Privacy Policy

  1. OVERVIEW

This Policy on the protection of personal data (hereinafter the “Policy”) defines the procedures for processing and protection of personal data in FORCYBER, a limited liability company organized and operating in accordance with Romanian legislation, headquartered in Romania, Bucharest, Calea Grivitei 190, registered at the Bucharest Trade Register under no. J40/11009/2021 CUI RO44495092 (hereinafter referred to as “FORCYBER” or “Controller”), and establishes the procedures aimed at preventing and identifying any violations of the applicable law regarding personal data.
This Policy has been developed in accordance with Romanian and European Union legislation, with particular reference to the following regulatory framework:

  • General Data Protection Regulation (GDPR), adopted by the European Parliament and the European Council on 27 April 2016;
  • Romanian Law 190/2018 for the application of the provisions of GDPR and
  • any other decisions that can be issued by the National Authority for the Supervision of Personal Data Protection (Autoritatea Nationala de Supraveghere a Protectiei Datelor cu Caracter Personal – ANSPDCP) regarding personal data protection.

  2. PURPOSE OF DATA PROTECTION POLICY

The main purposes of the data protection Policy are:

  • To establish a procedure, including the terms and conditions, as well as the internal controls, to be implemented for personal data processing according to GDPR regulatory requirements, in order to prevent regulatory framework infringements.
  • To establish and present the FORCYBER staff responsible for personal data processing and related responsibilities, the internal Policy regarding personal data processing and FORCYBER requirements for personal data processing.
  • To establish the responsibilities of FORCYBER staff involved in personal data processing in case of violation of legal and regulatory provisions regarding personal data processing.
  • To observe the data subjects’ right to be informed regarding personal data processing by FORCYBER.

Thus, the purpose of this Policy is to explain which categories of personal data we process, why we process or need to process these data, and how we process them and what we do with them. Considering that personal data belong to the data subject, we make our best efforts to process them with maximum due professional care and to store them securely. We do not transfer any data to third parties without a pre-determined legitimate ground and without previously fulfilling our obligation for prior information.

  3. SCOPE AND SUBSEQUENT MODIFICATIONS OF DATA PROTECTION POLICY

This data protection Policy applies to FORCYBER and its employees and addresses all personal data processing activities within FORCYBER. This policy content can be modified only under the direct coordination and validation of FORCYBER Data Protection Officer (DPO). Any change shall be reported and approved by FORCYBER senior management, following the internal standard process for policies and procedures enforcement.

The last review in force of the FORCYBER Policy on the protection of personal data is available and can be consulted on the company’s website, www.forcyber.net.

  4. DEFINITIONS

For the purpose of this policy, we use the following definitions:

“Data Protection Officer (DPO)” refers to the person responsible for monitoring the compliance with the GDPR and other legal and regulatory provisions regarding personal data protection within FORCYBER, who performs its attributions as stated by this Policy and the GDPR applicable legislation, provides advice and consultancy to FORCYBER management and internal staff involved in personal data processing and acts as a point of contact on GDPR topics with third parties and authorities, on FORCYBER behalf.

“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purpose of this Policy, Controller refers to FORCYBER.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Recipient” means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Health data” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

“Cross-border processing” means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

  5. PERSONAL DATA PROCESSING PRINCIPLES

    a. Lawfulness, fairness and transparency

FORCYBER protects the individual rights of natural persons (“Data Subjects”) during personal data processing, personal data being processed lawfully, fairly and in a transparent manner in relation to the data subject.

“Lawfulness” – refers to the identification of legal grounds for data processing, as defined by Art.6 of GDPR, before engaging in or initiating any activity that involves processing of personal data.

“Fairness” – in order for personal data processing to be considered fair, it should be applied similarly to similar target categories of data subjects, personal data categories and processing purposes.

