1. Introduction
1.1. Premises
When you use this website, you entrust us with your information. The purpose of this Privacy Policy is to explain to you what data we collect, why we collect it and what we do with it.
This information is important. We hope you will read it carefully.
Through this policy, FRAGILE SOCIETY ASSOCIATION undertakes to respect the confidentiality of the personal data of any user who accesses this website, according to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council issued on April 27, 2016 on protection with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), published in the Official Journal of the European Union no. L 119/1 of 04.05.2016 (hereinafter referred to as GDPR), in conjunction with the provisions of the other acts applicable to the protection of personal data (Law no. 102/2005, amended and supplemented, Law no. 190/2018, Law no. 506/2004, Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016, Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002).
To the extent that users will be required to provide any information regarding their personal data, they will do so voluntarily.
ASOCIAȚIA FRAGILE SOCIETY is not responsible for unsolicited personal data that it receives.
According to art. 4 GDPR “Operator” means the person or legal entity, public authority, agency or other body that, alone or together with others, establishes the purposes and means of personal data processing; when the purposes and means of processing are established by Union law or domestic law, the operator or the specific criteria for its designation may be provided for in Union law or domestic law.
1.2. Information about the Operator
ASOCIAȚIA FRAGILE SOCIETY has its registered office in Voroneț Street, No. 18, Bl. A22, Sc. 2, Ap. 27, Sector 3, Bucharest, tax registration code no. 44848500, having account no. RO12INGB0000999911938000 opened at ING BANK. ASOCIAȚIA FRAGILE SOCIETY will hereafter be referred to as the “Operator” within the meaning of the GDPR definition mentioned above.
2. Definitions of terms and applicable notions
2.1. The GDPR relates in particular to the processing of personal data by operators.
2.2. Main terms, defined by art. 4 GDPR:
2.2.1. “Personal data” means any information regarding an identified or identifiable person (“data subject”); an identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity.
2.2.2. “Processing” means any operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
2.2.3. “Consent of the data subject” means any manifestation of the free, specific, informed and unambiguous will of the data subject by which he accepts, through a statement or an unequivocal action, that the personal data concerning him be processed.
2.2.4. “Personal data security breach” means a security breach that results in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data transmitted, stored or otherwise processed or in unauthorized access to these.
3. Principles and purpose of processing
The processing of all personal data must be aligned with the principles defined in the regulation. For the implementation of the GDPR, it is important to understand the principles that are stated in Article 5 of the GDPR. As these principles form the basis of GDPR requirements, they must be made known and understood by the Operator’s members, volunteers and collaborators.
- Personal data are processed in a legal, fair and transparent manner (“legality, fairness and transparency”). The operator will not carry out processing that is not legitimate. It will also demonstrate transparency regarding the processing of personal data and inform the data subject openly and transparently.
- Personal data are collected for specific, explicit and legitimate purposes and are not further processed in a manner incompatible with these purposes (“purpose limitations”). The processing of personal data must be limited to the legitimate purpose for which it was originally collected from the data subject. It is forbidden to process personal data outside the legitimate purpose for which they were collected.
- Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”). When collecting personal data, only the personal data necessary to fulfill the purpose for which the collection was made may be requested.
- Personal data are accurate and, if required, updated. The operator takes the necessary measures to ensure that personal data that are inaccurate, given the purposes for which they are processed, are deleted or rectified without delay (“accuracy”).
- Personal data are kept in a form that allows the identification of the data subjects, for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed (“legal storage limitations”). The operator will establish the retention period for each set of personal data. After the storage period expires, the data will be deleted.
- Personal data are processed in a way that ensures adequate security of personal data by taking appropriate technical or organizational measures (“integrity and confidentiality”).
- The operator is responsible for complying with the above principles and can prove the fulfillment of this obligation (“responsibility”).
Personal data will be processed only in case of the existence of one of the legal grounds presented in art. 6 para. (1) of the GDPR.
These grounds that establish the legality of the processing are:
- Consent of the data subject.
- Processing necessary for the conclusion or execution of a contract.
- Processing necessary to fulfill a legal obligation.
- Processing necessary to protect the vital interests of the data subject or another natural person.
- The processing necessary for the performance of a task that serves a public interest or that results from the exercise of the public authority with which the operator is vested.
- The processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail that require the protection of personal data, in particular when the data subject is a child.
The legal basis on which the processing is carried out must be chosen correctly before collection for that processing begins.
This website uses the Google Analytics system, which is a web traffic analysis service provided by Google Inc (hereinafter “Google”).
