Terms and Conditions

Information note regarding the processing of personal data within IHM TOTAL CONSULT SRL

1. How to contact us

IHM TOTAL CONSULT SRL

J35/3100/2014

VAT no. 16080618

Str. Ep. Augustin Pacha, nr. 1, ap. 31

Timişoara, Timiş county, ROMANIA

[email protected]

2. What does this information note cover?

2.1 This information note:

2.1.1 produces effects from: 25 May 2018

2.1.2 is published on: 25 May 2018

2.2 This information note describes your rights in relation to your personal data that we process and the way we take action to protect your personal data and applies to:

2.2.1 Our website: IHM.ro

2.2.2 Our email

2.2.3 The printed documents that we receive from you and which we store

2.2.4 All platforms or online environments on which we publish information or ads or on which we operate.

3. Why and how do we process your personal data?

You are not required to provide your personal data, but it is impossible for us to provide you with our services in the absence of such data.

3.1 IHM Total Consult collects and processes personal data:

  • to find jobs in line with your education
  • to let you know about opportunities in the labour market, for direct marketing (career opportunities, training, etc.) with your agreement
  • to transfer data to third parties
  • to comply with any legal obligations
  • for studies, statistics, analysis on our field of activity – the labour market
  • for other aspects related to the activity carried out by us and the optimization of communications and systems used by us
  • to participate in any potential or actual acquisition or sale, total or partial

3.2 The personal data that IHM Total Consult collects include, but are not limited to:

  • your email for data registration and submission, so that we can communicate with you as an employee, candidate, client, business partner, etc.
  • your name, date of birth, and elements that prove your identity and the right to work for the purpose of performing our activity for you
  • your occupation and qualifications, as well as any other information that you mentioned in your description/CV
  • your professional office/address, so that we can communicate with you as an employee, candidate, client, business partner, etc.
  • your ID to allow you to log in, keep your log in as you browse through our site pages, and allow you to access the facilities of the IHM.ro account
  • the content of the messages written by you on the IHM.ro website, on your LinkedIn account or any other social media or online media account, as well as the data submitted by you, because this content is necessary for the specific performance of the activity of IHM Total Consult, to suggest jobs or career opportunities to you in accordance with your interests, or to make it easier for you to visit our website or portal
  • the feedback from or about you from third parties or from our staff – they are personal opinions and will be treated as such
  • video or audio materials from courses, by virtue of our legitimate interest in transmitting in a variety of ways the materials produced by us. By enrolling on the course and, implicitly, by accepting this set of terms and conditions, the participant agrees that IHM TOTAL CONSULT SRL can use the photographs, video or audio materials created by the staff or contractors of IHM TOTAL CONSULT SRL during the courses, without the need for special request for a participant’s acceptance
  • if you contact us, we may register the correspondence and collect information for analysis and marketing purposes and any other purpose related to our legitimate activity

The collection and display of these personal data and texts of your written messages in the online environment specified above is the result of an action by which you choose to make public those data manifestly, and the processing of such data will be in our legitimate interest to offer vacancies and to carry out the activity of selection and recruitment of staff for our clients, payroll and staff management, provision of temporary staff, provision of services to third parties, as well as any other activities specific to our activity.

4. Who is responsible for processing your personal data?

4.1 IHM TOTAL CONSULT SRL:

  • decides why your personal data are processed;
  • decides how your personal data are processed;
  • is responsible for processing your personal data.

4.2. We have a personal data protection officer and the contact details are [email protected]

5. From whom and how do we collect your personal data?

5.1 We collect your personal data directly from you.

5.2 We collect your personal information electronically using a web form.

5.3 We collect your personal data as a result of your voluntary submission to us by any means, by virtue of our activity and of the advertisements published in any media, by display or online.

5.4 When you provide us with your personal data, your provision is:

5.4.1 allowed and voluntary – you can provide us freely: name, email, phone, content of the messages written on the website or email, professional office/home address, profession, date of birth

5.4.2 allowed and mandatory – you need to provide us: the contact data.

