The operator: Covers Systems SRL Company, based in Timisoara, Calea Aradului no 48 C, Hall Nr 10, Office 3, Timis County, registered at the Trade Register Office near the Valcea Tribunal under number J35/1374/2020, having Identification Code Prosecutor's Office: RO42621976.
1. Company commitment
1.1 The protection and security of personal data are important for the Company, so its activities are carried out in accordance with the applicable legislation on data protection and security. Providing guarantees regarding the security, protection and confidentiality of data, including personal data, ensuring confidence in the quality of the services provided and ensuring a stable business environment are fundamental elements of the company's activity.
Therefore, the company, through its activities, assumes responsibilities towards employees, clients and collaborators, based on confidentiality, protection and security, ensured by applying and observing the laws and norms applicable at national and European level and by implementing and applying its own security policies regarding personal data protection and corporate security. Thus, this Security Policy aims to ensure the appropriate level of security regarding the way personal data (DCP) are collected, stored and processed, and is prepared in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
1.2 The security policy shows how this information is collected and used, the purpose of the collection and processing, as well as the conditions of use of personal information.
2. The principles of personal data collection and processing
2.1 Personal data are processed in good faith, on the basis and in accordance with the legal provisions.
2.2 Personal data are collected only for well-defined, explicit and legitimate purposes, and subsequent processing will not be incompatible with these purposes.
2.3 Personal data are not stored for longer than is required for the purposes for which they were collected.
2.4 The Company will take all appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, modification, disclosure or unauthorized access, in view of the purpose for which they are collected and for which they will be processed.
3. Categories of personal data processed by the Company
3.1 In fulfilling its object of activity, the Company collects, processes and stores, with the consent of the data subjects, or under the legal provisions regarding the establishment and functioning of companies, based on the contracts concluded or for the purpose of concluding commercial contracts, the following categories of data:
a) the personal information provided by the client / provider who is a natural person, or by the natural person representing the client / provider that is a legal person, necessary to identify the client / supplier in order to conclude commercial contracts:
- name, surname
- data from the identity card of the resident natural person (series, number, CNP, home address)
- passport data (series, number, home address) for non-residents
- email address, other mailing addresses
- phone numbers
- signature
b) personal information necessary to conclude and execute individual employment contracts and for human resources management:
- name, surname
- data from the identity card of the resident natural person (series, number, CNP, home address)
- passport data (series, number, home address) for non-residents
- email address, other mailing addresses
- phone numbers
- profession, qualification / professional training
- employment history / professional background
- the information provided by the GPS installed on a car
- information on how to use a computer
- bank account
- signature
- revenue data
c) personal data of shareholders who are natural persons, necessary to keep the Register of shareholders and to exercise this quality within the company:
- name, surname
- data from the identity card of the resident natural person (series, number, CNP, home address)
- passport data (series, number, home address) for non-residents
- email address, other mailing addresses
- phone numbers
- bank account
- signature
- data regarding the contribution of the shareholder within the company (type of contribution, amount of contribution, date of subscription, date of payment, etc.)
- data on the share of profit and loss
- data regarding the rights and obligations of the shareholder
- information regarding the participation and how to vote in the general meetings (date of participation, place of participation, how to vote)
- data on the income obtained by the shareholder from the company (e.g. the amounts paid, their amount, the date of payment, their nature, etc.)
d) personal data of the administrator who is a natural person, necessary to exercise this quality within the company:
- name, surname
- data from the identity card of the resident natural person (series, number, CNP, home address, etc.)
- passport data (series, number, home address, etc.) for non-residents
- email address, other mailing addresses
- phone numbers
- bank account
- signature
- data on professional experience
- data regarding the rights and obligations of the administrator
- information on how to perform the function
- revenue data
3.2. The company processes health data exclusively for the purpose of fulfilling the obligations and exercising specific rights of the company or of the data subject in the field of employment and social security and social protection.
3.3. The company does NOT collect and store information regarding special categories of data, respectively personal data that reveals racial or ethnic origin, political opinions, religious confession or philosophical beliefs or membership of unions and does NOT process genetic data, biometric data for the unique identification of a natural person, or data on the sexual life or sexual orientation of a natural person.
4. Purpose of processing personal data
4.1 The Company will collect, use and process personal data both directly, by obtaining the consent of the data subjects, by entering into commercial contracts, service contracts, individual employment contracts or other contracts necessary or appropriate for the realization of the object of activity, and as a recipient, through the commercial partners who have previously obtained the agreement of the persons concerned.
4.2 The personal data are intended for use by the Company, but they can be provided to business partners only if this is considered necessary in the context of the delivery / purchase of goods or the purchase / provision of services.
4.3 Personal data of employees are collected, processed and stored in order to conclude and execute individual employment contracts, in accordance with the provisions of labor law, for the purpose of managing human resources and ensuring employment relationships (Revisal records, salary payments and compulsory social contributions, archiving, etc.).
4.4 The personal data of shareholders who are individuals are required to keep the Shareholders' Record Register.
5. Coverage of minimum security requirements
5.1 Restricted access to the database
Access type
Users only access the personal data required to perform the service duties. For this purpose, user roles are established, and each user role has access only to the data required to perform the job duties.
