Policy on the processing of personal data on the THENSPACE website SRL.

Art. 1. General Information

In the course of its business, THENSPACE SRL, with its registered office in Bucharest, Sector 1, EMANOIL PORUMBARU Street, No. 93-95, processes your personal data when you access the website https://thenspace.ro/ (“Website”).

The company ensures, at all times, compliance with all principles and legislation regarding the protection of personal data, in terms of the processing, collection, storage, and transfer of personal data, as regulated by the legislation in force, as well as by the provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”).

This policy sets out the key principles regarding data protection and how the Company manages the personal data you provide to us when accessing the Website. The Company will ensure that this policy is updated and will publish the latest version on the website.

DEFINITIONS

The following definitions of terms used in this document are taken from Article 4 of the GDPR:

Personal data: Means any information relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing: Means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.

DPO: Means the data protection officer, more specifically the person responsible for data protection.

Art. 2. Categories of personal data

We understand the importance of your personal data and are committed to protecting its confidentiality and security. Therefore, it is important for us to inform you about the processing of your personal data as a user of our Website through this policy.

The categories of personal data processed by the Company vary depending on your interaction and relationship with the Website. Thus, your personal data may be provided by you in various sections of the Website, in particular in the following situations: when you fill in the contact form on the Website https://thenspace.ro/contact, as well as other forms on the website.

Art. 2.1. Categories of data that may be processed:

  1. a) When filling in the contact forms available on the Website: name, surname, email address, media files, etc.;

The data you provide must be real, accurate, and up-to-date, and you must have the right to provide it. The data mentioned in points a) – c) above are provided by you voluntarily when interacting with the Company for the purpose you have communicated. You are therefore responsible for the data you provide on the website, both to us and to any third party who may be harmed by the provision of such data.

The website may also collect certain information about your browsing and interactions with its various sections. We will store or access information and cookies on your terminal equipment (computer, phone, tablet, etc.) only under the conditions described in the corresponding Cookies section. The categories of personal data that are processed include: the time and date of access to the site, as well as the IP address of the terminal from which the website was accessed.

Art. 2.2. The company may process the data mentioned in Art. 2.1 above for the following purposes:

  1. For the purpose of managing requests, complaints, suggestions: processing data for completing contact forms; the processing of such personal data is carried out based on your consent, as well as in the legitimate interest of the Company in order to resolve complaints, improve services, manage suggestions and requests sent to the Company;
  2. In the context of processing the data of Website visitors, in order to ensure the proper functioning of the Company’s website; the legal basis for the collection is the legitimate interest of the Company in improving the services offered;

Art. 3. Basic principles regarding the processing of personal data

The processing and management of your personal data is carried out in accordance with the following principles:

  • It is open and transparent about what it does with the data and why it uses it;
  • It keeps the data secure;
  • It ensures that it always has a legal basis for managing the data;
  • It collects and uses the minimum amount of data necessary, thus complying with the principle of minimization;
  • It keeps data up to date, accurate, and complete;
  • It does not keep data longer than necessary, ensuring the implementation of data retention periods where there is no mandatory period provided by law;
  • Respects the legal rights of data subjects with regard to their personal data;
  • Does not transfer data abroad without taking the measures provided for data transfer, and not before informing the data subjects thereof.

Art. 3.1. Fairness and transparency

Personal data is processed lawfully, fairly, and transparently in relation to the data subject. This is the basic principle and means that we only use personal data to the extent that the persons who entrust it to the Company have been informed in advance about how it will be used. You may request information from the Company at any time regarding the following main aspects:

  • What kind of data will be collected;
  • For what purpose it will be used;
  • With whom it will be shared (if applicable);
  • Whether it will be transferred to other countries;
  • How long it will be stored;
  • What rights individuals have regarding their personal data;
  • Indication of the contact channels through which data subjects can exercise these rights.
  • Personal data will be processed only for the purpose communicated to the data subject.
  • Subsequent changes to the purpose of processing will be communicated to the data subject prior to the use of their personal data.

Art. 3.2. Legality

The Company understands that it must carry out all processing activities for a specific purpose related to its activity, but also within the limits of a corresponding legal justification, as well as in order to fulfill the legitimate interests of the Company in the context of carrying out its object or activity, as follows:

  • providing responses when completing the contact and accommodation form;
  • participating in competitions and campaigns organized online by the Company;

Art. 3.3. Consent of the data subject

Obtaining the consent of the person whose data we are going to collect and process is another legal basis provided by the GDPR, and the Company will process personal data only on the basis of your express and unequivocal consent, in all situations where it is necessary.

Art. 3.4. Data minimization

Personal data will only be used when absolutely necessary and relevant to a specific process or project task. If the use of personal data cannot be avoided, the Company will only use the minimum data necessary to fulfill that purpose.

