Policy on the processing of personal data collected from users/visitors of this website
BIA Human Capital Solutions S.R.L.
1. Presentation of the company
The website www.bia.ro (hereinafter referred to as the “website”) belongs to the company BIA Human Capital Solutions, hereinafter referred to as BIA HCS, a Romanian company with its registered office in Bucharest, Horia Macelariu str., no. 61 – 81, floor 1, sector 1 and is registered at the Bucharest Trade Registry under no. J40/3290/2010, having fiscal code RO26715513. This website is used to present BIA HCS’s own services, but also those of its partner, BIA Human Resource Management Services (hereinafter referred to as BIA HR), with headquarters in Bucharest, str. Horia Macelariu, no. 61 – 81, floor 1, sector 1, which is registered at the Bucharest Trade Registry under no. J40/7707/2005, having fiscal code RO17521526.
2. The purpose of this Personal Data Processing Policy
This Personal Data Processing Policy of BIA HCS, displayed on this website, is applicable only to users/visitors of the www.bia.ro website and describes the principles of personal data processing, the categories of personal data that we process, the purpose and operations of processing, the legal basis of their processing and how BIA HCS fulfills its responsibilities as a personal data operator, to maintain the security of your information and full compliance with the requirements of the GDPR – i.e. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation), here called GDPR and all legal requirements arising from this.
This Personal Data Processing Policy of BIA HCS is valid for all users/visitors of the website, with or without an account.
For other categories of persons concerned (who are not users/visitors of this website, but are partners of BIA HCS for the performance of BIA HCS services, as clients, suppliers, natural persons who will become/are employees of BIA HCS, natural persons whose personal data are processed by BIA HCS as the person authorized by the client companies, who appear as data operators or with whom BIA HCS shares the status of associated operators), information on how GDPR requirements are met is specified in contractual documents and/or in personalized Information Notes.
3. Definitions from the GDPR, used in this Personal Data Processing Policy of BIA HCS
- Personal data = means any information regarding an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, an identification number, location data, an online identifier, or to one or more specific elements of his physical, physiological, genetic, psychological, economic, cultural or social identity;
- Biometric data = means personal data resulting from specific processing techniques related to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or dactyloscopic data
- Processing = means any operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extract, consult, use, disclose by transmission, disseminate or otherwise make available, align or combine, restrict, delete or destroy
- Operator = means the natural or legal person, public authority, agency or other body that, alone or together with others, establishes the purposes and means of personal data processing; when the purposes and means of processing are established by Union law or domestic law, the operator or the specific criteria for its designation may be provided for in Union law or domestic law;
- Person authorized by the operator = means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the operator;
- Recipient = means the natural or legal person, public authority, agency or other body to whom the personal data is disclosed, whether or not it is a third party. However, public authorities to whom personal data may be communicated within a certain investigation in accordance with Union law or internal law are not considered recipients; the processing of this data by the respective public authorities respects the applicable data protection rules, in accordance with the purposes of the processing;
- Consent of the person concerned = means any free, specific, informed and unambiguous manifestation of the data subject’s will by which he/she accepts, through a statement or through an unequivocal action, that the personal data concerning him/her will be processed
- Personal data security breach = means a security breach that leads, accidentally or illegally, to the destruction, loss, modification or unauthorized disclosure of personal data transmitted, stored or otherwise processed or to unauthorized access to these.
4. Principles of personal data processing, according to GDPR
- Personal data are processed in a legal, fair and transparent manner towards the data subject (“legality, fairness and transparency”)
- Personal data are collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes (“purpose limitations”)
- Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)
- Personal data are kept in a form that allows the identification of the persons concerned for a period that does not exceed the period necessary to fulfill the purposes for which the data are processed (“storage limitations”)
- Personal data are processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, through appropriate technical and/or organizational measures (“integrity and confidentiality”)
5. Purpose of processing, processed data and description of processing operations, legal basis of information processing, recipients, archiving period of personal data
I. BIA HCS collects and processes only the personal data that you provide as a user/visitor of the website, for the following purposes:
- Communication of information about our services, to initiate the bidding process
- Communication of information regarding the services of the BIA HR partner, based on a partnership agreement between BIA HCS and BIA HR
- Participation in the recruitment process, by accessing the open posts/positions – with or without a user account on the website
- Participation in courses & webinars
- If you are the representative of a company and want to receive more information about the services provided by BIA HCS regarding recruitment and consultancy for labor and immigration legislation, the personal data collected from you, as a user/visitor of the website are: name, surname, company, city/sector, telephone, e-mail (CONTACT section – individual option or connected with SERVICES section – Personalized information). In the communication process in order to present the services and offer, it is possible to use the ZOOM or TEAMS platforms. In order to protect your biometric data, BIA HCS guarantees that the meetings organized through these platforms will not be recorded, nor will screenshots be taken (print screen).
