Rompetrol processes personal data in accordance with the provisions of the General Data Protection Regulation no. 679/2016 (“GDPR”) as well as with the applicable legislation on the protection of personal data. In this sense the present policy was drafted with the purpose and role to serve as a mean of information with regard to:
(i) the activities of processing your personal data, thus performed by the companies part of KMG International Group, as Personal Data Operator, in carrying out its activities;
(ii) the security of the data and the confidentiality of the processing of your personal data;
(iii) your rights regarding personal data and how to exercise these rights.
Personal Data Operator:
The company Rominserv SRL, is a Personal Data Controller, with its headquarter in Bucharest, P-ta Presei Libere, no. 3-5, City Gate, registered at the Trade Register Office under no. J40 / 8331/2001, UIC RO 14208851, Romania Unicredit Bank SA.
The companies, part of KMG International NV Group with the headquarter in European Union are Personal Data Operators for data processing, carried out by these companies.
Contact details of the companies part of the KMG International NV Group can be found here.
References to "Rompetrol" or "Operator" in this policy mean companies within the KMG International NV Group, including subsidiaries, affiliates, branches, offices of these companies.
What categories of personal data we process, the purposes, the legal basis and the period for which your personal data are processed
Depending on the quality you have in relation to our company, Rompetrol as a Personal Data Operator processes certain personal data of yours for different purposes and legal basis, and keeps them for a certain period of time, as follows:
3.1. Visitor of the website
3.1.1 Accessing the website
188.8.131.52 Purposes of personal data processing
a) Your data are processed to ensure an optimal connection, to evaluate the safety and stability of the system, these processing being done based on the legitimate interest of the Operator according to art. 6, para. 1, lit. f) from GDPR
184.108.40.206 Personal Data Processed
a) the IP address of your terminal connected to the Internet,
b) date and time of access,
c) the name and URL of the accessed file,
d) the web page/application from which the access took place (Referrer-URL),
e) the browser used and, as the case may be, the operating system of your device connected to the Internet as well as the name of the network provider.
3.1.2 Using cookies
Cookies are small files, generally made up of texts and numbers, which when accessing a website are saved in the browser used by the computer, phone, tablet or any other device through which the respective website is accessed online. At each subsequent access to the site, the browser sends this file to the website server, thus allowing the identification of a visitor who has returned to the site.
The cookies used in this website are both own cookies and cookies from third parties Google Ireland LLC (Google Analytics and YouTube), Meta Platforms, Inc., USERCENTRICS A/S (Cookiebot).
220.127.116.11 Purposes of personal data processing
a) Through the necessary cookies, some of which are provided by third parties (YouTube, Cookiebot), your data is processed to make a website usable by activating basic functions, such as page navigation and access to secure areas on the site, the monitoring and management of cookie agreements, these processing being done based on the legitimate interests of the Operator according to art. 6, para. 1, lit. f) from GDPR.
b) By means of statistical cookies from third parties, namely Google Analytics, your data is processed in order to understand how website visitors interact with it by collecting and reporting information anonymously. In this way, we can determine, for example, how we can adapt our internet pages even better according to user habits. These data are processed based on your consent by ticking the corresponding boxes, according to art. 6, para. 1, lit. a) from GDPR.
c) Through marketing cookies from third parties, namely Google Analytics, YouTube, Meta Platforms, Inc., your data is processed in order to display relevant ads for individual users. The processing consists of analyzing your usage behavior and/or analyzing the interest you have shown in certain products. Your behavior and interest can be reconstructed through the different internet pages, browsers or terminals, accessed by you, with the help of a user ID (clear identification). These data are processed based on your consent by ticking the corresponding boxes, according to art. 6, para. 1, lit. a) from GDPR.
18.104.22.168 Personal Data Processed
a) the IP address of your terminal connected to the Internet,
b) date and time of access,
c) the name and URL of the accessed file,
d) the web page/application from which the access took place (Referrer-URL),
e) the browser used by you and, as the case may be, the operating system of your device connected to the Internet as well as the name of the network provider
f) Individual user ID,
g) Potential interests regarding products, topics on the website, the selected gas station, etc.
h) Events triggered on the website (browsing behavior)
i) Data necessary for the distribution of traffic to the website on various servers to optimize the response and loading time of the website
j) The decision regarding the use of cookie modules on the website
k) Data on relevant security incidents
l)Data for playback of multimedia content (e.g. viewing recordings/videos (regarding products) selected by the user.
