Personal data protection policy

    1. Objective, purpose and users

TDP Partners SRL, hereinafter referred to as the “Company”, aims to comply with the applicable laws and regulations regarding the protection of personal data processing, in the countries in which the Company operates. This Personal Data Protection Policy (“Policy”) sets out the basic principles by which the Company processes the personal data of customers/consumers, suppliers, business partners, employees and/or other individuals and indicates the responsibilities of departments and employees with regard to the processing of personal data.

The users of this document are all employees, permanent or temporary, as well as all contractors working on behalf of the Company.

    2. Legislation and reference documents

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR);
  • Law No. 190/2018 on measures to implement the GDPR;
  • Decisions of the National Supervisory Authority for Personal Data Processing (ANSPDCP), as they may be adopted periodically;
  • The guideline for the application of the General Data Protection Regulation for operators, published by ANSPDCP on the authority's website;
  • The Company's cookie policy;
  • The Company's information security policies.

    3. Definitions

The following definitions of terms used in this document are provided in accordance with Article 4 of the GDPR:

Personal data: Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Special categories of personal data: Personal data which are, by their very nature, particularly sensitive in relation to fundamental rights and freedoms and require specific protection because the context in which they are processed is likely to result in significant risks to the fundamental rights and freedoms of the data subject. Such personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying that natural person, data concerning health or data concerning the sex life or sexual orientation of the natural person.

Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Anonymization: The irreversible removal of identifying elements from personal data, so that the natural person can no longer be identified within a reasonable period of time, cost and technology, either by the Operator or by any other person. The principles of personal data processing do not apply to anonymized data, as they are no longer personal data.

Pseudonymisation: The processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymisation reduces, but does not completely eliminate, the ability to associate personal data for the purpose of identifying a data subject. Since pseudonymised data is still personal data, the processing of pseudonymised data complies with the principles of personal data processing.

Profiling: any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Supervisory Authority: An independent public authority established by a Member State pursuant to Article 51 of the EU GDPR. The local supervisory authority is the National Supervisory Authority for the Processing of Personal Data (ANSPDCP).

Lead Supervisory Authority: The supervisory authority with primary responsibility for acting in relation to cross-border data processing activity, for example when a data subject lodges a complaint regarding the processing of their personal data. It is responsible, among other things, for receiving notifications of data breaches and of risky processing activities, and has full authority over its duties to ensure compliance with the provisions of the EU GDPR.

Each "Local Supervisory Authority" will still retain competence in its own territory and monitor any local processing of data affecting data subjects or carried out by an EU or non-EU controller or processor, where the processing relates to data subjects residing in its territory. Its duties and powers include conducting investigations and imposing measures and fines, promoting public information about the risks, rules, security and rights regarding the processing of personal data, as well as obtaining access to any premises of the Controller and Processor, including any data processing equipment and means.

"Data Protection Officer": a natural or legal person designated by the Company on the basis of professional qualities and specialized knowledge, to fulfill the tasks provided for in art. 39 of the GDPR.

"Data filing system" means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or distributed according to functional or geographical criteria.

    4. Basic principles related to the processing of personal data

The Personal Data Protection Principles outline the basic responsibilities for organizations that handle personal data. The 7 (seven) principles, described in more detail in this Policy, can be summarized as follows:

  • To be open and transparent about what we do with data and why we use it;
  • To ensure that we have a legal basis for data processing;
  • To collect and use only the minimum necessary data;
  • To keep data accurate, complete and up-to-date;
  • To not keep data longer than necessary;
  • To process data securely;
  • To be responsible for the processing we do and to be able to demonstrate compliance with legal provisions at any time.

    4.1. Lawfulness, accuracy and transparency of processing

Personal data must be processed lawfully, fairly and transparently in relation to the data subject.

Thus, the Company will use personal data in such a way that the Data Subject who entrusted his/her personal data to it is aware of this use and that this use meets his/her expectations regarding the use of the data by the Company.

    4.2. Purpose limitation

Personal data must be collected for specified, explicit and legitimate purposes and must not be processed in a way that is incompatible with those purposes.

Further processing by the Company for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes will not be incompatible with the initial processing, as long as it is done in compliance with the provisions of the GDPR (art. 89).

If any of the Company's departments, including departments with a support/administrative function, intends to use the personal data of customers/employees, etc. for secondary purposes (purposes other than those for which the personal data were initially collected), it will inform the Data Protection Officer in order to identify the possibility of using this personal data for these secondary purposes.

    4.3. Data minimization

Personal data must be adequate, relevant and strictly limited to what is necessary in relation to the purposes for which they are processed. Where necessary, the Company will take appropriate measures to anonymize and/or pseudonymize personal data, where possible, in order to reduce the risks to data subjects.

