certSIGN S.A., with the registered office in Bucharest, 107A, Sos. Oltenitei, building C1, 1st floor, room 16, sector 4, registered with the Trade Register Office under the no. J40/484/17.01.2006, C.U.I. 18288250 (hereinafter referred to as “certSIGN”) acts as a controller of personal data in accordance with the provisions of Regulation (EU) No 679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”).
certSIGN treats the privacy of personal data seriously. The security and confidentiality of your personal data is very important to us. As such, we take all necessary and reasonable steps to ensure the security and confidentiality of your personal data and to process it in accordance with GDPR and applicable European and national legislation.
- Trust services covered by EU Regulation 910/2014 – eIDAS for electronic signature, electronic seal, for website authentication and certification services under Law 455/2001 on electronic signature. Detailed information on the data processing carried out by certSIGN for the provision of these services can be found here https://www.certsign.ro/en/information-note-on-the-processing-of-personal-data/.
- Services on the creation and use of a certME identification tool. Detailed information on the data processing carried out by certSIGN for the provision of these services can be found at https://www.certme.ro/app-gdpr-notice
1. Who are we?
We are CERTSIGN S.A. (hereinafter referred to as “certSIGN”), with the registered office in Bucharest, 107A, Sos. Olteniței, building C1, 1st floor, room 16, sector 4, registered with the Trade Register Office under the no. J40/484/17.01.2006, CUI 18288250, Phone: 0311 011 870, Fax: 021 311 9905, E-mail: firstname.lastname@example.org.
Contact details of the Data Protection Officer:
- Email: email@example.com / fax: (+4021) 3119905;
- Address: 29A, Tudor Vladimirescu Bvd, building AFI Tech Parc 1, 2nd floor, Bucharest sector 5.
2. Categories of personal data we process
Depending on the product/service we provide or how you have interacted with certSIGN, the categories of personal data we process include:
- Identification data: name, surname, position and/or capacity held and the organisation in which they are held, handwritten or electronic signature, data from your identity document, information on your unique identification by remote video means including the processing of biometric data with your consent for the purpose of issuing a qualified digital certificate or a certME means of identification (details on the processing of these data can be found in the information notes related to these services, mentioned in the preamble of this policy),
- Financial data: bank account or bank card information if making an electronic payment,
- Contact and shipping details: e-mail address, phone number, home address, shipping address,
- Data on our relationship with you: data on the issuance, provision, use and revocation of digital certificates, or the issuance, use, suspension, revocation, and reactivation of the certME identification means, information related to the performance of the contract with certSIGN, details on mailing, applications, complaints, claims you make or other information related to your interaction with us (e.g. for support in using our services), information on the exercise of the rights you have with regard to personal data,
- Service usage data: login data, user account data, log data such as IP address, data about your actions on certSIGN platforms and website, data about the mobile device used, references – encrypted codes generated by the applications used,
- Data collected by cookies and similar technologies, such as a unique ID allowing user session identification and IP data; more details can be found in the Cookies Policy available at https://www.certsign.ro/en/cookies-policy/.
As a processor of its clients under contractual clauses concluded in accordance with Article 28 of the GDPR, certSIGN also processes other categories of data provided by its customers, for the provision of physical and electronic archiving or tachograph card personalization services or the use of remote signature platforms or the validation of electronic signatures and seals or other services that certSIGN may provide to its customers. Such data may be, but are not limited to: personal data contained in documents subject to the above-mentioned services, application user data, data related to electronic signatures and digital certificates with which they were generated, subject to the electronic signature and seal validation service, logs.