5.5 If you fail to provide us with your personal data and this is voluntary, then this cannot affect you.

5.6 If you fail to provide us with your personal data and this is mandatory, then it may affect you: You will not be able to benefit from the services we provide, because it is related to the activity of the company.

5.7 The mandatory provision of personal data is:

5.7.1 a legal requirement.

5.7.2 a contractual requirement.

5.7.3 a requirement to enter into a contract or recruitment project.

6. What is our legal basis for processing your personal data?

6.1 We process:

6.1.1 “non-sensitive” personal data.

6.1.2 “sensitive” personal data.

6.2 The legal basis for processing your “non-sensitive” personal data is:

6.2.1 your consent.

6.2.2 a contract to which you are a party.

6.2.3 a request from you before entering into a contract. The request justifies the processing of your personal data.

6.2.4 the need to comply with a legal obligation to which we are subject.

6.2.5 our legitimate interest or the legitimate interest of a third party.

6.3. We process your personal data based on some interests that are:

6.3.1. legitimate;

6.3.2. real;

6.3.3. present.

6.4. Processing your personal data is necessary for the legitimate interests we are pursuing.

Our legitimate interests can be removed from your interests and your fundamental rights.

We adequately protect your interests and rights and freedoms.

We provide a link to a document that explains that our legitimate interest takes precedence over your interests or fundamental rights and freedoms: www.ihm.ro

6.5. The legal basis for processing your “sensitive” personal data is that processing refers to personal data that you make public clearly and voluntarily.

7. In what situations do we process your personal data?

7.1 We collect personal data:

7.1.1 of partners and/or clients.

7.1.2 jobseekers, employees, readers, site users, members of the community, registered consultants, participants in events, etc.

7.2 We are a private enterprise.

7.3 We process your personal data from the private sector.

7.4 We process your personal data in a situation involving:

7.4.1 an activity that is professional or commercial.

7.4.2 a service provision activity.

7.4.3 an online activity.

7.4.4 a contract or relating to an entry into a contract.

7.4.5 your personal data, provided directly as a partner, beneficiary or client.

8. Do we use automated profiling processes and automated decisions?

8.1 We use your personal data to automatically evaluate aspects of your personal profile. The automated evaluation is done, for example, when, in order to provide our clients with the right candidates according to the job requirements (experience, availability, salary, skills, etc.), we use automated systems to obtain a list of people from the database that meet the criteria. The automated evaluation:

  • can include an analysis of your characteristics.
  • can include predictions about your behaviour.
  • is made exclusively with electronic means.
  • is made without human involvement.
  • will be hereinafter referred to by reference to the term “fully automated profiling”.

8.2 We use your personal data to make automated or voluntary decisions about you.

The automated decisions:

  • can include your “fully automated profiling”;
  • are made only by a computer;
  • are made without human intervention;
  • are hereinafter referred to as “fully automated decision-making processes”.

8.3 Our “fully automated” decisions about you are based on your “automated profiling”.

8.4 We base the “fully automated decision” process about you on the following processing logic:

  • To customize the content and resources according to your preferences
  • To communicate information from your area of interest
  • To improve and develop the website and IT systems to make their use more efficient for your benefit

8.5 Our “fully automated” decisions have no impact on your rights or legal status. Our “fully automated” decisions do not have a significant impact on:

  • the circumstances of your situation;
  • your behaviour;
  • your choices and requests.

8.6 The legal basis for our processing regarding the “fully automated” decisions about you is for the purpose of our legitimate interests or the legitimate interests of a third party.

8.7 The personal data on which our system is based when making “fully automated decisions” are “non-sensitive” personal data.

8.8 Our “fully automated” decisions cannot affect you.

8.9. We hereby notify you that, besides the automated profiling, we also carry out profiling processes with human intervention through the use of your personal data in order to carry out our legitimate activity.

9. About the purposes for which we process personal data

9.1 We process your personal data for the purposes described in Section 3.

Our purposes for which we process personal data are:

  • real;
  • present;
  • legitimate.