3.1.3 Data processing period
a) User and event data retention: 14 months
The retention period applies to user-level and event-level data associated with cookies, user-identifiers (e.g., User-ID), and advertising identifiers (e.g., DoubleClick cookies, Android’s Advertising ID [AAID or AdID], Apple’s Identifier for Advertisers [IDFA]).
b) The retention period of the user identifier is reset with each new event from that user (thus setting the expiration date to current time plus retention period). For example, if data retention is set to 14 months but a user initiates a new session every month, then that user's identifier is refreshed every month and never reaches the 14-month expiry. If the user doesn't initiate a new session before the retention period expires, then that user's data is deleted
c) Session-timeout settings: 2 hours
Sets the duration of inactivity that terminates the current session
d) Timer for engaged sessions: 30 seconds
Engaged session is defined by: the number of sessions that lasted 10 seconds or longer, or had 1 or more conversion events or 2 or more page or screen views.
e) Override cookie settings: 24 months
Change how long cookies last and how they are updated.
3.2. Legal representatives, shareholders, employees, contact persons of the companies acting as business partners of KMG International NV Group
3.2.1. The purposes of processing the personal data
a) in order to contract and carry out the service/goods/sponsorship contracts concluded with the business partners, as clients/stakeholders and / or subcontractors, according to art. 6 paragraph 1, letter b) of the GDPR;
b) for fulfilling the legitimate interest of the Operator, in order to carry out the procedures regarding the selection of offers, organized by him for contracting of goods / services / works, etc. according to art. 6 paragraph 1, letter f) of the GDPR;
c) to perform the know your counterparty analysis of the business partner in order to carry out the business activity in full compliance with the applicable legal provisions, in order to strengthen the security of contracts, avoid conflicts of interest and protect the Operator's reputation, in order to manage contracts and perform veirifcation and reporting in accordance with applicable law, as well as for the fulfillment of a legal obligation such as the prevention and sanctioning of money laundering, the establishment of measures to prevent and combat the financing of terrorism. according to art. 6 paragraph 1, letter c) of the GDPR, as well as for the protection of the legitimate interest of the Operator according to art. 6 paragraph 1, letter f) of the GDPR;
d) for ensuring the safety and security at work of the employees of the partners carrying out activities on the industrial platforms where the Operator is the main contractor, on the industrial platforms of the Operator, or at the KMG International NV Group companies premises, in order to fulfill the legal obligations contained in the health and safety legislation. at work, in accordance with art. 6 paragraph 1, letter c) of the GDPR, as well as for the protection of the legitimate interest of the Operator according to art. 6 paragraph 1, letter f) of the GDPR;
e) for carrying out second party audits in order to fulfill the legitimate interest, (according to art. 6 paragraph 1, letter f) of the GDPR) of the Operator to ensure that the services / products offered by the business partner meet the necessary quality standards;
d) for contacting you in order to obtain the opinion of the company you represent regarding the quality of the Operator's services and products purchased, by telephone, e-mail, in accordance with art. 6 paragraph 1) letter f) of the GDPR on data protection, respectively in the legitimate interest of the Operator.
e) for contacting the clients by e-mail directly by the financial audit company that audits the financial statements of the Operator in order to carry out the annual audit process in accordance with art. 6 paragraph 1) letter f) of the GDPR, respectively in the legitimate interest of the Operator.
f) for commercial purposes, by using the means of communication, respectively e-mail, sms, fax, telephone call, newsletter / s and other commercial communications for the promotion of the Operator's services, in accordance with art. 6 paragraph 1) letter f) of the GDPR, respectively on the basis of the legitimate interest to collaborate with the company you represent;
3.2.2. Processed Personal Data
For the purposes indicated in point 3.2.1. above, following data of employees / affiliate/ legal representatives of business partners will be processed: name, surname, position, signature, telephone, email, serial and ID card number, as well as documents attesting certain qualifications / attestations / certifications, ( ex: diplomas, certificates, attestations, authorizations, attestations, permits, etc.).
3.2.3. Data processing period
The storage period of the collected personal data will be determined as follows:
(a) the data processed for contracting, knowing the partners and carrying out the service/goods/sponsorship contracts will be kept for a maximum of 5 years from their conclusion. In case of disputes, these will be kept until the end of the dispute in question.
(b) the financial-accounting data including the contracts concluded depending on their nature will be kept in accordance with the provisions established by the Fiscal Code and the related legislation.
