Privacy Policy

ATLANTIC TOUR Policy

ATLANTIC TOUR
Personal Data Protection Policy

Introduction
The concept of personal data protection represents the right of the natural person to have those characteristics that lead to his identification protected and the correlative obligation of the state to adopt appropriate measures to ensure effective protection.
Personal data means any information that can be directly or indirectly linked to an identified or identifiable natural person, such as, for example, name, surname, personal code, address, telephone number, e-mail address, image, voice, economic-financial situation, profession.
The company ATLANTIC TOUR is engaged in the provision of services, on a contractual basis, in the field of tourism. To provide these services, the employed staff processes personal data made available by various entities, on a contractual basis.

HEAD. I. Purpose
This policy provides the framework conditions necessary to ensure the appropriate level of data protection provided by Regulation no. 679 of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data by the company ATLANTIC TOUR.

HEAD. II. Scope and modification of the policy
The data protection policy extends to all personal data processing carried out by ATLANTIC TOUR and to all employees of this company. The policy will be revised annually or as often as necessary (in case of changes in domestic/EU legislation in the field of personal data protection) and, after the approval of the company administrator, will be immediately available, both to employees and to customers and business partners.

HEAD. III. Principles for the processing of personal data
Art. 1. Fairness and legality
During the processing of personal data, the individual rights of the persons concerned must be protected. Data collected/transferred by another operator will be processed legally and correctly.
Art. 2. Restriction to a certain purpose
Personal data can only be processed for the purpose defined before their collection and communicated to the data subject. Subsequent changes of purpose are only possible to a limited extent and require a solid justification.
Art. 3. Transparency
The data subject must be informed about how his data are processed. In general, personal data must be collected directly from the individual concerned. At the time of collection, the data subject must be informed of:

Art. 4. Reduction and minimization of data
Before processing personal data, it must be determined whether and to what extent their processing is necessary to achieve the purpose for which it is carried out.
Personal data may not be collected in advance and stored for potential future purposes, unless this is required or permitted by national or EU law or with the data subject’s consent.
Art. 5. Deletion
Personal data that are no longer needed after the expiry of the legal process or stipulated by the contract must be deleted. There may be situations where legal provisions require the retention of this data for predefined periods. In this case, the data must be stored until the expiry of the legal obligations.
Art. 6. Data accuracy and timeliness
Personal data collected must be correct, complete and, if necessary, updated. Inaccurate or incomplete data will be updated, corrected, supplemented or deleted.
Art. 7. Data confidentiality and security
Within ATLANTIC TOUR, personal data are considered confidential information and are protected by appropriate organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as their accidental loss, modification or destruction.

