Policy on the processing of personal data on the website www.natureart.ro NET & MANAGE SRL
General information

NET & MANAGE SRL (hereinafter referred to as “natureart.ro”, “us” or similar) is a company from Romania, with registered office in jud. Arad oras Arad, STR. EPISCOP ROMAN CIOROGARIU, NR. 24, registered at the Trade Register under number J02/280/2002, fiscal code 14552161, email office@natureart.ro.

natureart.ro is an online shop. In order to achieve this goal, we get in touch with our visitors who wish, at their initiative, to place orders. We then process the data in order to deliver the orders registered on the site. We also carry out marketing/promotion campaigns to attract buyers for various products and other personal data processing operations which we explain below.

What is personal data?

According to the GDPR, “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

There is no list of personal data, and the GDPR does not require states to draw up such a list, for the simple reason that a piece of data can become personal data in one context and simply information without personal data value in another context.

Here are some examples of personal data:

  • name;

  • someone’s domicile or residence;

  • an e-mail address (including addresses such as andrei.popescu@firma.ro);

  • identity card, passport or ID card number;

  • location data (e.g. location data function available on a mobile phone)*;

  • an IP address;

  • a cookie ID;

  • someone’s silhouette from CCTV footage;

  • a car registration number;

As you can see, the definition of personal data contains some important elements:

Personal data concerns information about natural persons, not legal persons. The distinction is important because, for example, the Commercial Registry number, the Tax Code or other company identifiers are not personal data. Moreover, when an e-mail address or a telephone number is clearly targeted at a legal person (e.g. office@ e-mails or phone calls from a public call-centre of a company), then we are not talking about personal data.
It does not matter whether the processing of this personal data is done through an automated system or through a non-automated system (e.g. manual processing), if it is part of a structured data filing system. The only important thing is that we are talking about a processing of such type of data.

More information for understanding what personal data are can be obtained by reading Opinion No 4 of 2007 on the concept of personal data, issued by the Article 29 Working Party.

Simplifying the above definition, we could conclude that personal data means data relating to a living individual who can be identified using or building upon such data and using additional information which is or may be in the possession of the data controller.

The information we collect

Information provided directly by you, through forms (for example, as a result of registering as a member of the community, as a result of requesting a service, as a result of orders placed on the site).

Data provided by you directly

We use forms through which you can make an account, order, leave reviews. These forms include fields such as your name, email address, mobile phone number, password, delivery address details, billing details, etc.

We use this data to allow you access to the site and to be able to deliver the products and services you have chosen to receive (the product you ordered). The legal basis for this processing is the entry into and performance of a contract to which you are a party (whenever you perform the above operations, you agree to the terms and conditions of the provision of those services) or your consent, if we are talking about making commercial communications to you, other than about similar products and services you have already purchased from us, where we are entitled to send you commercial communications (but we will continue, at all times, to offer you the opportunity to unsubscribe from those kinds of communications).

We may also sometimes need to request additional tax information if we are required by law to file tax returns in connection with products and services ordered by you. In that case, we will refer to your address (required to be listed on the tax invoice), as well as other tax data that we are required by law to collect and process in connection with the transaction in question. In this situation, the legal basis for processing will be the obligation to comply with the provisions of the legislation.

We also offer the possibility to send us a message. The data you submit as a result of using this contact option is processed on the basis of our legitimate interest in responding to your request and/or keeping a record of your complaint, request for advice and the like. This data is stored for 5 years.

Using the site

We automatically collect certain information, which we store in traffic reports. The information we are talking about may include the IP of the device you are visiting us from, the region or general location from which you are accessing the site, and the type of browser, operating system or device you are accessing us from. In addition, we also collect a history of the pages you access.

We use this information pursuant to our legitimate interest in observing the extent to which the site’s pages match the display needs of your particular device, to diagnose possible problems our servers have when delivering pages to certain types of devices, to analyze trends, to observe how users can better navigate our pages.

We also collect statistical demographic information that helps us identify website visitor preferences. The website also uses cookies, which you can read about in the section below.

