Privacy policy
SECURITY POLICY FOR THE PROCESSING OF PERSONAL DATA
PURPOSE
The purpose of this policy is to establish the necessary measures and responsibilities of Drops Parfums employees in fulfilling their obligations to guarantee and protect the fundamental rights and freedoms of individuals, particularly the right to private and family life, with regard to the processing of personal data.
SCOPE
This policy applies to all Drops Parfums employees involved in the processing of personal data and, where applicable, to authorized representatives.
TERMS AND DEFINITIONS
- ANSPDCP – National Supervisory Authority for Personal Data Processing (Romania).
- Personal data – any information relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to their physical, physiological, psychological, economic, cultural, or social identity.
- Anonymous data – data which, due to its origin or specific processing method, cannot be associated with an identified or identifiable person.
- Controller – any natural or legal person, public or private, including public authorities and institutions, which determines the purposes and means of processing personal data.
- Data security officer – the person responsible for the proper functioning of the personal data protection system, as well as for drafting, implementing, and monitoring compliance with this security policy.
- Processing of personal data – any operation performed on personal data, whether automated or not, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, combination, blocking, deletion, or destruction.
- Storage – keeping personal data on any type of medium.
- User – any person acting under the authority of the controller or an authorized representative, with recognized rights of access to personal data.
REFERENCE DOCUMENTS
- Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, with subsequent amendments.
- Order of the Ombudsman no. 52/18.04.2002 on approving minimum security requirements for personal data processing.
- ANSPDCP Decision no. 90/18.07.2006 regarding cases in which notification of processing is not required.
- ANSPDCP Decision no. 100/23.11.2007 regarding cases in which notification of processing is not required.
- ANSPDCP Decision no. 132/20.12.2011 regarding conditions for processing the national identification number and other personal data with general applicability.
GENERAL RULES
Drops Parfums has adopted appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Specific staff members are designated to ensure compliance with these rules. We store personal data securely to ensure an adequate level of protection and confidentiality.
Key measures include:
- User identification and authentication
- Access control
- Data collection procedures
- Securing computers and access terminals
- Access logs
- Staff training
SPECIFIC PROCEDURES
User Identification and Authentication
- Users must authenticate with unique, non-transferable credentials.
- Each user has their own username; accounts are not shared.
- Inactive accounts are deactivated and deleted after review.
- Authentication requires a password or security key, which must meet security standards and be changed periodically.
- Systems automatically block accounts after repeated failed login attempts.
- Users are responsible for maintaining the confidentiality of their credentials.
Access Control
- Users may only access personal data necessary for their duties.
- Access types are established based on functionality (administration, processing, saving, etc.).
- Technical support staff may access data only to resolve incidents.
Data Collection
- Only authorized users may collect or input personal data.
- All modifications to data are logged (who, when, what change).
- Deleted or modified data is archived for accountability.
Computers and Access Terminals
- Computers with access to personal data are located in restricted or lockable rooms.
- Sessions close automatically after a period of inactivity.
- Servers are accessible only under controlled access rights.
- External storage devices (USB, HDDs, CDs, DVDs) containing personal data may not be removed without prior approval.
Access Files (Logs)
- All access to personal data is recorded.
- Unauthorized access attempts are also logged.
- Logs are kept for at least two years and longer if required for investigations.
Staff Training
- Employees are trained on data protection laws, risks, and confidentiality obligations.
- Warning messages appear during system use.
- Users must close sessions when leaving their workstation.
Computer Usage
- Unauthorized software installations are prohibited.
- Antivirus, malware protection, and IT security systems are implemented.
- Copying or printing data outside business workflows is restricted.
Printing of Data
- Printing personal data is allowed only for authorized staff.
Manual Data Processing
- Documents containing personal data are kept in locked cabinets.
- Documents must be stored or handed over immediately after use.
PROCESSING OF PERSONAL DATA WITH GENERAL IDENTIFICATION FUNCTION
Personal data processing or disclosure to third parties is permitted only if:
- The data subject has given explicit consent; or
- Processing is required by law; or
- Processing is carried out with ANSPDCP approval, under strict guarantees.
Data must be:
- Processed only for explicit, legitimate purposes;
- Stored only as long as necessary;
- Protected with appropriate organizational and technical measures;
- Used strictly within the defined scope.
RIGHTS OF DATA SUBJECTS
- Right to be informed – You will be informed before your data is collected or processed.
- Right of access – You may request confirmation of whether your data is being processed and obtain a copy (free once per year).
- Right to rectification – You may request correction, update, blocking, or deletion of incomplete or inaccurate data.
- Right to erasure – You may request deletion of data when no longer needed or if consent is withdrawn.
- Right to object – You may object at any time to the processing of your data for legitimate reasons.
- Right to legal remedies – You may file complaints with ANSPDCP or take legal action if your rights are violated.
DISCLOSURE OF PERSONAL DATA
Personal data may be shared only when:
- The data subject has given explicit consent;
- Disclosure is required by law.
Data may also be communicated online if secure communication systems are used. Before disclosure, Drops Parfums verifies data accuracy and informs recipients of restrictions regarding its use.
FINAL PROVISIONS
For more information or to exercise your rights regarding personal data, you may contact us at: Drops Parfums