(c) the data to be processed in order to carry out the tender selection procedures will be kept for 3 years from the completion of the procedures.
(d) data processed for the purpose of the second part audit shall be retained for 3 years from the audit complition date.
(e) the processing of data in order to ensure safety and health at work will be done throughout the performance of the service contract.
(f) the processing of data in order to obtain the opinion on the quality of services will be done during the existence of the business relationship.
(g) the processing of data for the purpose of carrying out the financial audit process will be done for a maximum of 1 year from the completion of the business relationship.
3.3. Processing of personal data of former employees of the companies from KMG International NV Group
3.3.1. The purposes of processing the personal data of former employees of the companies from KMG International NV Group
The personal data of the former employees are processed based on the legal obligations of the former employer in accordance with art. 6 paragraph 1, letter c), and art. 9 letter b) of the GDPR, respectively the obligations to keep these data and to issue certificates at the request of the former employee or to transmit information to the state authorities, as well as based on Operator’s legitimate interest to perform internal audits and verifications or to responds to the requests of external auditors, but also to protect Operator’s interests in court., in accordance with art. 6 paragraph 1, letter f) of the GDPR.
3.3.2. Processed Personal Data
For the purposes indicated in point 3.3.1. above, the following data of the former employees will be processed: the content of the personnel file, without being limited to: name, surname, position held, unique ID, identity data and photo-copies of them, employment contracts, retirement data, data on education and professional experience (CV, copies of diplomas), etc., the payroll and elements contained therein, including the documents that formed the basis for its preparation (not limited to: name, surname, ID data, uniques ID, position, job, salary data, bank account, medical certificates, salary statements, seizures, timesheets, dependents, benefits, etc.).
3.3.3. Data processing period
The data will be kept according to the legal provisions as follows: 75 years the data regarding the personnel file and 50 years the data regarding the salary statement, periods that run from the termination of the employment relationship.
3.4. Candidates who have applied for a vacant position in order to be employed or to complete an internship
3.4.1. Purposes of personal data processing
In order to participate in the recruitment and selection program related to the occupation of one of the existing or future vacancies / positions or to carry out a current or future internship or internship program, where you are a Candidate, your personal data are processed by Operator for purposes related to activities related to the field of human resources. The processing of your personal data in the mentioned context is done in accordance with Article 6 paragraph 1), letter a) of the GDPR, respectively your agreement to participate in the recruitment and selection process.
3.4.2. Processed Personal Data
(a) General information when registering the CV in our database: Name, surname, date of birth, marital status, telephone number and email address, nationality, citizenship, gender and details regarding any disabilities or work restrictions, your photography, any other information that is found in your CV;
(b) Checks in the vew of your selection: references / request for references, interview notes, records / test / test results including technical tests and psychometric tests (measures your abilities, skills, behaviors or personality traits).
3.4.3. Data processing period
Your personal data as indicated in point 3.4.2. above are kept 6 months from your agreement or 6 months from the last login in your account created on the career website of the KMG International NV Group in case you applied through it.
3.5. Visitors of our headquarters
3.5.1. Purposes of personal data processing
The personal data of the visitors are processed in order to ensure the security and safety of persons, guarding the assets and goods in accordance with art. 6 lit. f) of the GDPR, namely the legitimate interest of Operator, as well as of the affiliated companies within the KMG International NV Group.
3.5.2. Personal data of visitors
In order to achieve the objectives indicated at point 3.5.1. above, the following personal data of visitors are processed: name, surname, entry time, exit time, visitor's image, the name of your employer or the company you work with (if the visit is for business purposes) and the name of the person visited.
3.5.3. Data processing period
The storage of personal data will be done for the purposes presented above for a maximum period of 2 years, except for the image of the visitor captured by the cameras, this being kept for a maximum period of 30 calendar days.
Who receives your data?
4.1 Recipients of your personal data
In order to achieve the purposes described above, Rompetrol uses the services of various contractors or other companies within the KMG International NV Group. According to GDPR, they are divided into several categories, which in relation to the operation of processing your personal data, are classified as follows: operators, processors or associated operators.
Therefore, we specify that, in order to achieve the purposes mentioned in section 3 above, your data can be shared, without being limited to, with the following types of recipients:
- companies ensuring operating of Rompetrol gas stations, in the name and on behalf of Rompetrol;
- IT and telecommunications service providers, security and protection, courier, advertising agencies, other contractual partners (eg lawyers, debt collection companies, auditors bound by the obligation of confidentiality regarding the data transmitted, etc.);
- state authorities such as ANAF, ANPC, etc. based on their competencies provided by the applicable law.