Cookies and similar technologies

In the early days of the Internet, websites had no memory. This is why, in the early versions of websites, it was not possible to authenticate visitors or to use aids such as shopping baskets in the case of online shops or other mechanisms that help the user and the website to recognise each other on other visits.

Cookies were invented precisely to remedy this problem. They are small text files, placed on a visitor’s terminal, that act as a memory for the site. Whenever a visitor accesses a website, he or she can write or read in the cookie placed on the terminal all kinds of information that the visitor has already sent to the website, directly or indirectly. Subsequently, other technologies have developed from this to serve the same purpose. We have tried to describe each of these technologies below.

Cookies are small text files placed on your computer or mobile devices when you visit websites. “Direct” cookies are set by the domains you are visiting at the time. “Third-party” cookies are set by domains other than those of the websites you visit.

The mobile advertising code is a unique identifier (ID) set by the operating system of your mobile device. This ID helps applications you install on your device that may contain ads to recognize you. Most devices allow applications to access the Mobile Advertising ID by default. However, you can change your device settings to prevent your device from sharing this code with various apps. Check the “Help” section for operating systems to learn more about managing Mobile Advertising IDs. On Android, Advertising means the Android Advertising ID, on iOS devices it means the Advertiser ID (IDFA).

Most cookies can be included in one of the categories below:

(a) Strictly Necessary: these cookies are essential in providing the services requested by you. Without them, the website cannot function or deliver the services provided (login, shopping cart, etc.).

(b) Performance: these cookies collect information about how visitors use a website, such as which pages are most popular, which method of linking between pages is most efficient, and whether users encounter error messages from web pages. These cookies allow us to provide a high quality experience to our visitors, as well as measure page audience. The information collected by these cookies does not identify users. They are designed to help improve the functioning of our website.

This website uses Google Analytics, a web traffic analysis program provided by Google, Inc. (“Google”). Google Analytics uses cookies to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google.

Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity. Google may also transfer this information to third parties where required to do so by law, or where such third parties are authorised to process the information on Google’s behalf. Google will not associate your address IP address with other data held by Google. You can refuse the use of cookies by selecting the appropriate settings in your browser. However, please note that if you do so, you may not be able to use the full functionality of this website.

(c) Functional: these cookies remember the choices you make to improve your experience.

(d) Targeting and advertising cookies: these cookies collect information about your browsing habits to make advertising relevant to you and your interests. They are also used to limit the number of views of an advertisement as well as to help measure the effectiveness of advertising campaigns.

Your choices about cookies

You can adjust your browser privacy settings to block all cookies; however, this could seriously affect your browsing experience as many websites may not function properly. Your browser may allow you to delete all cookies when you close your browser. This option, however, results in the deletion of persistent cookies, which may store your preferences and custom settings on sites you visit regularly. However, it is possible to keep the cookies you want, as your browser may allow you to specify which sites are always or never allowed to use cookies.

More details on how to delete cookies or how to manage cookies in different internet browsers can be found by clicking on the links below:

Cookie settings in Internet Explorer
Cookie settings in Firefox
Cookie settings in Chrome
Cookie settings in Safari

To opt out of being tracked by Google Analytics please visit:

http://tools.google.com/dlpage/gaoptout

The IAB has built the following website to provide specific information on privacy issues related to Internet advertising: http://www.youronlinechoices.com/ro/

Full information on how organisations use cookies is available at: www.allaboutcookies.org

To whom we transfer this information

We will only disclose your personal data for the purposes and to those third parties listed below. We will take appropriate steps to ensure that your personal data is processed, secured and transferred in accordance with applicable law.

Disclosure to website group companies

Your personal information may be disclosed to any company that is part of our group if we consider it in our legitimate interest to do so for internal administrative purposes or for auditing and monitoring our internal processes.

We may also transfer your personal information with companies in our group that provide products and services to us, such as information technology systems. Access to your personal information is limited to those employees who need to know your personal information and may include employees in marketing, information technology and security departments.

