GDPR

  1. Introduction

    • Background to the General Data Protection Regulation (“GDPR”)

The General Data Protection Regulation, 679/2016, replaces the 1995 EU Data Protection Directive and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent.

  • Definitions used by the organization (extracted from the GDPR)

    • Material scope (Article 2) – the GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a data recording system or are intended to form part of a data recording system.

    • Territorial scope (Article 3) – the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services to such data subjects in the Union, irrespective of whether a payment of the data subject is required; or

  2. the monitoring of their behaviour as far as it takes place within the Union. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where national law applies by virtue of public international law.

  • Article 4 definitions

“Main establishment” – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities. The main establishment of a processor in the EU will be its administrative centre.

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

“Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for its nomination may be provided for by Union or national law.

“Data subject” means any living individual who is the subject of personal data held by an organisation.

“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

‘Consent’ of the data subject means any expression of the data subject’s free, specific, informed and unambiguous will by which the data subject accepts, by a statement or by an unequivocal action, that the personal data concerning him or her be processed.

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

“Data recording system” means any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or distributed according to functional or geographical criteria.

  1. CONFIDENTIALITY DECLARATION

The management of HTTPS://AMADEUSUK.COM/, based at Kemp House, 160 City Road, London, United Kingdom, undertakes to comply with all relevant EU and Member State laws with regard to personal data and the protection of the “rights and freedoms” of persons whose information it collects and processes, in accordance with the General Data Protection Regulation (GDPR).

Compliance with the GDPR is described by this policy and other relevant policies, such as the Information Security Policy, together with related processes and procedures.

The GDPR will be applied by all persons within HTTPS://AMADEUSUK.COM/ who process personal data, including all persons within HTTPS://AMADEUSUK.COM/ who process the personal data of customers, employees, suppliers and partners, as well as any other personal data that the organization processes from any source.

The Data Protection Officer shall be responsible for the annual review of the processing register in light of any changes to HTTPS://AMADEUSUK.COM/ activities (as a result of changes in the data inventory register) and any additional requirements identified by data protection impact assessments. This register must be available at the request of the supervisory authority.

This policy applies to all employees/staff and stakeholders within HTTPS://AMADEUSUK.COM/, such as outsourced suppliers. Any breach of the GDPR will be dealt with in accordance with the disciplinary policy of HTTPS://AMADEUSUK.COM/ and may also be a contravention, in which case the matter will be reported as soon as possible to the competent authorities.

Partners and any third parties working with or for HTTPS://AMADEUSUK.COM/ who have or may have access to personal data are expected to have read, understood and comply with this policy. No third party may access personal data held by HTTPS://AMADEUSUK.COM/ without having previously entered into a data confidentiality agreement, which imposes on the third party obligations no less onerous than those with which HTTPS://AMADEUSUK.COM/ complies and which gives HTTPS://AMADEUSUK.COM/ the right to verify compliance with the agreement.

  1. PURPOSE OF PROCESSING

The personal data we collect from you will be used for the following purposes:

  1. for the conduct of the contractual relationship between you and HTTPS://AMADEUSUK.COM/, namely for taking, validating, dispatching and invoicing the order placed on the Site, informing you of the status of the order, organizing the return of ordered products, etc.

  • The basis: The processing of your data for this purpose is based on the contract concluded between you and HTTPS://AMADEUSUK.COM/, as defined in the Terms and Conditions. The provision of your personal data is necessary for the performance of this contract. Refusal to provide data may make contractual relations between you and HTTPS://AMADEUSUK.COM/ impossible.

  1. for the fulfilment of the legal obligations incumbent on HTTPS://AMADEUSUK.COM/ in the context of the services provided through the Site, including tax obligations, as well as in archiving matters.

  • The basis: The processing of your data for this purpose is necessary on the basis of legal obligations. Providing your data for this purpose is necessary. Refusal to provide data may make it impossible for HTTPS://AMADEUSUK.COM/ to comply with its legal obligations and therefore to offer you its services through the Site.

  1. for marketing activities, i.e. for the transmission, via remote means of communication (e-mail, SMS, telephone, videochat, chat), of commercial communications regarding the products and services offered by HTTPS://AMADEUSUK.COM/ through the Site.

  • The basis: The processing of your data for this purpose is based on your consent, if you choose to provide it.

  • Providing your data for this purpose is voluntary. Refusal to provide consent for the processing of your data for this purpose will not have any negative consequences for you. If you wish your data not to be used for marketing purposes, please email us at: contact@amadeusuk.com

  1. for the purpose of carrying out various analyses, reporting on the functioning of the Site, making consumer preference profiles, mainly in order to improve the experience offered on the Site.

  • The basis: The processing of your data for this purpose is based on the legitimate interest of HTTPS://AMADEUSUK.COM/ to continuously improve the customer experience on the Site. Providing your data for this purpose is voluntary. The refusal to provide data for this purpose will have no negative consequences for you.