HEAD. IV. Reliability of data processing
The processing and use of personal data is permitted on the basis of the following necessary legal grounds and also if the purpose of the collection, processing and use of personal data must be changed from the original purpose.
Art. 1. Data about customers and partners
1.1 Data processing for a contractual relationship
Personal data of potential customers, existing customers and partners may be processed for the purpose of concluding, executing and completing a contract.
This also includes consulting services for the partner where this is related to the contractual purpose.
Prior to a contract, during its initiation phase, personal data may be processed to prepare offers or other documents to fulfill various requests of the prospect related to the conclusion of the contract.
Individuals may be contacted during the contract preparation process using the personal information they have provided. Any restrictions requested by potential customers must be respected.
1.2 Data processing for advertising purposes
If the data subject contacts ATLANTIC TOUR to request information (e.g. to receive informative materials about a service offered by the company), data processing to respond to this request is permitted.
Advertising actions are subject to additional legal requirements. Personal data may be processed for advertising, market research and public opinion purposes, provided that this processing is carried out in accordance with the purpose for which the data was originally collected.
The data subject must be informed about the use of his data for advertising purposes. If the data is collected for advertising purposes only, the disclosure from the data subject is voluntary. The data subject must be informed that the provision of personal data for processing for advertising purposes is voluntary and that consent must be obtained from the data subject in order to process said data for advertising purposes.
When consent is given, the data subject should be able to choose between the available forms, such as pre-defined printed forms, sending consent by e-mail or by telephone.
If the data subject refuses the use of his data for advertising purposes, his data can no longer be used for these purposes and must be blocked for use for these purposes.
1.3 Consent for data processing
The data may be processed according to the data subject’s consent. Before giving consent, the data subject must be informed of this data protection policy. The statement of approval – consent – must be obtained in writing or electronically and retained for documentation purposes.
In certain circumstances, such as telephone conversations, consent may be given verbally. Consent must be documented.
1.4 Data processing based on a legitimate interest
Personal data may also be processed based on a legitimate interest of ATLANTIC TOUR. Legitimate interests are generally legal in nature (e.g. collecting unpaid debts) or commercial in nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purpose of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject require protection and that this prevails. Before data processing, it is necessary to determine whether such a situation exists.
1.5 Processing of sensitive data
Sensitive personal data may only be processed if the law requires it or the data subject has given his express consent. This data may also be processed only if it is mandatory for the fulfillment, exercise or defense of legal claims concerning the data subject. If there is an intention to process sensitive data, the data protection officer must be informed in advance.
1.6 Automated individual decisions
Automated processing of personal data, which is used to evaluate certain aspects, cannot be the sole basis for decisions that have negative legal consequences or that could significantly affect the data subject. The data subject must be informed of the facts and results of individual automated decisions and have the opportunity to respond.
To avoid erroneous decisions, a test and a plausibility check must be done by an employee.
1.7 User data and the Internet
If personal data is collected, processed and used on websites or applications, data subjects must be informed about this in an information notice and, if applicable, cookie information. The information notice and any information about cookies must be integrated in such a way that they are easily identifiable, directly accessible and constantly available to data subjects.
If usage profiles (tracking) are created to evaluate the use of websites and applications, the data subjects must always be duly informed in the information note.
Where websites or applications can access personal data in an area limited to registered users, the identification and authentication of the data subject must provide sufficient protection during access.
Art. 2. Employee data
2.1 Data processing for the employment relationship
In employment relationships, personal data may be processed if necessary to initiate, perform and close the employment contract. When initiating an employment relationship, applicants’ personal data may be processed. When the applicant is rejected, their data must be deleted (in accordance with the required retention period), unless the applicant has agreed to have their data remain on file for a future selection process. It is also necessary to give consent to use the data when it is desired to continue the application processes or before sharing the data with other companies.
If during the application procedure it is necessary to collect information about an applicant from a third party, the corresponding legal requirements must also be observed.
In the existing employment relationship, the purpose of the data processing must always correlate with the purpose of the employment contract if none of the following circumstances exist for authorized data processing.
2.2 Data processing based on a legitimate interest
Personal data may also be processed if it is necessary to support a legitimate interest of ATLANTIC TOUR. Legitimate interests are generally legal in nature (e.g. filing, enforcing or defending against legal claims, debt recovery, etc.).
Control measures that require the processing of employee data can only be taken if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must always be examined. The company’s legitimate interests in applying control measures (e.g. compliance with legal provisions and internal company rules and regulations) must be weighed against any employee interests that need to be protected so that the control measures are adequate.
2.3 Processing of sensitive data
Sensitive personal data may only be processed under certain conditions.
These are data about the racial and ethnic origin, political beliefs, religious or philosophical beliefs, as well as about the data subject’s health and sexual orientation or data relating to the legal record. Such data may be processed when there are legal obligations or when the express consent of the data subject is obtained.
2.4 Automated decisions
If, at a certain point, personal data are automatically processed as part of employment relationships and certain specific personal data are automatically evaluated (for example, in the context of personnel selection or the evaluation of skill profiles), this automatic processing cannot be the only basis for decisions that could have a negative impact on that employee.
To avoid erroneous decisions, the automated process must be assisted by a natural person who evaluates the content of the situation and this evaluation is the basis of the decision. The data subject must also be informed of the results of individual automated decisions and of the possibility to make his point of view known/dispute the results.
2.5 Telecommunications and Internet
Telephone equipment, e-mail addresses, intranet and Internet together with internal applications are provided by the company primarily for work-related tasks. They are a tool and a resource of the company. They may be used within the framework of applicable legal regulations and internal company policies. In the case of authorized use for personal purposes, the provisions of the regulation and internal procedures and the specific telecommunications legislation will be taken into account.
There will be no general monitoring of telephone and email communications or intranet/Internet usage. For protection against attacks on the IT infrastructure or individual users, safeguards may be implemented for connections to the ATLANTIC TOUR network that block technically harmful content or that analyze attack patterns. For security reasons, the use of telephone equipment, email addresses, intranet/internet and internal applications may be monitored for a temporary period. Evaluations of this data relating to a specific person can only be made in a specific case, justified by the suspicion of violation of laws or ATLANTIC TOUR policies and procedures.
Evaluations can only be carried out by the commission of inquiry, ensuring, at the same time, compliance with the principle of proportionality. The relevant national legislation must be followed in the same way as the internal regulation.

HEAD. V. Transmission of personal data
The transmission of personal data to recipients outside or within ATLANTIC TOUR is subject to the confidentiality requirements for the processing of personal data in accordance with this policy. The data recipient must use the data only for the defined purposes.
If the data is transmitted to a recipient in a third country, he must agree to maintain a level of personal data protection equivalent to this data protection policy and consistent with the provisions of the GDPR.

HEAD. VI. Data processing through proxies
Processing data through a proxy who is engaged to process personal data means that he will comply with Regulation 679/2016 and this Policy without assuming responsibility for related business processes. In these cases, a contract regarding the processing of personal data must be concluded. The authorized person can process personal data only according to the instructions of the operator.
Upon conclusion of the agreement, the following requirements must be met and the department placing the order must ensure that they are met:

In particular, personal data from the European Economic Area (EEA) may be processed in a third country outside the EEA only if the provider can prove that it has a data protection standard equivalent to this data protection policy.

