Privacy Policy

 

  1. DEFINITIONS

1.1. Administrator – Topoloveni City Hall, Calea Bucuresti, no. 111, Arges county.

1.2. Personal data – all information about a natural person identified or identifiable by one or more specific factors that determine physical, physiological, genetic, mental, economic, cultural or social identity, including images, voice recording, contact data, location data, information contained in correspondence, information collected through recording equipment or other similar technologies.

1.3. Policy – ​​this policy for the processing of personal data.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC.

1.5. Data subject – any natural person whose personal data is processed by the Administrator, for example, a person who visits the Administrator’s premises or sends him a question by e-mail.

 

  1. DATA PROCESSING BY ADMINISTRATOR

2.1. In connection with the business activity carried out, the administrator collects and processes personal data in accordance with the relevant provisions, in particular the GDPR, and the data processing principles contained therein.

2.2. The administrator ensures transparency of data processing, in particular, always informs about data processing at the time of collection, including the purpose and legal basis of processing – for example, when concluding a contract for the sale of goods or services. The administrator ensures that the data is collected only to the extent necessary for the indicated purpose and processed only for the period in which it is necessary.

2.3. When processing data, the Administrator ensures their security and confidentiality and access to processing information for the persons concerned. If, despite the security measures used, there has been a violation of the protection of personal data (for example, “data leaks” or losses), the administrator will inform the data subjects about such an event in a manner consistent with the provisions .

 

  1. CONTACT WITH THE ADMINISTRATOR

3.1. The administrator can be contacted, contact form at www.topolovenibikecity.ro, by phone at 0248666259 or in writing to the address of the headquarters.

3.2. The administrator has appointed a data protection officer who can be contacted by e-mail topoloveni@yahoo.com for any problem regarding the processing of personal data.

 

  1. SECURITY OF PERSONAL DATA

4.1. To ensure data integrity and confidentiality, the administrator has implemented procedures that allow access to personal data only to authorized persons and only to the extent necessary, due to the tasks performed by them. The administrator applies organizational and technical solutions to ensure that all operations regarding personal data are recorded and performed only by authorized persons.

4.2. The administrator also takes all necessary actions so that its subcontractors and other cooperating entities guarantee the use of appropriate security measures whenever they process personal data on behalf of the administrator.

4.3. The administrator performs a permanent risk analysis and monitors the adequacy of the data security applied to the identified threats. If necessary, the administrator implements additional measures to increase data security.

 

  1. PURPOSES AND LEGAL BASIS FOR PROCESSING

5.1. WEB SERVICES

5.1.1. Personal data of all persons using the Administrator’s websites (www.topolovenibikecity.ro and websites of the individual city bike systems operated by the Administrator), including IP addresses or other identifiers and information collected through cookies or other similar technologies, are processed:

  1. to provide services in electronic format for the purpose of providing users with content collected on the website – then the legal basis for processing is the need for processing for the execution of the contract (art. 6 para. 1 letter b RODO);
  2. for analytical and statistical purposes – then the legal basis of the processing is the justified interest of the Administrator (art. 6 para. 1 letter f RODO) consisting in performing analyzes of the users’ activity, as well as their preferences for improving the functionalities and services provided;
  3. to be able to establish and declare claims against them – the legal basis for processing is the justified interest of the Administrator (art. 6 par. 1 letter f RODO) consisting in protecting his rights;
  4. for marketing purposes of the Administrator and other entities – the principles of personal data processing for marketing purposes are described in the “Marketing” section below.

5.1.2. The user’s activity on the Administrator’s website, including his personal data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities related to the IT system used to provide services by the administrator). The information collected in the logs is mainly processed for purposes related to the provision of services. The administrator also processes them for technical and administrative purposes, in order to ensure the security of the IT system and the management of this system, as well as for analytical and statistical purposes – in this sense, the legal basis for processing is the legitimate interest of the administrator (art. 6 para. 1 letter f RODO).

5.1.3. The session that the user’s web browser connects to the Administrator’s servers from the moment of connection until the site is disconnected is protected by the TLS protocol. This means that all data, including personal data, is sent using cryptographic security (encryption).

 

5.2. MARKETING

5.2.1. The administrator processes users’ personal data to carry out marketing activities that may consist of:

  1. displaying marketing content to the user that is not tailored to his preferences (contextual advertising);
  2. displaying marketing content relevant to the user’s interests (behavioral advertising);
  3. carrying out other types of activities related to the direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).