Disclosure to third parties

We will transmit your personal data, where strictly necessary, on a need-to-know basis, to the following categories of third parties:

(a) companies that provide products and services to us (assignees);

(i) media agencies, such as those running promotional campaigns and those managing the website;

(ii) market research services: analysis, advertising, strictly for the needs of the site;

(iv) information technology systems providers and support, including email archiving, telecommunications providers, back-up and disaster recovery services and cyber security services.

(b) companies involved in the operation of our website, if they do not provide a service to us.

(c) other parties, such as public authorities and institutions, accountants, auditors, lawyers and other external consultants, whose work involves a need to know this data or where we are required by law to make this disclosure.

We will also disclose your personal data to third parties:

If you give us your consent for this disclosure;

To persons who demonstrate that they are acting lawfully on your behalf;
Where it is in the legitimate interest of the site to administer, grow and develop its business:

(a) If we sell the business or parts of it, we may disclose your personal data to the potential buyer of the business or parts of it, given the need to maintain the continuity of the business.


(b) If the website or a substantial part of its assets are acquired by a third party, in which case the personal data processed by the website will form part of the transferred assets.

(c) If we are required by law to disclose a particular type of information, in the case of lawful requests by government officials, or where we are required to comply with national security or law enforcement requirements or to prevent illegal activity.

(d) To respond to any complaints, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or

(e) To protect the rights, property or safety of the Website, our employees, customers, suppliers or others.

Some of these recipients (including our affiliates) may use your data in countries outside the European Economic Area. Please see the dedicated box below for more details on this.

Restrictions on use of information by third parties

Any third parties to whom we disclose your personal information in accordance with the above are limited (by law and by contract) in their ability to use your personal information only for the purposes specifically identified by us. We will always ensure that any third parties to whom we disclose your personal information are subject to confidentiality and security obligations in accordance with the contracts signed with them and applicable laws. However, for the avoidance of doubt, this may not be applicable where disclosure is not our decision.

Except in the situations expressly detailed above, we will never disclose, sell or rent your personal information to a third party without notifying you and, if applicable, obtaining your consent.

Transfer of information outside the European Union

Personal information may be processed by our staff operating outside the EEA, other members of our group or third party data processors for the purposes set out above.

If we provide any personal information about you to such entities located outside the EEA, we will take appropriate steps to ensure that the recipient adequately protects your personal information in accordance with this notice. These measures include:

– in the case of US-based service providers, entering into standard contractual agreements with them approved by the European Commission or ensuring that they have enrolled in the Privacy Shield program (see further https://www.privacyshield.gov/welcome); or

– in the case of service providers based in other countries outside the EEA (including Japan), entering into standard European Commission contractual agreements with them.

Further details of the steps we take to protect your personal information in these cases are available from us on request by contacting us (see section below) at any time.

What rights do you have as a website user?

The Regulation recognises a number of important rights for data subjects (it is up to the controller to ensure that they are respected):

  1. Right to information – Articles 13 and 14 GDPR. It allows data subjects to know, even at the time of collection, how the data will be used, to whom it will be disclosed or transferred, what rights data subjects have with regard to the data processed, etc.

  2. Right of access to data – Article 15 GDPR. Allows you to obtain, from us, confirmation as to whether or not personal data concerning you is being processed and, if so, access to that data and other useful information.

  3. Right to erasure of data – Article 17 GDPR. Allows you to obtain from us the deletion of personal data concerning you without undue delay. There are, however, exceptions to this rule, such as the idea that some data are processed to provide the public with the right to information, that they are processed for statistical or archiving purposes, that they are processed for the fulfilment of a legal obligation or that we process them for the establishment or defence of a right in court.

  4. Right to rectification of data – Article 16 GDPR. Allows you to obtain from us, without undue delay, the rectification or completion of inaccurate personal data concerning you.

  5. The right to restrict data – art. 18 GDPR. This is a right of a temporary nature. In some situations, between the time when, for example, we take the decision to delete certain data (we no longer need the personal data for processing purposes) and the actual deletion of the data, you send us a request objecting to the deletion, on the grounds that you need the data for the establishment, exercise or defence of a legal claim. Following such a request, we will “freeze” the data by stopping its processing for a certain period of time.

