CHAPTER I. Reference Documents

CHAPTER II. Purpose of the Personal Data Protection Policy

CHAPTER III. Terms and Definitions

CHAPTER IV. Scope and Policy Modification

CHAPTER V. Principles for Personal Data Processing

Article 1. Correctness and Legality

Article 2. Restricting to a Certain Purpose

Article 3. Transparency

Article 4. Minimizing / Reducing Data to a Minimum

Article 5. Storage Limitation and Deletion

Article 6. Data Exactness and Topicality

Article 7. Integrity and Confidentiality

CHAPTER VI. Personal Data Processing

A)Personal Data of Customers and Partners

Article 1. Data Processing for a Contractual Relationship

Article 2. Data Processing for Publicity Purposes

Article 3. Data Processing on the Basis of Consent

Article 4. Special Data Processing

Article 5. Automated Individual Decision Processes

Article 6. Processing the data of the www.cfrcalatori.ro website users

B) Personal Data of the Employee

Article 1. Data Processing for the Working Relationship

Article 2. Processing a National Identification Number

Article 3. Special Data Processing

Article 4. Automated Individual Decision Processes

Article 5. Telecommunications and Internet 15

CHAPTER VII. Personal Data Processing on the Basis of a Legitimate Interest

CHAPTER VIII. Personal Data Transfer

CHAPTER IX. Processing of Data Regarding Contracts

CHAPTER X. Record of Processing Activities (Mapping)

CHAPTER XI. Risk Management

CHAPTER XII. Initiating a New Process

CHAPTER XIII. Rights of the Concerned Person

Article 1. Right to Be Informed

Article 2. Right of Access

Article 3. Right of Data Intervention

Article 4. Right to Object

Article 5. Right of Not Being the Subject of an Individual Decision

Article 6. Right of Data Deletion

Article 7. Right of Restricting Data Processing

Article 8. Right of Data Portability

Article 9. Right to Submit a Complaint

CHAPTER XIV. Confidentiality of Processing

CHAPTER XV. Security of Processing

CHAPTER XVI. Personal Data Processing and Protection Control

CHAPTER XVII. Security Incidents

CHAPTER XVIII. Responsibilities and Sanctions

CHAPTER XIX. The Person in Charge with Personal Data Protection

Operator: SNTFC “CFR Călători”-S.A., headquartered in: Bucharest, 38 Dinicu Gloescu bvd, Sector 1, tel: 021/311.27.41, fax: 021/315.30.04, fiscal registry no: RO 11054545, trade registry no: J40/9764/1998, email: office@cfrcalatori.ro, dpo@cfrcalatori.ro, website: www.cfrcalatori.ro

CHAPTER I. Reference Documents

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
  2. Law no. 190/2018 regarding implementing measures for Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
  3. Website of the European Commission: https://ec.europa.eu/;
  4. Website of the National Supervisory Authority for Personal Data Processing: dataprotection.ro;

CHAPTER II. Purpose of the Personal Data Protection Policy

The main purpose of the present document is to establish the policy of SNTFC “CFR Călători”-S.A. with regard to the protection of the personal data which the company processes during its activities and in the relationships with its employees, customers and other data subjects, as well as guaranteeing and protecting the fundamental rights and freedoms of the data subjects, especially the right to intimate, family and private life, in the context of personal data processing.

As part of its social responsibility, SNTFC “CFR Călători”-S.A. is commited to following national and international laws regarding data protection. As a consequence, the current policy is based on accepted principles at European and global levels regarding data protection. This data protection policy is applied by the entire company and is followed exactly by its employees and/or collaborators/ business partners, each time they process personal data during their exercise of professional duties.

Ensuing data protection represents the base for trustworthy business relations and for the reputation of our company. During its activities, SNTFC “CFR Călători”-S.A. processes personal data for fulfilling contracts (individual, commercial etc.), with regard to fulfilling legal obligations, for its legitimate interests, for marketing purposes etc.

The data protection policy states the necessary framework conditions for ensuring an adequate level of data protection, provided by Regulation (EU) 679/2016, offering a general overview of the minimal requirements for the protection of natural persons with regard to the processing of personal data and the free movement of such data.

CHAPTER III. Terms and Definitions

  1. “personal data” means any information regarding an identified or identifiable (data subject) natural person; a data subject natural person which can be identified, directly or indirectly, especially by referring to an identification element (such as: name, identification number, localization data, online ID etc.) or to one or several specific elements of the individual’s physical, physiological, genetic, psychological, economic, cultural or social identity;
  2. “special data” means data regarding racial or ethnic origin, political opinions, religious confession or philosophical beliefs, trade union association or membership to an organization, processing of genetic data, biometric data, criminal record data, health data or data regarding sexual life or sexual orientation of a natural person;
  3. “GDPR”, “RGPD” of “The Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
  4. “data subject”, in the framework of this data protection policy, means any natural person whose personal data can be processed;
  5. “processing” means any operation or set of operations made upon personal data or personal data sets, with or without using automated means, such as: collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consulting, using, disclosing by transmitting, disseminating or making available by any means, aligning or combining, restricting, deleting or destroying;
  6. “restriction of processing’ means marking stored personal data for limiting their future processing;
  7. “creating profiles” means any form of automatic processing of personal data, consisting in using personal data for evaluating certain personal aspects regarding a natural person, especially for analyzing or foreseeing aspects regarding workplace performance, financial situation, health, personal preferences, interests, reliability, behavior, the location of the respective natural person or its journeys;
  8. “pseudonymization” means processing personal data in such way that they cannot be attributed to a certain data subject without using additional information, given that these additional information are stored separately and are subjected to technical and organizational measures ensuring the respective personal data are not attributed to an identified or identifiable natural person;
  9. “data record system” means any set of accessible personal data structured according to specific criteria, be it centralized, non-centralized or distributed according to functional or geographical criteria;
  10. “operator” means a natural or legal person, public authority, agency or another organism which, by itself or together with others, established the purposes and means to process personal data; when the purposes and means of processing by Union law or domestic law, the operator or the specific criteria for its selection may be stated in Union or domestic law;
  11. “person empowered by operator” means a natural or legal person, public authority, agency or another organism which processes personal data in the name of the operator;
  12. “recipient’ means a natural or legal person, public authority, agency or another organism to whom the personal data are disclosed, no matter if it is a third party or not. However, public authorities to which persona data can be communicated during an inquiry in accordance to Union or domestic law, are not considered recipients; processing these data by the respective public authorities follows the applicable norms regarding data protection, in accordance to the purposes of the processing;
  13. “third party’ means a natural or legal person, public authority, agency or another organism, other than the data subject, the operator, the person empowered by the operator and the persons whom, under the direct authority of the operator or the person empowered by the operator, are authorized to process personal data;
  14. “third countries”, in the framework of the personal data protection policy, means all countries outside the European Union / EEA. This does not include countries with a data protection level considered sufficient by the European Commission;
  15. “European Economic Area (EEA)” is an economic region associated with the EU, which includes Norway, Iceland and Liechtenstein;
  16. “consent” of the data subject means any manifestation of free, specific, informed and non-ambiguous will, through which the person accepts, by a declaration or unequivocal action, for the concerned personal data to be processed;
  17. “breach of personal data security” means a security breach which leads, accidentally or illegally, to the destruction, loss, modification of unauthorized disclosure of the personal data which were transmitted, stored or processed by other means, or to the unauthorized access to them;
  18. “genetic data” means personal data regarding the inherited or acquired genetic traits of a natural person, which offer unique information about the physiology or health of the respective person and which result especially following an analysis of a sample of biological materiel harvested from the person in question;
  19. “biometric data” means personal data which result following specific processing techniques regarding physical, physiological of behavioral traits of a natural person, which allow or confirm the unique identification of the person in question, such as facial images of dactyloscopic data;
  20. “data regarding health” means personal data regarding physical or mental health of a natural person, including the provision of medical assistance services, which disclose information regarding the state of health of the respective person;
  21. “representative” means a natural or legal person, established in the Union, designated in writing by the operator or the person empowered by the operator, according to Article 27, which represent the operator or the empowered person in respect to their respective obligations according to the present Regulation;
  22. “undertaking” means a natural or legal person providing an economic activity, no matter its legal form, including partnerships or associations, which regularly provide an economic activity;
  23. “supervisory authority’ means an independent public authority, established by a Member State according to Article 51;
  24. “relevant and motivated objection” means an objection regarding a decision draft, with the purpose of establishing whether there is a violation of the present Regulation or whether the foreseen measures regarding the operator of the person empowered by the operator follow the present Regulation, which clearly demonstrate the importance of the risks present by the decision draft regarding the rights and fundamental freedoms of the data subjects and, as the case, free movement of the personal data in the Union;
  25. “user” means any person acting under the authority of the operator, the person empowered by the operator or the representative, with a recognized right of access to the personal databases.