Processing operations: collection (at the time of provision, through voluntary registration by users/visitors), registration and storage (in the BIA HCS database), use (for the communication desired by users/visitors), deletion (when they are no longer needed or when expressly requested by users/visitors).
Legal basis: the consent given by users/visitors [art. 6 para. (1) lit. a) of the GDPR.], in order to initiate a communication process, in order to conclude a service contract between BIA HCS and potential clients, who wish to use the recruitment and/or consulting services for labor and immigration legislation of BIA HCS [art. 6 para. (1) lit. b) of the GDPR].
Recipients: the internal staff of BIA HCS, who will develop the communication process. Your personal data is not transferred outside the EU.
Archiving period: for the entire duration of communication in order to offer and conclude a contract, but also for the duration of the possibly concluded contract, if necessary. If the conclusion of a contract is not reached, the data subject is requested, by e-mail, to consent to the retention of data by BIA HCS for a longer period of time (5 years from the end of the contractual relationship), for marketing purposes, with the amendment that the data subject may request at any time the deletion of the data from the BIA HCS database, together with the withdrawal of consent. These operations are carried out through a written request to the e-mail address biaoffice@bia.ro
Important note: If the communication with you, as a user/visitor of the website, results in a service provision relationship between BIA HCS and the company on whose behalf you communicated, all the information relating to how the GDPR requirements are respected will be the subject of an Annex to the service contract concluded between BIA HCS and the company you represent.
If you are the representative of a company and you want to receive more information about the services provided by our partner, BIA HR, regarding payroll and personal administration, the personal data collected from you, as a user/visitor of the website are: name, surname, company, city/sector, telephone, e-mail (CONTACT section – individual option or connected with SERVICES section – Request a personalized offer).
Processing operations: collection (at the time of provision, through voluntary registration by users/visitors), registration and storage (in the BIA HCS database), transmission to BIA HR of your data (in order to enter them into the database of BIA HR and for use by BIA HR for the communication desired by users/visitors), deletion (when they are no longer needed or when expressly requested by users/visitors) from the databases of BIA HCS and BIA HR. BIA HCS and BIA HR act as independent operators regarding the processing of your personal information, both assuming compliance with GDPR requirements.
Legal basis: the consent given by users/visitors [art. 6 para. (1) lit. a) of the GDPR.], in order to initiate a communication process, with a view to concluding a service contract between the BIA HR partner and potential clients, who wish to use the payroll and personal administration services of BIA HR [art. 6 para. (1) lit. b) of the GDPR].
Recipients: the internal staff of BIA HCS, who will forward them to the internal staff of BIA HR, who will develop the communication process with the concerned persons. Your personal data is not transferred outside the EU.
Archiving period: for the entire duration of communication in order to offer and conclude a contract with the BIA HR partner, but also for the duration of the possibly concluded contract, if necessary. If the conclusion of a contract is not reached, the data subject is requested, by e-mail, to consent to the storage of data by BIA HCS (in its own name and/or in the name of BIA HR) for a longer period of time (5 years from completion of the contractual relationship), for marketing purposes, with the amendment that the data subject may request at any time the deletion of data from the BIA HCS database, respectively BIA HR, with the withdrawal of consent. These operations are carried out through a written request to the e-mail address biaoffice@bia.ro
Important note: If the communication with you, as a user/visitor of the website, results in a service provision relationship between the BIA HR partner and the company on whose behalf you communicated, all the information regarding how GDPR requirements are complied with will be the subject of an Annex to the service contract concluded between the BIA HR partner and the company you represent.
If you are an individual user/visitor of the website and you want to apply for a certain post/position opened by a BIA HCS client, in the JOBS section, your data collected voluntarily, through the website, are: first name, last name, e-mail, telephone, city. All the information you document in your CV (studies, qualifications, professional experience, foreign languages, PC knowledge, holding a driving license, biometric data such as photos, etc.), but also the related documents, which certify the information in your CV (diplomas, certificates, identity documents, references from previous jobs, etc.), requested later, if the recruitment process in which you will be involved advances, will be protected against any security incidents. Of all the documents and information you provide us, those that are not necessary for the recruitment process will be deleted, as far as possible. In the interview stage, carried out with the internal staff of BIA HCS and/or with the staff of the BIA HCS client, the one who generated the recruitment process, the ZOOM or TEAMS platforms can be used to facilitate communication. In order to protect your biometric data, BIA HCS guarantees that interviews organized through these platforms will not be recorded, nor will screen captures (print screens) be taken and encourages you to request the same guarantee in the case of interviews organized directly by BIA HCS clients, in which representatives of BIA HCS will not participate.