5.2.2. In order to implement marketing activities, the Administrator may use profiling in some cases. This means that, thanks to automatic data processing, the Administrator evaluates selected factors related to natural persons in order to analyze their behavior or create a forecast for the future. The legal basis for data processing in this case is the legitimate interest of the administrator (Article 6 paragraph (1) letter (f) of the GDPR).

 

5.3. COOKIES AND SIMILAR TECHNOLOGY

5.3.1. Cookies are small text files installed on the user’s device browsing the site. Cookies collect information that facilitates the use of a website – for example, by remembering the user’s visits to the website and his activities. The legal basis for the processing of this data is the legitimate interest of the administrator (Article 6 paragraph 1 letter f of the GDPR).

5.3.2. The administrator uses cookies mainly to provide the user with services provided electronically and to improve the quality of these services. Therefore, the administrator and other entities that provide him with analytical and statistical services use cookies, store information or gain access to information already stored in the user’s telecommunications terminal equipment (computer, phone, tablet, etc.). The cookies used for this purpose include:

  1. cookies with data entered by the user (session ID) throughout the session (user input cookies);
  2. authentication cookies used for services that require authentication during the session (authentication cookies);
  3. cookies used to ensure security, for example, used to detect authentication fraud (user-centric security cookies);
  4. session cookies of some multimedia players (for example, cookies for the flash player), for the duration of the session (multimedia player session cookies);
  5. persistent cookies used to personalize the user interface for the duration of the session or slightly longer (user interface personalization cookies),
  6. cookies used to monitor website traffic, i.e. data analysis, including Google Analytics cookies (these are files used by Google to analyze how the website is used by the user, to create statistics and reports on website operation) Google Analytics is also used to target behavioral advertising users. Google does not use the collected data to identify you or combine this information to enable identification.
    Detailed information about the scope and rules of data collection in relation to this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.

 

5.4. LOCATION DATA

5.4.1. The mobile applications provided by the Administrator, such as the Nextbike application as well as some websites of the Administrator, such as www.topolovenibikecity.ro may use data about the location of the user’s device (computer, mobile phone, tablet, etc.).

5.4.2. The administrator processes the location data, in particular to provide the user with a map indicating the nearest Nextbike bicycle stations. The user is informed about all other purposes of location data processing in separate information clauses.

5.4.3. The legal basis for the processing of this data is the user’s consent (art. 6 par. 1 letter a RODO) expressed by granting a mobile application or a web browser access to data about the location of the user’s device.

 

5.5. CONTACT FORMS AVAILABLE ON INTERNET SERVICES

5.5.1. The Administrator offers the possibility to contact him using electronic contact forms available on the Administrator’s websites. The use of the form requires the provision of personal data necessary to contact the user and answer the question. The user may also provide other data to facilitate the contact or to manage the query. The provision of data marked as mandatory is necessary to receive and serve the query, and failure to comply with them leads to the impossibility of providing services. The provision of other data is voluntary.

5.5.2. Personal data are processed:

  1. to identify the sender and manage the request or answer a question sent through the contact form – the legal basis for the processing is the legitimate interest of the administrator (Article 6(1)(f) of the GDPR) consisting in enabling the management of requests and the response to questions requested in particular by persons interested in the Administrator’s services;
  2. to monitor and improve the quality of services, including customer service – the legal basis for the processing is the legitimate interest of the administrator (Article 6 paragraph (1) letter (f) of the GDPR) consisting in enabling the improvement of the quality of the services provided by the administrator.

 

5.6. EMAIL AND TRADITIONAL CORRESPONDENCE

5.6.1. In case of sending a message to the administrator by e-mail or traditional correspondence, the personal data contained in this correspondence are processed exclusively for the purpose of communication and resolution of the case to which the correspondence refers.

5.6.2. The legal basis for processing is the administrator’s legitimate interest (Article 6 paragraph 1 letter f of the GDPR) consisting in carrying out the correspondence addressed to him in connection with his business activities.

5.6.3. The administrator only processes personal data relevant to the case to which the correspondence refers. All correspondence is stored in a manner that ensures the security of the personal data contained therein (and other information) and disclosed only to authorized persons.

 

5.7. CONTACT TELEPHONE

5.7.1. In the case of contacting the administrator by telephone, the administrator may request personal data only if it is necessary to deal with the case to which the contact relates. In such a case, the legal basis is the administrator’s legitimate interest (art. 6 para. 1 letter f GDPR) consisting in allowing the requests and answering the questions asked by the persons interested in the Administrator’s services.