CHAPTER IV. Scope and Policy Modification

This policy of personal data protection is applicable to all SNTFC “CFR Călători”-S.A. employees and is applied throughout the entire company, being followed exactly every time persona data are being processed, during the exercise of professional duties.

The data protection policy extends to all personal data processing made by SNTFC “CFR Călători”-S.A. during its activities, in the relationships with its employees, its customers or other data subjects.

The anonimyzed data (namely those information which, due to their origin or specific processing method, cannot be associated with an identified or identifiable person), where they exist, being used for instance for statistical evaluations or other studies, are not submitted to this data protection policy.

The personal data protection policy is revised yearly, if necessary, and its most recent version, approved by the General Director, shall be immediately available, both to the SNTFC “CFR Călători”-S.A. employees, as well as to its partners / consultants / third parties, on the www.cfrcalatori.ro website.

CHAPTER V. Principles for Personal Data Processing

Article 1. Correctness and Legality

When processing personal data, the individual rights of the data subjects must be protected. The personal data must be collected and processed legally and correctly. Processing is legal only if and to the extent in which at least one of the following conditions apply:

  • The data subject has given its consent for processing its personal data for one or more specific purposes;
  • Processing is necessary for fulfilling a contract in which the data subject is a party or for taking steps at the request of the data subject before concluding a contract;
  • Processing is necessary for fulfilling a legal obligations of the operator;
  • Processing is necessary for protecting the vital interests of the data subject or of another natural person;
  • Processing is necessary for fulfilling a task which serves public interest or which results from the exercise of public authority with which the operator is being invested;
  • Processing is necessary for the purpose of legitimate interests of the operator or a third party, except for the case in which the interests or the fundamental rights and freedoms of the data subject prevail, which require processing personal data, especially when the data subject is a child.

Article 2. Restricting to a Certain Purpose

Personal data may be processed only for the purpose defined before the data collection and communicated to the data subject. Further modifications of the purpose are possible only in a limited manner and require a solid substantiation. According to Article 13, paragraph (3), of Regulation (EU) 2016/679, in case the operator intends to further process the personal data for another purpose than the one for which they have been collected, the operator shall give to the data subject, before this further processing, information regarding the respective secondary purpose, as well as any additional relevant information.

Article 3. Transparency

The principle of transparency states that any information and communication regarding personal data processing must be easily accessible and understandable. Therefore, the data subject must be informed regarding the way its data are being processed, in a brief, transparent, intelligible and accessible form.

The operator may collect personal data directly from the data subject or they may be obtained from other sources.

  1. Information provided to the data subject, at the moment personal data are being obtained, if they are directly collected from the data subject and it does not already possess the respective information (Article 13, paragraphs (1), (2) and (4), from Regulation (EU) 2016/679):
  2. Identity and contact details of the operator and, if the case, its representative;
  3. Contact details of the data protection officer, if the case;
  4. The purposes for which the personal data are being processed, as well as the legal base of the processing;
  5. The legitimate interests pursued by the operator of a third party, if the processing is being performed on the basis of Article 6, paragraph (1), letter (f), from Regulation (EU) 679/2016;
  6. The recipients or the categories of recipients of the personal data;
  7. The operator’s intention to transfer personal data towards a third country or an international organization, if the case;

 

  1. The period for which the personal data shall be stored or, if this is not possible, the criteria used for establishing this period;
  2. The way in which the data subject may exercise its rights;
  3. When processing is based on Article 6, paragraph (1), letter (a), or on Article 9, paragraph (2), letter (a), from Regulation (UE) 2016/679, the existence of the right to withdraw the consent at any moment, without affecting the legality of the processing performed on the basis of the consent before its withdrawal;
  4. The right to submit a complaint to a supervisory authority;
  5. If providing personal data is a legal or contractual obligation, or a necessary obligation for concluding a contract, as well as if the data subject is obliged to provide these personal data and what are the eventual consequences of not fulfilling this obligation;
  6. The existence of an automated decision-making process, including the creation of profiles, mentioned at Article 22, paragraphs (1) and (4), as well as, at least for the respective cases, relevant information regarding the logic used and the importance and foreseen consequences of such a processing for the data subject;
  7. Information which are being provided to the data subject (in a reasonable term after obtaining personal data, but no longer than a month), if the personal data have not been obtained from the data subject and it does not already possess the respective information (Article 14, paragraphs (1), (2), (3) and (5) from Regulation (UE) 679/2016).
  8. The identity and contact details of the operator and, if the case, of its representative;
  9. The contact details of the data protection office, if the case;
  10. The purposes for which the personal data are being processed, as well as the legal base of the processing;
  11. The subject categories of personal data;
  12. The recipients or the categories of recipients of the personal data;
  13. The operator’s intention to transfer personal data towards a third country or an international organization, if the case;

