Starting from 25.05.2018, Regulation 2016/679 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, also known under the acronym GDPR (General Data Protection Regulation), became applicable.
RODRAG RACING SPORTS CLUB ASSOCIATION, as the operator of personal data, hereinafter referred to as Provider, treats the protection of its customers' data seriously and wants them to feel comfortable when using this website. The protection of confidentiality regarding the collection, processing and use of personal data is an important concern, which is taken into account with great care in economic processes, of course respecting all legal requirements.
1. General Information
The operator that processes personal data is RODRAG RACING SPORTS CLUB ASSOCIATION, with registered office in Arad, Calea 6 Vânători, no. 55, Arad county, Romania, unique identification code 49351489.
The provider has designated a Data Protection Officer (DPO) who can be contacted if there are concerns regarding any aspect related to the protection of personal data by submitting a written, dated and signed request.
The person responsible for data protection is Ștefănuț Mircea Dumitru, with the telephone number +40-722-295-329 and the e-mail address gdpr@rodrag.ro.
2. Definition of some terms
Personal data means any information relating to an identified or identifiable natural person (Data Subject), in particular by reference to an identification element such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity.
The processing of personal data is any operation or set of operations performed on personal data or sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
3. Data Collected
The provider collects the following data:
- identification data: name, surname, personal numerical code, series and no. of bulletin, series and no. of driver's license, address, telephone number, e-mail address;
- access data for website visitors: date and time of access, duration of visit, IP address, browser type, operating system;
- other information derived from the processing carried out, such as: contractual history, financial history, specific information about contracted services and how they were used;
- electronic correspondence with the client;
- Google Analytics cookies (_ga, _gid);
- PHP-generated session cookie (PHPSESSID);
- cookie to keep the user logged in.
4. Cookies
Cookies are small files, generally made up of a string of characters, or parts of a file, which when accessing a website are saved in the browser used by the computer, phone, tablet or any other device through which the respective site is accessed online. At each subsequent access to the site, the browser used sends this file to the server of the respective site, in order to allow the identification of a visitor who has returned to the site.
In general, websites use cookies to offer visitors functionalities that the HTTP protocol, a text-type protocol that is most often used to access online information from web servers, cannot provide without them. These functionalities consist of managing user sessions, keeping an authenticated session, keeping preferences on a visited page (for example, aspects related to the functionality or graphical display of pages), keeping products in a shopping basket and others.
When a person accesses the site as a visitor, a cookie is sent to their Internet browser and saved on their computer's hard drive, but they can block the saving of cookies by changing their browser settings.
Cookies can store information of a personal nature (for example, visitor identification code, personalized preferences or a history of visited pages). This information is not generated by cookies, but by the visitor, when he fills in the online forms, registers on the site, uses electronic payment systems, etc. Although cookies are stored in the memory of the computer, phone, tablet or any other device used to access a website, cookies cannot access or read other information stored in that device.
Cookies are not viruses, they are not compiled into code and cannot be executed. Consequently, they cannot self-copy, cannot spread to other networks to trigger certain actions, and cannot be used to spread viruses.
Depending on the duration, cookies can be session cookies or permanent cookies. Session cookies have a temporary storage duration, limited only to the duration of the session in which a certain visitor accesses the site. When you close your session or browser, all stored information is deleted.
Permanent cookies are stored in the device used by the visitor and are not deleted when the session or browser is closed.
Web browsers provide functionality to set the level of information security, allowing visitors to opt out of their preferences being recorded, so the use of any cookie can be blocked by changing their browser settings. To use the facilities for setting the cookie acceptance level, in most cases, access the "Settings" / "Internet options" section, the "Confidentiality and security" / "Privacy" sub-section from the browser menu (depending on browser used).
Disabling the option to accept cookies may result in the impossibility of accessing some of the most important sections of the website. For this reason, it is advisable to accept cookies belonging to sites that you consider trustworthy. At any time you wish, you can delete the cookies stored in the device you are using by accessing the "Settings" / "Safety" section, the "Privacy and security" / "Delete browsing history" sub-section in the browser menu (depending on the browser used).
5. Obtaining Personal Data
The Provider processes personal data relating to the Client, to the Client's mandates, legal or conventional, as well as to the persons whose data are provided by the Client to the Provider, in order to carry out an operation - annual licensing within the National DragRacing Championship. The natural persons whose personal data are processed are called Data Subjects.