9.2 We do not process your personal data for secondary purposes that are incompatible with the primary purposes for which your personal data are originally collected:

  • without your prior consent;
  • without a legitimate interest in this regard;
  • without a legal basis.

9.3 We inform you before processing your personal data for secondary purposes:

  • if we initially collect your personal data for a primary purpose;
  • if our secondary purpose is incompatible with the primary purpose.

10. How long do we keep your personal data?

10.1. We limit the duration of storing your personal data to what is required for our processing purposes.

10.2. We periodically review the need to keep your personal data: we analyze the collected and processed data each year for filtering, sorting, and maintaining processing only for the data for which the purpose of the processing is current.

10.3. The company may keep your personal data for up to 5 years after you have registered with us. If you are successful in finding a job through us, IHM Total Consult will have to keep your personal data for a longer period of time in order to comply with its ongoing legal and contractual obligations. The company keeps your personal data as an employee for 10 years and your personal data included in the payroll for 50 years according to the legislation in force.

10.4. We delete your data at the time you request this, except for the data whose supply and processing is required by a legal provision, which we delete within the period provided for by law (invoice data within 5 years).

10.5 If keeping your personal data is required for the purposes specified by law, we may keep your personal data.

11. Do we disclose your personal data?

11.1 We disclose your personal data to recipients/beneficiaries/clients.

11.2 The legal framework on which the disclosure of your personal data to recipients is based is your consent.

11.3 If in the future we disclose your personal data to a recipient, then we will inform you of the moment of the disclosure and the name of the recipients.

12. Do we transfer your personal data outside the EU or EEA?

12.1 We may transfer your personal data:

  • To countries outside the EU or EEA.
  • To international organizations.
  • Your data can be transferred and processed in one or more countries, inside or outside the European Union.
  • We will transfer your data only to non-EU countries in relation to which the European Commission believes that it offers you an adequate level of protection or where the client demonstrates to have implemented appropriate security devices to keep the confidentiality of your information (for which we usually use one of the forms of data transfer contracts approved by the European Commission, which are available here: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm).

13. Are your personal data safe?

13.1 We keep your personal data safe:

  • with appropriate technical measures;
  • with appropriate organizational measures;
  • with an adequate level of security;
  • against unauthorized processing;
  • against illegal processing;
  • against accidental or unlawful loss;
  • against accidental or unlawful destruction;
  • against accidental or unlawful damages.

www.ihm.ro/politica-securitatea-datelor

13.2 We have implemented measures:

  • 13.2.1 to discover security breaches.
  • 13.2.2 to document the causes of the security incident.
  • 13.2.3 to document which personal data are affected by the security incident.
  • 13.2.4 to document the actions (and reasons for actions) to remedy the breach of security.
  • 13.2.5 to limit the consequences of the security incident.
  • 13.2.6 to recover personal data.
  • 13.2.7 to return to a normal state of processing personal data.

13.3 If we have a reasonable degree of certainty that there has been a breach of the security of the processing of your personal data, then:

  • 13.3.1 we report the security incident to the management of our company.
  • 13.3.2 we designate a person responsible:
    • to consider whether the breach of security may have unfavourable effects for you;
    • to inform the relevant staff in our organization;
    • to determine the extent to which it is necessary to notify the Supervisory Authority of the security incident;
    • to determine whether we need to communicate information about the security incident.
  • 13.3.3 we investigate the security incident.
  • 13.3.4 we try to prevent the security incident from leading to:
    • accidental or unlawful destruction of personal data;
    • accidental or unlawful loss of control of personal data;
    • accidental or unlawful loss of access to personal data;
    • accidental or unlawful alteration of personal data;
    • unauthorized disclosure of personal data;
    • unauthorized access to personal data.
  • 13.3.5 we make every effort to mitigate the immediate risk of damage.
  • 13.3.6 we notify the Supervisory Authority of the security incident if the breach is likely to lead to a high risk for your rights and freedoms.
  • 13.3.7 we inform you of the breach of security:
    • if the violation is likely to lead to a high risk for your rights and freedoms;
    • as soon as possible;
    • via suitable contact channels, e.g. by email, SMS, prominent banners on our website, postal communications, prominent advertisements in the media, etc.
  • 13.3.8 we are not obliged to inform you directly if:
    • we have taken action to make your personal data incomprehensible to anyone who is not authorized to access them;
    • immediately after the security incident, we have taken action to ensure that the high risk for your rights and freedoms is no longer possible;
    • it involved disproportionate efforts. In such a case, we will inform you through public networks.