 

  1. The period for which the personal data shall be stored or, if this is not possible, the criteria used for establishing this period;
  2. The legitimate interests pursued by the operator of a third party, if the processing is being performed on the basis of Article 6, paragraph (1), letter (f), from Regulation (EU) 679/2016;
  3. The way in which the data subject may exercise its rights;
  4. When processing is based on Article 6, paragraph (1), letter (a), or on Article 9, paragraph (2), letter (a), from Regulation (UE) 2016/679, the existence of the right to withdraw the consent at any moment, without affecting the legality of the processing performed on the basis of the consent before its withdrawal;
  5. The right to submit a complaint to a supervisory authority;
  6. The source of the personal data and, if the case, if they are collected from publicly available sources;
  7. The existence of an automated decision-making process, including the creation of profiles, mentioned at Article 22, paragraphs (1) and (4), as well as, at least for the respective cases, relevant information regarding the logic used and the importance and foreseen consequences of such a processing for the data subject;

Art. 5. Storage limitation and deletion

Personal data must be kept in a form allowing the identification of data subjects, for a period not exceeding the period necessary to fulfill the purposes for which data are processed. Personal data no longer needed after the expiry of the legal or business process, must be deleted/destroyed /anonymized. There may be situations where legal interests require to keep these data for predefined terms. In this case, data must be kept in files, until the expiry of the legal obligations.

Art. 6. Accuracy and timeliness of data

Personal data collected must be accurate, complete and, if necessary, updated. Permanent measures must be taken to ensure that inaccurate personal data, given the purposes for which they are processed, are deleted or corrected without delay.

Art. 7. Integrity and confidentiality

Within SNTFC CFR Călători SA, personal data are considered confidential information and must be protected by appropriate organizational and technical measures, to prevent unauthorized access, illegal processing or distribution, and their accidental loss, alteration of destruction. Any breach or non-compliance of this Policy or the instructions therefrom, especially any deliberate disclosure of personal data by an unauthorized person or third party, may lead to disciplinary action.

Failure to comply with this principle directly implies security and confidentiality breaches and therefore, extremely severe penalties provided for in Regulation (UE) 679 / 2016.

Data controller is responsible for complying with the principles of the Regulation (UE) 679 / 2016 and must be able to prove compliance with them („responsibility”).

CHAPTER.. VI. Personal data processing

SNTFC CFR Călători SA collects, uses, processes and provides given personal data only to achieve the purposes for which they were collected.

This Policy establishes the personal data processed by the Company, within the activities carried out, as follows:

A) Personal data of customers and partners

Art. 1 Data processing for a contractual relationship

Personal data of potential, existing customers and partners can be processed in order to conclude, perform and complete a contract. It also includes consulting services for the partner, if this is related to the contractual purpose. Prior to this contract, during its initial phase, personal data may be processed to prepare tenders or other documents that meet different requirements of the perspective related to the conclusion of the contract. People can be contacted during the contract preparation process, using the personal information they provided. Any restrictions requested by potential customers must be respected.

Art. 2 Data processing for advertising

If the data subject contacts SNTFC CFR Călători SA to request information (eg. to receive information about offers, promotions, etc.), data processing to reply to this request is allowed.

Advertising actions are subject to additional legal requirements. Personal data may be processed for advertising, market research and public opinion purposes, provided that such processing is carried out according to the purpose for which the data were originally collected. Data subject must be informed of the use of his/her data for advertising purposes. If data are collected only for advertising, their disclosure by the data subject is voluntary. Data subject must be informed that the provision of personal data for advertising purposes is voluntary and that consent must be obtained from the data subject in order to process those data for advertising. When consent is given, data subject should be able to choose between the available forms, such as pre-printed forms, sending consent by e-mail, etc.

If data subject refuses to use his/her data for advertising, these data may no longer be used and must be blocked/deleted/restricted for the use of these purposes.

Art. 3 Data processing based on consent

Data subject consent means any free will, specific, informed and unambiguous manifestation of the data subject, by which he/she accepts, by an unequivocal statement or action, that personal data are processed.

Data may be processed according to the data subject consent. Before giving the consent, the data subject must be informed according to the provisions of Chap. V art. 3. Statement of approval – consent must be obtained in writing, data controller must be able to prove that the data subject gave his/her consent for personal data processing.

Data subject has the right to withdraw his/her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out based on the consent, before its withdrawal. Before granting the consent, the data subject shall be informed thereof. Withdrawal of consent is as simple as granting it.

Processing personal data of a child is legal if the child is at least 16 years old. If the child is under 16 years old, such processing is lawful and to the extent that the consent is given or authorized by the legal guardian of the child.

Art. 4 Special data processing

Sensitive personal data can only be processed if required by law or if the data subject has given his/her express consent. These data may also be processed if it is mandatory for the fulfillment, performance or defense of the legal claims concerning the data subject. If there is an intention to process sensitive data, data protection officer must be informed in advance.

Art. 5 Automated individual decision-making processes

Strictly automated decision-making process takes place when decisions are made regarding a person, by technological means and without any human involvement. These decisions can be taken even without creating profiles.

Automated decisions can be based on any type of data, for example:

  • data provided directly by the persons concerned (such as answers to a questionnaire);
  • data observed on people (such as location data, collected through an application);
  • data derived or obtained by inference, such as an already created profile of the person (for example, a credit score).

Data subject has the right not to be subject to a decision based on automatic processing, including creating profiles, which produces legal effects concerning the data subject or similarly affecting him/her to a significant extent. The decision must not be based on sensitive data.

It does not apply if:

  • the decision is necessary for the conclusion or performance of a contract between the data subject and a data controller;
  • the decision is based on the express consent of the data subject;
  • „data controller shall implement appropriate measures to protect the rights, freedom and legitimate interests of the data subject, at least his/her right to obtain human intervention from the controller, to express his/her views and to challenge the decision”;
  • the decision is authorized by the European Union or national law applicable to the controller and which also provides appropriate measures to protect the rights, freedom and legitimate interests of the data subject.

Art. 6 Processing data of www.cfrcalatori.ro users

For the website www.cfrcalatori.ro, its domains and subdomains, where personal data are collected, processed and used, data subjects must be informed about this, by an Information note and if the website uses cookies, data subjects must have access to the Cookies Policy. The Information note and other information about cookies must be integrated so that it is easy to identify, directly accessible and constantly available to data subjects.

If user profiles (tracking) are created to assess the use of websites and applications, data subjects must always be informed in the Information note.

If for registered user, personal data are used to identify and log in the data subject, sufficient safeguards shall be established during access.