“Transparency” – refers to prior information of data subject regarding how his/her personal data are processed. This principle applies no matter if the personal data is collected directly from the data subject or is obtained indirectly, from a third party. The data subject should be informed, at least, regarding the: (1) identity of the controller; (2) the purpose of personal data processing and the related legal ground; (3) the third parties (or third parties categories) to whom the personal data may be disclosed.

b. “Purpose limitation” – personal data are collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; personal data is processed only for the processing purpose defined before starting to collect the data, any subsequent changes of processing purpose are allowed only on an exceptional basis, to a very limited extent and require adequate prior substantiation.

c. “Data minimization” – personal data processing should be adequate, relevant and limited to what is necessary in relation to the purposes for which they were collected; before starting any data processing, it should be determined whether and to what extent the processing of personal data is necessary for the processing purpose. When the processing purpose allows it and the involved costs are proportionate with the processing objective, anonymized or pseudonymized data shall be used. Personal data shall not be collected in advance and stored for potential future processing purposes, except when specifically required or allowed by applicable legislation.

d. “Storage limitation” (also known as “right to be forgotten”) – refers to the fact that personal data should not be kept, in a form which permits identification of data subjects, for longer than is necessary for the purposes for which the personal data was processed; personal data that is no longer necessary for the processing purposes for which it was initially collected is irreversibly deleted from the Controller’s records immediately upon expiration of mandatory legal retention terms according to the business processes for which it was used.

In case of certain private interests that require protection through further preservation of personal data after the expiration of the retention period according to the initial data processing purpose, or in case of public interests related to the historical importance of such data, on a case-by-case basis, it may be possible that FORCYBER keeps such data until the protected interests are legally clarified, or until the data has been assessed to determine whether it should be further stored for historical/ archivistic purposes.
When actual deletion may negatively impact FORCYBER information systems, the personal data will be irreversibly anonymized, so that there is no available clue that may lead to data subject identification.

e. “Accuracy” – personal data processed must be accurate, correct and complete and, if the case, permanently updated; FORCYBER takes all reasonable measures to ensure that the personal data that is inaccurate, incorrect, incomplete or outdated is deleted or rectified without undue delay.

f. “Integrity and confidentiality” – personal data is processed in a manner that ensures appropriate data security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures; FORCYBER classifies all personal data “confidential”, and they are handled as such by all our employees, as per the legal obligations in force.

g. “Accountability” – the Controller is responsible for and must be able to demonstrate compliance with all data processing principles for each and every personal data processing activity. This principle addresses the Controller governance framework and promotes accountability, as a complement to transparency.

FORCYBER can prove compliance with data protection principles through – at least, but not limited to – implementation of data protection policies and procedures, observing and complying with the code of conduct, implementation of technical and organizational measures for data protection, adoption of specific techniques like data protection by design, data protection by default, data privacy impact assessment, data breach notification policy and security incident response plans.  

  6. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING

Collection, processing and use of personal data is allowed only based on the following legal grounds: 

6.1. Data regarding our clients and business partners
a. Data processing is necessary for the performance of a contract

FORCYBER may process personal data belonging to the legal representatives and/ or contact persons assigned by our clients, suppliers, or any other business partners, in order to initiate, conclude, execute and terminate a business contract in relation with FORCYBER. Before contract signing – during contract initiation phase – personal data may be processed for preparing or negotiating business offers or purchase orders or for any other preliminary steps necessary prior to entering a contract. Contact persons assigned by our business partner (client/ supplier) can be contacted by us during pre-contractual phase using only the contact details we received in this regard. Any objections or limitations for contact requested by the respective contact persons must be observed and complied with.

b. Consent as a legal ground for data processing

When the processing purpose requires the data subject’s consent, personal data can be processed exclusively after receiving the express consent from the affected data subject for data processing for that explicit processing purpose.
In general, consent must be obtained in a documented form (in writing or electronically) so that the Controller may be able to demonstrate that the data subject has consented to processing of his or her personal data. Under certain circumstances, such as verbal consent by phone, the consent is considered legitimate provided adequate traceability is ensured. Documenting consent, as well as consent withdrawal (if the case), is mandatory, regardless of the means of registration.

c. Data processing for compliance with a legal obligation of the Controller

Personal data processing is allowed when the applicable legislation requires, imposes, or allows the processing activity. The type and extent of personal data processing for compliance with a legal obligation the Controller is subject to must be (1) necessary for the related activity (required or imposed) and (2) performed in compliance with relevant legal provisions.
FORCYBER may process and store your data based on our legal obligation for the following processing purposes:

