipients/Users
7.1 GDPR requirements
7.1.1 The processing of a child’s personal data is lawful if the child is at least 16 years old. If the child is under 16, such processing is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
7.1.2 For this purpose, Member States may provide by law for a lower age for these purposes, provided that such lower age is not lower than 13 years.
7.2 Recipients’/users’ personal data
7.2.1 The Company collects personal data on the basis of consent obtained from individuals (data subjects) who have reached the age of 16.
7.2.2 When the person is under 16 years of age, the processing of his/her personal data is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
7.2.3 By registering on the site and giving consent to the Company, the recipient/user confirms that he/she has reached the age of 16 and has all rights to provide the Company with consent for the processing of his/her personal data. Therefore, the Company is not responsible for any kind of consequences if it becomes clear that the User had not reached the age of 16 at the time of giving consent.

CHAPTER VIII – Withdrawal of Consent by the Recipient/User
8.1 The recipient/user has the right to withdraw consent at any time. Withdrawal of consent is considered to be properly carried out after the recipient/user has completed the appropriate form and sent it to the email address: bar@bere-zaganu.ro, or has completed the appropriate form on the site http://www.bere-zaganu.ro.
8.2 The recipients’/users’ personal data collected by the Company are processed in accordance with the GDPR principles. The Company takes all appropriate measures to ensure compliance with the GDPR requirements while processing the recipients’/users’ personal data.
8.3 The appropriate request to withdraw consent will be examined within 72 hours from the moment of receiving the respective withdrawal form, and the appropriate decision will be made by the Company.

CHAPTER IX – Period of Storage of Personal Data
9.1 GDPR requirements
9.1.1 Article 5 paragraph (1) letter (e) of the GDPR provides that personal data must be kept in a form that allows the identification of data subjects for a period that is not longer than necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed exclusively for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes, in accordance with Article 89 paragraph (1), subject to the implementation of the technical and organizational measures imposed by this regulation to protect the rights and freedoms of the data subject (“storage limitation”).
9.2 Recipients’ personal data
9.2.1 The Company processes and stores the recipients’ personal data for the period necessary to achieve the processing purposes specified above. The storage period may be longer than the processing period.
9.2.3 Considering the purposes of processing, the retention period of the recipients’ personal data (the retention period) does not exceed 12 months from the date on which consent to data processing is duly obtained from them, taking into account all legal rules that the Company must comply with for processing.
9.3 Users’ personal data
9.3.1 The Company processes and stores users’ personal data for the period necessary to achieve the processing purposes specified above. The storage period may be longer than the processing period.
9.3.2 Considering the purposes of processing, the retention period of the recipients’ personal data (the retention period) does not exceed 12 months from the date on which consent to data processing is duly obtained from them, taking into account all legal rules that the Company must comply with for processing.
9.4 General provisions
9.4.1 After the storage period expires, the Company is obliged to delete the personal data or to ask the recipients/users to provide the Company with new consent if the necessity of processing remains necessary for the Company or another processing purpose arises.
9.4.2 The Company has the right not to store longer and to delete the recipients’/users’ personal data at any time, if such personal data are not necessary for a longer period. In this situation, the Company is obliged to notify the recipient/user that his/her personal data are deleted.
9.4.3 The Company may continue to store personal data if further processing is provided by law and is considered relevant for a purpose that is not compatible with the initial processing purpose mentioned in this policy. By purposes that are not compatible we mean purposes regarding archiving in the public interest, scientific, statistical, or historical use.

CHAPTER X – Disclosure of Personal Data
10.1 Recipients’/users’ personal data
10.1 The Company will not sell or trade the personal data of recipients/users to other legal entities, natural persons, or third parties, except in cases where they are processors or sub-processors of the Company.

CHAPTER XI – Rights of Recipients
11.1 GDPR requirements
11.1.1 Data subjects whose personal data are processed by the Company have the rights provided by the GDPR for data subjects, namely:

1. Right of access of the data subject. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed and, if so, access to the personal data and to the following information:
   (a) the purposes of the processing;
   (b) the categories of personal data concerned;
   (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
   (d) where possible, the period for which it is envisaged that the personal data will be stored or, if this is not possible, the criteria used to determine that period;
   (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or the right to object to processing;
   (f) the right to lodge a complaint with a supervisory authority;
   (g) where the personal data are not collected from the data subject, any available information regarding their source;
   (h) the existence of automated decision-making including profiling referred to in Article 22 paragraphs (1) and (4), as well as, at least in those cases, relevant information regarding the logic used and regarding the importance and the envisaged consequences of such processing for the data subject.

