Privacy Policy
OTELINOX PRIVACY POLICY ON CUSTOMERS AND OTHER THIRD PARTIES
I. INTRODUCTION
- This Privacy Policy explains what we do with your personal data. It describes how we collect, use and process your personal data, and how we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your rights. Please do not provide us with any of your data if you do not want it to be used in the ways described in the Privacy Policy.
- This Policy applies to personal data of individuals working with or for our customers, other contractual partners or potential business partners, hereinafter referred to generically as customers as well as other third parties, such as family members of our employees or candidates for positions within our company.
- For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR“), the company responsible for your personal data is Otelinox S.A., a company organised and operating according to Romanian law, registered with the Dambovita Trade Register under number J15/288/1991, holder of the Sole Registration Number RO 921641, headquartered in Romania, 16 SoseauaGaesti Str.,Targoviste, Dambovita County – 130087, duly represented by Mr. Yong Deok Kim as General Director. (“Otelinox” or “us“).
- It is important to note that we may change this Policy from time to time keep yourself informed regarding such changes by visiting our website, where we will post any changes to this Policy.
- If you are dissatisfied with any aspect of our Privacy Policy, or how we have implemented it, you may have legal rights and so we have described these as well where relevant.
II. SHORT FORM “AT A GLANCE” SECTION
In case you are not interested in a summarized explanation, please click here (Detailed_section), and we will take you straight to a more detailed explanation.
- What kind of personal data do we collect, why, and what are our legal obligations towards you?
- If you are working for one of our customers or other contractual partners, we need to collect and use information about you in the course of the relationship with our customer to ensure that things run smoothly. For example, we need contact details of our customer’s employees so that we can communicate with them.
- If you are not working for our current customers or other contractual partners, we may collect and process your personal data (most of which you provided voluntarily) with the purpose of creating a business relationship with you or your employer, and in case we will succeed herewith, we will use your data for the purposes described in the bullet point above.
- We are making sure that we are in line with the relevant legal obligations that we have towards you while at the same time comply with applicable laws we are subject to. This means that we store as little information about you as possible and keep you in the loop at all times. Yet, we are storing as much information as necessary to protect our business interests.
- In certain situations, we may process your personal data because you are a family member of an Otelinox employee. In this case, we may process the following personal data: name, surname, telephone number, home address, age, CNP, photographs, email address, mailing address, health data (including diagnosis).
- If you are a family member of an Otelinox employee, we may process your data for the following purposes: (i) co-insurance in the national health insurance system, (ii) establishing and granting benefits in accordance with applicable law for dependents, (iii) being able to contact you in connection with emergency situations involving a family member; or (iv) granting certain benefits to you. or a family member, usually an Otelinox employee (e.g. paid days off, financial or other benefits, compensation), in connection with events occurring in your family (marriage, birth, death, medical interventions, etc.).
- In the case of recruitment of new employees by Otelinox, we collect and process the following categories of personal data for this or future recruitment processes: identification data (name, surname, gender, citizenship, date of birth, place of birth, image, signature); contact data (postal address, e-mail address, telephone number); professional data (your employment and educational history, diplomas, studies, position for which you are applying, length of service, your personal interests, skills, aspirations, plans and any other categories of professional data that you include in the CV you provide to us).
- We process your personal data for the purpose of dealing with the public interest whistleblower’s report and, where appropriate, remedying the reported breach. The basis for this processing is the Law No 361/2022 on the protection of whistleblowers in the public interest, the processing being necessary for the fulfilment of a legal obligation under Article 6 para. 1 lit. c) of the GDPR.
- If you would like a more detailed description of the personal data that we collect in this way, why we do that, and what the legal justification is for doing so, please click here (What_kind).
- How do we collect your personal data?
- There are different ways in which we collect your personal data. For example, this could be directly from work with you. This may include meetings, e-mail correspondence, or events you have attended (especially trade fairs and exhibitions). In part, we also collect information you have publicly shared, or made available to one of our group companies (i.e. Samsung C&T Deutschland GmbH).
- If you are a family member of an Otelinox employee, we may collect data either from the family member or directly from you.
- If you are a candidate, we will normally collect data directly from you or from other sources such as recruitment platforms or recruitment agencies.
- If you are a whistleblower in public interest , we collect your personal data directly from you when you make a report to Otelinox by using the public interest whistleblowing reporting form available on the Otelinox website.
- If you want to know more about how we collect your personal data, please click here (How_do_we_collect).