The information generated by cookies after accessing this website is transmitted to Google and stored in Google’s servers and IT systems which may be located in the EU and outside the EU, including in the USA. Google uses this information to track the visitors of this website, to examine its use, to create summaries of website visits for website administrators and to provide other services related to website activities and internet usage. At the same time, Google has the possibility to transmit this information to third parties if this is required by the legislation in force applicable in the case or if these third parties process the above-mentioned information on behalf of Google. By using this website, visitors agree to the processing of their browsing data by Google for the fulfillment of the above objectives and by using the previously mentioned means.
For additional details related to the processing of personal data by Google Analytics, interested persons can access the Google privacy page available at the web address: https://support.google.com/analytics/topic/2919631?hl=ro&ref_topic=1008008.
To prevent Google from processing cookies resulting from accessing this website, interested persons can download and install the Google plug-in available at the web address: https://tools.google.com/dlpage/gaoptout.
4. Our Commitment to Privacy
4.1. Our policy regarding the protection and security of personal data is to process only the personal data that is necessary for us to carry out the activity, which involves, among other things, the administration in the best conditions of this website, and to request the persons concerned to communicate to us only those personal data strictly necessary to fulfill these purposes.
4.2. We make efforts to protect this website, the services offered through it, as well as the personal data of users that are collected through this website, against unauthorized access or unauthorized modification, disclosure or destruction of the information it holds.
4.3. We will never divulge/sell confidential information to unauthorized third parties and will ensure by means at our disposal that this information is secure.
4.4. Whenever we collect personal data, the purpose of collection is information about our projects, collaborators, beneficiaries and beneficiary organizations of our projects, creating fundraising pages or donation forms, making online and offline donations and statistics regarding the use of this website.
4.5. We will take all necessary measures to protect the security of information voluntarily provided by users and will not communicate said information to any other entity, natural or legal person, except where disclosure is permitted/required by applicable law.
4.6. We inform you that any data subject, whose personal data is collected as a result of accessing this website, has, according to art. 12 of the GDPR, the following rights:
The right to information
This right gives the data subject the opportunity to request information from the Operator regarding the personal data it processes and collects in relation to the data subject, as well as the purpose of that processing/collection. For example, a customer can request the list of proxies to whom this personal data is transferred.
The right of access
This right gives the data subject the possibility to have access to his personal data that is processed by the operator. This request gives data subjects the right to see or view their personal data, as well as to request copies of their personal data.
Therefore, if you would like to obtain a copy of the personal information we hold about you, please send us a written, dated and signed request by any of the methods below:
- by post/courier, to the Operator’s correspondence address in Bucharest, Voroneț Street, No. 18, Bl. A22, Sc. 2, Ap. 27, Sector 3;
- or by e-mail to the address: asociatiafragilesociety@gmail.com.
Before we respond to your request, we may ask you to confirm your identity and provide additional details about your request. We will respond to you as soon as possible and in any case within the time limits required by law.
The right to rectification
This right gives the data subject the possibility to request changes to his personal data, if the data subject considers that this personal data is not updated or accurate.
The right to withdraw consent
This right gives the data subject the possibility to withdraw a previously granted consent to the processing of his personal data for a specific purpose. This situation is applicable when the processing is based on one of the following provisions of the GDPR:
- article 6 paragraph (1) letter (a): “the data subject has given his consent for the processing of his personal data for one or more specific purposes”;
- article 9 paragraph (2) letter (a): “the data subject has given his explicit consent to the processing of this personal data for one or more specific purposes, unless Union law or domestic law provides that the prohibition provided for in paragraph (1) cannot be lifted with the consent of the person concerned”.
None of these situations affect the legality of the processing carried out on the basis of consent before its withdrawal. In other words, processing prior to the modification or, as the case may be, the withdrawal of consent remains legal.
You can modify or withdraw your consent at any time by sending a written, dated and signed request to the Operator either at its mailing address in Bucharest, Voroneț Street, No. 18, Bl. A22, Sc. 2, Ap. 27, Sector 3, or by e-mail to the address: asociatiafragilesociety@gmail.com. Upon receipt of a request to this effect, the Operator will cease the respective processing, except in situations where there is a legal reason or a legitimate interest of the Operator not to do so.
The right to object
This right gives the data subject the possibility to object to processing including automated processing and profiling.
The right to data erasure (“the right to be forgotten”)
This right gives the data subject the possibility to request the erasure of his personal data. The operator is obliged to comply with the request without undue delay and within a maximum of 30 days from the date of the request. If there is a legal basis given by local or Union law, the data subject will be informed of this and only those data that are subject to these laws will be kept.
The right to data portability
This right gives the data subject the possibility to request the transfer of his personal data to another operator.
The right not to be subject to an automatic decision
This right gives the data subject the possibility to oppose a processing that may lead to the taking of automatic decisions.
