SC SPATIO DESIGN_ARHITECTURA SRL guarantees the security and confidentiality of the data hosted and transmitted through its computer system. This information may be used by SC SPATIO DESIGN_ARHITECTURA SRL to send the user order confirmations, special offers, promotions, etc., only with the consent of the data subject. The provision of personal data to SC SPATIO DESIGN_ARHITECTURA SRL does not imply any obligation on the part of the users, and they may refuse to provide this data under any circumstances and may request its free deletion from the database. To delete the information provided by users from the database, it is sufficient to contact us and request this either by phone or by e-mail. We will provide the user with a form through which they can exercise their rights provided by the current legislation regarding the processing of personal data.

SC SPATIO DESIGN_ARHITECTURA SRL, as the owner of the platform, does not directly or indirectly intervene in the databases where customer information is stored. This information is only processed automatically within the following processes:

➢ Password reset:

  ➢ Can only be requested by the user;

  ➢ Account activation link / password change directly by e-mail;

➢ Update / modification / deletion of information and/or user account:

  ➢ Has the possibility to delete the account, modify and update information;

  ➢ Has full access to update the information necessary for receiving the delivered products;

  ➢ Has the possibility to give consent to be informed about stock updates, alerts for completing the order in the shopping cart, new offers, stock and price changes, etc.

We use the collected personal data for the following purposes:

a) Invoicing of products/services ordered by the user;
b) Delivery of these products/services;
c) Processing online payments (if applicable);
d) Request for a quote or contact request.

In order to enable the invoicing, shipping, and delivery of placed orders, the user must agree that SC SPATIO DESIGN_ARHITECTURA SRL collects and processes their data in accordance with the requirements of Law no. 679/2016 (GDPR).

In accordance with the requirements of Law no. 679/2016 (GDPR) for the protection of individuals with regard to the processing of personal data and the protection of privacy in the electronic communications sector, SC SPATIO DESIGN_ARHITECTURA SRL has the obligation to administer the personal data provided to us in a secure manner and only for the specified purposes.

In this regard, SC SPATIO DESIGN_ARHITECTURA SRL has developed a series of technical and organizational measures to prevent the risks that may arise in the processing of personal data.

The processing of personal data within the organization is conditioned by a series of technical and organizational measures to ensure their security.

These measures are aimed at protecting the information within the organization against security incidents.

From a processing standpoint, within SC SPATIO DESIGN_ARHITECTURA SRL, personal data is processed only for the purposes for which the consent of the data subjects has been obtained, including parallel purposes and for the conclusion of a contract or the delivery of a product to the client as requested by them.

Considering that this organization operates largely in the online environment, clients’ personal data is transmitted and processed online through the applications and platform used for placing orders and requests for quotations. The collected data is minimized and directly related to the purpose for which consent has been obtained, and is necessary to contact the client in case of a quotation request or to deliver and provide the ordered product in accordance with the requirements, including returns.

SC SPATIO DESIGN_ARHITECTURA SRL, a legal entity registered with the Trade Registry, is a direct data controller, not a processor, and does not designate such entities. The purpose of processing personal data is to provide products through the online store, as well as parallel purposes of this activity: product returns, processing the information necessary for delivery, improving the user experience by retaining certain settings or preferences, upon obtaining their consent, price changes, product features, stock changes, promotions, and invoicing.

The categories of data subjects are: clients / potential clients, visitors, or registered members of the website / platform.

The methods through which data subjects are informed of their rights are:

➢ Privacy policy;

➢ Terms and conditions of platform/online store usage (document will be attached);

➢ On the website in a dedicated section (document will be attached).

➢ Via email following registration on the platform, as well as in the event that the client requests additional information or requests for quotations.

➢ Through the contact form on the website (document will be attached).

The exercise of rights provided by the law 679/2016 (GDPR) entirely falls within the responsibilities of the data controller, who has a legal obligation to designate a person responsible for the processing of personal data within the organization. This person will develop a set of technical and organizational measures to secure the processing of data and is obligated to inform the data controller about the nature of the processing operations, types of information, and how these processes are carried out within the organization. The controller has the responsibility and obligation to ensure that these measures are implemented, that there is no risk of security breaches or information leaks, as well as to comply with current legislation regarding data processing and the rights of data subjects.

The following personal data is processed through the online platform:

➢ First and last name;

➢ Banking information in the case of payments through the secure debit/credit card platform provided in a unified, centralized, and secured manner to the provider of this solution (MOBILPAY);

➢ Email, phone/Fax.

SC SPATIO DESIGN_ARHITECTURA SRL does not process special categories of data. SC SPATIO DESIGN_ARHITECTURA SRL does not transfer data abroad or to third parties.

The processing of personal data is not related to other record-keeping systems. The actual activity of the company is to receive orders initiated by clients through the online platform (the online store), to store and process them for invoicing, shipping, and providing the ordered products.

The processing of the information entered by the client into the platform is strictly carried out in line with the purposes for which the client has provided consent:

➢ Invoicing;

➢ Delivery;

➢ Processing returns (in accordance with legal procedures);

➢ Automatic return if the package is not received by the client;

➢ Retention of data in the user account for an improved experience (the client’s personal account is secured by them logging in using their email address and a password of their choice).

Within the organization, the following security measures have been implemented to reduce risks:

➢ Technical measures:

SSL certificate – this has the role of securing the exchange of information over the internet. It encrypts the information before it circulates over the internet, and the encrypted information can only be decrypted by the server to which it is addressed. This ensures that information sent to the website/online platform cannot be read, intercepted, or tampered with by a third party while in transit.

Information about bank cards, passwords, and in general, any information that is intended to remain private, is secured by this SSL certificate. The SSL certificate of the online platform SC SPATIO DESIGN_ARHITECTURA SRL is also used to secure email correspondence, ensuring that the personal data of clients circulates in a secure environment regulated by a series of security measures that ensure the confidentiality of information.

Automatic backup – set at regular intervals to safeguard information and to assure all clients that the information and preferences provided by them do not disappear, are not destroyed, lost, or corrupted in the event of a server error.

Anti-spam and antivirus filters that prevent the infiltration of malicious content or viruses that could process data without authorization or transmit it to other entities or individuals who have not obtained the consent of the data subjects.

Protection of the client profile content by introducing a rule for generating a more complex password. The client is requested, when creating an account, to choose a password that meets higher complexity criteria (alphanumeric + special characters);

Securing modules and scripts that communicate within the platform. The functioning of the elements involved in client-server, server-client interactions is constantly verified.

Verification and optimization of modules to keep them up-to-date and prevent vulnerabilities. This measure reduces exposure to publicly known vulnerabilities in the platforms used, including 0-day vulnerabilities that could be used to intercept the data exchanged, and implicitly personal data, during client interactions with the platform or with the data controller.

Classification of access types by the data controller – administration groups, the ability to add or remove certain rights for a user with full access – customization of access based on necessity.

Password protection of the device from which the data controller performs data processing to prevent unauthorized intervention.

Firewall – software program and hardware component installed in the company’s server location that provides hosting for the online platform, designed to protect the server and network equipment against cyber-attacks, unauthorized intrusion attempts, and the installation of malicious software applications that could jeopardize the personal data of platform users. The firewall blocks unauthorized access to the information stored on the Internet-connected equipment.

Access to the data processing systems where personal data is processed is only possible after the authorized person has been successfully identified and authenticated (e.g., with a username and password or a chip/PIN card), using the most advanced security measures. In the absence of authorization, access is denied.

All access attempts, both successful and rejected, are logged (user ID, computer, IP address used) and archived in an audit-compliant format for 3 months. In order to detect inappropriate use, the server performs repeated, random checks.

Access is blocked after repeated incorrect authentication attempts.
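The three controls just listed (authentication before access, an audit record of every attempt with user ID, computer and IP address kept for 3 months, and lockout after repeated failures), together with the password complexity rule from earlier in this section, are shown below as a single worked example. It is added here as an illustration and is not the company's or the platform's own code; the lockout threshold (5 failures), the lockout window (15 minutes), the minimum password length (10), the PBKDF2 iteration count and the in-memory audit store are all assumptions chosen for the example, while the 90-day retention matches the 3 months the policy states. The login attempts fed to it are constructed sample data.

```python
"""Authentication gate with audit logging and lockout (added example, not the
company's code). All thresholds below are assumptions except RETENTION, which
follows the policy's 3-month archive period."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                     # assumed: failures tolerated before lockout
LOCKOUT = timedelta(minutes=15)      # assumed: how long the account stays blocked
RETENTION = timedelta(days=90)       # policy: audit records kept for 3 months
PBKDF2_ROUNDS = 100_000              # assumed password-hashing work factor

# "alphanumeric + special characters" rule; the minimum length of 10 is assumed
COMPLEXITY = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)(?=.*[^A-Za-z0-9]).{10,}$")


def password_is_complex(password: str) -> bool:
    """Return True when the password satisfies the complexity rule."""
    return bool(COMPLEXITY.match(password))


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored credentials are never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AuditRecord:
    """One logged access attempt: who, from which computer and IP, and the outcome."""
    ts: datetime
    user_id: str
    host: str
    ip: str
    success: bool
    reason: str


class AuthGate:
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # user_id -> (salt, hash)
        self._failures: dict[str, list[datetime]] = {}     # recent failure times
        self._locked_until: dict[str, datetime] = {}
        self.audit: list[AuditRecord] = []

    def register(self, user_id: str, password: str) -> None:
        """Create an account; rejects passwords that fail the complexity rule."""
        if not password_is_complex(password):
            raise ValueError("password does not meet the complexity requirements")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(password, salt))

    def _log(self, now, user_id, host, ip, success, reason) -> bool:
        self.audit.append(AuditRecord(now, user_id, host, ip, success, reason))
        return success

    def login(self, user_id: str, password: str, host: str, ip: str, now: datetime) -> bool:
        """Authenticate; every attempt is logged, and repeated failures lock the account."""
        until = self._locked_until.get(user_id)
        if until is not None and now < until:
            return self._log(now, user_id, host, ip, False, "locked")
        stored = self._users.get(user_id)
        # Unknown users and wrong passwords are treated alike so the response
        # does not reveal which accounts exist.
        ok = stored is not None and hmac.compare_digest(
            _derive(password, stored[0]), stored[1])
        if ok:
            self._failures.pop(user_id, None)
            return self._log(now, user_id, host, ip, True, "authenticated")
        recent = [t for t in self._failures.get(user_id, []) if now - t < LOCKOUT]
        recent.append(now)
        self._failures[user_id] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user_id] = now + LOCKOUT
            self._failures.pop(user_id, None)
            return self._log(now, user_id, host, ip, False, "bad credentials; account locked")
        return self._log(now, user_id, host, ip, False, "bad credentials")

    def purge(self, now: datetime) -> int:
        """Drop audit records older than the retention period; return how many were removed."""
        keep = [r for r in self.audit if now - r.ts < RETENTION]
        removed = len(self.audit) - len(keep)
        self.audit = keep
        return removed


if __name__ == "__main__":
    gate = AuthGate()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    gate.register("alice", "Tr0ub4dor&3xyz")        # constructed sample account
    for i in range(6):                               # constructed brute-force burst
        gate.login("alice", "wrong-guess", "ws-01", "203.0.113.7", t0 + timedelta(seconds=i))
    for rec in gate.audit:
        print(rec.ts.isoformat(), rec.user_id, rec.host, rec.ip, rec.success, rec.reason)
```

The `now` parameter is passed in explicitly so the lockout and retention behaviour can be checked without waiting for real time to pass; a deployment would call it with the current UTC time and would write the audit records to an append-only store rather than keep them in memory.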

Constant verification of platform vulnerabilities that could allow the extraction of information and personal data. The hosting service has security measures and solutions that recurrently scan processed files and the data flow circulating within the platform.

Mitigation of security breach risks by taking technical and organizational precautions to secure the platform and constantly update it with stable versions.

Password protection of the equipment that has direct access to the order table and customers’ delivery/billing data, to prevent unauthorized access and processing by unauthorized personnel.


➢ Organizational measures:

Destruction of unnecessary documents (previous waybills, erroneous invoices, etc.) using a document shredder available to the data controller;

Elimination of the risk generated by the human factor by prohibiting the processing of information outside the secure platform, except for drawing up waybills within the courier company’s platform, which is also a secure environment;

Adoption of security measures without differentiation between types of clients (new/existing/potential);

Adoption of an internal policy for verifying processes and processing when delivering the product or acquiring information about an order or potential offer;

Avoiding differentiation between clients through mechanisms that might positively or negatively profile the individual. For this reason, we do not request personal data related to sexual orientation, sexual interests, gender, religion, membership in movements or groups, etc. Clients are free to order and choose what they desire. With this measure, we believe we respect individuals’ integrity and avoid any form of analysis/profiling based on these criteria.

Updating the privacy policy and Terms and Conditions of SC SPATIO DESIGN_ARHITECTURA SRL.

Informing clients about the delivery, return, and order processing procedures.

Securing documents containing personal data. This measure ensures a secure location for storing and archiving these documents in compliance with legal and fiscal regulations, preventing unauthorized processing.

Training the data processing officer about the risks of processing personal data outside the online platform.

Training the data processing officer about the necessity of notifying in the event of a major security incident.

Training the data processing officer on managing situations that may arise during data processing within the platform (errors, misuse).

Training the data processing officer on the use of the processed information and awareness of the personal nature of the information.

Prohibiting data processing outside the platform by managing orders directly within the platform’s user interface, eliminating the need for processing data in other unsecured and vulnerable environments.

The data processing officer receives periodic training on:

➢ Data protection principles, including technical and organizational measures;

➢ The requirement to maintain data secrecy and confidentiality regarding organizational secrets and trade secrets, including transactions;

➢ The correct and careful use of data, data environments, and other documents;

➢ Telecommunications secrecy;

➢ Other specific confidentiality obligations as necessary.

The purpose of collecting data is to invoice orders, send correspondence, and fulfill orders. Your refusal to provide the data makes it impossible for your order to be placed on this site and processed.

In accordance with Law no. 679/2016 (GDPR), the user has the right of access, the right to be forgotten, the right to data portability, the right to intervene in the data, the right not to be subject to an individual decision, and the right to seek justice. Additionally, they have the right to object to the processing of personal data and to request the deletion of data. To exercise these rights, the user can submit a written request, dated and signed, to the email address contact@ralucanedelcu.ro. Also, if any of the user data is incorrect, we kindly request that you notify us, so that the necessary corrections can be made.

SC SPATIO DESIGN_ARHITECTURA SRL does not transfer data abroad or to third parties.

Copyright: The content of the website www.ralucanedelcu.ro is the property of SC SPATIO DESIGN_ARHITECTURA SRL and is protected under copyright law and laws related to intellectual and industrial property. Unauthorized use of any elements on the website without the written consent of SC SPATIO DESIGN_ARHITECTURA SRL is punishable by law.

The personal data of buyers may be transmitted to the competent authorities in accordance with the laws in force, to carry out any verification of commercial transactions or any other justified verifications based on the law.

GLOSSARY OF TERMS

DATA SUBJECT ACCESS

This is the right of the data subject to obtain from the data controller, upon request, certain information regarding the processing of their personal data, as detailed in Chapter III Section 2 of the GDPR.

SUPERVISORY AUTHORITY/LEAD AUTHORITY

Supervisory authorities are national data protection authorities empowered to enforce the GDPR in their own member state. The concept of the “one-stop shop”: if an enterprise is established in multiple member states, it will have a “lead authority” determined by the location of its “main establishment” in the EU. A supervisory authority that is not a lead authority may also have a regulatory role, for example, if the processing affects the data subjects in the country where the supervisory authority is the national authority.

SPECIAL CATEGORIES OF DATA

Often known as “sensitive data”. The GDPR has expanded the definition to include both biometric and genetic data.

EDPB (European Data Protection Board)

The European Data Protection Board; it will replace the Article 29 Working Party, and its functions will include ensuring the consistent application of the GDPR, advising the European Commission, issuing guidance, codes of practice, and recommendations, accrediting certification bodies, and providing opinions on the draft decisions of supervisory authorities.

MINIMUM SECURITY REQUIREMENTS

A set of rules adopted by the Ombudsman to ensure the security/confidentiality and integrity of personal data, covering aspects such as user identification and authentication, access control, data collection, execution of backup copies, computer and access terminals, access files, telecommunications systems, staff training, use of computers, and data printing.

Each entity has the obligation to approve its own security system, taking into account these minimum security requirements for personal data processing, and depending on the importance of the processed data, additional security measures will be imposed.

DATA PROCESSING CONSENT (OPT-IN)

The process of collecting personal information, through which the individual voluntarily and deliberately gives consent for the processing of their personal data.

DATA CONTROLLER

An organization or company that collects personal data and makes decisions regarding the way they are managed.

PERSONAL DATA

This refers to any information relating to an identified or identifiable natural person, a “data subject”. The data subject is a natural person who can be directly or indirectly identified.

DATA PROTECTION DIRECTIVE

The European Directive 95/46/EC previously governed the processing of personal data in the EU and will now be replaced by the GDPR.

DOUBLE OPT-IN

The process by which an individual must go through a two-step mechanism to give consent for the processing of their personal data.

RIGHT TO BE FORGOTTEN

The existing right to erasure of an individual’s personal data, in certain circumstances, has been extended to a new “right to erasure” in the circumstances detailed in Chapter III Section 3 of the GDPR. Viewing data hosted in another location would constitute a transfer within the meaning of the GDPR.

ARTICLE 29 WORKING PARTY

The Article 29 Working Party (“A29WP”) is composed of representatives from the EU’s national supervisory authorities, the European Data Protection Board (“EDPB”), and the European Commission. It has been transformed into the “European Data Protection Board” (“EDPB”), with a similar composition but with an independent Secretariat – refer to the chapter on the “European Data Protection Board”.

UNDERTAKING

This term is used in a variety of contexts in the GDPR, most often to refer to a legal entity involved in “economic activity”. The term has particular significance in the context of GDPR provisions on financial penalties. Undertakings will be subject to penalties calculated as a percentage of their annual worldwide turnover. In this context, the term borrows principles developed in the context of competition law in the Union.

DATA CONTROLLER

A person or entity, alone or jointly, who determines the purposes and means of processing personal data.

PASSIVE OPT-IN

The process of gathering personal data that uses an implicit opt-in. For example, a pre-selected checkbox that a user would need to deselect if they do not want to consent to the processing of their personal data.

DPIA (DATA PROTECTION IMPACT ASSESSMENT)

The GDPR imposes a new obligation on data controllers and data processors to carry out an assessment of the impact on data protection (also known as a privacy impact assessment or PIA) before conducting any processing that presents a specific risk to privacy by virtue of its nature, scope, or purposes. Chapter IV Section 3 provides a non-exhaustive list of processing activities that will fall under this provision.

PRIVACY BY DESIGN

Privacy by design means that any actions of a company involving the processing of personal data must be undertaken with the utmost care for the protection of personal information. This includes internal projects, product developments, software developments, IT systems, and more. In essence, it means that the IT department or any other department processing personal information must ensure that any new project has a data protection system throughout its entire creation and implementation process. In essence, adding data protection features at the end of a long development process is no longer legal.

PRIVACY BY DEFAULT

Privacy by default means that once a product or service has been publicly launched, the strictest data protection settings have already been implemented by default, without requiring the user to take any actions or purchase additional features.

PROCESS

This is broadly defined to cover any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means. Examples of processes include collection, recording, organization, storage, use, and destruction of personal data.

DATA PROCESSOR

An entity that processes data on behalf of the data controller.

PSEUDONYMISATION

The technique of processing personal data in such a way that it can no longer be attributed to a specific person without the use of additional information, which must be kept separately and be subjected to technical and organizational measures to ensure non-attribution.

GDPR (General Data Protection Regulation)

The General Data Protection Regulation was finally adopted as Regulation (EU) 2016/679 on April 27, 2016.

DPO (Data Protection Officer)

A person responsible for data protection – whose appointment is mandatory under the GDPR when: (i) the processing is carried out by a public authority or body; or (ii) the “core activities” of a data controller/processor: (a) require “regular and systematic monitoring of data subjects on a large scale” or; (b) consist of processing special categories of data or data relating to criminal convictions and offenses “on a large scale.”

EEA (European Economic Area)

The European Economic Area comprises all 28 EU member states, Iceland, Liechtenstein, and Norway. It does not include Switzerland.

DATA SUBJECT

The individual or person whose personal data is being processed.

TRANSFER

The transfer of personal data to countries outside the EEA or to international organizations, which are subject to detailed restrictions in Chapter V of the GDPR. As with the Data Protection Directive, data does not have to be physically transported to be transferred.