- With whom do we share your personal data, why and where do we transfer them to?
- In limited cases we may share your data with our external data service providers, only based on data processing agreements.
- We do not sell or trade your personal data.
- As a rule, if you are a family member of an Otelinox employee, we will not transfer your personal data that we collect and process to other natural or legal persons. The situations in which data may be transferred to other companies or individuals are those in which they act as authorized persons in relation to Otelinox and only for legitimate reasons related to the fulfilment of the purposes for which the data was collected or for the establishment, defense and exercise of our rights or legitimate interests. In all these cases, Otelinox will make all reasonable efforts to ensure that the recipients process the data in conditions of security and confidentiality, in accordance with the purpose for which they were transmitted and with respect for your rights.
- If you are registered, in view of the purpose mentioned, your personal data will be transmitted to the following categories of recipients who will process them according to their internal procedures and legal provisions: other companies in the group of which Otelinox is part; third parties such as educational institutions or former employers when we do checks;
- If you are a whistleblower in the public interest, the data can be transmitted to the National Integrity Agency as well as to other public authorities, as the case may be, in order to achieve the purpose of the processing and/or in other cases provided by law.
- Of course, we ensure that we comply with the legal obligations towards you and if you want to see a more detailed explanation of who we may share your personal data with and why, please click here (With_whom).
- How do we safeguard your personal data?
- We care about protecting your information. That’s why we put in place appropriate measures that are designed to prevent unauthorised access to and misuse of your personal data. We have committed ourselves to ensuring that in case of a transfer of your data, our affiliated companies as well as our external data service provider by the stipulations of the GDPR.
- For more detailed information on theprocedures we put in place, please click here (How_do_we_safeguard).
- For how long do we keep your personal data?
- We will keep your personal data at least for the term of the relationship with our customer. In some instances, it can even go beyond a given contract because we are obligated to keep informationa according to the law in force, such as accounting rules or to being able to respond adequately to legal claims brought against us or to exercise our rights, as needed. In case we have not established a contractual relationship yet, we will store and process your personal data for the time of our regular business cycle.
- If you are a family member of an Otelinox employee, in principle, we will not retain your personal data unless we have a legal obligation to do so or for our legitimate interests in providing or facilitating a particular service or benefit to you or the employee. The expected duration for the retention and deletion of the various categories of data collected will be as set out in the legislation in force including that on archiving, i.e. until the purpose for which the data was collected has been achieved, for the duration necessary for its use as set out in the legislation in force (including tax legislation) or by the competent authorities.
- For chosen candidates, we will retain your personal data for as long as you are an Otelinox employee and thereafter if we are required to do so by a legal provision or if we have a legitimate interest (e.g. a legal action has been brought against us). If you are not selected as a result of this recruitment process, we will retain your personal data for a period of up to 6 months from the end of the recruitment process for future recruitment by Otelinox (unless we have a legitimate interest or are obliged by a legal provision to retain it for a longer period);
- If you are a whistleblower in the public interest, your personal data are kept for the period necessary to achieve the purposes specified above, imposed by the legal provisions applicable in this field, respectively by the provisions on archiving.
- For more information on our policy for the retention period of personal data, please click here (For_how_long) .
- How can you access, amend or take back the personal data that you have given to us and what other rights do you have in this context?
Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us at dataprotect@otelinox.ro. We will seek to action your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Your statutory rights in this context are:
- Right to object
- Right to withdraw consent
- Data Subject Access Requests (DSAR)
- Right to erasure
- Right to restrict processing
- Right of rectification
- Right of data portability
A detailed description of your rights listed above can be found (Detailed_description)
Furthermore, you have the right to lodge a complaint with a supervisory authority. If you wish to complain about our behaviour, especially in the context of collecting, using and processing your data, you are entitled to lodge a complaint with the competent authorities. Contact details of the Romanian supervisory authority can be found (Competent_authority)
- Who is responsible for processing your personal data?
Otelinox controls the processing of personal data. If you’ve got any further questions, or want further details, please click (Who_is_responsable).
III. LONG FORM DETAILED SECTIONS
In the following we will provide a more detailed look at the information we collect, why we collect them, and the legal basis that allows us to do so. Additionally, we will tell you what rights you have in relation to the information we store about you.
- What kind of personal data do we collect, why, and what are our legal obligations towards you?
