Black Sea Offshore Centre SRL must collect and use certain personal data of employees and collaborators.

This data refers to the personal data of clients, collaborators, contacts of employees and other people with whom the organization is related.

This procedure describes how personal data is collected, handled and processed to meet the company’s data protection standards, i.e. to comply with the law.

Why this procedure exists
This personal data protection procedure ensures that Black Sea Offshore Centre SRL:
● Complies with the legal provisions on data protection and establishes rules of good practice in the field
● Protects the rights of employees, clients and partners
● Is transparent regarding the storage and processing of personal data
● Protects against the risk of personal data loss or theft

Personal data protection law
GDPR 679/2016 describes how organizations – including Black Sea Offshore Centre SRL – must collect, handle and store personal information.

These rules apply regardless of storage mode, electronically, on paper or in other ways.

In order to comply with the legislation, personal information must be collected and used correctly, stored in secure places and not unlawfully disclosed.

GDPR is based on 8 important principles. They say that personal data must:
1. Be processed correctly and legally;
2. Be obtained only for legal and specific purposes;
3. Be appropriate, relevant and not excessive;
4. Be correct and updated;
5. Not be stored longer than necessary;
6. Be processed in accordance with the rights of the persons involved;
7. Be properly protected;
8. Not be transferred outside the European Economic Area, unless the country provides an adequate level of protection.

Rights of individuals with regard to personal data
● Right to information – information on personal data processing may be requested at any time;
● Right to rectification – Inaccurate or incomplete personal data can be rectified;
● The right to delete the data (the “right to be forgotten”) – data can be erased if their processing was not lawful or in other cases provided by law;
● Right to restrict processing – restriction of processing may be requested if the accuracy of the data is disputed, as well as in other cases provided by law;
● The right to object – data processing that is based on a legitimate interest may in particular be opposed;
● The right to portability of data – under certain conditions, the data provided may be received in a machine-readable format, or its transmission to another operator may be requested;
● The right to file a complaint – a complaint about the way personal data is processed can be filed with the National Supervisory Authority for Personal Data Processing;
● Right of withdrawal of consent – in cases where processing is based on the consent of a person, it can be withdrawn at any time. Withdrawal of consent will only have effect for the future, processing prior to the withdrawal remaining valid;
● The right not to be subject to automated decisions or profiling: you may request and obtain human intervention with respect to that processing, or you can express your point of view about this type of processing.

People, risks and responsibilities

Purpose of the procedure
This procedure applies:
● Central Office of Black Sea Offshore Centre SRL;
● All of the secondary offices and departments of Black Sea Offshore Centre SRL;
● All employees and volunteers of Black Sea Offshore Centre SRL;
● All contractors, suppliers and other people working for Black Sea Offshore Centre SRL.

The procedure refers to all personal data owned by the company relating to individual / nominal persons.

These data include:
● Name and surname;
● Postal address;
● E-mail address;
● Phone numbers;
● Personal identification number;
● Date of birth;
● Identity Card Data;
● Civil status;
● Passport data;
● Statement;
● Studies, courses;
● Experience (CV);

Risks of data protection
This procedure protects Black Sea Offshore Centre SRL from personal data security risks by identifying these risks and taking the necessary steps to adequately protect personal data. For this purpose, Black Sea Offshore Centre SRL highlights the main risks that may arise in protecting personal data:
● Violation of privacy rules. For example, mis-distribution of information;
● Deficiencies in offering alternatives. For example, everyone in the company must be free to choose how personal data is used by the company;
● Damage to reputation. For example, the company suffers when hackers have access to the sensitive data;

Responsibilities
All those who work for or with Black Sea Offshore Centre SRL are responsible for ensuring that personal data is treated according to GDPR, from its collection to its handling and storage.

Each team handling personal data must ensure that they are processed and handled in accordance with this procedure and with the legal principles of data protection.

However, the following persons have key responsibilities in data protection:
● Directors are first responsible for ensuring the legal protection of data at Black Sea Offshore Centre SRL;
● Human Resources Officer: keeps personal data safe and up to date; handles the personal data of employees and collaborators; periodically updates the directors on data protection responsibilities, risks and problems; periodically reviews the procedures and policies for personal data protection; informs employees about the protection of personal data (see Annex 1 and Annex 2, Information on the protection of personal data of current and new employees); responds to questions from employees and collaborators about this procedure and GDPR; responds to requests from employees and collaborators regarding the data that Black Sea Offshore Centre SRL holds about them (data requests); and verifies and approves any contract or agreement with third parties that involves the use of sensitive data.
● IT manager: ensures that the systems, services and equipment used to store personal data meet legal security standards; periodically checks and scans hardware and software equipment and systems to ensure data security; and evaluates third-party services used by the company for the storage and processing of personal data, for example cloud storage services.

General rules

The only people who have access to personal data are those who need this data to exercise their job.