  • in order to fulfil our legal documentation and storage obligations for purposes of financial and accounting management according to the tax legislation;
  • for purposes of external audit or financial audit;
  • for purposes of reporting to the authorities according to the applicable regulations;
  • for purposes of controls and/or reply to the requests from the authorities (e.g. ANAF, ANPC, ANSPDCP, etc.),
  • for garnishment and distraint management purposes according to Civil and Penal Code,
  • for business continuity purposes and for information security purposes within the systems (including data bases storage and back-up storage)
  • for keeping, storage and archiving of documents,
  • for physical security purposes in our premises through CCTV video cameras located in our premises to ensure monitoring of people, location and goods security and guarding according to Law 333/2003.

d. Personal data processing based on the legitimate interest of the Controller

Personal data may be processed also if the processing is necessary based on a FORCYBER legitimate interest. Our legitimate interests are, in general, either of a legal nature (for example, overdue debt collection, litigations, etc.) or business interests (for example, avoidance of contractual obligations breach). FORCYBER shall not process personal data for legitimate interests’ purposes if, for specific cases, there is evidence that the data subject’s personal interests prevail over our legitimate interest, and thus require additional protection. Before initiating any personal data processing based on legitimate interest, a legitimate interest assessment shall be performed to determine whether there are any personal interests of the data subject that can be affected and need to be protected.

e. Processing of special categories of personal data

FORCYBER does not process special categories of data (regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation) in relation to its clients/ suppliers or any other business partners.
Special categories of personal data can be processed only if the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject (for example, in the field of employment and social security and social protection law) or if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. Also, special categories of personal data can be processed if the processing is necessary to protect the vital interests of the data subject or of another natural person (where the data subject is physically or legally incapable of giving consent) or if processing is necessary for reasons of public interest in the area of public health. In case FORCYBER plans to engage in activities that require processing of special categories of personal data, DPO prior information and consultation is mandatory.

f. Processing of personal data for marketing purposes and/ or for service improvement purposes

If you wish to participate in our loyalty programs, satisfaction studies regarding the contracted services or receive newsletters or varied promotional materials by e-mail, we might need your express consent to be able to process your data for such purpose.
Once you gave us your consent, you are entitled to withdraw such consent at any time, for one or for all processing operations presented above, without indicating any reason, by e-mail to dpo@forcyber.net or office@forcyber.net.

In certain cases, under strict observance of your personal rights and freedoms, and only if you have not expressly objected to such processing, we can also send you commercial content based on our legitimate interest to promote similar products or services as the ones you already have with us or to evaluate the quality of services provided by our sub-contractors that serve you on our behalf, if the case.

Also, in case of providing you with remote services, we keep records of the digital communications (e.g. emails, website forms), in order to increase the effectiveness and improve the quality of our services, as well as for optimum execution of contracts, respectively for execution of phone, e-mail and web-based orders/ offers request. The legal ground for such processing activities is your express consent, if granted.

6.2. Data regarding our employees/recruitment candidates

a. Personal data processing for the purpose of the labor agreement

Within the work relationship, personal data can be processed, if the case, for initiating, concluding, executing and terminating the labor contract.

For initiation of a labor contract, personal data of the candidates will be processed for the purpose of the recruitment process. The personal data of the candidates that did not pass the recruitment and selection process must be deleted according to the retention period in force, unless the candidate has given consent for his/ her data to be kept and used for future recruitment selection processes, for 12 months from the initial job request submission.

If, during recruitment, it is necessary to obtain certain personal data regarding the candidate from third parties, applicable legal requirements in place must be complied with. In case of uncertain legitimate ground, data subject consent must be obtained.
In case of active labor relations, personal data processing must always regard the purpose of the labor contract, unless none of the following circumstances for authorized data processing apply. There must always be a legitimate authorization for personal data processing activities that relate to the labor relationship but were not initially included in the execution of the labor contract. These may include legal requirements, general collective agreements with employees’ representatives, employee consent or employer legitimate interest.

b. Data processing for compliance with a legal obligation of the Employer (Controller)

Employees’ data processing is allowed also when national legislation requires or imposes such processing. The type and extent of personal data processing activities must be necessary according to legal requirements and must comply with related relevant legal provisions. If there is a certain legal flexibility in applying requirements in this regard, the employee’s interests that deserve protection must be taken into consideration.

c. Data processing based on employee’s consent

When it is necessary, personal data of the employee can be processed after obtaining express consent of the affected person. To be considered valid, the consent statement must be freely given and unconditional.