Users have the following specific obligations:
- to know and apply the provisions of the normative acts in the field of the processing of personal data, as well as of the present Security Policy;
- to inform the data subject, when the personal data are collected directly from them, according to the law, regarding: the identity of the operator, the purpose for which the data are processed, the eventual recipients of the data, the obligation to provide all the requested data and the consequences of refusing to make them available, the rights provided by the law, in particular the rights of access, intervention on data and opposition, and the conditions under which these rights can be exercised;
- to process only the personal data necessary for the fulfillment of the duties of the service and to give support to the operator's manager for carrying out his specific activities;
- to maintain the confidentiality of the processed data, of the account user interface, and of the password / access code to the computer systems / databases through which personal data are managed;
- to comply with the security measures, as well as the other rules established by the operator;
- to inform the management of the company immediately about circumstances that may lead to unauthorized dissemination of personal data, or about a situation of which they became aware in which personal data were accessed / processed in violation of legal rules.
Programmers of personal data processing systems do not have access to personal data; programmers' access to personal data is allowed only after the data have been transformed into anonymous data. The department that provides technical support has access to personal data for solving exceptional cases. Anonymous data are used for training users or for presentations.
5.2 User identification and authentication
In order to gain access to a personal database the user must identify himself. The identification is done on the basis of a unique username, so that multiple users never have the same username. A user authenticates by entering a password that must meet the following complexity criteria:
- must have at least 6 characters, of which at least one must be a number.
When passwords are entered, they are not displayed in clear on the monitor. The user accounts are managed by an authorized person who has the right to revoke or suspend an identification and authentication code if the user has resigned or was terminated, has concluded his contract, has been transferred to another service where the new tasks do not require access to personal data, or has abused the received codes. Access to personal databases to make manual changes is granted only to persons approved by the company management according to the job description.
5.3 Data collection
Data collection is done by direct entry by authorized personnel, and any modification of personal data can be done only by authorized users. The information system records who made the change and the date and time of the change. The information system maintains a history of deleted or modified data.
5.4 Backup
The backups of the personal databases and of the programs used for the automated processing are executed daily by specialized personnel. The backups are stored in other rooms, in metal cabinets with an applied seal, and access to the backups is monitored.
5.5 Computers and access terminals
Access to computers and other access terminals is only through a username and password. If the user does not perform any action within the application for a period of 5 minutes, the working session expires automatically. Servers that host databases containing personal data can only be accessed in a controlled manner and are housed in locked rooms.
5.6 Access files
Any access to the personal database is recorded in an access file (called a log). The information registered in the access file is: the identification code, the name of the accessed file, the code of the executed operation or the program used, the access date (year, month, day) and time (hour, minute, second). Any attempt at unauthorized access is also recorded. The company keeps the access files for at least 2 years, for use as evidence in case of investigations. If investigations are prolonged, these files will be kept for as long as deemed necessary. The access files make it possible for the operator or the authorized person to identify the persons who have accessed personal data for no particular reason, in order to apply sanctions or to notify the competent bodies.
5.7 Staff training
Within the training courses for users, they are informed about the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of these data, about the minimum security requirements for the processing of personal data, as well as about the risks involved in the processing of personal data. Users who have access to personal data are trained on the confidentiality of those data.
5.8 Using computers
In order to maintain the security of the processing of personal data (especially against computer viruses) the following measures are taken:
- prohibiting the use by users of software programs that come from external or dubious sources;
- informing users about the danger regarding computer viruses;
- implementation of automatic systems for virus detection and security of computer systems.
5.9 Data printing
Printing of personal data is performed only by users authorized for this operation; there are specific internal procedures regarding the use and destruction of these materials.
6. Additional security measures
6.1 If the disclosure of data is required by law, the company, through the legal representative, will ensure that the third party requesting the disclosure acts in accordance with the legal provisions and is authorized to request the disclosure.
6.2 Servers that maintain databases are protected by antivirus software and a firewall that update their signatures at regular and short intervals.
6.3 When accessing data through a web interface, an HTTPS security certificate is used - GeoTrust.
6.4 When accessing data through an API, authentication is done, in addition to the user and password, using a secure key.
6.5 If an error occurs or the equipment fails, the company has both its own qualified personnel and specialized external assistance, which can intervene.
7. Rights of persons whose personal data are collected and / or processed
The data subject has the rights provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, namely: the right to information, the right of access to the data, the right to intervene on the data, namely restriction, rectification and deletion, the right of opposition, the right not to be subject to an individual decision, which can be exercised by a written request addressed to the Company.
Without prejudice to the possibility of complaining to the supervisory authority, the data subjects also have the right to go to court for the defense of any rights guaranteed by law which have been violated. Any person who has suffered an injury as a result of the processing of personal data, carried out illegally, can apply to the competent court for redress.
8. Other provisions
This Security Policy is a statement of the principles regarding the processing of personal data, in accordance with the relevant legislation and is mandatory for all departments of the Company.