3. Purpose and grounds of personal data processing
Purposes of processing your personal data are:
- initiating the contractual relationship, negotiating, concluding and performing contracts with you or certSIGN’s contractual partners, including the provision of services, the delivery of products covered by the contracts and their payment or the provision of information on the status of the development of the contracted services or the creation of a user account on certSIGN’s applications or websites for the purpose of contracting services, in accordance with Article 6 (1) (b) of the GDPR;
- the fulfilment of certSIGN’s legal obligations in the context of the contractual relationship, according to Article 6 (1) (c) of the GDPR, such as: obligations to draw up and keep financial-accounting documents; compliance by certSIGN with the right of withdrawal that you have exercised in accordance with GEO 34/2014 on consumer rights in contracts concluded with professionals, as well as for the amendment and completion of certain regulatory acts, if you have purchased products and services online; keeping personal data throughout the duration of contractual relations and archiving documents; conducting audits; transmission of information representing personal data at the request of the competent state authorities; ensuring the security of systems and databases (including backup); other legal obligations applicable depending on the nature of the contractual relationship and/or the status of the contractual partner;
- for the pursuit of certSIGN’s or a third party’s legitimate interests under Article 6 (1) (f) of the GDPR, such as: for internal reporting or for streamlining company processes; for managing contracts or supporting accounting documents; for communicating with contract partner representatives; for resolving complaints; for auditing or verifying internal processes; for fraud prevention; for defending certSIGN’s rights such as recovering claims held by certSIGN and formulating defences in the event of litigation;
- sending newsletters, promotional materials, marketing communications, commercial offers or any other relevant information on certSIGN products and services if you have given your consent in accordance with Article 6 (1) (a) GDPR;
- your unique identification by remote video means including the processing of biometric data with your consent as per Art. 6 (1) (a) and Art. 9 (2) (a) GDPR, for the purpose of issuing a qualified digital certificate or a certME identification means (details on the processing of these data can be found in the information notes related to these services, mentioned in the preamble of this policy).
4. Grounds for processing personal data
certSIGN processes your data on the following grounds:
- conclusion and performance of the contract with you in accordance with Article 6 (1) (b) of the GDPR,
- legitimate interests pursued by certSIGN or a third party under Article 6 (1) (f) GDPR,
- fulfilment of certSIGN’s legal obligations under Article 6 (1) (c) of the GDPR,
- your consent under Article 6 (1) (a) or Article 9 (2) (a) of the GDPR, as detailed above in section 3.
5. How do we get the data?
certSIGN can get the data:
- directly from you when you purchase and use certSIGN products and services or when you contact us through various channels or when you request offers or information about certSIGN products and services or when you visit our websites;
- from other sources: public sources (e.g. websites, public databases such as: Trade Register database, Ministry of Finance database, Official Journal, websites of court of law, etc.) or from third parties (contractual partners of certSIGN or third parties relying on trust services provided by certSIGN),
- public authorities (e.g. in case of court requests or judicial investigations);
- by generating data from the information provided by you (such as the serial number of the digital certificate for electronic signature or references – encrypted codes generated by the certME system applications related to the issuance and use of the certME electronic means of identification, etc.).
6. Use of data and consequences of non-disclosure
The processing of personal data mentioned above is necessary for the purposes specified above.
Personal data are processed directly by certSIGN or with the help of other personal data controllers with whom we partner (e.g. in order to identify you for the purpose of issuing and using a qualified digital certificate or certME electronic identifier) in compliance with Article 26 of the GDPR.
certSIGN may also process personal data through processors providing adequate safeguards in accordance with Article 28 of the GDPR, to whom we outsource certain activities.
Your refusal to provide data may make it impossible to provide the services or products covered by the contracts.
If you no longer wish to receive promotional materials and marketing communications about our products and services, we will no longer process your data for this purpose.
7. To whom do we disclose your personal data?
Your personal data may be disclosed to the following categories of recipients:
- To you, to exercise your rights,
- To external auditors of certSIGN, in order to fulfil our audit obligations,
- To the supervisory body under the legislation applicable to the service provided,
- To public authorities and institutions based on our legal obligations under the applicable legislation,
- To lawyers to represent us in the event of litigation or for advice,
- To bailiffs for contractual notices or enforcement of any court judgments,
- To debt recovery firms,
- To contractual partners of certSIGN (such as courier companies, suppliers, subcontractors, consultants and technical experts, etc.) for the conclusion and execution of contracts,
- To banks for mortgaging receivables and/or obtaining financing and/or guarantee instruments,
- To insurance companies for obtaining guarantee instruments and/or insurance policies,
- To affiliated companies of certSIGN that support us in the services we provide,
- If certSIGN undergoes a sale or reorganisation process we will provide your data to the acquiring entity or the entity resulted from reorganisation.
8. Transfer of data outside the European Union
In general, certSIGN does not transfer your data outside the European Union.