14. Are we certified and have we adhered to a code of conduct?

14.1 We do not use an authorized certification body to certify that we comply with the law, for the sole reason that in Romania there is no such certified body yet.

14.2 We have not adhered to an approved code of conduct that demonstrates that we comply with the law when processing your personal data for the sole reason that there is no such code approved by the Romanian Supervisory Authority. As soon as this code is in force, we will adhere to its principles.

15. What are your rights?

15.1 We respect your rights regarding the protection of your personal data.

15.2 You have the right to access your personal data.

If you ask us to confirm whether we process your personal data or not, then you have a right that obliges us to confirm that:

  • we process your personal data;
  • we do not process your personal data.

Your right to obtain confirmation from us that we process (or do not process) your personal data:

  • does not include anonymous data;
  • includes only personal data that concern you;
  • includes pseudonymised data that may be clearly related to you.

We need to give you access to your personal data if:

  • you request to confirm whether or not we process your personal data;
  • we process your personal data;
  • you request access to your personal data.

We need to provide you with a copy of your personal data if:

  • you request to confirm whether or not we process your personal data;
  • we process your personal data;
  • you request a copy of your personal data.

If you request additional copies of your personal data, then we can charge you a reasonable fee, which is based on the administrative costs necessary to meet your request.

You are entitled to the information regarding the guarantees we have implemented for the transfer of your personal data to a country outside the EU and EEA if:

  • you request to confirm whether or not we process your personal data;
  • we transfer your personal data to a country outside of the EU and EEA.

15.3 You have the right to rectify your personal data.

The right to obtain the rectification of your personal data that are inaccurate:

  • does not include anonymous data;
  • includes only personal data that concern you;
  • includes pseudonymised data that may be clearly related to you.

We need to rectify your personal data if:

  • we process your personal data;
  • your personal data are inaccurate;
  • you request to obtain the rectification of your personal data.

We need to complete your personal data if:

  • we process your personal data;
  • your personal data are incomplete;
  • you request to obtain the completion of your personal data.

You have the right to provide us with an additional statement.

We need to communicate the rectification of your personal data to the recipients of your personal data (if any).

We do not communicate the rectification of your personal data to the recipients of your personal data if the communication to the recipient:

  • is impossible;
  • involves a disproportionate effort.

15.4 You have the right to delete your personal data.

We need to delete your personal data without undue delay if:

  • you request the deletion of your personal data;
  • we process your personal data;
  • your personal data are not necessary for our purposes of processing your personal data.

We need to delete your personal data without undue delay if:

  • you request the deletion of your personal data;
  • we process your personal data;
  • you withdraw the consent on which the processing of your personal data are based;
  • there is no other legal basis for processing your personal data.

We need to delete your personal data without undue delay if:

  • you request to obtain the deletion of your personal data;
  • we process your personal data;
  • the processing of your personal data is necessary to carry out a task we perform in the public interest;
  • the processing of your personal data is necessary in the exercise of an official authority with which it is invested;
  • the processing is necessary for the legitimate interests we pursue;
  • the processing is necessary for the legitimate interests which a third party pursues;
  • you object to our processing of your personal data;
  • the processing of your personal data has a legitimate reason that does not prevail over your objection.

We need to delete your personal data without undue delay if:

  • you request the deletion of your personal data;
  • we process your personal data;
  • you contest our processing of your personal data for direct marketing purposes;
  • the processing of your personal data has a legitimate reason that does not prevail over your objection.