In this regard, as far as possible, the Company will ensure that its employees/collaborators will take and comply with the following organizational measures:

  • will limit the transfer of personal data both internally and externally and
  • will not use personal data in e-mail communications, instant messaging or in free fields in the Company's record systems, except to the extent necessary for the Company's business, in order to avoid potential reputational or litigious risks that the Company could be exposed to.

    4.4. Data accuracy

Personal data must be accurate and, where necessary, kept up to date. In this regard, the Company will take reasonable steps to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are erased or rectified in a timely manner.

If any of the Company's employees/collaborators becomes aware of any such inaccuracy in the personal data processed by the Company, he/she will correct the identified inaccuracy or, if this is not possible, will inform the relevant person/team who can remove the inaccuracy found, in accordance with the Company's internal procedures for updating personal data.

    4.5. Limitation of storage period (retention)

Personal data must not be kept longer than is necessary to fulfill the purposes for which the data are collected and processed.

Personal data may be kept by the Company even after the purposes for which they were initially collected have been fulfilled, to the extent that the personal data will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in compliance with the provisions of the GDPR (art. 89), subject to the implementation by the Company of appropriate technical and organizational measures to respect and guarantee the rights and freedoms of the data subjects.

After fulfilling the purposes for which the personal data were collected (and in the absence of the applicability of the situations mentioned in the previous paragraph), the personal data will be destroyed, deleted or anonymized from the Company's databases/record systems (both electronic and in letter/paper format).

    4.6. Data integrity and confidentiality

Taking into account the state of the art and available security measures, the cost of implementation and the likelihood and severity of the risks to personal data, the Company is obliged to apply appropriate technical or organizational measures to process personal data in a manner that ensures appropriate data security, including protection against destruction, loss, accidental or unlawful alteration, unauthorized access or unauthorized disclosure. The Company takes appropriate technical and organizational measures to ensure the security of personal data, such as access controls, data encryption, transfer in strict compliance with confidentiality requirements, etc., according to the Company's security policies. 

    5. Implementing data protection in commercial activities

To demonstrate compliance with data protection principles, the Company is obliged to implement data protection in its commercial activities, from the moment of collection of personal data (or even before) until their destruction/deletion from the data record systems held and organized by the Company.

    5.1. Collection of personal data

The Company is obliged to collect the minimum necessary amount of personal data. If personal data is collected from a third party, the Company's employees are obliged to ensure that the personal data is collected in compliance with the applicable legal provisions set out in the GDPR and to inform the Data Protection Officer of the Company in advance. 

    5.2. Informing data subjects

At the time of collection or before collecting personal data for any type of processing activity, including but not limited to the sale of the Company's products and services or marketing activities, the Company will duly inform the Data Subjects of the following:

  • (i) the identity and contact details of the controller and, where applicable, of its representative;
  • (ii) the contact details of the Data Protection Officer, where applicable;
  • (iii) the types of personal data collected;
  • (iv) the purposes of the processing as well as the legal basis for the processing;
  • (v) the legitimate interests pursued by the Company as the Controller, if it carries out processing based on this legal basis;
  • (vi) the recipients or categories of recipients of the personal data;
  • (vii) the rights of the Data Subjects with regard to their personal data;
  • (viii) the data storage period or, if this is not possible, the criteria used to determine this period;
  • (ix) the existence of the rights of the Data Subject, namely the right of the Data Subject to withdraw consent at any time and the right to lodge a complaint with the competent supervisory authority; whether the provision of personal data represents a legal or contractual obligation or an obligation necessary for the conclusion of a contract, whether the Data Subject is obliged to provide such personal data and what the consequences of failure to comply with this obligation are; and, if applicable, the existence of an automated decision-making process, including profiling, and the expected consequences of such processing for the Data Subject.

This information has been/is being communicated to the Data Subjects through the Information on the processing of personal data, transmitted by the Company to the Data Subjects through the established communication channels.

When collecting special categories of personal data, the Data Protection Officer will ensure that the Information on the processing of personal data explicitly specifies the purpose for which these personal data are collected and the legal basis for the processing.