Consent statement must be documented in written form or electronically and must be kept by the Controller. In certain circumstances, consent can be given verbally, in which case it must be subsequently documented accordingly. Providing, freely and informed, the personal data by the affected person, can be equivalent to processing consent if specific legislation does not impose express consent.

By “consent” it is understood that the data subject agreed to processing of his/ her personal data. Data subject can withdraw his/ her consent at any time by e-mail to dpo@forcyber.net.

d. Personal data processing based on legitimate interest

Personal data may be processed also if the processing is necessary based on a FORCYBER legitimate interest. Our legitimate interests are, in general, either of a legal nature (for example, defend our interests within litigations or legal actions, etc.)

FORCYBER shall not process personal data for legitimate interests’ purposes if, for specific cases, there is evidence that the employee’s personal interests prevail over our legitimate interest, and thus require additional protection. Before initiating any personal data processing based on legitimate interest, a legitimate interest assessment shall be performed to determine whether there are any personal interests of the data subject that can be affected and need to be protected, as well as the proportionality of the processing activity legitimacy compared to data subjects’ interests.

e. Processing of special categories of personal data

FORCYBER does not process the following special categories of data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data or data concerning a natural person’s sex life or sexual orientation in relation to its employees.

Certain types of special categories of personal data, such as health data, can be processed only if the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject (for example, in the field of employment and social security and social protection law) or if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. Also, special categories of personal data can be processed if the processing is necessary to protect the vital interests of the data subject or of another natural person (where the data subject is physically or legally incapable of giving consent) or if processing is necessary for reasons of public interest in the area of public health. In case FORCYBER plans to engage in activities that require processing of special categories of personal data, DPO prior information and consultation is mandatory.

f. Data processing over internet and telecommunication channels

Phone equipment, e-mail addresses, intranet and internet, together with internal social networks are made available by FORCYBER to its employees, in the first place, for work related activities, as instruments and resources of the Company. They can be used according to internal Company policies and applicable legal requirements. In case of use of FORCYBER electronic communication resources for personal purposes, the legislation regarding telecommunications’ secrecy and national legislation regarding telecommunication must be obeyed, if the case.

To ensure the confidentiality, integrity and availability of data, FORCYBER can implement automatic protection measures, including data traffic analysis, with the purpose of detecting attack vectors and attack models and preventing them, as well as for response to cyber and information security incidents.

To ensure a high level of information security, as well as to solve information security incidents, use of mobile phones, e-mail addresses, intranet/ internet networks and internal social networks can be temporarily recorded.

The analysis of these data and the identification/ profiling of a certain person’s behavior can be performed only for definite, specific cases and based on justified suspicions of breach of FORCYBER policies or applicable legislation. The analysis and assessment can be performed only by dedicated investigation teams, ensuring, at the same time, compliance with the principle of proportionality.
FORCYBER shall not process personal data in the absence of one of the above reasons. The same rule also applies in case the purpose for collection, processing and use of personal data needs to be changed compared to the initial purpose.

  7. PROCESSING OF PERSONAL DATA ON THE COMPANY WEBSITE

If personal data is collected, processed, or used through the company website or web-based applications, data subjects must be informed about this processing activity, including the use of cookies, by means of a data privacy notice/ declaration of confidentiality regarding personal data processing.

7.1 Data protection on our website

The protection of your private interests during the use of our website (www.forcyber.net) is of utmost importance for us. Therefore, we further inform you in detail about the processing of personal data through this means of interaction.

The responsibility for data protection regarding the website www.forcyber.net lies with FORCYBER. When using and processing personal data, we strictly observe the legal provisions on data protection. We reserve the right to use personal data and anonymized data that make the object of data subject rights under the limits imposed by the applicable legislation, as detailed below.

