Personal data protection (GDPR)

1. General Presentation

1.1. Introduction
SC CATALYST ADVISORY SRL, as a personal data operator, processes personal data relating to the natural persons with whom they interact, for the stated purpose.
This may represent data relating to customers, suppliers, business contacts, employees and other persons with whom the company has entered into a contract or with whom it is in a relationship: identification data (name and surname, series/CI no./passport, CNP), contact data (postal and e-mail addresses, telephone numbers), studies, position held.
This policy describes how personal data must be collected, used and stored in order to be consistent with the company’s data protection standards – and also meet the condition of legality. This control applies to all systems, people and processes that make up the organisation’s IT systems, including board members, directors, employees, suppliers and other third parties who have access to SC’s systems CATALYST ADVISORY SRL.

1.2. Existence of the policy
This data protection policy ensures within SC CATALYST ADVISORY SRL:
• Compliance with the legal requirements at European and national level regarding the protection of applicable personal data and good practices in this field;
• Protection of the rights of the persons concerned: for example partners, customers, employees/collaborators;
• How to store and process personal data collected directly or from third parties;
• Protection of the company from possible risks related to the violation of data security;
• Increasing the degree of trust of the external environment, in relation to SC CATALYST ADVISORY SRL.

1.2.1. The legislation regarding the protection of personal data
Regulation (EU) no. 679/2016 describes how companies – including SC CATALYST ADVISORY SRL – must process personal data. Significant fines are applicable if a breach is deemed to have been enacted under the GDPR Regulation, which is designed to protect data of European Union citizens.
These rules apply regardless of whether the data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used correctly, stored securely, and not allowed to be used illegally.
Regulation (EU) no. 2016/679 transposes the fundamental principles on the basis of which data processing is permitted, with companies having the obligation that the personal data they collect:
1. To be processed legally, fairly and transparently towards the data subject (“lawfulness, fairness and transparency”);
2. Be collected for specific, explicit and legitimate purposes and are not subsequently processed in a way incompatible with these purposes (“purpose limitation”);
3. Be adequate relevant and limited to what is necessary in relalation to the purposes for which they are processed (“data minimization”);
4. To be accurate and, if necessary, to be updated; all necessary steps must be taken to ensure that personal data that is inaccurate, having regards to the purposes for which it is processed, is deleted or rectified without delay (“accuracy”);
5. Not to be kept longer than necessary (“storage limitation”);
6. To be processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing against accidental loss, destruction or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”);
7. To be processed in accordance with the rights of the persons concerned;
8. Not to be transferred outside the European Economic Area, unless the tritory/country where they are to be transferred ensures an adequate level of personal data protection.

1.2.2. Definitions
The GDPR’s definition of Personal data is broad:
Personal data = any information relating to an identified or identifiable natural person.
In order to make a correct interpretation of this definition policy, it is necessary to know the fundamental terms in the field of data protection:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

1.3. Principles regarding the processing of personal data
Regulation (EU) No. 2016/679 transposes the fundamental principles on the basis of which data processing is permitted, with companies having the obligation to process personal data under certain conditions.
In order to comply with the applicable legislative framework, the personal data within SR CATALYST ADVISORY SRL are:
• processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
We will always make all necessary efforts to ensure that we comply with all these principles both in the current processing process and as part of the introduction of new processing process and as part of the introduction of new processing methods, such as possible new IT systems.

1.4. The rights of the data subject
The data subject has several rights under the GDPR Regulation. They consist of:
• The right to withdraw consent;
• The right to information;
• The right of access;
• The right to rectification;
• The right to delete data (“the right to be forgotten”);
• The right to restrict processing;
• The right to data portability;
• The right to object to processing;
• The right not to be the subject of a decision based exclusively on automatic processing, including the creation of profiles;
• The right to submit a complaint to the Authority;
• The right to apply to justice.
Each of these rights is supported by appropriate forms in SC CATALYST ADVISORY SRL that allow the necessary action to be taken within the terms established by the GDPR Regulation.
Data subjects can exercise some of the above rights by e-mail, addressed to the data operator at Applications will be exempt from any fee. The operator will be obliged to provide an answer within a maximum of one month, and in certain exceptional cases within two months after receiving the request.
We will always verify the identitiy of any data subject who addresses us with a request regarding their data processed by us. In order to respond to requests and allow the exercise of rights, the legal department or external legal consultants will have a say on the merits of the request.

1.5. Basis of processing
Processing of personal data at SC CATALYST ADVISORY SRL is based on the following legal grounds contained in Regulation (EU) 679/2016:
1. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
2. processing is necessary for compliance with a legal obligation to which the controller is subject;

The personal data collected and processed are necessary to conclude or execute a contract with the data subject, in which case their explicit consent is not required. This is because the contract cannot be concluded without the personal data in question, for example an appointment cannot be made without a telephone number where the customer can be contacted.
Given that personal data must be collected and processed by us in order to comply with the law, explicit consent is not required. This may be applicable to certain employment and taxation data, for example.