B) Personal data of the employee

Art. 1 Data processing for the employment relationship

In employment relationships, personal data may be processed if it is necessary to initiate, perform and conclude the individual labor contract, as well as to fulfill the legal obligations incumbent to the controller. At the beginning of an employment relationship, personal data of the applicants may be processed. When deciding to conclude an employment contract, along with the request for a set of documents containing personal data, the employee will also be informed regarding the processing of employees’ personal data in the activities carried out by S.N.T.F.C. „CFR Călători” S.A., the dated and signed document will be kept in the employee’s personal file and archived according to legal requirements.

If the candidate is rejected, his/her data must be deleted (according to the necessary data storage period), unless the applicant has agreed to store the data for a future selection process. Therefore, if the candidate wishes to participate in the employment contests subsequently organized by SNTFC CFR Călători SA – Headquarters/ SRTFC 1-8, his/her written consent will be obtained through the form „Information note and candidates’ consent regarding the processing of personal data”. Information and consent documents will be kept and later archived according to the established storage terms.

At the same time, in the light of employments relationships, according to art. 5 of the law no. 190 / 2018, regarding the measures to implement the Regulation (UE) 2016/679, if monitoring systems are used by electronic means of communication and/or by means of video surveillance at work, the processing of personal data of employees, in order to achieve the legitimate interests pursued by the employer, is allowed only if:

  • the legitimate interests pursued by the employer are duly justified and prevail over the interests or the rights and freedom of data subjects;
  • the employer has provided mandatory, complete and explicit information to employees;
  • the employer consulted the trade union or, as the case may be, the employees’ representatives, before introducing the monitoring systems;
  • other forms and means less intrusive to achieve the goal pursued by the employer that have not previously proven effective;
  • storage period of personal data is proportional to the purpose of processing, but not more than 30 days, unless expressly regulated by law or in duly justified cases;
  • the information icon is displayed regarding the video surveillance area.

Art. 2 Processing a national identification number

National identification number – the number by which a natural person is identified in certain record systems and has general applicability such as: social security number, series and number of the identity card, passport number, driving license number, health insurance number.

According to art. 4 of the law no. 190 / 2018, a national identification number may be processed only in the situations provided by art. 6 para. (1) from Regulation (UE) 2016/679, including by collecting or disclosing the documents containing it.

A national identification number may be processed, including by collecting or disclosing the documents containing it, for the purpose provided in art. 6 para. (1) f) of the Regulation (UE) 2016/679, or by achieving legitimate interests pursued by the collector or a third party, by establishing the following guarantees:

  • implementing appropriate technical and organizational measures to comply with the principle of minimizing data, as well as to ensure the security and confidentiality of personal data processing, according to the provisions of art. 32 of the Regulation (EU) 2016/679;
  • establishing storage deadlines depending on the nature of data and purpose of processing, as well as specific deadlines in which personal data must be deleted or revised for deletion;
  • regular training regarding the obligations of people who, under the direct authority of the data controller, process personal data.

In the existing employment relationship, the purpose of processing personal data must always be related to the purpose of the individual labor contract.

Art. 3 Processing special data

It is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious denomination or philosophical beliefs or trade union membership and to process genetic, biometric data for the unique identification of a natural person, health data or data on the sexual life or sexual orientation of a person.

It does not apply in the following situations:

  1. a) data subject has given his/her explicit consent for the processing of personal data, for one or more specific purposes;
  2. b) processing is necessary for the purpose of fulfilling the obligations and exercising specific rights or the controller or the data subject, for employment and social security and social protection, to the extent that it is permitted by the Union law, national law or a collective labor agreement;
  3. c) processing is necessary to protect the vital interests of the data subject or of another natural person;
  4. d) processing is performed within their legitimate activities and with appropriate guarantees, by a foundation, association or other non-profit organization with political, philosophical, religious or trade union beliefs, provided that the processing relates only to the members or former members of that organization or to people with whom it has permanent contacts regarding its purposes and that personal data are not communicated to third parties without data subjects’ consent;
  5. e) processing relates to personal data made voluntarily public by the data subject;
  6. f) processing is necessary for the establishment, exercise or defense of a right in court;
  7. g) processing is necessary for public interests reasons, based on the European Union or national law;
  8. h) processing is necessary for purposes related to preventive or occupational medicine, the assessment of the employee’s working capacity, the establishment of a diagnosis, provision of medical/social assistance or treatment or management of healthcare or social assistance systems and services;
  9. i) processing is necessary for public interest reasons in the field of public health, such as: protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and medicines or medical devices;
  10. j) processing is necessary for public interest archiving purposes, scientific or historical research or statistical purposes.

The above mentioned data may be processed for the purposes referred to in section (h), where such data are processed by a professional, subject to the obligation or professional secrecy or under his/her responsibility, under the Union or national law or pursuant to rules laid down by competent national bodies or another person subject to an obligation of confidentiality, under the Union or national law or the rules established by competent national bodies. Special data categories require a high level of protection.

Art. 4 Automated individual decision-making processes

If, at some point, personal data are processed automatically as part of employment relationships and certain specific personal data are assessed automatically (for example, in the selection of staff or the assessment of skills profiles), this automatic processing cannot be the only basis for decisions that could have a negative impact on that employee. To avoid wrong decisions, the automated process must be assisted by a natural person assessing the content of the situation and this assessment is the basis of the decision. Data subject must also be informed of the facts and results of the automated individual decisions and of the possibility to respond.

Art. 5 Telecommunications and Internet

Phone equipment, e-mail addresses, intranet and internet, together with internal applications are provided by the company, for business purposes. They are a tool and a resource of the company and therefore, they can be used within the applicable legal regulations and internal policies of the company. In case of authorized use for personal purposes, account shall be taken of the provisions of the Regulations, the internal procedures and the specific legislation on telecommunications.

In order to ensure a high level of information security and in order to solve computer security incidents, the use of phone equipment, e-mail addresses, intranet/internet networks and internal social networks can be recorded according to the company’s internal policies. These data can be assessed if there are suspected security breaches, violations of the laws in force or of the company’s policies, in the legitimate interest of the data controller. These assessments may be carried out in compliance with the principle of proportionality. Relevant national legislation must be observed in the same way as the company’s regulations.

To protect against cyber-attacks on infrastructure or individual users, safeguards can be implemented for the connections to SNTFC CFR Călători SA network blocking the technically harmful content or analyzing attack models.

CHAPTER.. VII. Processing personal data based on a legitimate interest
Personal data may also be processed if it is necessary to support a legitimate interest of SNTFC CFR Călători SA., but the legitimate interests of a data controller may be a legal basis for processing, unless the interests or fundamental rights and freedom of the data subject prevail.

In this regard:

  • Data processing for direct marketing may be considered as being carried out for a legitimate interest.
  • Strictly necessary and proportionate data processing to ensure the security of the networks and information is a legitimate interest of the data controller concerned.
  • Personal data processing strictly necessary to prevent fraud is also a legitimate interest of the data controller concerned.

