Personal Data Protection Policy
On 25 May 2018, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, GDPR) becomes applicable.
Its main purpose is to increase the level of protection of personal data and to create a climate of trust in which individuals control their own data.
Through this document, the Personal Data Protection Policy, we inform you how we protect your personal data and how we comply with the provisions of the Regulation.
Who is CHML?
CHML Web Services SRL (“CHML”) is a Romanian legal entity, established and operating under Romanian law. CHML has its registered office and place of business in Bucharest, Calea Rahovei nr. 266 – 268, Corp 2, Ground Floor, Room 11; it is registered with the National Office of the Trade Register under number J40/12312/2002, with unique registration number 15058531 and fiscal attribute RO.
How can you contact us?
For any complaint regarding personal data processed by CHML you can contact us in writing at the address of the head office, by phone at +184.108.40.206.998, by email at firstname.lastname@example.org or via the ticketing system accessible from the customer account.
What personal data does CHML process?
Personal data is information relating to a natural person who can be identified, directly or indirectly.
CHML processes the following categories of data:
– identification data: name, surname, CNP (personal numeric code), series and number of identity card, home address, mailing address, e-mail, telephone (landline, mobile, fax), online identifier (IP address);
– bank information: bank and branch, IBAN code.
The principle on which we collect and process this data is that we only ever request the minimum amount of personal data necessary to perform the contract and to fulfil our legal obligations.
What does it mean that CHML processes personal data?
Processing means operations such as collecting, recording, organizing, storing, modifying, retrieving, consulting, using, transmitting, combining, blocking, restricting, deleting, destroying, archiving personal data.
Who owns the personal data processed by CHML?
CHML processes personal data relating to its customers and employees.
In the case of corporate clients, CHML processes the personal data of the client’s contact persons.
The natural persons whose personal data are processed are referred to as “Data Subjects”.
Where does CHML obtain personal data?
In the case of individual customers, the data is obtained directly from the customer.
In the case of corporate clients, the data is obtained from the client’s authorised representatives.
CHML does not obtain/collect personal data from third parties.
For what purposes does CHML process personal data?
The purposes for which CHML processes personal data are:
- provision of hosting and related services
- registration and administration of internet domains
- registration of SSL certificates
- contacting the customer/other data subject via communication means in order to solve technical support requests
- invoicing of services rendered
- customer account management
On what grounds does CHML process personal data?
CHML processes your personal data for the purposes mentioned above on the following grounds:
- for the performance of the contract to which the client/data subject is a party. The contract may be concluded in writing or online, in which case it is signed by the customer by accepting the Terms and Conditions of the provision of services.
- legitimate interest
To whom do we transmit your personal data?
For the vast majority of services provided by CHML, personal data is not transmitted to third parties.
In the case of registration and maintenance services of internet domains, we will transmit personal data to the company Hostvision SRL, located at str. G-ral Eremia Grigorescu 87, 400304 Cluj-Napoca, Romania.
In the case of SSL certificate issuance services, we will transmit personal data to LEX Media Concepts S.R.L., based in Bucharest, Sector 6, Bd. Iuliu Maniu nr. 57, bl. OD16, sc. E, ap. 184.
CHML does not directly transmit personal data outside the European Union.
How long does CHML process personal data?
In order to achieve the aforementioned purposes, personal data will be processed by CHML throughout the contractual relationship and after its termination in order to comply with the applicable legal obligations in the field, including but not limited to archiving provisions.
What are your rights and how can they be exercised?
The data subject has the following rights:
- Right to information – the right to receive detailed information on the processing activities carried out by CHML, as set out in this document;
- Right of access – you can request and obtain confirmation as to whether or not your personal data is being processed by CHML, and if so, you can request access to it and to certain information. Upon request, CHML will also issue a copy of the personal data processed free of charge;
- Right to rectification – the right to have inaccurate personal data rectified and incomplete data completed;
- The right to erasure of data (“right to be forgotten”) – in situations expressly regulated by law (in particular in the case of withdrawal of consent or if it is established that the processing of personal data was not lawful), you may obtain the erasure of such data. Following such a request, CHML will proceed to delete the data, except in cases provided for by law.
- The right to restrict processing – in situations expressly regulated by law (in particular if the inaccuracy of the data is contested for the period necessary to determine this inaccuracy or if the processing is unlawful, and it is not desired to delete the data, but only to restrict it);
- Right to object – you may object at any time, for reasons relating to your particular situation, to processing based on the legitimate interest of CHML.
- Right to data portability – you may receive your personal data in a structured, commonly used, machine-readable format or request that the data be transferred to another controller.
- The right to lodge a complaint – you may lodge a complaint about the way CHML processes your personal data with the National Supervisory Authority for Personal Data Processing;
- Right to withdraw consent – where processing is based on consent, consent may be withdrawn at any time.
