certME - GDPR Notice

regarding the processing of personal data

CERTSIGN S.A., headquartered in Bucharest, Sector 4, 107A Olteniței road, Building C1, Floor 1, room 16, registered at the Trade Register under no. J40/484/2006, CUI 18288250, Telephone: (+40) 311 011 870, E-mail: hello@certme.ro, as a personal data controller processes your personal data in order to issue and enable use of the certME electronic identification means, in accordance with the provisions of Regulation (EU) 2014/910 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS), the provisions of Implementing Regulation (EU) 2015/1502, and in accordance with Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR") and other provisions of Union or national law relating to data protection and remote electronic identification using video means.

Your personal data is processed in the context of the contract concluded between you and us ("Terms and conditions for the use of the certME application and certME electronic means of identification") regarding your use of the means of identification provided through the certME application.

Contact details of the certSIGN Data Protection Officer:

Section 1. Purpose and basis of personal data processing

The purposes of processing your personal data are:

a) Issuance and usage of an electronic identification means ("EIM"), in accordance with the provisions of Regulations (EU) 2014/910 and 2015/1502, which you can use when purchasing products or services, in order to identify yourself in relation to suppliers who accept authentication / registration with the certME means of identification, according to Article 6 (1) (b) of the GDPR.

To use the electronic identification means, through the certME application, our partners (generically called "Identity Validators") will process your personal data in order to create an electronic identity, which is a numerical representation made using the proprietary certME solution. The list of certME Identity Validators can be found online at www.certme.ro.

This numerical representation allows the validation of your identity at the request of a service or product provider in relation to which you will use the certME identification means and only if you want this validation. The list of Service or Product Providers enrolled in the certME platform can be found online at www.certme.ro.

b) Your identity proofing and verification, as a user of EIM in order to issue, suspend, revoke and reactivate certME EIM, according to art. 6 (1) (c) of the GDPR, in conjunction with Regulation (EU) 2014/910 and art. 2.1.2 of the Annex to Regulation (EU) 2015/1502;

c) Photocopying the identity document in case of your remote identification by video means according to art. 6 (1) (a) of the GDPR and art. 16 (1) of the Norms of the Romanian Digitization Authority regarding the regulation, recognition, approval or acceptance of the remote person identification procedure using video means approved by the Decision of the Romanian Digitization Authority no. 564/2021 (ADR Standard);

d) Your unique identification through the processing of biometric data, respectively the processing of the facial image transposed into biometric data, in case the identification was made by video means, according to art. 6 (1) (a) and art. 9 (2) (a) of the GDPR;

e) Recording the video-audio session in case the identification is done remotely by video means in accordance with art. 6 (1) (a) of the GDPR, using this method of identifying yourself in order to obtain a certME EIM being your option;

f) Your authentication in relation to the suppliers enrolled in the certME system, according to Article 6 (1) (b) of the GDPR;

g) Suspension, revocation and reactivation of the certME EIM, in accordance with Article 6 (1) (b) of the GDPR;

h) Technical support provided by certSIGN to you, the Supplier of products and services or the Validator in the use of the certME system, according to Article 6 (1) (b) of the GDPR;

i) Ensuring the continuity of the certME service, according to art. 6 (1) (c) of the GDPR, in conjunction with art. 8 para. 3 of Regulation (EU) 2014/910 and the Annex to Regulation (EU) 2015/1502;

j) Ensuring the security of systems and databases, according to art. 6 (1) (c) of the GDPR, in conjunction with art. 8 para. 3 of Regulation (EU) 2014/910 and the Annex to Regulation (EU) 2015/1502;

k) Demonstrating/proving the creation and use of the electronic identification means, in conjunction with Regulation (EU) 2014/910 and the Annex to Regulation (EU) 2015/1502;

l) Compliance with the legal obligations of certSIGN - Data Operator (e.g. transmission of information representing personal data at the request of the competent state authorities), according to Article 6 (1) (c) of the GDPR;

m) Data storage, including a copy of the identity document, according to art. 6 para. (1) lit. (c) GDPR in conjunction with eIDAS Regulation and Regulation (EU) 2015/1502, as well as with art. 16 paragraph (2) and art. 22 of the ADR Standard;

n) The transmission of newsletters, promotional materials, marketing communications, commercial offers or any other relevant information regarding certSIGN products and services in case you have given your consent in this regard according to art. 6 (1) (a) GDPR;

o) To pursue the legitimate interests of the Data Controller or a third party, such as the internal reports of the controller, to communicate with the representatives of legal entities that have requested the issuance of certME EIM for employees, customers or their representatives, to manage contracts or supporting accounting documents, for resolving complaints, for auditing or verifying internal processes, for defending the rights of the operator such as the recovery of claims held by it, according to art. 6 para. (1) (f) of the GDPR.