2. Right to rectification
   According to Art. 16 of the GDPR, the data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him/her. Taking into account the purposes for which the data have been processed, the data subject has the right to obtain the completion of personal data that are incomplete, including by providing a supplementary statement.

3. Right to erasure (“right to be forgotten”)
   The data subject has the right to obtain from the controller the erasure of personal data concerning him/her, without undue delay, and the controller has the obligation to erase personal data without undue delay, in the situation where any of the reasons provided in Art. 17 of the GDPR occurs.

4. Right to restriction of processing
   The data subject has the right to obtain from the controller restriction of processing in the case where one of the cases provided in Art. 18 of the GDPR applies.

5. Right to be informed.
   The Company is obliged to inform the data subjects regarding the collected data, the way they are used, how long they will be kept, and whether they will be communicated to other third parties. This information must be communicated concisely and in simple language.

6. Right to data portability
   The data subject has the right to receive the personal data concerning him/her, which he/she has provided to the controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller, without obstacles from the controller to whom the personal data were provided, where:
   (a) the processing is based on consent;
   (b) the processing is carried out by automated means.

7. Right to object
   Data subjects have the right to object to the processing of personal data that are processed by the Company. The Company must stop processing the data, except where the controller demonstrates that it has legitimate and compelling grounds that justify the processing and that prevail over the interests, rights, and freedoms of the data subject or that the purpose is the establishment, exercise, or defense of a legal claim.

8. Automated individual decision-making, including profiling
   The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects that concern the data subject or similarly significantly affect him/her. Data subjects have the right for their personal data to be processed with human involvement.
   11.2 Recipients’/users’ personal data
   11.2.1 To exercise any of the rights mentioned above, the recipient/user must complete the Company’s form which can be accessed at www.bere-zaganu.ro.
   11.2.2 The time intervals in which recipients/users can exercise the rights provided above are:

Right of the recipient/user — Time interval
Right of access of the data subject — One month
Right to rectification — One month
Right to erasure (“right to be forgotten”) — Without undue delay
Right to restriction of processing — Without undue delay
Right to be informed — When data are collected (if they are provided by the data subject) or within one month (if they are not provided by the data subject)
Right to data portability — One month
Right to object — At the moment of the objection
Automated individual decision-making, including profiling — Not specified

CHAPTER XII – Data Protection Officer
12.1 According to the GDPR, the Controller and the Processor shall designate a Data Protection Officer whenever:
(a) the processing is carried out by a public authority or body, with the exception of courts acting in the exercise of their judicial function;
(b) the core activities of the controller or of the processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or of the processor consist of large-scale processing of special categories of data.
12.2 The Data Protection Officer may be a member of the staff of the controller or processor or may perform his/her tasks on the basis of a service contract.
12.3 Taking these aspects into account, the Company will have a Data Protection Officer, and information regarding this will be found on the Company’s website: http://www.bere-zaganu.ro.

CHAPTER XIII – Security
13.1 GDPR requirements
13.1.1 Taking into account the current state of the art, implementation costs, and the nature, purpose, context, and purposes of processing, as well as the risk of variation in the probability and severity for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
13.2 Recipients’/users’ personal data
13.2.1 The Company has the responsibility to ensure that all personal data that the Company holds and for which it is responsible are kept secure and are not disclosed in any way to a third party, except where that third party has been specifically authorized by the Company to receive this information and has entered into a confidentiality agreement.
13.2.2 All personal data will be accessible only to those who need to use them and access can be granted only in accordance with the Access Control Policy, which is available on the site http://www.bere-zaganu.ro. The recipients’/users’ personal data will be kept secure and must be stored:
• in a room with controlled access; and/or
• in a locked drawer or cabinet; and/or
• if computerized, password-protected in accordance with corporate requirements in the Access Control Policy; and/or
• stored on (removable) computing media that are encrypted.
13.3.3 Recipients/users have the right to request the Company to clarify what security measures are applied during the processing of their personal data.