- Additional rights related to automated decisions used in the process of providing CHML services – where CHML makes automated decisions in relation to personal data, the data subject may (i) seek and obtain human intervention with respect to such processing, (ii) express his or her views on the processing and (iii) challenge the decision.
The client may exercise these rights, either individually or cumulatively, by sending a written request, dated and signed, to the CHML headquarters in Bucharest, Calea Rahovei 266 – 268, Corp 2, Ground Floor, Room 11, Sector 5, postal code 050912, by Fax +220.127.116.11.997 or by E-mail: email@example.com.
Automated decision-making processes
CHML does not use automated decision-making processes and does NOT create profiles exclusively by automated means that result in decisions being made about the customer.
How do we apply GDPR to minors?
CHML does not offer services to minors under the age of 18 and does not collect personal data on minors.
Recording telephone calls
With the consent of the customer/data subject given prior to each telephone call, CHML may record and store telephone calls to/from the CHML switchboard. CHML will use this information exclusively for the purpose of investigating certain situations, to prove certain operations/instructions/agreements given by the Client/other data subject, to use it as evidence in court in case of a dispute, and to improve its services.
Video surveillance
In order to ensure a high level of security appropriate to the data centre activity, the server room operated by CHML is video monitored. This location carries appropriate markings with specific video recording symbols, followed by the message “Video Surveillance Area”.
How do we protect personal data?
For the security of personal data, CHML has implemented a number of security measures that are in line with industry standards.
CHML Web Services SRL’s information security and privacy statement
1. General note
CHML Web Services SRL is committed to protecting the security and privacy of all customer data, and employee data.
Our information security and protection programme is based on ISO/IEC 27001 (information security management) and ISO/IEC 29100 (privacy framework) and follows a risk-based approach encompassing people, processes and technologies. The Information Security (IS) team at CHML Web Services SRL is dedicated to data protection and reports directly to the company’s management.
2. Information security measures for the protection of personal data
Information security policies
– set of rules for information security, approved by the company’s management, published and communicated to employees and relevant external parties.
Review of information security rules
– To ensure effectiveness and continued appropriateness, we review our information security rules at planned intervals or when significant changes occur.
Information security roles and responsibilities
– establish and assign specific information security responsibilities to all employees and external collaborators.
Segregation of duties
– we separate areas of responsibility to reduce the chances of unauthorised or unintended disclosure, modification or use of organisational assets.
Information security in project management
– We address information security in project management, regardless of the type of project.
Mobile device rules
– we use rules and security measures to deal with the risks of using mobile devices. We use security rules and measures to protect information accessed, processed or stored on mobile devices.
Managing security during employment
– We conduct checks on all applicants for available jobs in accordance with relevant laws, regulations and ethics, proportionate to business requirements, the classification of the information to be accessed and the perceived risks. The contractual agreement between us and our employees specifies the responsibilities of both parties regarding information security. Information security responsibilities and duties that remain valid after termination of employment or a change of role within the organisation are defined, communicated to the employee or external contractor, and enforced.
– Company management requires all employees and contractors to comply with information security in accordance with the rules and procedures established by the organisation.
Information security awareness, education and training
– all employees of the organisation are continuously made aware of organisational rules and procedures relevant to their function.
Managing and disposing of removable media
– we use procedures that implement the management of removable media devices. When no longer needed, removable media devices are destroyed, ensuring that data can no longer be read.
Transfer of physical materials
– materials containing information are protected against unauthorised access, improper or unauthorised use and corruption during transport.
Access control and management
– We use an access control policy, which is reviewed based on business and information security requirements. Users are only given access to the networks/network services they have been authorised to use.
Managing and using user login passwords
– we use a process to control the allocation of authentication information. Users follow best practices in the use of secret authentication information. We use our password management system to enforce password quality.
Restricting access to information
– access to application information and functions is restricted in accordance with access control rules.
– Access to systems and applications is controlled through a secure authentication process.
Physical location and protection of equipment
– IT&C equipment is located and protected to reduce risks from environmental threats and hazards and the possibility of unauthorised access.
Utilities and cable security
– equipment is protected from power failures and other interruptions caused by utility support failures. Power and telecommunications cables carrying data are protected from interception, interference or damage.
Equipment maintenance
– equipment is continuously and properly maintained to ensure its availability and integrity.
Checking and safe re-use of equipment
– storage media are overwritten multiple times and low-level formatted to ensure that sensitive information and licensed software are securely removed or overwritten before equipment is disposed of or reused.
Clear desk / clear screen
– we have adopted clear rules for documents and removable storage media and a clear screen rule for information processing facilities.