Important observation: Please do not include in your CV or other attached documents information of a special nature such as bank accounts or data about your and your family’s health, racial or ethnic origin, political opinions, religious confession or philosophical beliefs, data regarding life or sexual orientation, genetic data of you or those in your family, photos of your children or those in your family!
Personal data processing operations: collection (at the time of provision, through the voluntary registration carried out by users/visitors), registration and storage (in the BIA HCS database), extraction and structuring (to configure the correspondence between the job criteria and the candidate’s profile, without discriminatory profiling based on age, sex, etc.), dissemination and disclosure by transmission (to the BIA HCS client who managed the recruitment process), deletion (when they are no longer needed or when expressly requested by users/visitors).
Legal basis: the consent given by users/visitors [art. 6 para. (1) lit. a) of the GDPR], in order to carry out a service contract between BIA HCS and the clients who have started the personal recruitment actions [art. 6 para. (1) lit. b) of the GDPR].
Recipients: BIA HCS internal staff, who mediate communication between candidates and BIA HCS clients for the recruitment service, as well as client staff, who await candidate proposals for employment. Your personal data is not transferred outside the EU.
Archiving period: for the entire duration of communication within the recruitment projects and another 12 months from the end of the respective projects. BIA HCS requests, through an information note sent by e-mail, to the persons concerned in the category of candidates, the consent to keep the data of those who were not recruited by BIA HCS clients, in order to use this data in other recruitment projects. Consent to keep the data by BIA HCS for a longer period of time (5 years) is requested, with the amendment that the data subject may request at any time the deletion of the data from the BIA HCS database, together with the withdrawal of consent. If they wish to keep their data in the BIA HCS database, the concerned persons interested in the recruitment process can correct their contact data at any time, in order to update them. All these operations are carried out through a written request to the e-mail address biaoffice@bia.ro
If you want to participate in courses & webinars, as individuals or as representatives of some companies, the data collected are: name, surname, position, e-mail, phone (section COURSES & WEBINARS, within each webinar – Registration form).
Personal data processing operations: collection (at the time of provision, through voluntary registration by users/visitors), registration and storage (in the BIA HCS database), extraction and structuring (for the transmission of information related to access to online platforms in which webinars will take place), deletion (when they are no longer needed or when they are expressly authorized by users/visitors).
Legal basis: the consent given by users/visitors [art. 6 para. (1) lit. a) of the GDPR].
Recipients: the internal staff of BIA HCS, who organize the webinars and access to them. Your personal data is not transferred outside the EU.
Archiving period: 12 months from the first registration of participation in a course & webinar, with the amendment that the data subject may request at any time the deletion of the data from the BIA HCS database, together with the withdrawal of consent. These operations are carried out through a written request to the e-mail address biaoffice@bia.ro.
The provider of website hosting services/web server management services automatically collects and stores information in the so-called server records, which the browser used by the user/visitor transmits to us automatically. This stored information may include:
- The type and version of the browser used, as well as the installed plugins;
- Type of operating system used;
- URL reference;
- The hostname or the device from which the access was made;
- Date and time when the server received the information.
The information mentioned above cannot be linked to a specific person individually. Also, we do not associate the collected data with information from other sources. However, we reserve the right to analyze the information, if a suspicion of illegal or unauthorized use is brought to our attention.
III. Processing of personal data, by association with Facebook, LinkedIn, Instagram, YouTube, Zoom, Teams platforms
INFORMATION NOTE REGARDING THE PROCESSING OF PERSONAL DATA ON THE FACEBOOK PAGES OF BIA HUMAN CAPITAL SOLUTIONS S.R.L.
INFORMATION NOTE REGARDING THE PROCESSING OF PERSONAL DATA ON THE LINKEDIN PAGES OF BIA HUMAN CAPITAL SOLUTIONS S.R.L.
INFORMATION NOTE REGARDING THE PROCESSING OF PERSONAL DATA ON THE INSTAGRAM PAGES OF BIA HUMAN CAPITAL SOLUTIONS S.R.L.
INFORMATION NOTE REGARDING THE PROCESSING OF PERSONAL DATA ON THE YOUTUBE CHANNELS OF BIA HUMAN CAPITAL SOLUTIONS S.R.L.
For more details regarding the privacy policies and the way in which the ZOOM platform processes your personal data during online courses & webinars and/or during information meetings about our services, please access: https://zoom.us/docs/en-us/privacy-and-security.html. If you do not agree with the policies of the ZOOM platform, please do not register for the Events organized by BIA or refuse meetings through this platform.