By giving your consent, you permit us to use your data for the purposes mentioned above.

You may withdraw your consent at any time, either in writing, by requesting the consent form, or online, by sending a request to contact@amadeusuk.com.

  1. WHAT IS PERSONAL DATA?

For the purposes of the General Data Protection Regulation (EU GDPR), Personal Data is defined as “any information concerning an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, an identification number, location data, an online identifier, or to one or more specific elements, specific to his physical, physiological, genetic, mental, economic, cultural or social identity.”

 

Consent is required for HTTPS://AMADEUSUK.COM/ to process personal data, and it must be given explicitly.

 

  1. Why does HTTPS://AMADEUSUK.COM/ need to collect and store the information provided, and how long do we keep it?

HTTPS://AMADEUSUK.COM/ is obliged to process and store personal data in order to provide you with lawful, high-quality services. During the provision of services, with your consent, we will transfer your data to third parties for the purpose of fulfilling legal obligations (ANAF, ANC, LAOFM).

Your data will be kept as long as required by the legislation in force. If the legislation makes no express provision, the data will be kept under secure conditions (according to the Data Privacy Policy) for a storage period set by the Internal Data Retention Procedure, but not more than 10 years.

  1. WHO HAS ACCESS TO THE DATA PROVIDED?

Only employees of HTTPS://AMADEUSUK.COM/ have access to the data. We do not give anyone access to personal data without your consent.

  1. WHERE IS THE DATA YOU PROVIDE STORED?

The personal data provided are stored on EEA territory in accordance with the requirements of the General Data Protection Regulation (EU GDPR). How your personal data is secured is described in the privacy policy of HTTPS://AMADEUSUK.COM/.

  1. SECURITY OF YOUR DATA

All employees are responsible for ensuring that all personal data that HTTPS://AMADEUSUK.COM/ holds and is responsible for is kept safe and is not disclosed in any way to a third party unless that third party has been specifically authorized by HTTPS://AMADEUSUK.COM/ to receive this information and has entered into a confidentiality agreement.

All personal data is accessible only to those who need to use it. All personal data is processed securely and is kept:

  • password-protected in accordance with the organization’s requirements in the Access Control Policy and/or

  • stored on (removable) media that are encrypted

All employees have entered into a user agreement before being allowed access to organizational information of any kind. As soon as physical records are no longer required for everyday customers, they must be destroyed securely in accordance with the applicable procedure.

Personal data may be deleted in accordance with the registration procedure and in accordance with the legislation in force. Physical records that have reached the end of their retention period are shredded and discarded as confidential “waste”.

  1. RIGHTS OF PERSONS

Data subjects shall have the following rights with regard to the processing of data and the records of such data:

  • To request access to the information held and to know to whom it has been disclosed.

  • To object to processing that could cause damage.

  • To object to processing for the purpose of direct marketing.

  • To be informed about automated individual decision-making, including profiling.

  • The data subject shall have the right not to be the subject of a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects him to a significant extent.

  • To claim compensation if they suffer damage through any violation of the GDPR.

  • To take action to rectify, block, erase (including the right to be forgotten) or destroy inaccurate data.

  • To ask the supervisory authority to assess whether a provision of the GDPR has been breached.

  • The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and shall have the right to transmit such data to another controller, without any obstacles from the controller to whom the personal data have been provided.

  • The data subject has the right to object to the creation of profiles without the existence of a

11.   Consent

  • HTTPS://AMADEUSUK.COM/ understands “consent” to mean any expression of the free, specific, informed and unambiguous will of the data subject by which he accepts, by a declaration or by an unequivocal action, that the personal data concerning him or her be processed. The data subject may withdraw his consent at any time.

  • HTTPS://AMADEUSUK.COM/ understands “consent” to mean that the data subject has been fully informed of the processing of personal data and has given consent while in an appropriate state of mind to do so and without pressure being put on him. Consent obtained under pressure or on the basis of misleading information will not constitute a valid basis for processing.

  • There must be active communication between the parties to demonstrate active consent. Consent cannot be inferred from a lack of response to a communication. The controller must be able to demonstrate consent for the processing operation.

  • For sensitive data, an explicit written agreement of the data subjects must be obtained, unless there is a legal alternative processing basis.

  • In most cases, consent to the processing of personal and sensitive data is typically obtained by HTTPS://AMADEUSUK.COM/ using standard consent declarations.

  • If HTTPS://AMADEUSUK.COM/ provides online services to children, the consent of the parent or legal representative of the child must be obtained. This requirement applies to children under 16 years of age.