5.7.2. Telephone conversations may also be recorded – in which case the appropriate information is provided at the beginning of the conversation. The interviews are recorded to monitor the quality of the service provided and to verify the activity of the consultants. Recordings are available only to employees of the Administrator and persons serving the support of the Administrator. The legal basis of the processing is the administrator’s legitimate interest (art. 6 para. 1 letter f RODO) consisting in allowing the improvement of the quality of the services provided by the administrator.

 

5.8. SOCIAL PORTALS

5.8.1. The Administrator processes the personal data of users who visit the Administrator’s profiles kept in social media (Facebook, YouTube, Instagram, Twitter). This data is processed only in connection with maintaining a profile, including to inform Users about the activity of the Administrator and to promote various types of events, services and products. The legal basis for the processing of personal data by the administrator for this purpose is its legitimate interest (art. 6 para. 1 letter f RODO) consisting in the promotion of its own brand.

 

5.9. VIDEO MONITORING AND ACCESS CONTROL

5.9.1. To ensure the safety of people and property, the manager uses video surveillance and controls access to the premises and the area he manages. The data collected in this way is not used for other purposes.

5.9.2. Personal data in the form of monitoring records and data collected in the entry and exit register is processed to ensure security and order in the premises of the facility and possibly to defend or pursue claims. The basis for the processing of personal data is the Administrator’s legitimate interest (art. 6 paragraph 1 letter f RODO) consisting in ensuring the security of the Administrator’s property and protecting his rights.

 

5.10. RECRUITMENT

5.10.1. As part of the recruitment processes, the administrator expects the transfer of personal data (for example in a resume or resume) only to the extent specified in labor law. Therefore, the information should not be provided at length. If submitted applications contain additional data, they will not be used or included in the recruitment process.

5.10.2. Personal data are processed:

  1. for the fulfillment of the obligations arising from the legal provisions relating to the employment process, including in particular the Labor Code – the legal basis for processing is the legal obligation of the administrator (Article 6 paragraph (1) letter (c) of the GDPR in relation to the provisions of the Labor Code) ;
  2. to carry out the recruitment process in the field of data that is not required by law, as well as for the purpose of future recruitment processes – the legal basis for processing is consent (art. 6 paragraph 1 letter a RODO);
  3. to determine or assert any claims or defend against such claims – the legal basis for data processing is the legitimate interest of the administrator (Article 6 paragraph 1 letter f GDPR).

 

5.11. COLLECTION OF DATA IN CONNECTION WITH THE AVAILABILITY OF THE SERVICES

5.11.1. In the case of data collection for purposes related to the execution of a certain contract, also through the website, the Administrator provides the data subject with detailed information regarding the processing of his personal data at the time of concluding the contract.

 

5.12. DATA COLLECTION FOR OTHER PURPOSES

5.12.1. In connection with its activities, the administrator also collects personal data in other cases – for example, during business meetings, at industry events or by exchanging business cards – for the purpose of initiating and maintaining business contacts. In this case, the legal basis for processing is the administrator’s legitimate interest (Article 6 paragraph 1 point f GDPR) consisting in creating a network of contacts in connection with the enterprise.

5.12.2. The personal data collected in such cases are processed only for the purpose for which they were collected, and the administrator provides them with adequate protection.

 

  1. DATA BENEFICIARIES

6.1. In connection with the performance of operations that require processing, personal data is disclosed to external entities, including suppliers responsible for the operation of IT systems and equipment (for example, CCTV equipment, GPS location services), entities that provide legal or accounting services, couriers, marketing or recruitment. Data may also be disclosed to partners of selected administrators, for example, as part of the implementation of promotional campaigns.

6.2. The administrator reserves the right to disclose selected information about data subjects to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.

 

  1. TRANSMISSION OF DATA OUTSIDE THE SEA

7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European legislation. For this reason, the administrator transfers personal data outside the EEA only when necessary and ensuring an adequate level of protection, mainly by:

7.1.1. cooperation with entities that process personal data in countries for which an appropriate decision of the European Commission has been issued;

7.1.2. the use of standard contractual clauses issued by the European Commission;

7.1.3. application of mandatory corporate rules approved by the competent supervisory authority;

7.1.4. in the case of data transfer to the USA – cooperation with entities participating in the “Shield Privacy” program approved by the decision of the European Commission.

7.2. The administrator always informs about the intention to transfer personal data outside the EEA at the stage of its collection.