CHAPTER XIV – Notification Regarding Personal Data Security Breach
14.1 GDPR requirements
14.1.1 A personal data breach means a breach of security that leads to the destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed, accidentally or unlawfully.
14.1.2 There are three different types of breaches within the GDPR:
• “confidentiality breach” – where there is unauthorized or accidental disclosure of, or access to, personal data.
• “integrity breach” – where there is unauthorized or accidental alteration of personal data.
• “availability breach” – where there is accidental or unauthorized loss of access to, or destruction of, personal data.
14.2 Recipients’/users’ personal data
14.2.1 The Company takes all reasonable measures to minimize the risk of personal data breaches during the processing of personal data.
14.2.2 In the event of a personal data breach, the Company notifies the competent supervisory authority in accordance with Article 55 of the GDPR, without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless it is likely to result in a risk to the rights and freedoms of recipients/users.
14.2.3 The risk assessment that the Company must carry out will determine whether the risk to the rights and freedoms of the affected data subjects is considered high enough to justify notifying them.
14.2.4 Also, in the case of a personal data breach that may lead to a high risk to the rights and freedoms of recipients/users, the Company will notify without delay the respective recipient/user whose personal data were breached.
14.2.5 However, if subsequent measures have been taken to mitigate the high risk for recipients/users so that the risk no longer exists, according to the GDPR, then notification of recipients/users is not necessary.
14.2.6 The Company records all personal data breaches, comprising the facts regarding the personal data breach, its effects, and the remedial measures taken. This documentation must allow the supervisory authority to verify compliance with the GDPR.
14.2.7 In accordance with the GDPR, the Supervisory Authority may impose a series of fines on the Company in the situation where it does not act according to the rules provided by the GDPR.
14.2 The processor is obliged, without undue delay, to notify the Company about the personal data breach of the recipients/users during the processing of these data according to the Company’s instructions.

CHAPTER XV – Data Transfer
15.1 GDPR requirements
15.1.1 Any transfer of personal data that are subject to processing or that are intended for processing after transfer to a third country or to an international organization takes place only if, subject to the other provisions of the GDPR, the conditions set out in Chapter 5 of the GDPR are respected by the Controller, including for future transfers of personal data from the third country or from an international organization to another third country or to another international organization. All the provisions of Chapter 5 of the GDPR will be applied to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined.
15.1.2 The European Commission has the competence to determine, on the basis of Article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection, either through domestic legislation or through international commitments it has undertaken. According to the corresponding decision of the European Commission, personal data may flow from the EU (and from Norway, Liechtenstein, and Iceland) to that third country without any further safeguard being necessary.
15.2 Recipients’/users’ personal data
15.2.1 The Company may transfer the recipients’/users’ personal data to their Processors, who are registered in the European Union, however the transfer of data will be according to the GDPR rules and the adequacy decision, if necessary.
15.2.2 Personal data are transferred for the purposes defined in this document and in the other processing conditions provided by this policy and specified in other documents, in particular in the Personal Data Transfer Policy, which can be found on the site http://www.bere-zaganu.ro.

CHAPTER XVI – Compliance with the GDPR
16.1 The following actions are undertaken to ensure that the Company respects at all times the accountability principle of the GDPR:
• The legal basis for the processing of personal data is clear and unambiguous;
• All employees involved in the processing of personal data understand their responsibilities for complying with good data protection practices;
• Data protection training has been provided to all staff;
• The rules regarding consent are respected;
• routes are available to data subjects who wish to exercise their rights regarding personal data and such inquiries are handled efficiently.
• Regular reviews of procedures involving personal data are carried out;
• Privacy by design is adopted for all new or changed systems and processes.
16.2 These actions are reviewed periodically as part of the data protection management process.
16.3 The Company has developed all internal documents to define roles among staff regarding the processing of personal data within the Company.
16.4 The Company may revise this policy from time to time. If the Company makes substantial changes to this Policy, we will notify you by email or by posting a notice on the site before the effective date of the changes. By continuing to access or use the website after these changes become effective, you agree to the revised policy.
FABRICA DE BERE BUNA S.R.L
By
ALEXANDRU GEAMANU