Control measures requiring employee’s data processing may only be taken if there is a legal obligation to do so or if there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must always be examined. Justified interests of the company in the application of control measures (for example, complying with the legal provisions and internal rules of the company) must be weighed against any interest of the employee and must be protected so that control measures are appropriate.

In order to be able to use the legitimate interest as a basis for processing, the organization should perform a balancing test to determine whether its interests prevail over the rights and interests of data subject.

Elements that strike the balance in favor of the legitimate interest of the data controller may be:

  • Nature of interest (fundamental law, public interest, commercial interest);
  • Any damage suffered by data controller if the processing does not take place;
  • Processing involves a small group of people;
  • Data are not disclosed to third parties;
  • The organization does not have a dominant position on the market;
  • No special data categories are processed;
  • There is no significant impact on data subject rights;
  • Data subject can reasonably expect the existence of processing.

 CHAPTER. VIII. Transfer of personal data

Personal data transfer to recipients outside or inside SNTFC CFR Călători SA is subject to authorization requirements for the processing of personal data, both according to legal provisions in force and according to Company’s internal regulations. Data beneficiary must process personal data only for the initially established purposes and providing a proper security for personal data.

According to the European Commission, data transfers outside the European Union / EEA are possible only:

  • To a country recognized by the European Commission as having a proper level of protection (Andorra, Argentina, Canada – trade organizations, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, United Kingdom of Great Britain and Northern Irland, United States of America – trade organizations participating in the EU-USA Data Privacy Framework and Uruguay).The decisions on the adequacy of the protection level result in that personal data can flow freely from the EU (also from Norway, Liechtenstein and Iceland) to a third country, without further obstacles.
  • If the transfer takes place based on appropriate safeguards.

The transfer to the states to which the European Commission has recognized a proper level of protection, does not require any approval/authorization from the Supervisory Authority.

In case of personal data transfer to third countries (all nations outside the European Union/EEA) or international organizations, to which the European Commission has not recognized a proper level of protection, the Company and its employees undertake to make the transfer of personal data to them only after their submission of appropriate safeguards, as mentioned in art. 46 para (2) of EU Regulation 679/2016, respectively:

  1. a) a legally binding and enforceable instrument between public authorities or bodies;
  2. b) mandatory corporate rules, in accordance with art. 47 of Regulation (EU) 679/2016;
  3. c) standard data protection clauses adopted by the Commission, in accordance with the examination procedure referred to in art. 93 par. (2) of Regulation (EU) 679/2016;
  4. d) standard data protection clauses adopted by a supervisory authority and approved by the Commission, in accordance with the examination procedure referred to in art. 93 par. (2) of Regulation (EU) 679/2016;
  5. e) the code of conduct approved in accordance with art. 40 of Regulation (EU) 679/2016, accompanied by a binding and enforceable undertaking by the third country operator or authorized person to apply appropriate safeguards, including on the rights of concerned persons; or
  6. f) an approved certification mechanism, in accordance with art. 42, accompanied by a binding and enforceable undertaking by the operator or the person authorized by the third country operator to apply appropriate safeguards, including as regards the rights of concerned person.

Subject to the authorization of the competent supervisory authority, appropriate guarantees may also be provided, in particular, by:

  1. a) contractual clauses between the operator or the person authorized by the operator and the operator, the person authorized by the operator or the recipient of personal data from the third country or the international organization; or
  2. b) provisions to be included in administrative agreements between public authorities or bodies, which include opposable and effective rights for the persons concerned.

EU-US privacy shield

Personal data transfer to recipients outside or inside SNTFC CFR Călători SA is subject to authorization requirements for the processing of personal data, both according to legal provisions in force and according to Company’s internal regulations. Data beneficiary must process personal data only for the initially established purposes and providing a proper security for personal data.

The EU-US Data Privacy Framework brings new mandatory safeguards to address all concerns raised by the Court of Justice of the European Union, including limiting the USA intelligence access to the EU data to what is necessary and proportionate and establishing a data protection review courts (Data Protection Review Court – DPRC), to which the EU persons will have access.

The new framework brings significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if finding that data has been collected in violation of the new safeguards, the DPRC will be able to order the deletion of data. The new safeguards in the area of public authorities’ access to data will complete the obligations that US companies importing data from the EU will have to comply with.

The operation of the EU-US Data Privacy Framework will be subject to periodic reviews, which will be carried out by the European Commission, together with representatives of European data protection authorities and US competent authorities.”

CHAPTER. IX. Processing of contract data

SNTFC CFR Calatori SA, identifies the relationship with business partners, not as a whole, but by types of processing operations. An entity cannot be both an operator and the person empowered by the operator, for the same processing operation.

  • In the case of operator-operator type, the processing of data through a product provider / service provider will be carried out with the obligation to conclude an Agreement on the processing of personal data, which will include at least the following:
  • Identification data of the operators;
  • Object and duration of processing;
  • Nature and purpose of processing;
  • Type of personal data processed;
  • The categories of persons concerned;
  • Obligations and rights of the operator;
  • The rights of the data subject;
  • Contact details of Personal Data Protection Officers.
  • In the case of operator – person empowered by the operator type (natural or legal person, public authority, agency or other body, which processes personal data on behalf of the operator), the personal data processing operations involved in the collaboration between the two parties, shall be made with the obligation to conclude an Agreement on the processing of personal data, which shall include at least the following:
  • Identification data of the operators;
  • Object and duration of processing;
  • Nature and purpose of processing;
  • Type of personal data processed;
  • The categories of persons concerned;
  • Obligations and rights of the operator;
  • The rights of the data subject;
  • Technical and organizational measures to ensure the security of personal data;
  • Contact details of those responsible for personal data protection;
  • Written instructions from the operator.

This Agreement for the Processing of Personal Data must be documented in writing and is an annex to the existing or new contracts.

For the person empowered by the operator, the Agreement represents the act that points out the precise instructions that the operator transmits and that defines, thus, the role and responsibilities of each of the parties, in compliance with the provisions of art. 28 (3) and (4) of Regulation (EU) 679/2016.

The person empowered by the operator must act only on the basis of the written instructions of the operator (unless the law requires him to act without such instructions). The instructions of the operator are those explanations and requests, which help the proxy to know at any time what to do, without having to make decisions in this regard. The person empowered by the operator should not make any decision regarding the processing he does on behalf of the operator.

The operator shall only use authorized persons who provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of Regulation (EU) 679/2016 and ensures the protection of the rights of concerned persons.