The right to submit a complaint to the competent national authority in the field of personal data protection (ANSPDCP)
Any complaint by data subjects regarding the violation of the GDPR will be documented and registered by the Customer Relations department in the GDPR request/complaint record file, and the management of the Operator will be informed. The resolution of the request/complaint will be communicated to the person concerned using the e-mail address of the Operator (asociatiafragilesociety@gmail.com). If the data subject requests another means of communication (not via e-mail), then an alternative form of communication and transmission of the Operator’s response to the data subject’s petition will be agreed with the data subject.
The control of the complaints and requests of the persons concerned will be carried out monthly by the operator responsible for internal control. The verification will consist of analyzing the requests/complaints and verifying their resolution together with the people involved in this process. The deadline for resolving the complaints and requests of the persons concerned is a maximum of 20 days from the date of registration of these petitions.
The contact details of the competent national authority in the matter of personal data protection are as follows: National Authority for the Supervision of Personal Data Processing (ANSPDCP), with headquarters in Bucharest, B-dul General Gheorghe Magheru no. 28-30, Sector 1, postal code 010336; telephone: 031/8059211; fax: 031/8059602; e-mail: anspdcp@dataprotection.ro; website: https://www.dataprotection.ro/.
5. Information We Collect
5.1. We collect information to provide better services to all our users.
5.2. This website collects personal data in the following ways:
Directly from you – by filling in information in the forms on the website (comments, contact, newsletter registration, fundraising page creation, online donation, etc.)
Automatically – through your use of this website, that is, through automatic methods of detecting the device or connection used to access it:
Device information
This information includes for example your IP address, browser type and version, browser plug-in types and versions, system and operating platform.
Log information
When you use our services, we automatically collect and store certain information in server logs.
Location information
We use various technologies to determine location, including IP address, GPS signal transmitted through your browser or other sensors.
Cookies and similar technologies
We and our partners use various technologies to collect and store information when you access a Service, and this may include the use of cookies and similar technologies to identify your browser or device.
5.3. The personal data processed following access by the data subject to this website are as follows:
- the name and surname of the person concerned, e-mail address, telephone;
- IP address;
- online visit duration;
- pages visited;
- time spent on each page;
- search queries;
- the date and time of the data subject’s request;
- access details (URL used to access the website);
- the type of browser used;
- the language;
- the type of operating system used;
- the version of Flash and JavaScript support used;
- screen resolution;
- color processing capacity;
- the location of the network from which this website is accessed (in the case of traffic monitoring on this website, as well as in the case of the processing of the use of strictly necessary cookie files, as well as functional and marketing files).
5.4 In order to make donations through the fundraising tools made available by the Association, it is necessary to fill in some fields with the following personal data:
- Name and surname
- Email address
- Amount donated
5.5. In the aforementioned cases, the Association, as a personal data operator, undertakes to comply with the following duties including, but not limited to:
5.5.1 Ensuring the ability to respect the rights of data subjects, respectively, the data subject’s right of access to the data collected about him, the right to rectification, the right to delete data (the right to be forgotten), the right to restrict processing, the right to data portability, the right to opposition and the right to petition;
5.5.2 Informing all relevant recipients in the event of a data security breach, within 72 hours of becoming aware of the occurrence of the event;
5.5.3 Fulfillment of all mandatory duties regarding the documentation of compliance with EU Regulation 679/2016 of the European Parliament and of the Council.
5.6. The Association will process the personal data of its own employees, exclusively within the limits of the execution of the Individual Employment Contract and, as the case may be, of the Collective Employment Agreement at unit level, as well as within the limits of the provisions of the Internal Order Regulation valid at the Association level. Any additional processing or for a purpose other than the execution of the Contract is subject to a separate data processing agreement.
5.7. The Association’s policy regarding the protection and security of the personal data of its own employees is to collect only the personal data necessary in the contractual employment relations with them. In this sense, the Association requests its employees to communicate personal data only where it is strictly necessary for these purposes. The personal data that the Association processes regarding its own employees are mainly the information that they provide at the time of employment, supplemented later with information generated by the execution of the Individual Employment Contract and, as the case may be, the Collective Employment Agreement at unit level, as well as within the limits of the provisions of the Internal Order Regulation valid at the level of the Association.
5.8. The personal data mentioned above may be made available or transmitted to third parties, respectively: central and local public authorities and institutions, auditors or control institutions / organizations regarding the activities or assets of the Association or other entities in order to fulfill certain legal requirements or to protect the rights and legitimate interests of the Association or its assets.
5.9. The employees of the Association have the obligation to process, in compliance with the provisions of Regulation (EU) no. 2016/679 and the relevant national legislation, the personal data obtained in the exercise of service duties.
5.10. The employees of the Association are prohibited from providing third parties with the personal data of which they are aware in the exercise of their work/service duties, within the limits of the execution of the individual employment contract and, as the case may be, of the collective employment contract at the entity level, unless the provision of this data constitutes an obligation established by the legislation in force.