 

  1. PROCESSING PERIOD OF PERSONAL DATA

8.1. The period of data processing by the administrator depends on the type of service provided and the purpose of the processing. The data processing period may also result from provisions when it forms the basis of the processing. In the case of data processing based on the administrator’s legitimate interest – for example, for security reasons – the data is processed for a period that allows the implementation of this interest or effectively opposes the data processing. If the processing is based on consent, the data is processed until it is withdrawn. When the processing basis is necessary for the conclusion and execution of the contract, the data is processed until its termination.

8.2. The data processing period may be extended if the processing is necessary to establish or pursue claims or defend against claims and beyond this period – only if and to the extent required by law. After the end of the processing period, the data is irreversibly deleted or anonymized.

 

  1. RIGHTS ASSOCIATED WITH PERSONAL DATA PROCESSING

9.1. Data subjects have the following rights:

9.1.1. the right to information about the processing of personal data – on this basis, the person who submits the request, the administrator provides information about the processing of the data, including mainly about the purposes and legal reasons for the processing, the scope of the data held, the entities to which they are disclosed and the planned date for deletion of data;

9.1.2. the right to obtain a copy of the data – on this basis, the administrator provides a copy of the processed data regarding the person who sends the request;

9.1.3. the right to rectification – the Administrator is obliged to remove any incompatibilities or errors of the personal data that are processed and to supplement them if they are incomplete;

9.1.4. the right to delete data – on this basis, you can request the deletion of data whose processing is no longer necessary to achieve any of the purposes for which they were collected;

9.1.5. the right to limit processing – in the event of such a request, the administrator ceases to carry out operations with personal data – with the exception of operations to which the data subject has consented – and their storage, in accordance with the accepted retention rules or until termination the reasons for data processing (for example, a decision of the supervisory authority to allow further data processing);

9.1.6. the right to transfer data – on this basis – to the extent that the data is processed in connection with the contract or consent concluded – the Administrator issues data provided by the person with whom it relates, in a format that allows them to be read by a computer. It is also possible to request that the data be sent to another entity – however, provided that it is technically possible to do so both on the part of the administrator and the other entity;

9.1.7. the right to object to the processing of data for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such an objection;

9.1.8. the right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data that is based on the justified interest of the Administrator (for example, for analytical or statistical purposes or for reasons related to the protection of property); opposition to this should include a justification;

9.1.9. the right to withdraw consent – ​​if the data is processed based on the expressed consent, the data subject has the right to withdraw it at any time, which, however, does not affect the legality of the processing carried out before the withdrawal of consent.

9.1.10. the right to complain – if it is considered that the processing of personal data violates the provisions of the GDPR or other provisions on the protection of personal data, the data subject may submit a complaint to the president of the Office for the Protection of Personal Data.

 

9.2. COMPLIANCE WITH REQUESTS REGARDING THE EXERCISE OF RIGHTS

9.2.1. A request can be submitted regarding the exercise of the rights of the persons concerned:

  1. in writing to the following address: Topoloveni City Hall, Calea Bucuresti, no. 111, Arges county
  2. by e-mail to the following address: topoloveni@yahoo.com

9.2.2. If the administrator cannot identify the applicant, it will ask the applicant for additional information.

9.2.3. The application can be submitted in person or through an agent (for example, a family member). For reasons of data security, the administrator encourages the use of a power of attorney in a form certified by a notary public or a legal advisor or a lawyer, which will significantly speed up the verification of the authenticity of the application.

9.2.4. A response to the request must be given within one month of receipt. If it is necessary to extend this period, the administrator informs the applicant about the reasons for the delay.

9.2.5. The response is given by traditional mail, unless the request was sent by email or a response was not requested electronically.

9.2.6. The data subject can also independently correct or update his personal data, as well as withdraw previously expressed consents to the processing of personal data and transfer marketing information, using the websites of the administrator. To do this, log in to the website (eg www.topolovenibikecity.ro), go to the “User Settings” tab and make the appropriate changes.

 

9.3. CHARGE RULES

9.3.1. The application procedure is free. Fees may only be charged for:

  1. submitting a request for the second and subsequent copies of the data (the first copy of the data is free); in this case, the administrator may request the payment of additional costs.
  2. submission of excessive (eg extremely frequent) or manifestly unjustified requests by the same person; in this case, the administrator may request the payment of additional costs.

9.3.2. If the decision to impose a fee is in doubt, the data subject can send a complaint to the president of the Office for the Protection of Personal Data.

 

  1. CHANGES TO THE PERSONAL DATA PROCESSING POLICY

The policy is constantly reviewed and updated as necessary. The current version of the Policy was adopted on May 23, 2018