  6. Right to data portability – Article 20 GDPR. You have the right to receive personal data concerning you that you have provided to the controller (who processes it under a contract or on the basis of your consent, by automated means) in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller without hindrance from us. In other words, your personal data will be provided to you, in a structured format, so that you can decide whether to download it or, on the contrary, to send it to another controller.

  7. Right to object – Art. 21 GDPR. You have the right to object, for example, to the processing of your personal data when they are processed for direct marketing purposes. To make it clearer how you can exercise this right, it should be mentioned, for example, that in all newsletters coming from the website (whether we are talking about newsletters that only provide information or newsletters that promote services or products) you will always have the possibility to unsubscribe. We offer this possibility in absolutely all situations, whether or not the law obliges us to do so (not all mailings from us are considered to be direct marketing), because we think it is important that your interaction with the site exists only as long as you want it to.

  8. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects him or her to a significant extent.

  9. The site does not carry out such profiling that is followed by automated decisions with significant legal or similar effect on the data subject. At the time we carry out such profiling, we will notify you and amend this notice.

  10. The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing. B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, cod posta/l 010336, Bucuresti, Romania. +40.318.059.211 / +40.318.059.212, anspdcp@dataprotection.ro.

Please consider the following:

Time period:

We will try to respond to your request within 30 days and may extend this period for specific reasons related to the complexity of your request. In all cases, if this period is extended, we will inform you of the extension period and the reasons for it.

Restricting access:

In certain situations, we may not be able to give you access to all or some of your personal data due to legal provisions. If we refuse your request for access, we will inform you of the reason for the refusal.

No identification:

In some cases, we may not be able to search your personal data due to the identifiers you provide in your request. In such cases, if we are unable to identify you as a data subject, we are unable to comply with your request to enforce your legal rights described in this section unless you provide additional identifying information. We will inform you and give you the opportunity to provide such additional details.

Exercising your legal rights:

To exercise your legal rights, please use any of the contact methods listed above.

In order to exercise these rights of information, access, rectification, restriction, deletion, opposition and/or portability of personal data, we provide you with two ways:

A secure online module stores information about your personal data associated with your account, which contains mechanisms to verify your identity in our reference system.

Verification of your identity as a holder of personal data may require the provision of additional personal data at a reasonable level, limited to the activity of confirming your identity.
This additional data will be retained temporarily, for a period of time appropriate to the stated purpose.

In the event that you do not have an account and do not wish to create one for the purpose of using the online tools provided for the management of your personal data or have failed to use the tools provided on the site after your login or your login has failed, you may send a written request, including a detailed and clear description of the right you wish to exercise regarding the protection of personal data, to office@natureart.ro.

Security

The Website is committed to protecting your personal data against loss, misuse, disclosure, alteration, unavailability, unauthorized access and destruction and takes all reasonable precautions to protect the confidentiality of such data, including the use of appropriate organizational and technical measures. Organisational measures include controlling physical access to our premises, training staff and locking physical files in storage lockers. Technical measures include the use of encryption, passwords for access to our systems, the use of SSL security certificates to encrypt data in transit, etc.

In the course of providing your personal data to you, personal data may be transferred over the internet. Although we make every effort to protect the personal data you provide to us, the transmission of information between you and us over the internet is not completely secure (it is possible that the terminal you are typing from, for example, may be monitored by third parties without us being able to do anything about it). Therefore, we cannot guarantee the security of your personal information transmitted over the Internet. You understand, therefore, that any such transmission is at your own risk. Once we receive your personal data, we will use strict procedures and security features to prevent unauthorized access to it.

Changes to the notice

We reserve the right, at our discretion, to change our privacy practices and to update and make changes to this notice at any time. For this reason, we encourage you to keep coming back to this notice. We will treat your personal data in a manner consistent with the privacy notice under which it was collected, unless we have your consent to treat it differently.

Complaints may be made to the National Supervisory Authority for Personal Data Processing.

You can find more information here:

http://dataprotection.ro/?page=procedura_de_solutionare_a_plangerilor.