Privacy policy
PERSONAL DATA PROCESSING SECURITY POLICY
PURPOSE:
The purpose of this policy is to establish the necessary measures and responsibilities of Bloomilu employees to fulfill obligations regarding the guarantee and protection of the fundamental rights and freedoms of individuals, especially the right to privacy, family, and private life, in relation to the processing of personal data.
SCOPE OF APPLICATION:
This policy applies to all Bloomilu employees with responsibilities related to personal data processing and, where applicable, authorized persons.
TERMS AND DEFINITIONS:
- ANSPDCP: National Authority for the Supervision of Personal Data Processing.
- Personal data: Any information relating to an identified or identifiable individual. An identifiable person is someone who can be identified, directly or indirectly, particularly by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.
- Anonymous data: Data that, due to its origin or specific processing method, cannot be associated with an identified or identifiable person.
- Operator: Any individual or legal entity, private or public, including public authorities, institutions, and their territorial structures, which determine the purpose and means of personal data processing. If the purpose and means of personal data processing are determined by a regulatory act, the operator is the individual or legal entity, public or private, designated as the operator by or based on that regulatory act.
- Person responsible for personal data security policy: The person responsible for the proper functioning of the complex information protection system containing personal data, as well as for developing, implementing, and monitoring compliance with the data holder’s security policy provisions.
- Processing of personal data: Any operation or set of operations performed on personal data, either by automatic or non-automatic means, such as collecting, recording, organizing, storing, adapting or modifying, extracting, consulting, using, disclosing to third parties by transmission, dissemination, or any other means, combining, blocking, deleting, or destroying.
- Storage: Keeping personal data collected on any type of medium.
- User: Any person acting under the authority of the operator, authorized person, or representative, with recognized rights of access to personal data databases.
REFERENCE DOCUMENTS:
- Legea nr. 677/2001 for the protection of individuals regarding the processing of personal data and the free movement of such data, with subsequent amendments and completions.
- Ordinul Avocatului Poporului nr. 52 of 18/04/2002 approving the minimum security requirements for the processing of personal data.
- Decizia ANSPDCP nr. 90 of 18/07/2006 regarding the establishment of cases where notification of personal data processing is not required.
- Decizia ANSPDCP nr. 100 of 23/11/2007 regarding the establishment of cases where notification of personal data processing is not required.
- Decizia ANSPDCP nr. 132 of 20/12/2011 regarding the conditions for processing personal identification numbers and other personal data with a general applicability identification function.
SPECIFICATIONS:
GENERAL RULES:
- Bloomilu has adopted appropriate technical and organizational measures to protect personal data against accidental or illegal destruction, loss, alteration, disclosure, or unauthorized access. In this regard, Bloomilu has designated personnel responsible for complying with the provisions of Legea nr. 677/2001.
- Bloomilu has taken measures to securely store information related to personal data to ensure an adequate level of protection and security as per Legea nr. 677/2001.
- To meet the associated legal provisions and ensure the safety of data and information, the institution has developed and implemented organizational and technical measures focusing on specific action directions:
  - User Identification and Authentication
  - Type of Access
  - Data Collection
  - Computers and Access Terminals
  - Access Files
  - Personnel Training
SPECIFIC PROCEDURES:
- User Identification and Authentication:
  - To gain access to personal data, users must authenticate in Bloomilu’s IT systems using unique and non-transferable authentication credentials obtained through the electronic identity enrollment and management process, governed by applicable security policies.
  - Each user has a unique identification code (username). The same code is never assigned to multiple users, and it cannot be shared.
  - Unused identification codes (or user accounts) are deactivated and destroyed after a prior check. The period after which codes must be deactivated and destroyed is determined by Bloomilu’s policy.
  - Any user account is accompanied by an authentication key, such as a password.
  - Passwords are character strings of adequate length and composition from a security standpoint. When entered, passwords are not displayed in plain text on the screen. Passwords are changed periodically in accordance with Bloomilu’s security policies, and only authorized users can perform such changes.
  - The system automatically blocks a user’s access after a fixed number of incorrect authentication key entries.
  - Any user who receives an identification code and authentication key is required, per their job description, to maintain the confidentiality of this information and is accountable to the operator.
- Type of Access:
  - Users are only allowed to access personal data necessary to fulfill their job responsibilities. Different types of access are established based on functionality (administration, entry, processing, storage, etc.) and the actions applied to personal data (writing, reading, deleting), along with procedures regarding these access types.
  - The technical support department may access personal data for resolving system issues and incidents.
- Data Collection:
  - Bloomilu designates authorized users for collecting and entering personal data into the information systems.
  - Any modification to personal data can only be made by designated authorized users.
  - Bloomilu ensures that the information systems record who made modifications to personal data, along with the date and time of the modification. Systems will be set up to retain deleted or modified data for better administration.
- Computers and Access Terminals:
  - Computers and other terminals accessing personal data located at Bloomilu’s premises will be installed in restricted-access rooms.
  - If such conditions cannot be ensured, computers will be installed in lockable rooms. If personal data is displayed on a screen and no action is taken for a set period, the session will automatically close. The length of this period is determined based on the operations that need to be performed.
  - Servers hosting personal data can only be accessed in a controlled manner, based on access rights.
  - It is not allowed to remove mobile storage media (CD/DVD, USB Stick, Portable HDD/SSD) containing personal data from the organization without prior approval from management.
- Access Files:
  - Bloomilu ensures that any access to the personal data database is recorded.
  - For automated processing, this information is stored in a general access file or separate files for each user. Any unauthorized access attempts will also be recorded.
  - Bloomilu keeps access files for at least 2 years, to be used as evidence in investigations. If the investigations are prolonged, these files will be kept as long as necessary.
- Personnel Training:
  - Bloomilu personnel are informed about the provisions of Law no. 677/2001 regarding the protection of individuals with respect to personal data processing and the free movement of such data, the minimum security requirements for processing personal data, and the risks associated with processing personal data.
  - Users with access to personal data will be trained on confidentiality and will be reminded of this through messages displayed on screens during work.
  - Users are required to close their work session when leaving their workstation.
DATA SUBJECT RIGHTS:
- Right to be Informed:
  - Bloomilu is obliged to provide the data subject with information about the purpose of processing, rights available, and any other information required by the supervisory authority.
  - The data subject’s consent is requested before collecting personal data.
- Right of Access to Data:
  - Any data subject has the right to obtain confirmation from Bloomilu (as the operator) about whether their personal data is being processed.
- Right to Intervene on Data:
  - Data subjects have the right to request the rectification, blocking, or deletion of their personal data if the processing is not in accordance with the law.
- Right to Object:
  - The data subject has the right to object, at any time, for legitimate reasons, to the processing of their data, except in cases where legal provisions dictate otherwise.
- Right to Appeal:
  - Data subjects can appeal to the courts for the protection of their legally guaranteed rights.
COMMUNICATION OF PERSONAL DATA:
- Personal data may be communicated between Bloomilu and its authorized persons, or between Bloomilu and other institutions or public or private entities, in one of the following situations:
  - 1.1 The data subject has given their explicit and unequivocal consent; or
  - 1.2 Communication is required by law.
- Data communication can also take place online, in compliance with security measures.
FINAL PROVISIONS:
For more information, anyone can contact OPREAN PAULA-MONICA P.F.A. at info@bloomilu.ro.
COMPANY DETAILS
OPREAN PAULA-MONICA P.F.A.
Tax ID: RO45582952
Reg. com.: F05/155/2022
Sat Saldabagiu de Munte, Com. Paleu, str. Gheorghe Doja, nr. 6, Bihor County