The Personal Data Processing Agreement, for the person authorized by the operator, establishes the following:

  1. process personal data only on the basis of documented instructions from the operator, including transfers of personal data to a third country or an international organization, unless this obligation is incumbent on the person empowered under Union or national law applicable to it; in that case, it shall notify this legal obligation to the operator before processing, unless that right prohibits such notification for important reasons relating to the public interest;
  2. ensure that persons authorized to process personal data, have undertaken to respect confidentiality or have an appropriate statutory obligation of confidentiality;
  3. adopts all the necessary measures regarding the security of the data processing, according to art. 32 of Regulation (EU) 679/2016;
  4. the person empowered by the operator shall not recruit another person empowered by the operator without first receiving written, specific or general authorization from the operator. In the case of a written general authorization, the person authorized by the operator shall inform the operator of any planned changes to the addition or replacement of other persons authorized by the operator, thus giving the operator the opportunity to object to such changes;
  5. where a person empowered by an operator recruits another person empowered to carry out specific processing activities on behalf of the operator, the same data protection obligations under the contract or other legal act concluded between the operator and the person empowered by the operator, as provided in art. 28 par. (3) of Regulation (EU) 679/2016, is the responsibility of the second person empowered, under a contract or other legal act, under Union or national law, in particular to provide sufficient guarantees for the implementation appropriate technical and organizational measures so that the processing meets the requirements of the Regulation. If this second authorized person fails to comply with his data protection obligations, the original authorized person shall remain fully liable to the operator for the fulfillment of the obligations of this second authorized person;
  6. provide assistance to the operator, through appropriate technical and organizational measures, as far as possible, in fulfilling the operator’s obligation to respond to requests for the exercise of his rights by the data subject;
  7. helps the operator to ensure the observance of the obligations provided in art. 32-36 of Regulation (EU) 679/2016, taking into account the nature of the processing and the information available to the person authorized by the operator;
  8. at the choice of the operator, delete or return to the operator all personal data after the cessation of the provision of processing services and delete existing copies, unless Union or national law requires their storage;
  9. allows the conduct of audits, including inspections, performed by the operator;
  10. In the case of cross-border processing of contract data, the requirements of Regulation (EU) 679/2016 and relevant national legislation on the disclosure of personal data abroad must be met. In particular, personal data from the European Economic Area (EEA) may be processed in a third country outside the EEA, only if the partner can prove that it has a data protection standard equivalent to this data protection policy. The appropriate tools can be:
  • Agreement on EU standard contract terms for processing data from contracts in third countries with the supplier / provider and any subcontractors;
  • Participation of the supplier / provider in an EU accredited certification system, to ensure a sufficient level of data protection;
  • Recognition of mandatory corporate rules of the supplier / provider, in order to create an adequate level of data protection, by the supervisory authorities responsible for data protection.

The person empowered by the operator shall notify the operator without undue delay, after becoming aware of a breach of the security of personal data, so that he can notify the competent supervisory authority without undue delay and, if possible, within no later than 72 hours from the date on which he became aware of it.

The operator shall keep documents relating to all cases of breach of personal data security, which shall include a description of the factual situation in which the breach of personal data breach took place, its effects and the remedial measures taken.

CHAPTER X. Record of processing activities (Mapping)

According to art. 30, par. (1) of Regulation (EU) 679/2016, each operator and, where applicable, his representative, shall keep a record of the processing activities carried out under their responsibility.

The inventory of personal data represents the process of locating and identifying personal data, within the specific activity of the data operator, thus achieving the mapping of personal data.

In order to effectively assess the impact of Regulation (EU) 679/2016 on the activity of the Company, it is necessary to identify the processing of personal data carried out and to keep records of the processing activities.

To this end, at least the following must be precisely identified:

  • the categories of personal / specially processed data;
  • the purposes pursued by the data processing operations;
  • the legal basis of the processing;
  • the categories of persons concerned;
  • the persons who have access to this data;
  • the period of storage of the processed data;
  • the categories of recipients to whom the personal data have been or will be disclosed;
  • the transfers of personal data to a third country or an international organization;
  • how to ensure the security of the processed data.

Maintaining a record of personal data processing activities is not a single undertaking, but a permanent exercise. The register of processing activities must be updated as often as necessary, with prior notice to the DPO, of the changes to be made. To this end, reviews of the data processed must be carried out periodically to ensure that the documentation remains correct and up-to-date.

Each Directorate / Office / Department / Service / Branch is directly responsible, both for the accuracy of the data in the Register of records of processing activities and for its permanent updating.

CHAPTER XI. Risk management

If personal data processing has been identified that may present high risks to the rights and freedoms of individuals, the operator will perform a data protection impact assessment (DPIA – Data Protection Impact Assessment), under the conditions of art. 35 of the General Regulation on Data Protection.

The assessment of the impact on data protection is performed prior to the collection of personal data and the processing.

Emphasis will be placed on estimating data protection risks from the point of view of concerned persons, taking into account the nature of the data, the scope, the context and purposes of the processing and the use of new technologies.

Data protection impact assessment involves:

  • a description of the data processing performed and its purposes;
  • an assessment of the necessity and proportionality of the data processing performed;
  • an estimate of the risks to the rights and freedoms of concerned persons;
  • the measures envisaged to address the risks and ensure compliance with the provisions of the RGPD.

The data protection impact assessment allows:

  • processing a personal data or a product that respects privacy;
  • estimating the impact on the privacy of the data subjects;
  • Demonstration that the fundamental principles of the General Data Protection Regulation are respected.

The assessment of the impact on data protection is required, especially in the case of:

(a) a systematic and comprehensive assessment of personal matters relating to natural persons, which is based on automatic processing, including profiling, and which is based on decisions which produce legal effects on the natural person or which affect him in a similar way in a significant measure;

(b) the large-scale processing of special categories of data referred to in Article 9(1) of the Regulation or of personal data relating to criminal convictions and offenses referred to in Article 10; or

(c) systematic large – scale monitoring of an area accessible to the public.

When the impact assessment indicates high risks, in the absence of measures taken by the operator to mitigate them, the National Supervisory Authority shall be consulted.

CHAPTER XII. Initiation of a new processing process

According to art. 25 of Regulation (EU) 679/2016, the operator, both when establishing the means of processing as well as of the processing itself, shall implement appropriate technical and organizational measures. In order to be able to demonstrate compliance with the Regulation, the operator must implement measures that comply in particular with the principle of data protection from the moment of design, but also with the principle of implicit data protection.

In essence, this means that the operator must integrate data protection, both in the initiation and implementation of systems, services, products and business practices that involve personal data processing activities, and throughout the process of their development. The integration of data protection in the event of the initiation of a new processing process ensures both compliance with the fundamental principles and requirements of Regulation (EU) 679/2016 and the anticipation of risks and invasive events before their occurrence.

Such measures could include, inter alia:

  • minimizing the processing of personal data (achieved by analyzing the types of personal data collected and the need for their processing);
  • establishing the storage period of the processed data;
  • establishing the methods of data destruction, after the expiration of the storage period;
  • establishing the entities to which the personal data are disclosed (their recipients);
  • establishing the security measures of the processed data;
  • establishing the persons who have access to the personal data processed.