Art. 3.5. Data accuracy

Data protection legislation requires that personal data be kept accurate, complete, and up to date. The Company will ensure that inaccurate or incomplete data is corrected, supplemented, updated, or deleted, as appropriate.

Art. 3.6. Data retention and storage period

We will retain your personal data for a period not exceeding the period necessary to fulfill the purposes for which the data is processed, except in situations where legal provisions provide or require otherwise.

Thus:

  • with regard to the contact form, we will retain your personal data for the period necessary to respond to your messages and requests and to prove the correspondence with you, but no longer than 1 year from receipt thereof;
  • in order to participate in contests and campaigns organized online by the Company, we will retain your personal data for the period necessary to run these programs and prove your participation in them, in accordance with the Regulations communicated for each event separately;
  • with regard to the analysis of website navigation and user interactions with the website, we will retain data regarding your interactions for a period of up to 3 years.

The Company may delete your personal data when it considers that it is no longer necessary for the purposes for which it was collected.

We do not store information and do not access the information stored on your terminal equipment (computer, phone, tablet, etc.) without your prior consent or when these operations are carried out exclusively for the purpose of transmitting a communication over an electronic communications network, or are strictly necessary for the provision of an information society service expressly requested by you (for example, to store information about your activities on the website or in the mobile or tablet application, so that you can easily use the website or mobile or tablet application on a subsequent visit).

For the use of cookies that require your prior consent, the website will ask for your consent via a banner displayed on the website when you access them. This banner contains a link to this Personal Data Protection Policy and gives you the option to accept cookies or refuse them. If you have given your consent but later change your mind, you can use your internet browser settings to delete the stored information or to refuse cookies.

If you want to know what cookies are, please refer to the Privacy Policy on our website.

Art. 3.7. Data security

The company ensures and implements the technical and organizational security measures required by law and industry standards to protect your personal data against accidental or illegal destruction, loss, alteration, disclosure, or unauthorized access, as well as against any other form of illegal processing. We also take steps to ensure that we use your personal data exactly as described in this Policy and to respect the choices you make regarding the processing of your personal data.

Art. 3.8. Disclosure to third parties

Except as described below, we will not disclose any information about your data without your authorization. Based on your express and unequivocal consent, provided in accordance with applicable law or for the purpose of fulfilling a legal obligation and/or protecting a legitimate interest, we may transfer your personal data to:

  • Service providers in the following areas: marketing, administrative services, and transaction processing;
  • Other service providers, all of whom have signed confidentiality agreements; ü Organizations or companies that coordinate specific studies and agree to keep the information received confidential;
  • State and government agencies, if required by law;
  • Other authorities and bodies, for the purpose of fulfilling our legal obligations and/or protecting our legitimate interests;
  • Other companies with which we may develop joint programs to market our products and services;

The transfer of your personal data to the above-mentioned recipients will only be made on the basis of a confidentiality commitment and assurance of an adequate level of security on their part, guaranteeing that personal data is kept safe.

Art. 4. Rights of individuals

In accordance with the legal provisions in force, data subjects have the following rights:

  • The right to be informed about how and why personal data is used;
  • The right to request copies of personal data held by an entity (including information contained in emails, instant messages, notes, etc.);
  • The right to request the correction of any inaccuracies in their personal data;
  • The right to order the deletion of personal data (including permanent deletion from the Company’s systems and any systems of an outsourcing provider to which the Company has granted access);
  • The right to request that the Company cease processing personal data;
  • The right to object to the use of their personal data for direct marketing purposes;
  • The right to have any personal data that has been provided to the Company transferred to another party (e.g., another banking service provider) “in a structured, commonly used, and machine-readable format”;
  • The right not to be subject to a fully automated decision-making process (i.e., a system-generated decision without human input) where the outcome has a legal or similarly significant effect on the individual concerned;
  • The right to withdraw consent where it has been given for the purpose of processing;
  • The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing, if deemed necessary.

If the Company receives a request from you exercising any of the above rights, we will respond to the request within 30 days, with the possibility of extending this period, only after informing the data subject and provided there is a valid reason justifying the impossibility of responding within 30 days.

Art. 5. Data security breach

In the event that personal data is lost, damaged, stolen, compromised, or following a complaint about how the Company has handled personal data, the Company will report the breach to the National Supervisory Authority for Personal Data Processing within 72 hours of becoming aware of the breach and notify the relevant persons without delay if they are likely to be affected by the incident. In addition, the Company will make reasonable efforts to limit the damage caused by the data breach.

Art. 6. Organization and responsibilities

The responsibility for ensuring the proper processing of personal data lies with any person who works for or is in any form of collaboration with the Company and who has access to the personal data being processed.