We need to delete your personal data without undue delay if:

  • you request the deletion of your personal data;
  • the processing of your personal data is illegal.

We need to delete your personal data without undue delay if:

  • you request the deletion of your personal data;
  • the personal data must be deleted in order to comply with a legal obligation under European Union law or the domestic law of a Member State.

We need to delete your personal data without undue delay if:

  • you request the deletion of your personal data;
  • your personal data have been collected in connection with the provision of services of the information company.

We need to communicate the deletion of your personal data to the recipients of your personal data (if any).

We do not communicate the deletion of your personal data to the recipients to whom we disclose them if the communication to the recipient:

  • is impossible;
  • involves a disproportionate effort.

15.5 You have the right to obtain from us the restriction of the processing of your personal data.

Your right to obtain restrictions on the processing of your personal data:

  • does not include anonymous data;
  • includes personal data that concern you;
  • includes pseudonymised data that may be clearly related to you.

We need to restrict the processing of your personal data for a period of time in order to verify the accuracy of your personal data if:

  • you request to obtain the restriction of the processing of your personal data;
  • you contest the accuracy of your personal data.

We need to restrict the processing of your personal data if:

  • you request to obtain the restriction of the processing of your personal data;
  • the processing of your personal data is illegal;
  • you oppose the deletion of your personal data.

We need to restrict the processing of your personal data if:

  • you request to obtain the restriction of the processing of your personal data;
  • we do not need your personal data for our processing;
  • you request your personal data to establish a legal complaint;
  • you request your personal data to make a legal complaint;
  • you need your personal data to defend yourself against a legal complaint.

We need to restrict the processing of your personal data if:

  • you request to obtain the restriction of the processing of your personal data;
  • you object to the processing of your personal data that are necessary to carry out a task we perform in the public interest;
  • you oppose the processing of your personal data that are necessary in the exercise of an official authority entrusted to us;
  • you oppose the processing of your personal data that is necessary for the legitimate interests we pursue;
  • you wait to verify if the processing of your personal data has a legitimate reason that does not exceed your objection.

We need to communicate the restriction of your personal data to the recipients of your personal data (if any).

We do not communicate the restriction of the processing of your personal data to the recipients of your personal data if the communication to the recipient:

  • is impossible;
  • involves a disproportionate effort.

If we restrict the processing of your personal data, then we can:

  • store your personal data;
  • process your personal data based on your consent;
  • process your personal data to establish a legal complaint;
  • process your personal data to make a legal complaint;
  • process your personal data to defend ourselves against a legal complaint;
  • process your personal data to protect a person’s rights;
  • process your personal data for reasons of public interest of the Union or of a Member State.

If you obtain a restriction on the processing of your personal data, we need to inform you before removing the restriction.

15.6 If we process your personal data for direct marketing purposes, including profiling (to the extent that it is related to such direct marketing), you have the right to object to the processing of your personal data for that purpose.

Your right to object to the processing of your personal data for direct marketing purposes:

  • is a right that you have at all times;
  • does not include anonymous data;
  • includes personal data that concern you;
  • includes personal data that do not concern you;
  • includes pseudonymised data that may be clearly related to you.

If you object to the processing of your personal data for direct marketing purposes then we must omit the processing of your personal data for that purpose.

If we process your personal data for direct marketing purposes, including profiling (insofar as it is related to such direct marketing), then:

  • we must explicitly inform you of this right at the latest at the time of our first communication with you;
  • we must present this right clearly and separately from any other information.

16. How can you exercise your rights?

16.1 We invite you to communicate with us about the exercise of your rights regarding the protection of your personal data.

16.2 We accept only written requests, because we cannot deal with verbal requests immediately, without first considering the content of the request and without identifying you first.

Your request must contain a detailed and precise description of the right you wish to exercise.

You need to provide us with a copy of an identification document to confirm your identity as, for example:

  • ID card;
  • passport.

The document must contain:

  • an identification number;
  • the country of issue;
  • the period of validity;
  • your name;
  • your address;
  • your date of birth.