This notification regarding data protection on our company website applies only to www.forcyber.net and its related sub-domains, but not to the sites controlled or operated by third parties (e.g. webpages of our partners published on our website). Please verify the policies and notifications on the protection of the data related to the webpages controlled or operated by third parties, as such are not under our control, and we assume no liability for their content and measures regarding data protection.

Our partners are carefully selected and they ensure, by proper technical and organizational measures, the processing of your data according to the applicable legal provisions on data protection and ensuring the observance of your rights. Partners are prohibited from using personal data to which they have access based on the authorizations received from us for their own or business purposes, or from transmitting such data to third parties.

7.2 Data security on our website

For the protection of your data on our website, we took technical and organizational measures to protect it, especially against loss, handling, or unauthorized access. The measures we took are verified on a regular basis and constantly adapted to the current state of the art. In case of a breach of your personal data, we will notify you if the data breach proves to expose your rights and freedoms to high risk.

In case you own a password that allows your access to our applications, you are responsible for keeping the security and confidentiality of the password.

Use by minors

Please take into consideration the fact that all data processing instruments can be used exclusively by persons of age above 14 years old. The use of systems and data processing instruments by users under this age is forbidden without express consent of parents or tutors. In case such processing activities take place, we will withdraw access and stop the processing as soon as we become aware of such a situation.

7.3 Collection and processing of personal data on our website

a. Data supplied by you

The personal data are processed by us according to the legal provisions in force regarding data protection. If you exchange correspondence with us or if you fill in a form with personal data through our Contact webpage, please consider that the data provided by you in the concerned form shall be processed for the purposes they were submitted for or for the purpose of processing a contact request, for the concluding and execution of a contract, respectively to perform the pre-contractual formalities on your request.
Even if, while using one of the offered services, you are requested to insert your personal data (e.g. fill in the Contact form), the correlation of your personal data with the data from the accessing protocol by the IP address (collected anyway in anonymized form) to profile a user with personal data is absolutely excluded.

For how long do we store your data on our webpage?
We shall store your data for 30 (thirty) days as of the collection date through the website, then it shall be definitively erased from our webpage.

b. Data collected by us

If you visit our webpage, the data are registered automatically by means of cookies. For more information on the cookies used on our webpage, see the page Cookie Policy.

7.4 Your rights on personal data protection

As a data subject according to the provisions of GDPR, the rights regarding the protection of the personal data described in the section below Data Subjects Rights shall be fully applicable, including for personal data collected and processed by the webpage.

  8. PERSONAL DATA TRANSFER

Transfer of personal data to third parties and recipients other than FORCYBER is subject to data processing authorization as detailed in this section. The data recipient has the obligation of using the received information only for the defined, specific purposes established before the transfer.

All data transfers mentioned above are handled in strict alignment with personal data processing principles, especially data minimization – we may transfer towards third parties only the data that is strictly necessary for fulfilling the processing purposes mentioned above.

In general, for processing activities mentioned above, the personal data is transferred towards entities in CEE (European Economic Community). Yet, in case the processing activity requires data transfer towards a third party or an international organization outside CEE, we make sure to apply adequate guarantees as per the requirements of articles 44-49 of GDPR.

  9. PERSONAL DATA PROCESSING BY DATA PROCESSORS

Personal data processing on behalf of the Controller means that a supplier/ provider is contracted to perform activities that require processing of personal data without actually taking responsibility for the related business process towards the customer. In this case, a data processing agreement must be signed by FORCYBER, acting as Controller, and the related third party (supplier/ provider), acting as Data Processor. FORCYBER keeps full responsibility towards its customer regarding the adequacy of data processing. The third party can process personal data only according to FORCYBER specific instructions. When contracting services that imply processing of personal data belonging to FORCYBER customers, FORCYBER must ensure that:

  • The selected supplier/ provider is chosen based on capacity to fulfill technical and organizational measures for adequate data protection.
  • The data processing contracting terms must be documented in writing, including the personal data processing instructions and the parties’ responsibilities.
  • The contractual standards for personal data protection, provided by DPO, must be considered.
  • Before starting any personal data processing, FORCYBER must ensure the data processor will comply with its obligations in terms of data security. This should be documented either through assessment results performed directly by FORCYBER, or by documented proof provided by the supplier itself (for example, by providing a relevant certification). Depending on data processing risk, the review must be performed regularly during the contract execution.
  • In case of cross-border data processing agreements, the relevant national legal requirements for data disclosure abroad must be complied with. In particular, personal data from CEE can be processed in a third country (outside SEE) only if the third party can prove it has implemented a data protection standard at least equivalent with this Policy for personal data protection. The appropriate safeguards to be considered may include:
    • EU Standard Contractual Clauses
    • Participation of the supplier in a certification mechanism authorized by the EU for ensuring an adequate level of data protection
    • Binding corporate rules of the supplier authorized by responsible data protection authorities for ensuring an adequate level of data protection.

  1. DATA SUBJECTS’ RIGHTS

Data subjects have the following rights with regard to personal data processed by FORCYBER:

  • The right to be informed – to obtain from FORCYBER:
    (a) the identity and the contact details of FORCYBER and, where applicable, of its representative;
    (b) the contact details of the data protection officer, where applicable;
    (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    (d) the categories of personal data concerned;
    (e) data retention period for personal data and the criteria used to establish it, provided that FORCYBER processes and keeps the personal data for the term required by legal requirements in force. Personal data processing stops immediately when there is no reason for further processing;
    (f) the source of obtaining the personal data (in case the personal data is not obtained directly from the data subject)
    (g) if providing the personal data for processing is a legal requirement or a contractual obligation, or whether it is necessary for concluding a contractual agreement, as well as if the data subject has the obligation to provide the personal data and the possible consequences if objected.
    (h) the recipients or categories of recipients of the personal data, if any;
    (i) where applicable, that FORCYBER intends to transfer personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision by the Commission, and reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
  • The right to access the personal data – the data subject has the right to obtain from FORCYBER the confirmation if his/ her personal data are processed by FORCYBER and/ or the right to receive a copy of his/ her personal data processed by FORCYBER;
  • The right to rectification – the data subject has the right to obtain from FORCYBER, without undue delay, the rectification, or the completion, of his/ her inaccurate, or incomplete data;
  • The right to be forgotten – the data subject has the right to obtain from FORCYBER the deletion of his/ her personal data, without undue delay, if: the personal data is no longer necessary for the purpose they were collected, if the data subject withdraws his/ her consent (for personal data processed based on consent), if the personal data was processed illegally, etc.
  • The right to restrict processing if: (1) the personal data processed is inaccurate; (2) the data processing is performed illegitimately and the data subject requests restricting the data processing instead of deletion; (3) the personal data are no longer necessary for the processing purpose, but they are still required to ascertain, exercise or defend a certain right in a court of law; (4) the data subject has objected to the data processing, for the time necessary to verify whether the controller's legitimate interests prevail over the private interests of the data subject;
  • The right to personal data portability – the data subject has the right to receive his/ her personal data in a structured, commonly used and machine-readable form, and also has the right to request that these data are sent directly to another controller, without any limitations from FORCYBER (only if the personal data processing is based on consent or contract execution and provided the data processing is performed with automated means of processing);
  • The right to object to data processing at any time (including profiling, for example for direct marketing purposes);
  • The right to withdraw consent at any time, without affecting the legitimacy of consent based data processing performed before the consent was withdrawn.
  • The right to file a complaint with the supervisory authority (ANSPDCP), in case the data subject considers there is any abuse or breach of his/ her rights;
  • The right to address the court against a decision of the supervisory authority, FORCYBER or other data processor;
  • The right to obtain compensation from FORCYBER or other data processor for the proven prejudice.

  1. CONFIDENTIALITY OF PERSONAL DATA PROCESSING

Personal data is considered confidential information and shall be treated as such. Any unauthorised collection, processing or use of such data by FORCYBER employees is strictly forbidden. Personal data processing is also confidential and will be performed only by authorized persons acting under FORCYBER authority and only based on FORCYBER specific processing instructions.

Any personal data processing performed by a FORCYBER employee that was not previously authorized as part of his/ her job requirements is considered unauthorized processing. The “need to know” principle shall apply. Employees may have access to personal data only based on strict separation and segregation of duties that require implementation of specific roles and responsibilities for each FORCYBER employee.