The data are obtained directly from the Client and/or from an authorized representative of the Client (at the moment the Provider's forms or documents are filled in, an Internet page is accessed, or through other means of communication). In addition, the Provider can also obtain the above data by consulting external sources (public institutions and authorities, public registers, electronic databases, information available online or authorized third parties).
6. Purpose of Personal Data Processing
6.1. The main purpose of data processing is:
- online registration of athletes at Drag Racing type competitions;
- online payments for licensing, insurance and registration within the DragRacing Stages;
- promoting organized sports competitions.
For this purpose, the Provider collects the name of its client or of the client's representatives, their identification data (surname, first name, CNP, series and number of bulletin, series and number of driver's license) and their contact data (telephone, email address, mailing address and billing address).
Also, to make the provision of the services possible, the Provider creates and manages unique accounts for its customers. For this, the following data are processed: email address, unique customer code, authentication data and access to the online platform (IP address, time and date, operations log).
6.2. To improve the services offered, the Provider uses a contact form through which it collects the following data: name, e-mail address, telephone number, message sent.
6.3. In order to carry out service provision activities, the Provider processes the personal data of customers for:
- providing services and goods through all available channels in this regard (physical locations, Internet, telephone, etc.);
- performing human resource management operations;
- performing economic, financial and/or administrative management activities;
- the centralization of operations and the maintenance of an internal database in which the information about the concerned persons is stored, so that it can be used by the departments and structures in their activities;
- customer identity verification;
- contacting the Client / other Targeted Person through the means of communication in order to inform them of information about the contracted products (e.g. expiration of term, non-fulfillment of obligations, modification/completion of characteristics, costs, functionalities, benefits);
- the provision of support services for the requests of the Client / Data Subject (e.g. additional information about products, updating some of the identification data, solving requests, complaints and petitions), both in the Provider's physical locations and through the means of communication (phone / email / post);
- analyzing the behavior of the Client / any other Targeted Person who accesses the site, through the use of cookies, both of the Provider and of third parties, with the aim of providing general or customized content, offers adapted to the interests of users;
- performing internal analyses (including statistical analyses), both with regard to products / services, and with regard to the client portfolio;
- archiving both physical and electronic documents;
- the resolution of disputes, investigations or any other petitions/complaints/requests to which the Provider is a party;
- fulfillment of legal obligations (drafting of documents, reporting to the entitled public institutions).
6.4. There may be situations in which the Provider will use or transmit information to protect rights and commercial activity. These may include:
- analyzing the behavior of the Client / other Data Subject who accesses the site, through the use of cookies, both of the Provider and of third parties, with the aim of providing general or customized content, offers adapted to the interests of users;
- performing internal analyses (including statistical analyses), both regarding products/services and regarding the client portfolio;
- site protection measures against cyber attacks;
- measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;
- various other risk management measures.
7. Basis for Personal Data Processing
The provider processes personal data for the purposes mentioned above, based on the following grounds:
- for the execution of a contract to which the Client / Target Person is a party, to take pre-contractual steps at the Client's request or to provide the Client with information about the products and services offered by the Provider;
- on the basis of a legal obligation incumbent on the Provider (e.g. fraud detection and prevention);
- on the basis of the Provider's legitimate interest (e.g. centralization of operations, operation of an internal database, performance of current operations for carrying out activities, development and improvement of services, ensuring a high level of security both at the level of IT systems and at the level of physical locations, especially regarding the discovery and minimization of risks that may affect the Provider);
- based on the Client's consent, explicitly granted.
8. Refusal to Communicate Personal Data
The processing of personal data requested by the Provider through forms / other communication channels is mandatory, except for the case where the processing is based only on the Client's consent. In this case, the Client will be informed that providing the data, respectively the agreement, is optional. In the other cases, the refusal will determine the impossibility of providing services or products by the Provider.
9. Recipients of Personal Data
Data recipients can be:
- service providers: IT services (maintenance, software development), archiving in physical/electronic format, courier, marketing service providers, traffic and user behavior monitoring;
- accounting service providers, lawyers, authorities and courts;
- third-party operators in the EU that offer services mediated by the Provider;
- third-party operators from outside the EU that offer services mediated by the Provider and that operate in accordance with the rules imposed by Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
- providers of financial information processing services (card payment processors);
- Internet domain registration service providers;
- IT service providers;
- central and/or local public authorities.
