Personal Data Processing Policy of ALRO S.A. and ALUM S.A.
The personal data processing requirements are adhered to within ALRO S.A., ALUM S.A. (hereinafter collectively referred to as "ALRO") in accordance with the data processing security provisions indicated in Regulation No. 679/2016 regarding the protection of individuals with respect to the processing of personal data and the free movement of such data (hereinafter referred to as "GDPR").
Both at the time of establishing the processing means and during the processing itself, ALRO implements appropriate technical and organizational measures to guarantee and demonstrate that processing is carried out in compliance with applicable legal provisions.
ALRO takes all necessary measures to ensure that, by default, only personal data strictly necessary for each specific purpose of processing is processed.
Personal Data refers to any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Description
The ALRO Personal Data Processing Policy describes how ALRO collects and processes the personal data of customers, business partners, potential clients, potential employees, and potential collaborators. This policy applies to all personal data collected on the website www.alro.ro, as well as any personal data collected via email, the website, or any other communication channel through which such data will be processed.
Additionally, ALRO may collect information regarding user preferences through the use of the aforementioned website when requesting information from ALRO or when engaging its services or other offerings.
GDPR Principles
Whenever personal data is processed, the following principles are observed:
- Lawfulness, Fairness, and Transparency: Personal data will be processed “lawfully, fairly, and in a transparent manner”;
- Purpose Limitation: Data will be collected for specified, legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Data Minimization: Any collection of personal data will be carefully considered before the actual request for data, which will be relevant and limited to what is absolutely necessary for the purposes for which it is processed;
- Accuracy: Controllers must take all measures to ensure data validity, and inaccuracies must be corrected without delay or erased;
- Storage Limitation: Data must be retained only for the period necessary for processing. Longer retention periods are exceptions associated with public archiving, research, or statistical activities, which may be conducted under specific conditions;
- Integrity and Confidentiality: Personal data processing must be carried out securely, including “protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by taking appropriate technical or organizational measures.”
Rights
ALRO ensures the respect of the rights granted to data subjects under GDPR, including:
- Right of Access: Allows obtaining details about the processing of personal data;
- Right to Rectification: Allows correction of personal data if it has been incorrectly processed;
- Right to Erasure: Allows the deletion of personal data in certain cases (e.g., if data is no longer necessary for the purposes for which it was collected);
- Right to Restrict Processing: Allows the restriction of processing personal data in certain cases (e.g., when the user contests the accuracy of their personal data, for a period enabling verification of such accuracy);
- Right to Object: Allows users to object to the continued processing of their personal data under the conditions and limits established by law;
- Right to Data Portability: Allows users to receive their personal data provided in a structured, commonly used, and machine-readable format or to transmit these data to another data controller.
Processing
Purposes and Processing of Personal Data Based on Obtained Consent
ALRO will process personal data legally, fairly, and transparently; the purposes for which these data will be used are well-defined, specifically for preparing and providing the services and products requested by users.
Among other things, personal data will be processed for communication purposes via email, correspondence, phone, or any other communication means through which responses to user requests will be transmitted. In this case, the processing of personal data will be based on legitimate interest for providing ALRO's services according to the contractual relationship.
In all cases, data are provided directly by users as a result of ALRO’s request and users' consent. The categories of data processed in this context generally include name, surname, email address, and other personal data provided to ALRO, usually by users, for fulfilling the aforementioned purposes.
ALRO requests the provision of all categories of personal data, exclusively for the aforementioned purposes, for carrying out its current activity and for providing its services.
Disclosure of Personal Data
As a rule, personal data will not be disclosed to third parties. However, if necessary, ALRO will disclose relevant personal data to public authorities requesting such data.
Duration of Personal Data Storage
Personal data will be stored in accordance with ALRO’s internal policies and legal obligations.
If data are not stored based on a contractual relationship, such data will be retained as long as necessary to achieve the processing purpose.
Miscellaneous
This privacy policy is effective as of May 25, 2018.
This privacy policy may be updated periodically. On the day of any update, ALRO’s website will display a notification containing a link to the changes in ALRO’s data protection policy.
Users also have the right to file a complaint with the National Supervisory Authority for Personal Data Processing in Romania if they believe that the processing of their personal data violates applicable laws.