There are situations in which we transmit your personal data outside the European Union, i.e. to send you, with your consent, newsletters, promotional materials, marketing communications about the certME service, the recipient of the data being in the State of Georgia, USA. The transfer of data is carried out with due respect for the rights of data subjects based on adequate safeguards in accordance with Article 46 of the GDPR. In this regard, the company has entered into a standard clauses contract with The Rocket Science Group LLC based in the State of Georgia, USA based on the European Commission Decision 2021/914 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council.
9. Duration of processing of personal data
certSIGN processes personal data, in general, throughout the period of negotiation and performance of contractual relations with you or with contractual partners that you represent or that have provided us with data for processing. Upon termination of these relationships, the information and personal data will be archived/stored. The archiving/storage period differs depending on the type of service you have contracted or the type of relationship you have with certSIGN.
We also process certain categories of data for the period of time required by law or by a public authority, in accordance with the law or, in the event of a dispute, until a final settlement is reached. For processing based on the legitimate interest of certSIGN or a third party, we process data according to our retention policies.
- for compliance with financial and tax legislation, we keep data for 5 or 10 years as appropriate;
- for the handling of referrals, we keep the data for the statutory limitation period, i.e. 3 years;
- logs are kept according to the risk analysis for at least 2 years;
- details on the duration of the processing of personal data for the purpose of providing trust or certification services can be found in the related Information Note;
- details on the duration of the processing of personal data for the purpose of issuing and using the certME identifier can be found in the related Information Note;
- where data processing is based on your consent, we will process the data until you withdraw your consent to the processing.
After the archiving/storage timeframes for which there is a justifiable legal reason, your personal data will, as appropriate, be destroyed/deleted in accordance with Law 16/1996 on National Archives or irreversibly anonymised.
10. The rights you have
Your rights under Articles 13-22 of EU Regulation 2016/679 are:
- Right to information: the right to be informed of the identity and contact details of the controller and the data protection officer, the purposes for which the data are processed, the categories of personal data concerned, the recipients or categories of recipients of the data, the existence of the data subject’s rights under data protection law and the conditions under which they can be exercised;
- Right of access to data: the right to obtain from the data controller confirmation as to whether or not personal data concerning you are being processed by the controller;
- Right to rectification: the right to have inaccurate data relating to you rectified and incomplete data completed;
- The right to restrict processing if you have objected to the processing for the purposes of legitimate interests pursued by certSIGN or third parties or if certSIGN no longer needs the personal data but you request it for the establishment, exercise or defence of legal claims;
- The right to withdraw your consent at any time, insofar as the data processing operation is based on your consent, without withdrawal of consent affecting the lawfulness of the processing carried out on the basis of consent prior to the withdrawal of consent;
- The right to erasure of data if the data are no longer necessary for the purposes of the processing or if you withdraw your consent insofar as the processing is based on consent or if you object to the processing pursuant to Article 21 of the GDPR and there are no overriding legitimate grounds for further processing;
- The right to the portability of the data provided, insofar as the data processing operation is based on consent or is based on a contract concluded with you.
- The right to object, on grounds relating to your particular situation, to data processing carried out for the purposes of pursuing the legitimate interests of certSIGN or third parties.
- The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects him or her to a significant extent, in accordance with Article 22 of the GDPR.
certSIGN will inform the recipients to whom it has disclosed personal data of any erasure, rectification or restriction of the processing of personal data, unless this proves impossible or involves disproportionate effort.
At the same time, we inform you that you have the right to address the National Supervisory Authority for Personal Data Processing – ANSPDCP to defend any rights granted by the applicable legislation in the field of personal data protection, which have been violated, as well as to appeal to the competent courts of law.
To exercise your rights under Articles 13-22 of the GDPR, you may submit a written, dated and signed request to the Personal Data Protection Department of certSIGN:
- E-mail: firstname.lastname@example.org
- fax: (+4021) 3119905
- 29A Tudor Vladimirescu Bvd, building AFI Tech Parc 1, 2nd floor, Bucharest, sector 5.
If you make a request to exercise your personal data protection rights, you will receive a reply within 30 days at the latest, under the conditions set out in the GDPR.
11. Security measures for your personal data
certSIGN implements, both as a personal data controller and as a trust service provider, appropriate technical and organisational measures to ensure the integrity and confidentiality of your personal data in accordance with Articles 25 and 32 of the General Data Protection Regulation 2016/679 and the EU Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market.
certSIGN has implemented an Information Security Management System and is ISO 27001 certified.