10. Data Retention Period
In order to achieve the above-mentioned purposes, personal data will be processed by the Provider throughout the contractual relationship and after its completion, in order to comply with the law applicable in the field, including, but not limited to, the provisions on archiving.
Personal information related to the purchase of services, financial transactions (invoicing) will be kept for a minimum of 10 years, according to Romanian legislation.
The information collected by cookies is stored for 26 months in order to carry out analyses and reports related to the site's performance. It will be deleted after this period.
11. The Rights of Data Subjects
The data subject has the following rights:
- the right to information - the right to receive detailed information on the processing activities carried out, according to the provisions of this document;
- the right of access - he can request and obtain confirmation of whether or not his personal data is processed by the Service Provider, and if so, he can request access to them, as well as certain information, the Service Provider issuing, upon request, a copy of the personal data processed;
- the right to rectification - the right to obtain the rectification of inaccurate personal data and the completion of incomplete ones;
- the right to data deletion - in the situations expressly regulated by law (especially in the case of withdrawal of consent or in the case that it is found that the processing of personal data was not legal), the data subject can obtain the deletion of said data, and as a result of such a request, the Provider can anonymize the data, depriving them of their personal character and thus continue processing for statistical purposes;
- the right to restrict processing - in the situations expressly regulated by law (especially if the accuracy of the respective data is contested for the period necessary to determine this inaccuracy or if the processing is illegal, and the deletion of the data is not desired, but only the restriction);
- the right to opposition - can oppose at any time, for reasons related to the particular situation in which he is, processing based on the legitimate interest of the Provider (including the creation of profiles) or carried out in the exercise of a public interest or an authorization with which the Provider is invested;
- the right to data portability - can receive personal data in a structured format, which can be read automatically, or can request that said data be transmitted to another operator, this right being applicable only for personal data provided by the Client or if the processing of personal data is carried out by automatic means and if the processing has a legal basis (execution of a contract or consent of the data subject);
- the right to file a complaint - can file a complaint against the manner of processing personal data to the National Authority for the Supervision of Personal Data Processing;
- the right to withdraw consent - in cases where the processing is based on consent, it can be withdrawn at any time, this having effects only for the future, the processing carried out prior to the withdrawal still remaining valid;
- additional rights related to automatic decisions used in the process of providing services and products - if the Provider makes automatic decisions in connection with personal data, the data subject may request and obtain human intervention regarding the said processing, may express his point of view regarding the respective processing and can appeal the decision.
The customer can exercise these rights either individually or cumulatively, by sending a written, dated and signed request to the Provider's headquarters or by e-mail to office@rodrag.ro.
12. Protection of Personal Data
We are committed to ensuring the security of personal data by implementing appropriate technical and organizational measures in accordance with industry standards.
Personal data is transmitted using state-of-the-art encryption algorithms and is stored on secure servers, while ensuring data redundancy.
In particular, the following technical and organizational measures are implemented to ensure the security of personal data:
Dedicated policies
We adopt and review customer and third party data processing practices and policies, including physical and electronic security measures, to ensure systems are protected from unauthorized access and other potential threats to their security. We constantly check the application of our own personal data protection policies, which comply with data protection legislation.
Data minimization
The personal data processed are limited to those necessary, appropriate and relevant for the purposes stated in this note.
Restricting access to data
Access to personal data is strictly restricted to employees and collaborators who need to carry out the necessary processing. All these companies and individuals are subject to strict confidentiality obligations, and we will not hesitate to hold them accountable and stop working with them if they do not take data protection very seriously.
Specific technical measures
Technologies are used to assure customers that data security is protected.
Control of service providers
Clauses to ensure the protection of personal data, within the limits imposed by law, are introduced in the contracts with the service providers that process data for the Provider or together with the Provider.
Despite the measures taken to protect personal data, its transmission over the Internet in general or through other public networks is not completely secure, and there is a risk that the data may be seen and used by unauthorized third parties. The provider cannot assume responsibility for such vulnerabilities of systems that are not under its control.
13. Statement of Compliance
The provider declares on its own responsibility that it has taken all the measures it considered necessary in order to comply with the instructions of the EU Regulation 2016/679 (GDPR) regarding the collection, use and storage of personal data in the member countries of the European Union.
Provider certifies that it adheres to notice, choice, transfer, data security and integrity, access and enforcement requirements.