5.11. Considering the express provisions of the GDPR regarding the importance of complying with personal data processing procedures, the violation by any employee of the Association of the obligation to comply with the rules on data protection constitutes a serious disciplinary offense, which may result in the most severe disciplinary sanction from the first offense of this kind.
6. How we use the information we collect
6.1. We use the information we collect from all our services to provide, administer, protect and improve the services, to develop new ones and to protect this website, its administrators and users. We also use this information to provide you with personalized content, such as more relevant search results and ads.
6.2. When permitted by law, we may combine this information we receive from other sources, including social media, with information you provide to us and information we collect about you, including your to the cookie modules.
6.3. We may use this information and combine the information to learn more about your preferences as a customer, to improve your user experience on this website, and to provide you with information, content and offers tailored to your needs.
In addition to the situations above, we may use your information in the following situations:
- To respond to your questions and requirements;
- To process transactions related to online donations;
- To comply with legal requirements for operating online donations;
- To send announcements regarding technical situations;
- To detect, investigate and prevent activities that may be contrary to our policies or that are illegal in nature.
7. Information We Share
Personal data processed by us will not be sent to other parties outside our organization except in the following situations:
7.1. With your consent
We will share personal information with companies, organizations or individuals outside our organization when we have your consent to do so or when our association has a legal obligation to do so.
7.2. To provide online payment processing services
As appropriate, we may transmit or provide access to certain of your personal data to suppliers or partners in order to provide you with the services you have opted for. These may include the following categories of recipients:
- courier service providers;
- payment/banking service providers (e.g. online payment processor).
The third parties to whom we provide your personal data assume full responsibility for their use in accordance with the legal regulations in force.
7.3. For legal reasons
When we believe in good faith that access, use, retention or disclosure of that information is reasonably necessary for:
- compliance with applicable law, regulations, legal procedure or enforceable government requests;
- the implementation of the Terms and Conditions in force, including the investigation of their possible violations;
- detecting, preventing or otherwise combating fraud, security or technical problems.
8. Information Security
8.1. We strive to protect this website, our services and our users from unauthorized access or unauthorized modification, disclosure or destruction of the information we hold.
8.2. We have implemented appropriate physical, administrative and technical procedures that are reasonably designed to protect and secure the information collected online. The security procedures used during the collection, transmission and storage of personally identifiable information include data encryption, firewalls, data use and access limitation and physical access control.
8.3. However, despite our diligent efforts, no commercial method of information transfer over the Internet or electronic data storage is 100% guaranteed, and we cannot guarantee such absolute security.
9. Third Party Services and Links
To provide our services we use services provided by third parties. These include:
Traffic analysis and monitoring
The applications are used to monitor and analyze user behavior on the website. The information is used to improve the services.
These services do not have access to your name or other personal information. For this purpose we use: Google Analytics.
Online payment processing
For users who wish to support the Operator through online donations we use integration with the online Stripe payment processor.
On the website www.stripe.com you can consult their Privacy Policy.
Newsletter applications
For users who have opted to receive newsletter information, we use dedicated services:
- MailChimp service. For additional information, you can also consult MailChimp.com’s Privacy Policy http://mailchimp.com/legal/privacy/
10. Retention of processed personal data
10.1. Personal data is kept as long as the purpose for which it was collected is valid or as long as it is required by the legislation in force.
10.2. The operator establishes a term in which the data will be kept after the expiry of the purpose for which they were collected in order to be able to respond to any complaints of the data subjects.
10.3. If the data subject requests the deletion of personal data belonging to him, the request will be registered immediately. In the settlement process, the existence of the legal requirements for maintaining this data will be verified. If they exist, only those data that are necessary will be kept, and the data subject will be informed of this.
10.4. The information will state the retention period according to the legal provisions, as well as the right of the data subject to file a complaint with the supervisory authority if they dispute this. If there is no legal requirement, the data will be deleted and the data subject will be informed of this.
10.5. Requests to delete personal data will be resolved within a maximum of 30 days.
10.6. At the request of the data subjects, their personal data can be transferred to another operator in the shortest possible time (no more than 30 days) and will be deleted if there is no legal basis for their retention.
Useful links
Useful information regarding the implementation of the GDPR, as well as the rights of the data subject whose personal data is processed by the Operator, can be obtained by accessing the following websites:
- https://ec.europa.eu/info/law/law-topic/data-protection.ro (European Commission website)
- https://dataprotection.ro (website of the National Authority for the Supervision of Personal Data Processing)
- https://anpc.ro/ (the website of the National Authority for Consumer Protection).
For any other information regarding the processing of personal data, any person concerned can send us an e-mail at the address: asociatiafragilesociety@gmail.com.
Last updated: October 12, 2022