For more details on privacy policies and the way in which the TEAMS platform processes your personal data during online courses & webinars and/or during information meetings about our services, please access: TEAMS – https://privacy.microsoft.com/en-gb/privacystatement and https://account.microsoft.com/privacy/third-party-ads?scrolltonewtoggle=true. If you do not agree with the policies of the TEAMS platform, please do not register for the Events organized by BIA HCS or refuse meetings through this platform.
6. Rights of data subjects, from the category of website users/visitors
- The right to information = allows access to concrete information regarding why personal data is collected and how it is processed by BIA HCS, so that there is a guarantee of compliance with the legal requirements in force;
- The right of access = allows obtaining confirmation that personal data are processed by BIA HCS and the relevant details of these processing activities;
- The right to rectification = allows the rectification (modification/correction/completion, updating…) of personal data, if they are inaccurate;
- The right to delete data = allows the deletion of personal data in certain cases (when they are no longer necessary for the purpose of processing, when the data subject withdraws his consent, when the data subject opposes the processing, when the personal data were processed illegally, etc.);
- The right to restriction of processing = allows the restriction of processing of personal data in certain cases (when the data subject disputes the accuracy of the data, when their accuracy is verified, when it is verified which rights prevail – of the operator or of the data subject, etc.);
- The right to data portability = allows receiving the personal data provided, in a structured format, commonly used and which can be read automatically or the transmission of this data to another data operator, upon request (when it is technically feasible);
- The right to opposition and the automated individual decision-making process = allows opposition to the further processing of personal data, under the conditions and limits established by law; for the situations of using personal data in marketing activities or in the interests of the operator, explicit consent is requested, the persons concerned being able to object at any time to the processing of data for those purposes, by notifying the operator; you therefore have the right to withdraw your consent when there is a processing based on it; the withdrawal of the consent does not affect the legality of the processing carried out on the basis of the consent before its withdrawal.
Related rights of website users/visitors:
- The right to be informed about the existence or not of an automated decision-making process for the creation of profiles (in case of existence – information about the reason and the consequences of such processing on the concerned persons).
- The right to lodge a complaint with the supervisory authority – you can send any complaints regarding the GDPR to the e-mail address biaoffice@bia.ro, but also to the National Authority for the Supervision of Personal Data Processing: e-mail anspdcp@dataprotection.ro and telephone +40 21 252 5599.
- The right to exercise a judicial appeal if he considers that the rights he benefits from under the GDPR have been violated.
For other information on how to exercise the GDPR rights of users/visitors of this website and the effective application of rights, please contact us at the e-mail address biaoffice@bia.ro. We may ask you to prove your identity, by sending a copy of a valid means of identification, in order to comply with the security obligations we have and to prevent the unauthorized disclosure of data.
7. Liability of the operator
BIA HCS, as a personal data operator, assumes, according to the GDPR, the following main obligations in relation to the users/visitors of this website:
- ensuring an organizational framework so that the concerned persons (users/visitors of this website) can exercise their rights;
- recording the personal data processing operations of the persons concerned;
- assessment of the impact of the loss of personal data security and assessment of risk factors that may affect the security of personal data type information (in special situations, prior consultation of the National Authority for the Supervision of Personal Data Processing can be accessed);
- the application of technical and organizational measures to protect personal data and prevent their destruction, loss, modification or unauthorized disclosure; in the application of these measures, BIA HCS assumes compliance with data protection assurance starting from the moment of conception (by designing) and implicitly (by default); for the effectiveness of these measures, BIA HCS assumes exclusive partnership with companies that, in turn, comply with GDPR requirements;
- informing the persons concerned about possible violations of personal data;
- notification of the National Supervisory Authority for the Processing of Personal Data in case of possible personal data security incidents;
- handling security incidents through actions that lead to their elimination or decrease the probability of their recurrence; internal monitoring of the degree of compliance with the GDPR requirements and the continuous improvement of the security measures of the personal data type information of the persons concerned, in the category of users/visitors of the website.