Procedures for working with documents
– we have defined operating procedures and made them available to all users who need them.
Separation of development, testing and operational environments
– We use separate environments for development, testing and operation to reduce the risk of unauthorised access or changes to the operational environment.
Controls against malware
– We implement detection, prevention and recovery controls to ensure protection against malware and combine these controls with appropriate user awareness.
Backup
– we regularly back up information and systems. The number of backups is correlated to the potential risks of the information and systems supported.
Event logging and log file protection
– we produce, maintain and regularly review event logs that record user activities, exceptions, defects and information security events. Log files are protected.
Installing software on operating systems
– we have established rules governing the installation of software on operating systems, especially user installation.
Technical vulnerability management
– Technical vulnerabilities are managed by assessing the organisation’s exposure, mitigating them in a timely manner and taking appropriate measures that address the associated risk.
Restrictions on changes to software packages
– we use software modification rules, limiting this action to necessary changes.
Addressing security in supplier agreements
– We review, document and agree with our suppliers information security requirements to reduce the risks associated with supplier access to the organisation’s assets.
Reporting information security events and incidents
– when information security events are observed, they are reported through the appropriate management channels in a timely manner. Employees and contractors note and report any observed or suspected weaknesses in systems or services. We assess and classify the information security events we face accordingly. We respond in a timely manner and in accordance with our internal procedures to information security incidents. We use the knowledge we gain when analysing and resolving information security incidents to reduce the likelihood or impact of future incidents. We have a process for identifying, collecting, acquiring and retaining information that can be used as evidence.
Intellectual property rights
– implement appropriate procedures to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
Review of technical compliance
– IT systems are regularly reviewed to comply with the organisation’s security rules and standards.
3. Privacy safeguards for the protection of personal data
Identify and document the purpose – we identify and document the specific purposes for which personal data is processed.
Identify the legal basis – we determine, document and comply with the legal basis for processing personal data for the purposes identified.
Determining when and how consent is obtained – we determine and document a process for demonstrating when and how consent is obtained from data subjects.
Obtain and record consent – we obtain and record the consent of data subjects as required by the documented requirements.
Records relating to the processing of personal data – we determine and maintain the records necessary to demonstrate compliance with our obligations relating to the processing of personal data.
Rights of data subjects – we ensure that the rights of data subjects in relation to the processing of personal data are respected and we provide the necessary means for them to exercise their rights.
Providing information to individuals – we provide data subjects with clear and easily accessible information about the personal data processed.
Provide a mechanism to change or withdraw consent – we provide mechanisms for data subjects to change or withdraw their consent.
Providing the mechanism to object to processing – we provide the mechanism for data subjects to object to the processing of their personal data.
Notification of rights exercised by data subjects – we take steps to inform third parties to whom we have transmitted personal data of any changes, withdrawals or objections resulting from the exercise of data subjects’ rights.
Correction or erasure – we implement a mechanism to facilitate the exercise of data subjects’ rights to access, correct and erase personal data.
Providing a copy of the personal data processed – we are able to provide a copy of the personal data that is processed, in accordance with the retention and erasure rules, upon request of the data subject.
Request management – we have the means to deal with legitimate requests from data subjects.
Automated decision-making – we identify and resolve any obligations, including legal obligations, to data subjects arising from decisions based solely on automated processing of personal data.
Limiting collection and processing – we limit the collection of personal data to the minimum that is relevant, proportionate and necessary for the identified purposes. We limit the processing of personal data to what is appropriate, relevant and necessary for the identified purposes.
Compliance with the objectives of minimisation and anonymisation of personal data – we identify and document the mechanism by which personal data are processed, in a timely manner, so that the degree to which the data can identify or be associated with data subjects is no greater than the objectives of minimisation and anonymisation allow.
Deactivation and deletion of personal data – we either delete personal data or transform it into a form that does not allow the identification of data subjects as soon as the original personal data are no longer necessary for the identified purpose.
Temporary files – we ensure that temporary files and documents created as a result of processing personal data are deleted.
Retention – we do not keep personal data longer than necessary for the purpose for which the data is processed.
Collection procedures – we ensure that personal data is accurate, complete and up-to-date as necessary for the purposes for which it is to be processed, throughout the lifecycle of personal data.
Identify the basis for the transfer of personal data – we identify and document the relevant basis for the transfer of personal data.
Countries and organisations to which personal data may be transferred – we specify and document the countries and international organisations to which personal data may be transferred.
Recording the transfer of personal data – we record transfers of personal data to or from third parties and cooperate with those parties to support the future exercise of data subjects’ access rights.
Records of disclosures of personal data to third parties – we record disclosures of personal data to third parties, including what personal data has been disclosed, to whom and when.
Last update: 24.05.2018