HEAD. VII. The rights of the data subject
Each data subject has the rights below and their assertion must be dealt with immediately by the personal data protection officer and cannot constitute a disadvantage for the data subject.
Art. 1. The data subject may request information regarding which personal data concerning him/her have been stored, how the data were collected and for what purpose. If there are additional rights to view the employer’s documents (for example, the personnel file) in the case of employment relationships under the relevant employment laws, these will not be affected.
Art. 2. If personal data are transmitted to third parties, information must be provided about the identity of the recipient or categories of recipients.
Art. 3. If the personal data are incorrect or incomplete, the data subject may request their correction or completion.
Art. 4. The data subject may object to the processing of his data for advertising or market research or opinion purposes. Data must be blocked for these types of use.
Art. 5. The data subject may request the deletion of his data if the processing of this data has no legal basis or if the legal basis has ceased to apply. The same applies if the purpose of data processing has expired or ceased to be applicable for other reasons. Consideration will be given to retention periods and potential conflicts of interest.
Art. 6. The data subject has the right to object to the processing of his data and this must be taken into account if the protection of his interests takes precedence over the interest of the data controller following a specific personal situation. This does not apply if there is a legal provision that requires the data to be processed.

HEAD. VIII. Confidentiality of processing
Personal data are considered confidential. Any unauthorized collection, processing or use of this data by employees is prohibited. Any data processing carried out by an employee who has not been authorized to perform it, as part of their legitimate duties, is unauthorized.
The “need to know” principle applies. Employees may only have access to personal data as is appropriate for the type and purpose of the job in question. This requires careful breakdown and separation and enforcement of roles and responsibilities. Employees are prohibited from using personal data for private or commercial purposes, disclosing it to unauthorized persons or making it available in any other way. Heads of departments must inform their employees at the beginning of the employment relationship about the obligation to protect the confidentiality of personal data and information. This obligation remains in effect even after the employment period ends.

HEAD. IX. Security of processing
Personal data must be protected against unauthorized access and unlawful processing or disclosure, as well as against accidental loss, alteration or destruction. This applies regardless of whether the data is processed electronically or on paper. Before the introduction of new data processing methods, especially new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of the processing and the need to protect the data (determined in the information classification process).
In particular cases, the responsible department may consult with the information security officer. Technical and organizational measures for the protection of personal data are part of the company’s information security management and must be continuously adapted to technical developments and organizational changes.

HEAD. X. Data protection control
Compliance with the personal data protection policy and applicable data protection laws is checked regularly through data protection audits and other controls. The performance of these controls is the responsibility of the personal data protection officer and other entities of the company with audit rights or hired external auditors. The results of data protection checks must be reported to the ATLANTIC TOUR administrator.
Upon request, the results of data protection checks will be made available to the Data Protection Supervisory Authority, which may carry out its own checks in accordance with EU/national law.

HEAD. XI. Data protection security incidents
All employees must immediately inform the head of department or the data protection officer about cases of violation of this Data Protection Policy or other regulations on the protection of personal data (data protection incidents).
In cases of:

reports mandated by the firm through its information security incident management and reporting procedures must be made immediately so that all reporting obligations under national/EU law can be met.

HEAD. XII. Responsibilities and sanctions
Executive functions (heads of departments) are responsible for data processing in their area of responsibility. Therefore, these employees are obliged to ensure that the legal requirements for data protection and those contained in the personal data protection policy are met. Management is responsible for ensuring organizational, technical and human resources measures for any data processing to be carried out in accordance with data protection. Compliance with these requirements is the responsibility of each relevant employee. If the Supervisory Authority carries out a data protection audit, the personal data protection officer must be informed immediately.
The personal data protection officer is the contact person for data protection relations. It can carry out checks and must familiarize employees with the content of data protection policies.
Departments responsible for business processes and projects must inform the personal data protection officer in good time about a new processing of personal data. For the processing of data that may present special risks to the individual rights of data subjects, the personal data protection officer must be informed before the processing begins. This is especially true for highly sensitive personal data.
Improper processing of personal data or other violations of data protection laws leads to sanctions provided by internal regulations, national legislation in force and EU Regulation no. 679/2016.

HEAD. XIII. The person responsible for the protection of personal data
The person responsible for the protection of personal data, being internally independent from the professional subordination, works to comply with national and international regulations on data protection. He is responsible for the data protection policy and oversees its compliance.
The personal data protection officer is appointed by the ATLANTIC TOUR administrator.
Heads of departments have the obligation to promptly inform the personal data protection officer about the occurrence of any personal data protection risks.
Any data subject may contact the personal data protection officer at any time to ask questions, request information or file complaints related to data protection or personal data security issues. If requested, complaints will be treated confidentially.
If the data protection officer concerned is unable to resolve a complaint or remedy a breach of the data protection policy, the Supervisory Authority will be consulted.
Decisions taken by the data protection officer to remedy data protection breaches must be supported by the company’s management. Investigations and controls carried out by the Supervisory Authority must always be reported to the management of the company.

HEAD. XIV. Definitions

HEAD. XIV. Final provisions

The Data Protection Officer (DPO) is appointed to review this policy in accordance with internal requirements.
This policy has been approved by the administrator of ATLANTIC TOUR. Str. George Enescu 8A, Bucharest, Romania 

Str. George Enescu 8A, Bucuresti, Romania +40 21 312 7757 office@atlantic.ro