Any other data contained in the copy of the identification document, such as a photo or any other personal characteristics, may be masked.

We will not accept other means of ensuring your identity.

If you want to propose alternatives, we will evaluate them on a case-by-case basis.

The use of the information in your identification document:

  • is limited to the activity of confirmation of your identity;
  • will not generate a storage of your personal data more than it is necessary for that purpose or for the purpose of our legitimate activity to which you have consented by submitting the document.

You may send your request for the protection of your personal data at:

  • the email address: [email protected];
  • the email address of the contact person and/or responsible for the protection of personal data;
  • directly at headquarters or at the work points of the company, which are registered with the Trade Register Office;
  • other contact details communicated to you in this respect.

16.3 You will receive our response to your requests for the protection of your personal data directly to your contact addresses communicated officially to us: email, home address, place of work, etc.

16.4 We have appointed a person in charge of handling your requests for the protection of your personal data.

16.5 We have implemented policies that ensure that a request for the protection of your personal data is recognized and resolved within the length of time prescribed by law.

16.6 We inform you about how we deal with your request (exercising your rights) with regard to the protection of your personal data within one month after receiving your request.

17. Do you have the right to file a complaint?

17.1 You can file a complaint with a supervisory authority.

  • at your usual domicile in the EU and the EEA;
  • at your place of work in the EU and the EEA;
  • at the place of the alleged infringement in the EU and the EEA.

The supervisory authority must inform you within a reasonable length of time regarding the progress of the complaint and the outcome of the complaint.

17.2 You can authorize an organization to file a complaint on your behalf with a supervisory authority.

The supervisory authority must inform you within a reasonable length of time regarding the progress of the complaint and the outcome of the complaint.

17.3 You have the right to appeal in the EU and the EEA against an operator, an authorized person and a Supervisory Authority.

17.4 You can authorize an organization to exercise, on your behalf, the right to an appeal and to compensation for damage resulting from a breach of the law on personal data protection.

18. Can you choose the privacy settings?

18.1 At the moment, you cannot declare your choice regarding the processing of your personal data.

19. Will you be informed about the changes of the privacy policy?

19.1 If we change our privacy policy, we will publish a new version of it.

19.2 We do not provide the previous versions of our privacy policy.

20. Explanation of the terms and expressions used in this information note

20.1 All terms and expressions used in this Information Note will have the meaning given below, unless otherwise specified in the Information Note:

20.1.1 personal data means any information regarding an identified or identifiable natural person (“the data subject”):

  • An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as:
    • a name
    • an identification number
    • location data
    • an online identifier
    • the physical identity of a natural person
    • the physiological identity of a natural person
    • the genetic identity of a natural person
    • the psychological identity of a natural person
    • the economic identity of a natural person
    • the cultural identity of a natural person
    • the social identity of a natural person

20.1.2 The sensitive personal data are – according to the GDPR – called special categories of personal data:

  • The personal data are sensitive if the processing of such personal data reveals:
    • the racial origin;
    • the ethnic origin;
    • the political opinions;
    • the religious beliefs;
    • the philosophical beliefs;
    • the membership in a trade union.
  • The personal data are also sensitive if:
    • the genetic data are processed for the purpose of uniquely identifying a natural person;
    • the biometric data are processed for the purpose of uniquely identifying a natural person.
  • The sensitive personal data also includes:
    • data on the health condition;
    • data on the sexual life of a natural person;
    • data on the sexual orientation of a natural person.

20.1.3 The usual personal data are – in the GDPR – personal data that are not special categories of personal data. There is no exhaustive list of this personal data.

20.1.4 The Pseudonymisation of Personal Data means the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

20.1.5 Processing means any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as:

  • the collection;
  • the recording;
  • the organization;
  • the structuring;
  • the storage;
  • the adaptation;
  • the alteration;
  • the extraction;
  • the consulting;
  • the use;
  • the deletion or destruction;
  • etc.

20.1.6 The restriction of the processing means the marking of personal data stored in order to limit their processing in the future.