In this section, we will tell you what kind of personal data we possibly collect about you and why this is necessary for us. We will also explain why we are allowed to collect such information under the applicable laws. We are storing information because of legal obligations we are subject to and because we want to ensure that our business runs smoothly. This might be the case for information necessary for us to comply with our tax or legal commercial obligations. So please note that the information described below is, of course, in addition to any personal data we are obligated by law to process in any given situation. In addition, it is important for you to know that we have instructed our employees not to collect sensitive personal data such as listed in Art. 9 GDPR (e.g. family relation, race, sexual orientation etc.). If any such processing is brought to our attention, we strive to immediately erase such data.
| To which category do you belong? | What kind of personal data? | What is the legal basis? | Why do we collect them and why are we allowed to do so? |
| We have an existing customer/contractual relationship with you or your employer | Name, e-mail, mobile number, entity, job position, office address, office number, fax number,resignation, business homepage, EU residents | Art. 6 (1)(b),(c) and (f) from GDPR | Art. 6 (1) allows us to store information if the “processing is necessary for the performance of a contract“, “processing is necessary for compliance with a legal obligation“, or “processing is necessary for the purposes of the legitimate interests of [us]”. This means we are allowed to store information in the context of our business relationships. One of the main reasons for using your personal data is to ensure that our business operation may run uninterruptedly between us and our customers. In order for us to accomplish that, we need to know about the people we need to get in touch with within our customers to ensure that the contractual arrangements between our customers and us can be properly implemented. Additionally, we also need to comply with certain legal obligations that are not directly related to you. For example, documents necessary for tax purposes or possible legal claims need to be available for many years. Business related documents such as contracts, or notes of meetings that we held could be necessary for us to prove that we comply with our tax obligations or as circumstantial evidence. Sometimes these documents may include your name on them and it might be technically impossible, or would require a disproportionate effort to blacken this information. |
| Work scope, work history | Art. 6 (1)(b),(c) and (f) from GDPR | Our ultimate goal is that the relationship with our customers can run smoothly and we can capitalize on our network and connection with you. Business also entails to prepare for contractual arrangements in the future and to look for future business opportunities by expanding existing business relationships. Art. 6 (1)(f) GDPR allows us to use information if “processing is necessary for the purposes of the legitimate interests pursued” by us, unless our interests “are overridden by the interests or fundamental rights and freedoms” of you. This is why we may keep information about your work scope or work history. It helps us to understand who we can contact within one of our customers if we want to enquiry about possible business opportunities. For example, we are able to assess whether we can approach you with a new proposal, for example, because of the scope of your work or your previous work, or whether we should rather contact one of your colleagues. We believe that this is also in your interest, and that your interest in not keeping this information does not override ours. | |
| We have no existing customer/contractual relationship with you or your employer yet | Name, e-mail, mobile number, entity, job position, office address, office number, fax number,resignation, date of meetings, business homepage | Art. 6 (1) (f) GDPR | We do not only maintain existing business relationships but also try to create new business. That´s why we process data of people who are working for potential future customers/contractual partners. We always intend to prepare for contractual arrangements in the future and to look for future business opportunities. Art. 6 (1)(f) GDPR allows us to use information if “processing is necessary for the purposes of the legitimate interests pursued” by us, unless our interests “are overridden by the interests or fundamental rights and freedoms” of you. Data such as name, e-mail, mobile number, entity, job position, office address, date of meetings, business homepage can be considered as the basic information to be required to contact you in your specific function for your company and to create a relationship which may lead to a successful business relation. |
| Work scope, work history, | Art. 6 (1) (f) GDPR | In addition to the explanation in the box above we may also proceed additional data, as we are of the opinion that this would help us to create a business relationship with you or your employer. For example, we are able to assess whether we can approach you with a new proposal, for example, because of the scope of your work or your previous work, or whether we should rather contact one of your colleagues. We believe that this is also in your interest, and that your interest in not collecting and keeping this information does not override ours. | |
| You are a family member of an Otelinox employee | Name, surname, telephone number, home address, age, ID, photos, email address, mailing address, health data (including diagnosis). | Article 6(1)(c) and (f), Article 9(2)(a) and (b) from GDPR | We may process your data for the following purposes: (i) co-insurance in the national health insurance system, (ii) establishing and granting benefits in accordance with the applicable law for dependants, (iii) enabling us to contact you in connection with emergency situations involving a family member; or (iv) granting certain benefits to you. or a family member, usually an employee of Otelinox (e.g. paid days off, financial or other benefits, compensation), in connection with events occurring in your family (marriage, birth, death, medical interventions, etc.). |