8. Ensuring data protection
BIA HCS applies two categories of measures for the processing of personal data of users/visitors of the website for all categories of information, including for the personal data that it processes (collected through the website and/or during the provision of its services):
A. Technical measures, such as those provided in the following Policies:
– Information Security Policy, which also involves personal data type information
– Cryptographic Policy – a) encryption techniques for data storage in the cloud, data protection on removable media, password protection on systems, e-mail protection, remote access, etc., which are tested and revised in order to increase their effectiveness; b) rules for managing cryptographic keys, so that they are protected
– Anti Malware Policy – a) antivirus platform installed in key locations – firewall, e-mail servers, other servers, users’ computers (users do not deactivate their protection); b) spam filtering; c) installing only permitted software on computers and periodically scanning computers to identify unauthorized software; d) information reported by ITC service providers regarding vulnerabilities and malware incidents, including threat monitoring and alerting, which will generate, after the analysis, additional protective actions
– Access control policy to IT systems and applications – a) requirements for access control, depending on the level of security imposed on various categories of classified information (including personal information); b) user access management
– Network security policy – a) characteristic of the network; b) network security management.
– Cloud systems policy – with rules for the relationship with service providers that use the cloud.
B. Organizational measures:
– Physical security policy – a) secure areas; b) rules for the use of documents in written format, which contain personal data, including the archiving of these documents
– Electronic Messaging Policy – with information about the rules for using e-mail
– the training of BIA HCS internal users regarding the access control elements to IT systems and applications (by user and password), including password-protected communication by e-mail – with the signing of the Declaration of Acceptable Use
– training of BIA HCS internal users regarding the physical access elements (via card) – with the signing of the Declaration of Acceptable Use
– training of BIA HCS internal users on the methods of spreading malware (phishing, mobile codes, hacking/cracking, the use of USB, CD, DVD, etc.) and how to protect themselves
9. Solving the requests and/or complaints of the persons concerned
Any requests and/or complaints can be addressed:
- to BIA HCS, in writing, at the e-mail address biaoffice@bia.ro; please specify – the identity of the applicant/complainant, the subject of the request/complaint, with appropriate details and evidence, if applicable; BIA HCS will confirm receipt of the message within 4 hours of receiving it and will respond, after analysis, within a maximum of 48 hours of receiving your message (the message may contain the results of the analysis and/or the actions decided and/or the measures implemented and/or which are to be implemented, with the deadline; as the case may be, the applicant/complainant will receive further information regarding the status of the announced actions)
- to the National Supervisory Authority for the Processing of Personal Data, with headquarters in B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, either in the form of a written address, at the institution’s headquarters, or by e-mail at anspdcp@dataprotection.ro; additional information can be found on the website www.dataprotection.ro
- to the competent courts.
10. Management of information security incidents
*Security incidents can be: destruction, loss, modification, unauthorized disclosure of personal data or unauthorized access to it.
Both BIA HCS and its partners, who provide ITC services as support for this site or for other social media tools to which the site is connected, monitor the effectiveness of the technical and organizational measures implemented.
When it identifies security incidents, directly or through its partners (who immediately announce the occurrence of incidents, if they have detected them), BIA HCS follows the steps:
- records the incidents in the internal documents, within 2 hours at the most from their detection
- together with its partners, if they were involved in the occurrence of the incident, applies, within a maximum of 48 hours from the discovery of the incident, the necessary corrective actions to eliminate or reduce the effects of the incidents
- together with its partners, if they were involved in the occurrence of the incidents, identifies, after a maximum of 48 hours from the detection of the incident, their cause/causes, evaluates the risk (in terms of the severity of the impact of the incident and the number of affected persons) and decides on the application of corrective actions, so that the incidents do not recur (the implementation period differs, depending on the nature of the actions); all these actions must not exceed 72 hours from the detection of the incidents
- informs the supervisory authority, within a maximum of 72 hours from the moment it became aware of it, except in the case where it is likely to generate a risk for the rights and freedoms of natural persons; if the notification does not take place within 72 hours, it is accompanied by a reasoned explanation for the supervisory authority
- in the event that the security incidents present a high risk for the natural persons affected, informs, within a maximum of 72 hours from their occurrence, the respective targeted persons, communicating to them the context of the occurrence of the incident, its type (according to the above *) and what personal data has been affected; if the notification does not take place within 72 hours, it is accompanied by a reasoned explanation; it does not inform natural persons if effective technical and organizational protection measures have been applied, or other measures that ensure that the risk is no longer likely to materialize
- informs, within a maximum of 2 hours from the moment when it became aware of the incident, the companies for which BIA HCS acts as an authorized person or which act, together with BIA HCS, as associated operators.
11. Other information
PRIVACY POLICY UPDATES
This Privacy Policy was updated in May 2024. We reserve the right to periodically update and modify this Privacy Policy, to reflect any changes in the way we process your personal data or any changes in legal requirements. In case of any such modification, we will display the modified version of the Privacy Policy on our website and/or make it available in another way.
CONTACT
If you wish to contact us regarding any questions related to this privacy policy, as well as the processing of your data, please send us an e-mail at biaoffice@bia.ro.