12.   Disclosure of data

  • HTTPS://AMADEUSUK.COM/ must ensure that personal data is not disclosed to unauthorized third parties, which include family members, friends, government bodies and, in certain circumstances, the Police. All employees should be careful when asked to disclose personal data held by another person to a third party [and will be required to participate in specific training to enable them to effectively manage such risks]. It is important to take into account whether or not disclosure of information is relevant to the conduct of the activities of HTTPS://AMADEUSUK.COM/.

  • All requests for data provision for one of these reasons must be supported by appropriate documentation, and all such disclosures must be specifically authorised by the Data Protection Officer.

13.   Data retention and removal

  • HTTPS://AMADEUSUK.COM/ will not keep the personal data in a form that allows the identification of data subjects for a longer period than necessary in relation to the purpose(s) for which the data were originally collected.

  • HTTPS://AMADEUSUK.COM/ may store data for longer periods where personal data will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of the data subject.

  • The retention period for each category of personal data will be set out in the Record Retention Procedure together with the criteria used to determine that period, including any legal obligations under which HTTPS://AMADEUSUK.COM/ must retain the data.

  • Data retention procedures and data deletion procedures for HTTPS://AMADEUSUK.COM/ will apply in all cases.

  • Personal data must be safely disposed of in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thereby protecting the ‘rights and freedoms’ of data subjects. Any deletion of the data shall be done in accordance with the deletion procedure.

14.   Data transfers

  • All data transfers from the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as ‘third countries’) are illegal, unless there is an ‘adequate level of protection of the fundamental rights of data subjects’.

The transfer of personal data outside the EEA shall be prohibited unless one or more specified safeguards or exceptions apply:

  • An adequacy decision

The transfer of personal data to a third country or an international organisation may be effected where the Commission has decided that the third country, a territory or one or more specified sectors of that third country or the international organisation concerned provides an adequate level of protection. Transfers made under these conditions do not require special authorisations. Countries that are members of the European Economic Area (EEA) but not of the EU are accepted as meeting the conditions of an adequacy decision.

A list of countries currently meeting the Commission’s adequacy requirements is published in the Official Journal of the European Union. http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm

  • Privacy Shield

If HTTPS://AMADEUSUK.COM/ wishes to transfer personal data from the EU to an organization in the United States, it should verify that the organization is enrolled in the Privacy Shield with the U.S. Department of Commerce. The U.S. Department of Commerce is responsible for the management and administration of Privacy Shield and for ensuring that organizations comply with their commitments. In order to be certified, companies must have a privacy policy in accordance with the privacy principles, e.g. use, storage and transfer of personal data in accordance with a strong set of data protection rules and safeguards. The protection of personal data applies regardless of whether the personal data relates to an EU resident or not. Organisations must renew their “membership” within the Privacy Shield every year. If not, they can no longer receive and use personal data from the EU.

Assessment of adequacy by the data controller

In assessing adequacy, the UK-based controller transferring the data should take into account the following factors:

  • the nature of the information transferred;

  • the country or territory of origin and the final destination of the information;

  • how the information will be used and for how long;

  • the laws and practices of the transferee’s country, including relevant personal data protection practices and international obligations; and

  • the security measures to be taken with regard to the data at the overseas location (applies only to the UK)

    • Binding corporate rules

HTTPS://AMADEUSUK.COM/ may adopt approved binding corporate rules for the transfer of data outside the EU. This requires submitting the rules on which HTTPS://AMADEUSUK.COM/ seeks to rely to the competent supervisory authority for approval.

  • Standard contractual clauses

HTTPS://AMADEUSUK.COM/ may adopt approved standard contractual clauses for the transfer of data outside the EEA. If HTTPS://AMADEUSUK.COM/ adopts the standard contractual clauses approved by the competent supervisory authority, then there is automatic recognition of adequacy.

  • Exceptions

In the absence of an adequacy decision, membership of Privacy Shield, binding corporate rules and/or standard contractual clauses, the transfer of personal data to a third country or an international organization shall take place only under the following conditions:

  • the data subject has explicitly given his consent to the proposed transfer, after being informed of the possible risks of such transfers to the data subject, due to the lack of an adequacy decision and adequate safeguards;

  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of the pre-contractual measures taken at the request of the data subject;

  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

  • the transfer is necessary for important reasons of public interest;

  • the transfer is necessary for the establishment, exercise or defence of legal claims; and/or

  • the transfer is necessary to protect the vital interests of the data subject or other persons, if the data subject is not physically or legally capable of giving consent.

HTTPS://AMADEUSUK.COM/ assures data subjects that they can exercise these rights:

  • Data subjects may make requests for access to their personal data free of charge, and HTTPS://AMADEUSUK.COM/ will provide this information within 30 days of the date the request is registered, at the email address contact@amadeusuk.com.

  • Data subjects have the right to lodge a complaint with HTTPS://AMADEUSUK.COM/ regarding the processing of their personal data; requests from data subjects and the way complaints are resolved will be handled in accordance with the complaints procedure.