Black Sea Offshore Centre SRL will inform all employees and collaborators of how their personal data is used by the company and third parties, through an information note, making this procedure available, etc. (see Annex 1 – Initial Information of Employees on the Protection of Personal Data and Annex 2 – GDPR Agreement of New Employees).

Black Sea Offshore Centre SRL processes the personal data of employees and collaborators who have given their consent for this purpose, being properly informed of how data is used.

Personal data will not be distributed for informal purposes. When access to confidential information is required, employees can ask the manager directly.

Black Sea Offshore Centre SRL will ensure that employees are properly and fully informed in order to help them understand the responsibility of handling the personal data.

Employees will keep their personal data safe, will be cautious and follow the specific procedure.

In addition, strong passwords will be used on any device with which they work and these passwords should not be shared with others.

Personal data should not be disclosed to unauthorized persons, either within the company or outside.

Personal data must be updated periodically when it is found to be outdated. If it is no longer needed, it can be deleted from the database or destroyed.

Employees will seek the help of the direct manager or human resource manager when they are not sure about certain aspects of data protection.

Black Sea Offshore Centre SRL does not process sensitive personal data (religion, sexual orientation, genetic or biometric data, etc.).

Personal data processed by Black Sea Offshore Centre SRL are required by law and can only be accessed by authorized persons or by state institutions.

Everyone has the right to access their own personal data collected by Black Sea Offshore Centre SRL, following a written request and at reasonable intervals, to verify the lawfulness of the processing.

Everyone has the right to update their personal data and the right to be “forgotten” upon request, if the law permits.

At Black Sea Offshore Centre SRL, the personal data of employees and collaborators is analyzed manually; it is not subject to automatic processing.

At Black Sea Offshore Centre SRL, personal data is processed anonymously for direct marketing purposes. Only marketing data and experience are used in marketing.

The principles of personal data protection by design and by default apply whenever personal data is processed.

As soon as Black Sea Offshore Centre SRL finds out that a breach of personal data protection has occurred, it will notify the competent authorities of this breach, without delay and within 72 hours of observation, if possible.

Black Sea Offshore Centre SRL will communicate a personal data security breach to the competent authorities and to the individuals involved, especially when this breach poses a high risk to a person’s rights and freedoms, allowing them to take the necessary precautions.

The processing of sensitive personal data relating to race, ethnic origin, political opinions, religion, philosophical beliefs, genetic or biometric data for the purpose of identifying a person, health or sex life data is forbidden at Black Sea Offshore Centre SRL.

Personal data storing

This paragraph describes how and where personal data should be kept so that it is safe. Questions about keeping personal data can be addressed directly to the IT manager or data processor (executives, accountants, human resources).

Data stored on paper will be kept in a folder placed in a safe place, inaccessible to unauthorized persons.

This guide applies to electronically stored data but also to data printed on paper for various reasons:
● When not required, staff records are held in a safe, inaccessible, possibly locked place;
● Employees will be instructed not to leave behind documents that contain personal data, such as at the printer;
● When they are no longer needed, the papers containing personal data will be destroyed and discarded.

Electronically retained data will be protected from unauthorized access, accidental deletion, and hacker attack:
● Personal data will be protected with strong passwords that will be changed periodically and will not be shared with other employees;
● When data is stored on mobile media (CD, DVD, USB), the media will be locked away securely when not in use;
● Personal data will be stored on specific drives and servers and will only be saved on an approved cloud storage service;
● Servers containing personal data are located in a safe place outside the office;
● Data is saved periodically on the server. These backups are regularly tested according to company standards;
● Personal data will not be saved directly on laptops or other mobile devices (tablets, smart phones);
● All servers and computers that contain personal data are protected by approved security software and firewalls.

Using personal data

Personal data is of no value if Black Sea Offshore Centre SRL cannot use it. However, it will be taken into account that accessing personal data may result in its loss, theft or alteration.

When working with personal data, employees will ensure that they lock the computer / screen when they are not around.

Personal information will not be shared for information purposes.

Data will be encrypted before being transferred electronically. The IT manager can explain to employees how to send data to authorized external contacts.

Personal data is not transferred outside of the European Economic Area.

Employees will not save personal data on personal computers. They will always access and update the centralized copy of the data.

Data accuracy

The legislation in force requires Black Sea Offshore Centre SRL to assume responsibility for the accuracy and correctness of personal data.

The accuracy and correctness of personal data is the responsibility of all employees.

Personal data will be kept in as few places as possible. Employees will not create unnecessary extra copies.

Employees will take every opportunity to ensure that personal data is accurate and complete. For example, they will update customer data when they call.

Black Sea Offshore Centre SRL will make it easier for you to update your personal data whenever possible. For example, through the company’s website.

Incorrect data will be erased. For example, when a customer cannot be reached at the phone number in the database, it will be deleted.

The marketing manager or company directors will update the database every six months.