1.6. Purposes of processing
As part of our professional acitivty, we process personal data to implement the company’s object of activity – the sale of specific company products.
We also process personal data to honor the legal obligations that regulate our field of activity, such as the Civil Code, the Fiscal Code, the Labour Code.

2. Policy Applicability Limits

2.1. The scope of the policy
This policy applies to:
• To all departments of SC CATALYST ADVISORY SRL;
• To all the staff and volunteers of SC CATALYST ADVISORY SRL;
• To all contractors, suppliers and other persons working on behalf of SC CATALYST ADVISORY SRL.
It applies to all data that the company holds in relation to identifiable natural persons.
The categories of personal data processed are those that you provide when filling out the contact form. This data includes: name, email address and telephone number.
In addition to providing products from the electrotechnical industry, we reserve the right to process personal data for marketing purposes. To update you on the latest news related to the products of SC CATALYST ADVISORY SRL.

2.2. Risks
This policy helps protect SC CATALYST ADVISORY SRL from real security risks, including:
• Violations of confidentiality.
• Damage to reputation. For example, the company could be harmed if this data were obtained by interested parties from the inside through a security breach.

3. Data Storage
These rules describe how and where personal data should be stored. When data is stored on paper, it should be kept in a secure place where unauthorized persons cannot gain access. These instructions also apply to data that is normally stored electronically but has been printed for some reason:
• Papers or files should be kept in a closed place or in a closed drawer;
• Employees should ensure that paper or printouts are not left with unauthorized people who may see them, such as on the printer;
• Prints should be destroyed when no longer needed.
When data is stored electronically, it must be protected from unauthorized access, accidental deletion or intentional hacking attacks:
• Data should be protected by strong passwords that are changed regularly and never shared between employees, while sensitive data should be encrypted;
• When data is stored on removable media (such as CD, DVD), it is kept safe when not in use;
• Data will only be stored on dedicated servers or units and should be uploaded to an approved cloud computing service;
• Servers containing personal information should be placed in a safe place, away from the general office space;
• Data must be saved directly on laptops and not on other mobile devices such as tablets or smartphones.
• The data has a periodic back-up;
• All servers and computers containing data are protected by Security and firewall software.

4. Use of data
SC CATALYST ADVISORY SRL does not process personal data on a large scale and neither sensitive data. Even so, we want to keep your data safe. In order to prevent risk situations such as those of corruption or even theft, we have established a series of rules that must be followed when using this data:
• When working with personal data and remaining even for short periods of time unattended, staff ensure that computer screens are closed;
• Personal data is processed at the headquarters and/or at the workplace of our beneficiaries. All documents containing personal data, in electronic format, on paper and on any other storage and transfer medium of personal data are processed/ collected/ kept/ stored/ archived/ destroyed, etc., by the beneficiary, under the terms of the law;
• We reduce, as much as possible, the transmission of personal data by e-mail, considering that this way of communication is not secure. As an exception, the only transmission of sensitive data by e-mail is that intended for the person concerned, at their express request;
• Sensitive data should be encrypted before being transferred outside the European Economic Area;
• Workers are prohibited from saving personal data on their personal devices;
• Data will be kept in few places; the staff must not create any additional places that are not necessary, such as unecessary copies;
• Staff are trained to take every opportunity to ensure data is up to date. For example, by confirming some details when the customer calls;
• Data is updated when inaccuracies are discovered. For example, when a customer can no longer be contacted via a phone number, it is recommended to remove them from the database.

5. Disclosure of data for other reasons
In certain circumstances, the law allows personal data to be disclosed to law enforcement without the data subject’s consent.
In these circumstances, SC CATALYST ADVISORY SRL will disclose the necessary data. The data controller will ensure that the request is legitimate, seeking assitance from the company’s legal advisors where neccessary.

6. Provisioning of information
SC CATALYST ADVISORY SRL aims to ensure that the data subjects know how the data is processed, making sure they understand:
• How their data is used;
• How they can exercise their rights.
For this purpose, the company has a Cookies Policy, establishing how personal data is used within it.

7. Consequences
Failure to comply with this data Policy by company employees or other external collaborators may lead to disciplinary sanctions (including termination of the employment contract), termination of contracts and, depending on the circumstances, action in court for the full recovery of damages caused to the organization as a result of failure to comply with this Policy.
When there is suspicion of illegal activities (such as, for example, the theft of documents, copying, distribution, transfer of databases), the Company will report the criminal activity to law authorities for the prosecution of the perpetrator.
This Policy will be made known by the company’s management to all employees, collaborators, business partners or other third parties, including by publishing it on the company’s website