The legal bases for data processing operations refer to Article 6 (1) (a), (b), (c) and (f) of the GDPR and Art. 9 (2) (a) of the GDPR, as detailed above.

Section 2. The categories of personal data we process

For the purposes mentioned above, certSIGN will process the following categories of personal data:

Identity data is retrieved through the certME system (which does not contain personal data) by the certME validation application. Also, the identity data from the certME mobile application is stored only on your device and controlled only by you.

The certME system does not store your identity data, only non-personal data, namely references: encrypted codes generated by the certME mobile application installed on your device and by the certME validation application. Codes encrypted by the certME system cannot be used to reverse the process by which they were generated in order to learn the personal data from which they were created.

The processing of the biometric data mentioned above involves obtaining and comparing biometric templates from the photo of the identity card and the photo of your face and is done through the VideoID application (https://www.electronicid.eu/en/solutions/videoid).

The biometric template is the digital reference of the distinct features that were extracted from a biometric sample. Biometric templates are used during the video identification process. Basically, what is compared are not the photos (from the identity card and the one obtained during the interview), but the biometric templates of the two photos.

Section 3. Using the personal data and the consequences of not supplying them

The processing of personal data is mainly necessary for the issuance of certME EIM and for its use in your relationship with the Service or Product Providers. The personal data are thus necessary to identify the data subject for the issuance of the certME EIM.

The personal data mentioned above are processed directly by certSIGN or with the help of other operators we associate with (Identity Validators and Providers of services or products) in order to identify you for the purpose of issuing and using certME EIM, in compliance with art. 26 of the GDPR.

CertSIGN may also process personal data for the purpose of your identification in order to issue certME EIM and through authorized persons who provide adequate guarantees, in accordance with art. 28 of the GDPR. Such persons may be legal entities to whom we will outsource the activity of identity verification or providers of the identification solution by video means.

The refusal to provide the necessary data leads to the impossibility of issuing and using the certME EIM.

If you do not agree with the processing of your data involved in the remote identification of the person using the video means referred to in Section 1 (c) to (e), you may report to certSIGN or a Validator to obtain a certME EIM by way of in-person identification - face to face with an Agent of the Operator.

Section 4. Duration of personal data processing

Personal data processed for the purposes mentioned above will be stored for the entire period of validity of the means of identification, plus 10 extra years to demonstrate/prove the creation and use of the electronic identification means. The basis for storing data for a period of 10 years from the end of the validity of the electronic identification means is art. 6, para. 1, lit. f) of the GDPR, i.e. the legitimate interest of certSIGN to be able to demonstrate/prove the creation and use of the electronic identification means.

The data may be processed after this date, when there is a legal obligation or a legitimate interest in this regard.

References resulting from the processing of data by the certME system will be stored indefinitely. These references may in no way lead to the personal data from which they were created/derived.

Please note that biometric data is not stored and is automatically deleted as soon as the result of the comparison operation described in Section 2 above on data categories has been generated.

If the user does not complete the procedure for issuing a certME EIM, their data will be deleted after a period of 48 hours.

Section 5. Recipients of personal data

Your personal data may be disclosed: to you for the exercise of your rights under the GDPR, to the auditors for the performance of the audit obligations to which certSIGN is subject, to the supervisory body under applicable law, to public authorities and institutions under legal obligations, lawyers to represent us in the event of a dispute or for consulting, certSIGN's contractual partners for the purposes mentioned above (such as: courier companies, video identification service providers or maintenance and support service providers).

Section 6. Data transfer outside the European Union

certSIGN does not transfer your personal data outside the European Union / European Economic Area.

Section 7. The rights of the data subject

As a data subject, you have the following rights under the General Data Protection Regulation:

You, as the data subject, also have the right to withdraw your consent at any time, to the extent that the data processing operation is based on your consent without affecting the lawfulness of the processing carried out on the basis of the consent before its withdrawal (Article 7 (3) of the GDPR).

At the same time, we inform you that you have the right to contact the National Authority for the Supervision of Personal Data Processing - ANSPDCP for the protection of any rights granted by the applicable legislation in the field of personal data protection, which have been violated and to appeal to the competent courts.

To exercise these rights, you can address a written request, dated and signed, sent to the Department of Personal Data Protection certSIGN:

If you submit a request regarding the exercise of your rights regarding the protection of personal data, you will receive a response within a maximum of 30 days, under the conditions provided by the GDPR.