FORCYBER employees are strictly forbidden to use personal data for private or commercial purposes, to disclose them to unauthorized persons or to make them available in any way. FORCYBER employees are informed about their obligation to protect data secrecy by their direct managers, at the beginning of the labor contract.

In case of unauthorized use or misuse of personal data, employees may be subject to sanctions, as established by FORCYBER internal regulatory framework and applicable legislation in force.

The obligation to protect the confidentiality of personal data remains valid after the termination of the labor contract, subject to confidentiality breach related sanctions, as provided by the applicable legislative framework in force.

  1. SECURITY OF PERSONAL DATA PROCESSING

Personal data is protected against unauthorized access and against illegal/ illegitimate processing or disclosure, as well as against accidental loss, modification or destruction. This protection is implemented regardless of whether the data is processed electronically, on paper or through any other means. Before implementing any new means for processing personal data, especially information systems, the technical and organizational measures for personal data protection must be defined. These measures depend on the level of technological evolution, the risks identified regarding the personal data processing and the related necessity to protect the data (as determined during the information classification process).

In particular, the organizational structure responsible for the processing activity may consult the DPO and the Information Security Officer (CISO). The technical and organizational measures for personal data protection are an integral part of the corporate information security management and are continuously adapted to technical evolution and organizational changes.

Access to personal data is granted only to those employees of FORCYBER that need access to such data to perform their operational tasks related to any of the data processing purposes defined above (e.g. Human Resources, Legal, Accounting, IT, Sales, Business Administration staff/ departments). Any access to personal data for other employees, not explicitly granted with access rights according to the present Policy, is strictly forbidden.

FORCYBER employees that have access to personal data have the right to process only those data that are necessary for performing their job related operational tasks and responsibilities in relation to the personal data processing purposes mentioned above.

The documents that contain personal data are stored by the FORCYBER organizational departments whose employees are granted access to personal data for fulfilling their job related operational tasks and responsibilities, being also fully responsible for handling the relevant data in relation to data subjects.

Any person that processes personal data on behalf of FORCYBER shall comply with processing principles and rules, as detailed within the present Policy.

Once FORCYBER authorizes a person to process personal data on its behalf, FORCYBER is fully responsible towards the data subject for all data processing activities, including any actions or omissions of that person. The person who processes the personal data on behalf of FORCYBER is responsible for his/ her processing actions and omissions towards FORCYBER.

All personal data must be treated with the highest degree of security and must be kept in a separate, dedicated, restricted, closed storage facility, either physical (room/ cabinet/ drawer, etc.), under strict access control (by physical or electronic access key), or, if computerized, the access password must be protected according to access control policy provisions and the (removable) storage media must be encrypted according to applicable security standards.

  1. PERSONAL DATA PROTECTION CONTROLS

Compliance with the personal data protection policy and related legislation in force is subject to regular review, through data protection and/ or information security audits and other specific controls in place. Performing these controls on a regular basis is the responsibility of the DPO, either directly or involving specialized external auditors.

The results of any controls performed with impact on personal data protection shall be reported to DPO.

The management of FORCYBER is regularly informed regarding the controls’ results, as part of DPO reporting responsibilities. On request, the results regarding data protection related controls shall be made available to the data protection supervisory authority. Also, the data protection supervisory authority can perform its own compliance controls in relation to the provisions of this Policy, according to the national regulatory framework.

  1. PERSONAL DATA RETENTION AND DELETION

FORCYBER shall not keep the personal data in a form that allows the direct or indirect identification of data subjects longer than it is necessary for the processing purposes for which the personal data was collected in the first place.

FORCYBER can store the data after the termination of the actual processing activity according to legal general prescription terms in force, provided the implementation of adequate technical and organizational measures to protect the data subjects’ rights and interests.

Personal data must, and shall, be deleted/ destroyed securely, in compliance with the 6th GDPR principle, ensuring an adequate level of protection for the data subjects’ rights and interests. Any deletion/ destruction shall be performed in compliance with the secure asset destruction procedure.