| You are applying for a position at Otelinox | Name, surname, gender, citizenship, date of birth, place of birth, picture, signature; contact data (postal address, e-mail address, telephone number); professional data (your employment and educational history, diplomas, studies, position for which you are applying, length of service, personal interests, skills, aspirations, plans and any other professional data you include in the CV you provide). | Article 6, paragraph 1, letter b and f from GDPR | Otelinox has a legitimate interest to process the personal data of candidates for positions within the company, this process being necessary for the performance of its activities. Also, in the case of selected candidates, Otelinox needs to process personal data for the conclusion of the employment contract. The identification data is necessary for the purpose of getting to know you, for verifications in relation to studies and former employers, as well as for the completion and conclusion of the individual employment contract if you are chosen following the recruitment process. The contact details are used for the transmission of documents necessary for the conclusion of the individual employment contract (e.g. offer of employment). Professional data are necessary to know your employment and educational history for the purpose of assessing you for the job for which you are applying. |
| You are a whistleblower in accordance with Law no. 361/2022 on the protection of whistleblowers in the public interest | Name and surname, contact details, signature of whistleblowers in the public interest, as well as any other personal data resulting from the documents/evidence sent by the whistleblower in supporting the report | Article 6, paragraph 1, letter c from GDPR | Otelinox processes your personal data for the purpose of dealing with whistleblower’s report the public interest and, where appropriate, remedying the reported breach based on the Law No 361/2022 on the protection of whistleblowers in the public inter |
- How do we collect your personal data?
As we have outlined in our short form, there are various ways in which we collect data. Your personal data that we collect is mainly obtained through the work that we do with you and our customers directly. This may include things written in e-mails, direct business correspondence, or information brought to our attention by way of presentations, business meetings, or work with your colleagues, or exchange of business cards with our employees or representatives.
In part, we also collect information you have publicly shared, or made available to one of our group companies (e.g. Samsung C&T Deutschland GmbH).
If you are a family member of an Otelinox employee, we will collect your data either from the employee or directly from you.
If you are a candidate, we will normally collect data directly from you or from other sources such as recruitment platforms or recruitment agencies.
- With whom do we share your personal data, why and where do we transfer them to?
In limited cases we may share your data with our external data service providers, only based on data processing agreements. Currently, we do not transfer you data outside the European Union. However, if we decide to do so we will duly inform you about such transfer and we will take any necessary measures to assure that we transfer your data in accordance with the GDPR.
In principle, where you are a family member of an Otelinox employee, we will not transfer your data outside Otelinox unless this is necessary for the fulfilment of a legitimate purpose.
As a rule, if you are a candidate, your personal data will be transmitted to recipients such as other companies in the Otelinox group or third parties such as educational institutions or former employers when we do checks.
Also, the personal data indicated in this Policy may be made available or transmitted (i) to public authorities, financial or legal auditors or institutions with powers to carry out inspections and controls on Otelinox’s activity and assets, which request Otelinox to provide information, in accordance with their legal obligations; (ii) to comply with a legal requirement or to protect the rights and assets of our Otelinox or other entities or persons, such as courts, bailiffs; (iii) third party acquirers, to the extent that Otelinox’s activity would be transferred (in whole or in part), and data subjects would be part of the assets that are the subject of such a transaction.
- How do we safeguard and store your personal data?
Currently we store your data on Otelinox systems or servers and other Otelinox data bases.
We care about protecting your information. That is why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data. These include measures to deal with a suspected data breach.
We are committed to taking all reasonable and appropriate steps to protect the personal data that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures.
If you suspect any misuse or loss of or unauthorised access to your personal data please let us know immediately using our contact details specified in Section 7 below.
- For how long do we keep your personal data?
We seek to store as little information about you as possible and keep you in the loop at all times. Yet, we are storing as much information as necessary to protect our business interests. The period of storing personal data starts with us obtaining information, including your personal data. The end of the storing period depends on the purpose for which we still need your personal data. This means we are storing your personal data at least for the time of a contractual relationship with our customer. However, we are permitted to store information, including your personal data, for longer if necessary to bring or defend ourselves against legal claims in court. This retention period relates to the respective periods set forth by a given statute of limitation. At the same time, we may need to keep your data for more than the period of the statute of limitations to ensure that we would be able to reach out to our commercial partners for maintenance work, or for follow up or additional acquisitions. We expect that this is understandable, given the particularity of the Romanian market where operators have little visibility.Hence, we keep your data for a general term of up to 10 years after the year of contract expiration, or for the duration of the product warranty period (whichever period is longer).