    5.3. Legal grounds for processing. Consent of the data subject

The Company ensures that, whenever it collects and processes the personal data of the Data Subjects, the processing of personal data is based on one of the following legal grounds for processing:

  • the consent of the Data Subject;
  • execution of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject prior to the conclusion of a contract (for example, payment of salary by the Company to the Company's employees, as Data Subjects, as a result of the execution of the employment contract);
  • fulfillment of a legal obligation of the Company, as Operator (for example, fulfillment of occupational health obligations and those in the field of employment and social security and social protection, fulfillment of customer knowledge obligations and retention of relevant documentation, fulfillment of archiving obligations according to specific legislation, etc.);
  • protecting the vital interests of the Data Subject or another natural person;
  • fulfilling a task of public interest;
  • the legitimate interests of the Company or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail, which require the protection of personal data, in particular when the data subject is a child (for example, processing of personal data necessary for the purpose of fraud prevention).

When processing personal data based on the consent of the Data Subject, the Company is responsible for retaining the record of such consent. The Company is responsible for providing Data Subjects with the options to grant consent and is obliged to inform them and ensure that their consent (when used as a legal basis for processing) can be withdrawn at any time.

When requests are made to correct, amend or destroy personal data records, the Company is obliged to ensure that these requests are handled in compliance with internal procedures and applicable law. The Company is also obliged to ensure that these requests are recorded.

Personal data must be processed only for the purpose for which they were initially collected. If the Company wants to process the collected personal data for another purpose, and has no other legal basis than the consent of the Data Subject, the Company is obliged to request the consent of the Data Subject for the secondary (new) purposes. Any such request must include the original purpose for which the data were collected and also the new or additional purpose(s).

The Company has an obligation to ensure that collection methods comply with relevant law, good practices and industry standards.

    5.5. Use, storage and destruction/deletion

The purposes, methods, storage limitation and storage period of personal data must be consistent with the information contained in the Information on the processing of personal data, communicated to the data subjects. The Company is obliged to maintain the accuracy, integrity, confidentiality and relevance of personal data based on the purpose of processing. It is mandatory to use appropriate security mechanisms, designed to protect personal data, to prevent personal data from being stolen, misused or abused and to prevent breaches of personal data security.

    5.6. Disclosure to third parties

The Company uses various service providers/business partners who access, store, transfer or otherwise process personal data in the name and on behalf of the Company. These service providers/business partners act as Processors for the Company.

In this situation, the Company ensures that the Processor will implement appropriate security measures to protect the relevant personal data from associated risks (e.g. misuse of personal data, unauthorized disclosure of personal data, data security breaches, etc.). For this purpose, the Company may use the GDPR Compliance Questionnaire for the Processor.

    5.7. "Privacy by design" and "Privacy by default"

The Company ensures that personal data protection is taken into account from the moment of conception (Privacy by design) of an application or processing, by applying appropriate technical and organizational measures and taking into account the following elements: minimization of data collection depending on the purpose, cookies, storage period, information provided to data subjects, obtaining consent from data subjects, security and confidentiality of personal data, and guaranteeing the role and responsibility of the parties involved in carrying out data processing.

The Company also applies appropriate technical and organizational measures to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed (Privacy by default), taking into account: the volume of data collected, the degree of their processing, the storage period and their accessibility, so that personal data are not accessed, without the person's intervention, by an unlimited number of persons.

    6. Rights of data subjects

    6.1. General aspects

When acting as an Operator, the Company is responsible for ensuring a reasonable access mechanism for data subjects to enable them to exercise their rights in relation to the processing of their personal data, namely:

  • (i) the right to receive information regarding the personal data processing operations concerning the data subject;
  • (ii) the right to request access to the personal data held and processed by the Company;
  • (iii) the right to rectify/complete this data if it is inaccurate/incomplete;
  • (iv) the right to object to the processing of personal data, under certain conditions, including the right to withdraw the consent given;
  • (v) the right to request the deletion of personal data, under certain conditions;
  • (vi) the right to request the restriction of the processing of personal data, under certain conditions;
  • (vii) the right to the portability of personal data, under certain conditions;
  • (viii) the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.

Given the new elements brought by the GDPR compared to the previous personal data protection legislation, details regarding the right to data portability and the right to data erasure ("right to be forgotten") are presented below.

    6.2. Data portability

Data subjects have the right to receive, upon request, the data they have transmitted to the Company in a structured, commonly used and machine-readable format and to transmit those data to another operator, free of charge, without hindrance from the Company.

The Company ensures that such requests are processed within a maximum of one month, that they are not excessive (for example, a data subject who sends requests to the Company every day) and that they do not affect the personal data rights of other individuals.

    6.3. Right to erasure of data ("right to be forgotten")

Upon request, Data Subjects have the right to obtain from the Company the deletion of their personal data. When the Company acts as an Operator and when it can proceed with the deletion of personal data (there being no other legal grounds for retaining the personal data mentioned in the deletion request), the Company will initiate the necessary actions (including technical measures) to inform third parties, who use or process those data, to comply with the deletion request received from the Data Subject.