In this regard, in case of initiating a new process of personal data processing, it is mandatory to consult the Personal Data Protection Officer.

CHAPTER XIII. The rights of the data subject

Each data subject shall, in accordance with the Regulation, have the following detailed rights, each request being processed by the Data Protection Officer, with the obligation to respond to the data subject’s requests without undue delay and at the latest within one month, and if he does not intend to comply with those requests, give reasons for his refusal.

Article 1. Right to be informed – If the personal data are obtained directly from the concerned person, SNTFC CFR Călători SA, is obliged to provide the concerned person with the information presented in Chap. V, art. 3, point 1 of this Policy, unless that person already possesses that information. If the personal data are obtained from other sources, SNTFC CFR Călători SA, is obliged to provide the concerned person with the information presented in Chap. V, art. 3, point 2 of this Policy, unless that person already possesses that information.

Article 2. Right of access  when processing personal data concerning the applicant SNTFC “CFR Călători”-S.A. is obliged to communicate to him, together with the confirmation, at least the following: a) Information on the purposes of the processing, the categories of data envisaged and the recipients or categories of recipients to whom the data have been or shall be disclosed, in particular recipients from third countries or international organizations; b) communication of data which are the subject of the processing shall be provided in an intelligible form as well as any available information regarding the origin of the data; c) where possible, the period for which personal data are expected to be stored or, if this is not possible, the criteria used to establish this period; d) information on the principles of operation of the mechanism by which any automatic processing of data concerning the respective person is performed; e) information on the existence of the right to request the carrier to rectify or delete personal data or to restrict the processing of personal data concerning the data subject or the right to oppose the processing, as well as the conditions under which they may be exercised; f) information on the possibility of submitting a complaint to the supervisory authority, as well as to go to court to appeal the decisions of the carrier in accordance with the provisions of the law;

Article 3. The right to intervene on the data Any data subject shall have the right to obtain from SNTFC “CFR Călători”-S.A., on the basis of an application and free of charge, where appropriate, the rectification, updating, blocking or deletion of data the processing of which does not comply with the law, in particular incomplete or inaccurate data;

Article 4. Right of opposition The data subject has the right to oppose at any time, for justified and legitimate reasons, related to his particular situation, processing data concerning him, unless there are contrary legal provisions. In case of justified opposition, the processing may no longer target the data in question;

Article 5. The right to not be subjected to an individual decision –  any person has the right to request and obtain the withdrawal / cancellation / reassessment of any decision which produces legal effects concerning it, adopted solely on the basis of the processing of personal data, carried out by automatic means, intended to assess certain aspects of its personality, such as professional competence, credibility, conduct or other such matters;

Article 6. The right to delete the data – The data subject has the right to request the carrier to delete without delay, the personal data concerning it, in the following cases: a) personal data that are no longer necessary for the purposes for which they were collected or processed; b) when the data subject withdraws the consent on the basis of which the processing takes place and there is no other legal basis for the processing; c) when the data subject opposes the data processing and there are no legitimate reasons prevailing for the processing; d) personal data have been processed illegally; e) personal data must be deleted in order to comply with the law;

Article 7. The right to restrict data processing According to the Art. 18 the Regulation, the data subject has the right to obtain from the carrier the restriction of processing in the following cases: a) the data subject disputes the accuracy of the data, for a period which allows the carrier to verify their accuracy; b) the processing of data is illegal and the data subject opposes the deletion of personal data, requesting in return the restriction of their use; c) the carrier no longer needs the personal data for the purpose of processing, but the data subject requests them for finding, exercising or defending a right in court; d) the data subject objected to the data processing in accordance with art. 21 paragraph (1) of the Regulation, for the time interval in which it is verified whether the legitimate rights of the carrier prevail over those of the data subject.

If the processing has been restricted on the basis of the above situations, such personal data may, except in the case of storage, be processed only with the consent of the data subject or for the establishment, exercising or defending a right in court or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject which has obtained the processing restriction on the basis of the situations set out above shall be informed by the carrier before the processing restriction is lifted.

 Article 8. The right to data portability – Art. 20 of the Regulation stipulates: The data subject has the right to receive personal data of which it is interested in and which it has provided to the carrier, in a structured format, which is currently used and which can be read automatically, and has the right to transmit this data to another carrier, without hindrance from the carrier to whom the personal data were provided.

Personal data must be provided to the data subject, in a structured format, so that it can decide whether to download them or, conversely, whether to send them to another carrier. This right applies only to the extent that the data are processed under a contract or with the consent of the data subject, as well as (cumulatively), when the processing is done by automatic means. The right to data portability applies both to the data provided directly by the data subject and to the data collected subsequently. Data derived or deduced about data subjects are excluded from portability;

Article 9. The right to file a complaint – The data subject has the right to file a complaint to the National Authority for the Supervision of Personal Data Protection (ANSPDCP) and to address the court.

All these rights can be exercised by the data subject through a written request, signed and dated, submitted to the Company’s headquarters, stating: “Responsible for the protection of personal data” or to the following e-mail address: dpo.calatori@cfrcalatori.ro.

CHAPTER XIV. Confidentiality of processing

Personal data is considered confidential. Any unauthorized collection, processing or use of this data by employees is prohibited. Heads of departments can determine the level of access to personal data for each subordinate. Any data processing, performed by an employee who has not been authorized to perform it, as part of his legitimate duties, is unauthorized. The “Need to know” principle applies. Employees may have access to personal data only as appropriate for the type and purpose of the service task in question. This requires a careful breakdown and separation, as well as the implementation of roles and responsibilities. Employees are prohibited from using personal data for private or commercial purposes, disclosing it to unauthorized persons or making it available in any other way. Heads of departments and the Human Resources department must inform their employees, at the beginning of the employment relationship, about the obligation to protect the confidentiality of personal data and information.

The general responsibilities of the employees of SNTFC “CFR Călători”-S.A., within Regulation (EU) 679/2016 on the protection of personal data, include:

  • to process personal data in accordance with, and within the limits of their duties in the job description;
  • to maintain the confidentiality of the personal data they process, throughout the individual employment contract and after its termination, for an unlimited term;
  • not to disclose personal data which they process to persons other than those in respect of whom they are permitted to do so by internal procedures, by the employers’ internal regulations, by the individual employment contract and by the job description;
  • to process personal data, only for the fulfilment of the service attributions provided in the job description, in the individual employment contract and in the internal regulations;
  • to comply with the technical and organizational measures put in place to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access, in particular if such processing involves the transmission of data within a network and against any other forms of illegal processing;
  • to inform the person in charge of personal data protection, as soon as possible, of any situation of unauthorized access to the personal data they process.