If we obtain your data for prospective business with you or with your employer, we will conserve your data for up to three years as of the moment when we establish contact and we will delete your data after three years if no business is started between you or your employer and us. We believe that this is justified considering the limited development of the Romanian market and the limited visibility of companies on the market, which makes business contacts very useful.
If you are a family member of an Otelinox employee, we will only attempt to retain your personal data if we have a legal obligation to do so or for our legitimate interests in providing or facilitating a particular service or benefit to you or your employee. The duration of retention is in principle set by law but where your data is not required after the termination of the employment relationship, we will delete your data after the termination of the employment relationship in which Otelinox is the employer.
If you are a selected candidate, we will retain your personal data for as long as you are an Otelinox employee and thereafter if we are required by a legal provision or if we have a legitimate interest (e.g. a legal action has been brought against us).
If you are not selected as a result of this recruitment process, we will retain your personal data for a period of up to 6 months from the end of the recruitment process for future recruitment by Otelinox (unless we have a legitimate interest or are obliged by a legal provision to retain it for a longer period).
In case you are whistleblower in public interest your personal data are kept for the period necessary to achieve the purposes specified to the data processing, imposed by the legal provisions applicable in this field, respectively by the provisions on archiving.
- Your rights regarding data processed by us:
If you want to exercise any of the rights below, please contact us at dataprotect@otelinox.ro.
- Right to object
If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Should such prolongation be necessary, we will inform you about this within 30 days. If we agree with your request, we will no longer process you data. Generally, we will only disagree with you if certain limited conditions apply. This may only be the case if we can demonstrate compelling legitimate grounds for the processing which override your interests or if the processing is required for the establishment, exercise or defence of legal claims.
- Right to withdraw consent
Where we have obtained your consent to process your personal data for certain activities (for example, for certain marketing arrangements or profiling), you may withdraw your consent at any time. As of this moment, we will no longer process your personal data.
- Data Subject Access Requests (DSAR)
Just so it’s clear, you have the right to ask us to confirm what information we hold about you at any time, and you may ask us to modify, update or delete such information. We will provide you with the following information regarding your personal data:
- the purpose of the processing;
- the categories of the personal data concerned;
- to whom we have disclosed or will disclose your data (if any);
- if possible, the envisaged period for which your data will be stored;
- where the data are not collected from you directly, any available information to their source;
- the existence of automated decision-making, the significance of such methods and envisaged consequences of such processing for yourself;
- in case we transfer your data outside the EU, how we safeguard this transfer.
We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Should such prolongation be necessary, we will inform you about this within 30 days. At this point we may do one of the following:
- we may ask you to verify your identity, or ask for more information about your request; and
- where we are legally permitted to do so, we may decline your request, but we will explain why if we do so.
- Right to erasure
In certain situations you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Should such prolongation be necessary, we will inform you about this within 30 days. The situations in which you may be entitled to demand such erasure are (inter alia):
- the data is no longer necessary for the purpose for which we collected and processed them;
- if you withdraw your consent to process your data;
- if you use your right to object (as described above);
- if we processed your data unlawfully;
- if we are obliged by law to erase your data.
- Right to restrict processing
You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
- Where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
- Where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
- Where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
- Where we have no further need to process your personal data but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
- Right to rectification
You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you, including by means of providing a supplementary statement. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
- Right of data portability
If we processed your data on the basis of your consent, you have the right to transfer your data from us to another data controller. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Should such prolongation be necessary, we will inform you about this within 30 days. We will help with this – either by directly transferring your data for you, or by providing you with a copy in a commonly used machine-readable format so you can transfer them yourself.
- Right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with the supervisory authority in Romania at the following contact details:
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal
Address: Bucharest, Romania, 28-30 G-ral Gheorghe Magheru Bld., District 1, post code 010336
E-mail: anspdcp@dataprotection.ro
Phone: +40.318.059.211
Fax: +40.318.059.602.
If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please use our contact details specified in Section 7 below. Please note that we may keep a record of your communications to help us resolve any issues that you raise.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
- Who is responsible for processing your personal data?
Otelinox is the controller of your personal data in the European Union, meaning that it is responsible for the processing of your personal data. If you wish to contact us, please use the following contact details:
Otelinox S.A.
- Address
Soseaua Gaesti nr. 16, Targoviste, Dambovita District;
- e-mail : dataprotect@otelinox.ro