Applications for access to the database

All persons whose data appear in the Black Sea Offshore Centre SRL database are entitled to:
● Ask what information the company has about them and why;
● Request access to personal data;
● Be informed about how to keep this data accurate and up to date;
● Be informed about the company’s privacy policy.

When a person contacts the company asking for this information, the action is called an access request (see Annex 3 – Application for Access to Personal Data).

Requests for access to personal data can be made by email addressed to the personal data processor (human resources officer, accountants, directors) at office@bsoc.eu. The data processor may require a standard access form to be filled in.

Requests for access to personal data are free of charge. The person processing the personal data will issue a response to the request within 14 business days.

The Data Controller will verify the identity of the person requesting the data before handing over any information.

Disclosure of personal data for other reasons

Under certain circumstances, the Personal Data Protection Act allows disclosure of personal data to legal institutions without the consent of the holder.

In such circumstances, Black Sea Offshore Centre SRL will disclose the personal data requested by legal entities. In this case, the data controller will ensure that the request is legal.

Providing information

Black Sea Offshore Centre SRL will ensure that company employees and collaborators understand how the company processes personal data and understand:
● How personal data is used;
● How to exercise their rights.

Black Sea Offshore Centre SRL has a Privacy Statement that sets out how personal data is used by the company. This Statement is available on request. A version of this Statement, as well as the Privacy Policy, can be found on the company’s intranet and in printed form at the Reception Desk.

Initial information

Regarding the protection of personal data

The undersigned, Black Sea Offshore Centre SRL, with headquarters in Năvodari City, D17 Street, no. 21, Constanta County, J13/1385/2018, CUI 39379474, phone +40745518933, hereby informs you, based on Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, that we will collect and process the personal data requested from you for employment (name, email address, telephone number, home address, CNP, marital status, studies, experience, etc.) for the purpose of concluding the employment contract between you and the undersigned.

The legal basis for processing your personal data is the conclusion and execution of a contract, and the processing required to comply with a legal obligation governed by labor law.

We inform you that the recipients of your personal data are the employees of the undersigned, the accounting department and human resources, but also the clients (who will be provided with your name, email address and telephone number when applicable), as well as state institutions, and that we DO NOT intend to transfer these data to another company (marketing and advertising company).

The data will be stored for a specified period: as long as there is a contract of employment in force; in the case of a dispute, during the settlement of the dispute; and, in accordance with the legislation in force, as long as we have a legal obligation to keep employment contracts, states and other legal documents in the accounting records and company archive.

We inform you that you have the right to request access to your personal data as well as rectification or erasure or restriction of processing under the law, as well as the right to complain to the supervisory authority if you believe that your rights have been disregarded.

We will establish technical and procedural measures to protect and ensure the confidentiality, integrity and accessibility of your personal data processed; prevent unauthorized use or access, and prevent personal data breach, in accordance with applicable law.

All details on the collection, processing and storage of your personal data are in the GDPR Data Protection Procedure that can be accessed at any time in electronic or paper form.

Data Processing Agreement According to GDPR 679/2016

The undersigned, Black Sea Offshore Centre SRL, with headquarters in Năvodari City, D17 Street, no. 21, Constanta County, J13/1385/2018, CUI 39379474, phone +40745518933, hereby informs you, based on Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, that we will collect and process the personal data requested from you for employment (name, email address, telephone number, home address, CNP, marital status, studies, experience, etc.) for the purpose of concluding the employment contract between you and the undersigned.

The legal basis for the processing of your personal data is the conclusion and performance of a contract, as well as the processing necessary to comply with a legal obligation governed by labor law.

We inform you that the recipients of your personal data are the employees of the undersigned, the accounting department and human resources, but also the clients (who will be provided with your name, email address and telephone number) and state institutions, and that we DO NOT intend to transfer these data to another company (marketing and advertising company). Also, CV data, especially those related to studies and experience, will be processed anonymously in case of collaborations with other companies (not marketing and advertising companies).

The data will be stored for a specified period: as long as there is a contract of employment in force; in the case of a dispute, during the settlement of the dispute; and, in accordance with the legislation in force, as long as we have a legal obligation to keep employment contracts, states and other legal documents in the accounting records and company archive.

We inform you that you have the right to request access to your personal data as well as rectification or erasure or restriction of processing under the law, as well as the right to complain to the supervisory authority if you believe that your rights have been disregarded.

We will establish technical and procedural measures to protect and ensure the confidentiality, integrity and accessibility of your personal data processed; prevent unauthorized use or access, and prevent personal data breach, in accordance with applicable law.

Please note that the details regarding the storage and processing of personal data can be accessed at any time in the GDPR Procedure (displayed on the intranet and available at Reception).

Head office
Năvodari, D17 street, no. 21, Romania
Telephone: +40 745 518 933
Landline: +40 371 193 962
E-mail: office@bsoc.eu
Website: bsoc.eu