Failure to comply with the aforementioned obligations, as well as the confidentiality of personal data and information processed, attracts the disciplinary liability of the employee, in accordance with the provisions of labour law and legislation in the field of personal data protection.

Any employee of the organization has the obligation to immediately inform the Personal Data Protection Officer of any incident or event that adversely affects the confidentiality, interactivity and availability of data or that may harm the organization.

Any damage, of any nature, brought to the organization with or without intention, by non-compliance with the provisions of the legislation and the Regulation, regarding personal data, may attract disciplinary or civil liability (where appropriate).

CHAPTER XV. Security of processing

Personal data must be protected against unauthorized access and illegal processing or disclosure, as well as accidental loss, alteration or destruction. This applies whether the data is processed electronically or on paper.

In order to fulfil the related legal provisions and to satisfy the requirements for the safe storage of data and information, the company has developed and implemented organizational and technical measures, regarding the security and control of information systems, in order to ensure the confidentiality of data and information, as well as to keep them safe, in the current activity, performed by the Company’s employees.

Manual processing of personal data:

  • Documents containing personal data are kept in locked files or lockers or with another security mechanism. Documents containing personal data, used for carrying out certain operations, will be handed over to the competent persons or will be closed immediately after their completion.
  • Manual processing of personal data, which belong to the category of data with a special or sensitive character, will be performed only by persons who have specific responsibilities in this regard.

All documents containing personal data follow the rules of storage, processing, multiplication, transport, transmission, destruction and archiving, established by the legislation in the field of vocational training, the law on archiving, legislation in the field of accounting, labour legislation, etc. and through the existing internal procedures of SNTFC “CFR Călători”-S.A.

CHAPTER XVI. Control of processing and protection of personal data

Monitoring of compliance with the Personal Data Processing and Protection Policy and applicable data protection laws is regularly verified through data protection audits and other inspections.

Performing these checks is assigned to the Person in charge of Data Protection, according to art. 39 paragraph (1) letter b), of Regulation (EU) 679/2016. The results of the data protection inspections must be reported to the General Director of SNTFC “CFR Călători”-S.A.

Upon request, the results of data protection inspections will be made available to the National Supervisory Authority for Personal Data Processing.

The National Supervisory Authority for Personal Data Processing may carry out its own inspections, according to the national legislation.

CHAPTER XVII. Security incidents

A security incident can be defined as follows:

– as an event through which it is attempted or achieved the access to a computer system, an attack on the integrity, availability or confidentiality of information from an automated computer system or a manual system (any paper document containing personal data which is accessed by an unauthorized persons);

– any action or lack of action contrary to security regulations, the consequences of which have determined or are likely to cause, the compromise of data security;

– any type of event, in which there are justified suspicions, that personal data are being captured, collected, modified, copied, transmitted or used illegally. This refers to the actions of third parties or employees.

An IT incident may refer: to the unauthorized examination of information and data, interruption of the operation of services or products, altered or destroyed data, unauthorized processing, storage or extraction of information, modification of information and data from computer systems, malware or software, with or without the user’s knowledge or intent.

Information is considered compromised when it loses its integrity, confidentiality or availability.

Deviation from security regulations represents a violation that leads to compromising information.

The person in charge of personal data protection (DPO), is accountable to the management regarding the handling of security incidents, in relation to the National Supervisory Authority for Personal Data Processing.

Managing security incidents applies without discrimination to all persons using the information resources of the organization.

Reporting the security incident aimed at compromising personal data must include:

  • description of the compromised data, the date of issue, the issuer, the subject it refers to, the person or department that managed them;
  • a brief presentation of the circumstances in which the compromise took place, including the date of the finding, the period in which the data were exposed to the compromise, the unauthorized persons who had or could have had access to them, if known;
  • other details regarding the possible information of the issuer.

If the security incident involves the application of civil or criminal law, DPO will recommend notifying the law enforcement bodies of the state and will act as a liaison officer with them.

The operator shall keep the documents relating to all cases of breach of personal data security, which contain a description of the factual situation in which the breach of personal data breach took place, its effects and the remedy measures taken.

Any security incident involving personal data shall be reported immediately to the DPO by any employee of the organization in which the compromise occurred, so that all reporting obligations can be complied with in accordance with national law.

CHAPTER XVIII. Responsibilities and sanctions

Heads of departments within the Company are responsible for the processing of data in their area of responsibility. Therefore, they are obliged to ensure that the legal requirements for data protection and those contained in the personal data processing policy are met.

The management staff is responsible for ensuring the organizational, technical and human resources measures so that any processing of personal data is carried out in accordance with REGULATION (EU) 2016 / 679. Compliance with these requirements is the responsibility of each relevant employee.

The Personal Data Protection Officer is the contact person for information regarding the processing and protection of data. It may carry out inspections of compliance with the Personal Data Processing Policy and the provisions of Regulation (EU) 2016/679.

All employees must inform immediately the Personal Data Protection Officer about cases of violation of this Data Protection Policy or other personal data protection regulations.

The departments responsible for business projects involving major managing processes must inform the Personal Data Protection Officer in a timely manner about a new processing of personal data.

For the processing of data which may present special risks for the individual rights of data subjects, the Personal Data Protection Officer must be informed before the processing begins. This applies in particular to highly sensitive personal data.

Improper processing of personal data or other violations of data protection laws leads to the application of sanctions provided by the internal regulations, by the EU Regulation no. 679/2016 and the in force legislation.

CHAPTER XIX. Personal Data Protection Officer (DPO)

The DPO, being internally independent to professional subordination, works to comply with national and international data protection regulations. It is responsible for the Data Protection Policy and oversees compliance with it and the Regulation. The person responsible for the protection of personal data is appointed by the management of SNTFC “CFR Călători”-S.A.

The heads of departments have the obligation to promptly inform the person in charge of personal data protection about the occurrence of any risks regarding the processing and protection of personal data (security breaches).

Any data subject may contact the DPO at any time to ask questions, request information or file complaints related to data protection or personal data security issues. If requested, complaints will be treated confidentially.

If the Personal Data Protection Officer is unable to resolve a complaint or remedy a breach of the Data Protection Policy, advice will be sought from the Supervisory Authority.

The decisions taken by the Personal Data Protection Officer to remedy the data protection breaches must be reported to the company’s management. Investigations and inspections carried out by the Supervisory Authority must always be reported to the company’s management.

The Data Protection Officer (DPO) is the owner of this document and is responsible for reviewing this policy in accordance with internal requirements.

The current version of this document is available to all employees of SNTFC “CFR Călători”-S.A., as well as partners / consultants / third parties.

This document is the property of SNTFC “CFR Călători”-SA, copying, distribution, publication, usage (partial or total), exposure, inclusion of any content in any context other than the original intended by SNTFC CFR Călători SA, is allowed only with the express written consent of SNTFC “CFR Călători”-SA.