20.1.7 The purpose of the processing is the reason for the processing of personal data.

20.1.8 Profiling:

  • (1) must be an automated form of processing, including:
    • automated exclusive processing (to which Art. 22 of the GDPR refers);
    • automated partial processing (if a natural person is involved in the processing of personal data it does not necessarily mean that processing is not profiling).
  • (2) must be carried out with regard to the personal data;
  • (3) the objective of profiling must be to evaluate the personal aspects related to a natural person, in particular to analyse or to make predictions about people.

Note that the simple evaluation or classification of people automatically based on characteristics such as their age, gender, and height could be considered automated profiling, regardless of the predictive purpose.

20.1.9 Decisions based exclusively on the automated processing:

  • (1) means making decisions by technological means without human involvement;
  • (2) is based on personal data:
    • provided directly by the persons concerned (such as answers to a questionnaire);
    • observed about people (such as location data collected through an app);
    • derived or deduced, such as the profile of the person that has already been created (e.g. a credit score).

Automated decisions can be made with or without profiling; profiling can take place without making automated decisions.

20.1.10 Operator means the natural or legal person, the public authority, the agency or other body which, alone or with others, establishes the purposes and the means of processing personal data; where the purposes and the means of processing are laid down by the Union or national law, the operator or the specific criteria for designating it may be laid down in the Union or national law.

20.1.11 Authorized person means the natural or legal person, the public authority, the agency or other body processing personal data in the name and on behalf of the operator.

20.1.12 Recipient means the natural or legal person, the public authority, the agency or other body to which personal data are disclosed, whether or not it is a third party. However, the public authorities to whom personal data may be communicated in a particular investigation under the Union or national law are not considered recipients; the processing of such data by the respective public authorities complies with the applicable data protection rules in accordance with the purposes of the processing.

20.1.13 Third Party means a natural or legal person, public authority, agency or body other than the data subject, the operator, the person authorized by the operator and the persons who, under the direct authority of the operator or the person authorized by the operator, are authorized to process personal data.

20.1.14 Representative means a natural or legal person established within the Union, designated in writing by the operator or the person authorized by the operator under Art. 27, that represents the operator or the authorized person regarding the obligations incumbent upon them under this regulation.

20.1.15 Supervisory authority means an independent public authority set up by a member state pursuant to Art. 51 of the GDPR.

20.1.16 Mandatory corporative rules means the policies on the protection of personal data to be respected by an operator or a person authorized by the operator established in the territory of a Member State in respect of transfers or sets of transfers of personal data to an operator or a person authorized by the operator in one or more third countries within a group of enterprises or a group of enterprises engaged in a joint economic activity.

20.1.17 EU-U.S. Privacy Shield:

  • The EU-U.S. Privacy Shield was set up by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic trade. On 12 July 2016, the European Commission approved the EU-U.S. Privacy Shield as appropriate to allow data transfer in accordance with the EU law.

20.1.18 Suitability Decisions of the Commission:

  • The European Commission has the power to determine, on the basis of Art. 45 of the GDPR, whether a non-EU country offers an adequate level of data protection either through its internal legislation or through the international commitments it has concluded.
  • The effect of such a decision is that personal data may flow from the EEA (EU and Norway, Liechtenstein and Iceland) to that third country, without any further protection measure.
  • The European Commission has so far recognized an adequate level of protection for Andorra, Argentina, Canada (commercial organizations – PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the USA (limited to Privacy Shield).

20.1.19 Personal data breach means a breach of security leading accidentally or unlawfully to the destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored or processed in another way, or to the unauthorized access to them.

20.1.20 Enterprise means a natural or legal person carrying on an economic activity, irrespective of its legal form, including partnerships or associations which regularly carry out an economic activity.

20.1.21 A group of enterprises means a controlling enterprise and the enterprises controlled by it.

20.1.22 International Organization means an organization and its subordinate bodies governed by the public international law or any other body established by an agreement concluded between two or more countries or pursuant to such an agreement.