  1. PERSONAL DATA SECURITY INCIDENTS (DATA BREACHES)

All employees have the obligation to report immediately, to their direct supervisor, any breach of this Policy or any other regulations regarding the protection of personal data (security incidents regarding data protection), regardless of whether it is a confidentiality, integrity or availability breach. The manager or the supervisor of the organizational structure involved has the obligation to immediately inform the DPO regarding any data protection incidents.

In case of:

  • Erroneous/ unauthorized transfer of personal data to third parties;
  • Unauthorized access to personal data; or
  • Loss, destruction, or alteration of personal data

the manager of the organizational structure involved shall prepare, as a matter of urgency, the notification reports, according to the rules stated by the Information security incidents management policy, so that all emergency measures to limit the exposure and impact on data subject can be implemented in due time, as well as for timely fulfilling the company obligations with regard to incident reporting and notification to the supervisory authority. 

  1. RESPONSIBILITIES AND SANCTIONS

FORCYBER management, its employees and its contractors, are responsible for personal data processing in their own area of responsibility. Thus, they have the obligation to ensure that both legal requirements regarding personal data protection, and the ones detailed within the Policy regarding the protection of personal data (for example, national obligation for incident reporting) are complied with. Management structures are responsible to ensure there are adequate organizational measures, human and technological resources in place so that any personal data processing is performed in compliance with regulatory provisions. Compliance with these requirements is under responsibility of the managers of each organizational structure.

FORCYBER DPO is informed immediately of the controls performed by the data protection supervisory authority. FORCYBER DPO is the single point of contact, having a consultation/ advisory role, regarding GDPR topics in relation to FORCYBER management, employees, customers, suppliers or data protection supervisory authority.

The departments responsible for business projects and processes shall inform the DPO in due time regarding new personal data processing activities. If it is planned to process personal data that may present special risks for the data subjects’ rights and interests, or if special categories of personal data may be involved, the DPO shall be informed and consulted before engaging in the processing activity. Direct managers are responsible to ensure their employees are sufficiently trained regarding personal data processing.

Inadequate processing of personal data, or other breaches of personal data legislation in force, may lead to compensations to be paid by FORCYBER for the prejudice. Data breaches due to individual employee fault may be subject to personal sanctions, as per the labor legislation in force.

  1. DATA PROTECTION OFFICER (DPO)

FORCYBER Data Protection Officer (DPO) was designated based on professional qualities and expert knowledge of data protection law and practices necessary to successfully fulfil his specific tasks:

(a) to inform and advise FORCYBER and the employees in charge of personal data processing of their obligations pursuant to GDPR and FORCYBER Policy regarding protection of personal data;

(b) to monitor FORCYBER compliance with GDPR and internal Policy in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested (as regards the data protection impact assessment, legitimate interests assessment, etc.) and monitor their performance;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

(f) to have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing, in the performance of his or her tasks.

FORCYBER shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data and shall support the DPO in performing the tasks by providing the necessary resources and access to personal data and processing operations, and to maintain his or her expert knowledge.

FORCYBER DPO:

  • is independent from business or operational conflict of interests in performing his or her tasks and does not receive any instructions or conflictual pressure regarding the exercise of those tasks in compliance with legal and regulatory provisions in force.
  • reports directly to the highest management level of the Company, and
  • is bound by secrecy or confidentiality concerning the performance of his or her tasks.

Data subjects may contact the DPO at any time with regard to all issues related to processing of their personal data and to the exercise of their rights under GDPR.

Within FORCYBER, the DPO shall be consulted for any personal data complaint and for each data breach incident within the company; any investigation from the data protection authority shall be immediately reported to DPO.

DPO shall inform FORCYBER management, without undue delay, regarding any potential or existing risk regarding the protection of personal data within the Company. DPO decisions for remediation of data breach incidents have to be supported and sustained by FORCYBER management.

Data Protection Officer contact details:
MAXSYS TECH CORE S.R.L, Data Protection Officer (DPO).
E-mail: dpo@forcyber.net

  1. PRIVACY POLICY REVISIONS – ENTERING INTO FORCE. SUBSEQUENT UPDATES

This Privacy Policy takes effect starting December 2023.
FORCYBER can update or change the present Policy on a regular basis, due to, for example, legislative changes or internal operational and organizational changes at FORCYBER level.