    7. Risk management. Data protection impact assessment

    7.1. General aspects

If the Company identifies personal data processing likely to present high risks to the rights and freedoms of natural persons, it will carry out a data protection impact assessment, under the conditions of art. 35 of the GDPR.

The data protection impact assessment is carried out prior to the collection of personal data and the processing. The Company focuses on estimating the risks to data protection from the point of view of the Data Subjects, taking into account at least the following elements: (i) the nature of the data, (ii) the scope, (iii) the context and purposes of the processing and (iv) the use of new technologies.

    7.2. What does a data protection impact assessment entail?

In the event that the Company carries out a data protection impact assessment, it will ensure that this assessment covers the following aspects:

  • description of the data processing carried out and its purposes;
  • assessment of the necessity and proportionality of the data processing carried out;
  • assessment of the risks to the rights and freedoms of data subjects;
  • the measures provided to address risks and ensure compliance with the provisions of the GDPR.

Data protection impact assessment allows:

  • carrying out personal data processing or a product that respects privacy;
  • estimating the impact on the privacy of data subjects;
  • demonstrating that the fundamental principles of the GDPR are respected.

    7.3. When should a data protection impact assessment be carried out?

Data protection impact assessment is required, especially in the case of:

(a) a systematic and comprehensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and which is the basis for decisions which produce legal effects concerning the natural person or similarly significantly affect him or her;

(b) the processing on a large scale of special categories of data, referred to in Article 9(1), or of personal data relating to criminal convictions and offences, referred to in Article 10; or

(c) systematic, large-scale monitoring of a publicly accessible area.

When the impact assessment indicates high risks, in the absence of measures taken by the Company to mitigate them, the Company consults the local supervisory authority (ANSPDCP) in accordance with the requirements of the GDPR.

    8. Responding to personal data breach incidents

When the Company becomes aware of a personal data breach, the Company will conduct an investigation and take appropriate remedial action in a timely manner in accordance with the Company's Data Breach Policy. When there is a risk to the rights and freedoms of Data Subjects, the Company is obliged to notify the competent data protection authorities without undue delay and, where possible, within 72 hours.

    9. Organization and responsibilities

The responsibility for ensuring the appropriate processing of personal data lies with each person who works for or with the Company and has access to personal data processed by the Company.

The main areas of responsibility for the processing of personal data fall within the following organizational roles:

The Board of Directors makes decisions regarding the Company's general strategies regarding the protection of personal data and approves them.

The Data Protection Officer (DPO), together with the Information Security Manager, Information Security Officer or any other relevant employee, is responsible for managing the personal data protection program and is responsible for developing and promoting comprehensive personal data protection policies, as defined in the job description.

The main role of the Data Protection Officer will be:

  • to inform and advise the Company, as well as its employees, regarding the existing obligations in the field of personal data protection;
  • to monitor compliance with GDPR and national data protection legislation;
  • to advise the Company on the conduct of data protection impact assessments and to verify their conduct;
  • to cooperate with the data protection authority and to represent the point of contact in relation to it.

The IT department is responsible for:

  • Ensuring that all systems, services and equipment used for data storage comply with acceptable security standards.
  • Performing periodic checks and scans to ensure that security hardware and software are functioning properly.

The Marketing Department is responsible for:

  • Approval of any data protection statements attached to communications, such as email messages or addresses.
  • Responding to any data protection questions from journalists or media outlets such as newspapers.
  • Where appropriate, collaborating with the Data Protection Officer to ensure that marketing initiatives comply with data protection principles.

The Human Resources Department is responsible for:

  • Raising awareness among all employees about the protection of users' personal data.
  • Organizing competency and information training on personal data for employees who work with personal data.
  • Full protection of employees' personal data. The department is obliged to ensure that employees' personal data is processed for the employer's legitimate business purposes and according to its needs.

The Procurement Manager is responsible for passing data protection responsibilities on to suppliers and for raising suppliers' level of awareness of personal data protection, as well as for the requirements for downstream transmission of personal data to any third party used by a supplier. The Procurement Department is responsible for ensuring that the Company reserves the right to audit suppliers.

    10. Audit and accountability

The Audit Department is responsible for auditing how departments implement this Policy.

Any employee who violates this Policy will be subject to disciplinary action and the employee may also be liable civilly or criminally if their conduct violates laws or regulations.

    11. Conflicts of laws

The purpose of this Policy is to comply with the laws and regulations in force at the location of the Company’s headquarters and in the countries in which the Company operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.

    12. Validity and document management

This document is valid from 09.02.2022.

This document will be updated annually, if necessary.


© 2025 TDP Partners Privacy Policy