4.2 Transfer of your data to foreign countries
In the context of the operations described above, your personal data may be transferred to countries of the European Union ("EU") or the European Economic Area ("EEA").
We hereby inform you that any transfer made by the Operator to an EU or EEA member state will comply with the legal requirements established by GDPR. As part of the processing of the data described above, the transmission of personal data to recipients from countries outside the European Union may also take place. The transfer in this case will be made to: (i) countries for which the EU Commission has established that they provide an adequate level of data protection, or (ii) countries or operators in relation to which we ensure that there is an adequate level of protection of data (especially by concluding agreements containing standard contractual clauses for data transfer and / or any other measures imposed as the case may be).
6. Security of your personal data
Rompetrol guarantees that it processes your data in conditions of legitimacy and legality, implementing at the same time adequate technical and organizational measures to ensure the integrity and confidentiality of the data according to art. 25 and 32 of the GDPR.
7. Your rights rearding personal data:
As the data subject, you have the following rights provided by GDPR, regarding exclusively your personal data:
(a) The right of access means your right to obtain a response from the Operator whether or not it process personal data concerning you and, if so, you may have access to those data and to the information provided by art. 15 of the GDPR.
(b) The right to data portability refers to the right to receive personal data in a standard, structured, commonly used and automatically readable format and the right to have your data transmitted to another operator without hindrance from Rompetrol, if these data are processed automatically and, the data are processed based on your consent expressed according to art. 6 para. 1) lit. a) or art. 9 para 2) lit. a), respectively on the basis of a contract according to art. 6 para. 1) lit. b) of the GDPR.
(c) The right to object represents the right to oppose, for reasons related to your particular situation, to the processing of personal data concerning you, including the creation of profiles based on those data, when the processing is carried out pursuant to art. 6 paragraph 1) letters e) and f), respectively for the achievement of a legitimate interest of the operator or for the accomplishment of a task that serves a public interest.
(d) The right to rectification refers to the correction, without undue delay, of inaccurate personal data. You have the right to obtain the completion of personal data that are incomplete, including by providing an additional statement, and the rectified data will be communicated to each recipient who received the data, unless this proves impossible or involves disproportionate effort.
(e) The right to delete data ("right to be forgotten") means the right to request the deletion of personal data, without unreasonable delay, if: the data are no longer necessary for the purposes for which they were collected or processed; you withdraw your consent and there is no other legal basis for processing; you object to the processing and there are no legitimate legal reasons prevailing; personal data have been processed illegally; personal data must be deleted in order to comply with a legal obligation; personal data were collected in connection with the provision of information society services. The deletion of the data will be communicated to each recipient who received the data, unless this proves impossible or involves disproportionate efforts.
(f) The right to restriction of data processing refers to the case where you challenge the accuracy of the data, for a period that allows the operator to verify the correctness of the data: if the processing is illegal and the person opposes the deletion of personal data, requesting instead the restriction of their use; if Operator no longer needs the personal data for the purpose of processing, but you request them for the ascertainment, exercise or defense of a right in court; if you objected to the processing for the period of time in which is needed to verify whether the legitimate rights of Operator prevail over those of the respective person.
(g) The right not to be subject to a decision based solely on automatic processing, including the creation of profiles, which produces legal effects that concern or significantly affect you, with the exception of processing for the conclusion or performance of a contract with you, such processing is authorized by the applicable legal provisions or the data processing is performed based on your freely expressed consent.
(h) The right to withdraw your consent. When the processing of personal data is carried out on the basis of your consent, you have the right to withdraw your consent at any time, without affecting the legality of the processing carried out on the basis of consent before its withdrawal.
(i) The right to file a complaint: if you are dissatisfied, you can contact the National Authority for the Supervision of Personal Data or the competent courts at any time.
8. Exercise your rights
All the rights can be exercised through a written request sent to:
(a) Operator’s headquarters, using the contact details mentioned in section 2 of this Policy,
(b) e-mail, for the attention of the Data Protection Officer, at the e-mail address: email@example.com
(c) by calling the following phone numbers: 0800 0800 08 or 0800 0800 12.
Your request will be analysed and you will receive an answer within maximum 30 days.
Update date of this policy: 20.07.2023