in accordance with the provisions of EU Regulation no. 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

The KUNDEN BROKER COMPANIE DE BROKERAJ S.R.L., with its headquarter in Cluj-Napoca, Str. Dambovitei nr. 12-18, scara 3, parter, etaj 1, 2, Cluj County, registered at ORC Cluj under no. J12 / 2085 / 07.06.2005, CUI 17662100, with the Operating Authorization 3946 / 07.10.2005, no. and the date of registration in the register of insurance brokers RBK-311 / 10.10.2005, Authorized by the Financial Supervisory Authority, e-mail: office@kundenbroker.ro, legally represented by Mr. BERNHARD NEUMAIER, as Administrator and General Manager, hereby establishes the Security Policies and Procedures in accordance with the provisions of EU Regulation no. 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data:

1. Purpose of the procedure

The procedure describes the terms, conditions and procedures regarding the security of personal data processing.

2. Scope of the procedure

The procedure applies to the KUNDEN BROKER COMPANIE DE BROKERAJ S.R.L., hereinafter referred to as “Operator”, as well as for natural and / or legal persons, empowered by the “Operator”, who process personal data on behalf of Kunden Broker Companie de Brokeraj S.R.L.

3. Definitions of terms:

1. “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifying element, such as a name, an identification number, location data, an online identifier, or one or more specific elements relating to his/her physical, physiological, genetic, mental, economic, cultural or social identity;
2. “processing” means any operation or set of operations performed on personal data or personal data sets, with or without the use of automated means, such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction;
3. “restriction of processing” means the marking of stored personal data in order to limit their further processing;
4. “profiling” means any form of automatic processing of personal data consisting in the use of personal data to assess certain personal aspects of an individual, in particular to analyze or predict performance issues in place of work, economic situation, health, personal preferences, interests, reliability, behavior, location of the individual or his travels;
5. “pseudonymisation” means the processing of personal data in such a way that they can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is stored separately and is subject to measures of a technical and organizational nature to ensure that such personal data are not assigned to an identified or identifiable natural person;
6. “data record system” means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or distributed according to functional or geographical criteria;
7. “operator” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law;
8. “ person authorized by the operator” means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. “recipient” means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities to which personal data may be communicated in the course of a particular investigation in accordance with Union or national law shall not be considered as recipients; the processing of such data by the public authorities concerned shall comply with the applicable data protection rules, in accordance with the purposes of the processing;
10. “third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the controller or the persons who, under the direct authority of the controller or the controller, are authorized to process personal data;
11. “consent” of the data subject means any manifestation of the free, specific, informed and unambiguous will of the data subject by which he or she accepts, by an unequivocal statement or action, personal data concerning him or her to be processed;
12. “breach of security of personal data” means a breach of security which results, accidentally or unlawfully, in the unauthorized destruction, loss, alteration or disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to them;
13. “genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information on the physiology or health of that person and which result in particular from an analysis of a sample of biological material collected by to the person concerned;
14. “biometric data” means personal data resulting from specific processing techniques relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or dactyloscopic data ;
15. “health data” means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which disclose information about his or her state of health;
16. “head office” means:
a) in the case of an operator established in at least two Member States, the location of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another the seat of the Union operator, which shall have the power to order the implementation of those decisions, in which case the seat which took those decisions shall be deemed to be the principal place of business;
(b) in the case of a person authorized by the operator established in at least two Member States, the place where his central administration is located in the Union, or, where the person authorized by the operator does not have a central administration in the Union, Union of the processor in which the main processing activities take place, in the context of the activities of an establishment of the controller, in so far as it is subject to specific obligations under this Regulation;
17. “representative” means a natural or legal person established in the Union, appointed in writing by the controller or the person empowered by the controller, who represents the controller or the person empowered in respect of their respective obligations;
18. “enterprise” means a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations which regularly engage in an economic activity;
19. “group of enterprise” means an undertaking which exercises control and the undertakings controlled by it;
20. “binding corporate rules” means the policies on the protection of personal data which must be complied with by a controller or a person established by the controller, established in the territory of a Member State, in respect of transfers or sets of data transfers personal to an operator or a person authorized by the operator in one or more third countries, within a group of undertakings or a group of undertakings engaged in a joint economic activity;
21. “supervisory authority” means an independent public authority established by a Member State;
22. “supervisory authority concerned” means a supervisory authority which is subject to the processing of personal data because:
a) the controller or the person authorized by the controller is established in the territory of the Member State of the respective supervisory authority;
(b) the data subjects who reside in the Member State in which the supervisory authority is located are significantly affected or are likely to be significantly affected by the processing; or
c) a complaint has been submitted to the respective supervisory authority;
23. “cross-border processing” means:
a) the processing of personal data which takes place in the context of the activities of the premises of several Member States of an operator or of a person authorized by the controller in the territory of the Union, if the controller or controller is established in at least two Member States; or
b) the processing of personal data which takes place in the context of the activities of a single establishment of an operator or of a person authorized by the controller in the territory of the Union but which significantly affects or is likely to significantly affect data subjects at least two Member States.

4. Principles related to the processing of personal data

Personal data are:
a) processed lawfully, fairly and transparently in relation to the data subject (“legality, fairness and transparency”);
b) collected for specified, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with those purposes;
c) appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“minimization of data”);
d) accurate and, if necessary, updated; all necessary measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay (“accuracy”);
e) kept in a form which permits identification of data subjects for a period not exceeding the period necessary to fulfill the purposes for which the data are processed;
f) processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”) .

5. Legality of processing

Processing is lawful only if and to the extent that at least one of the following conditions applies:
a) the data subject has given his/her consent for the processing of his/her personal data for one or more specific purposes;
b) the processing is necessary for the execution of a contract to which the data subject is a party, or to take steps at the request of the data subject before concluding a contract;
c) the processing is necessary in order to fulfill a legal obligation incumbent on the operator;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task which serves a public interest or which results from the exercise of the public authority with which the operator is vested;
f) the processing is necessary for the purpose of the legitimate interests pursued by the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail, which require the protection of personal data, especially when the data subject is a child.

6. Information on the protection of personal data

The Operator will manage in safe conditions and will collect in order to conclude contracts, the data that the Client provides regarding his own person or his family. The requested information will be processed by the Operator and / or the contractual partners of the operator and may be communicated to public authorities, at their request, according to law. The provision of the requested information is mandatory according to the law, and the refusal to provide them makes it impossible to conclude the insurance contract brokered by the Operator.

7. Conditions of consent

If the processing is based on consent, the controller must be able to demonstrate that the data subject has given his or her consent to the processing of his or her personal data. Where the consent of the data subject is given in the context of a written statement which also covers other matters, the request for consent must be presented in a form which clearly distinguishes it from the other aspects, in an intelligible and easily comprehensible form, using clear and simple language. The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. Withdrawal of consent is as simple as giving it. When assessing whether consent is given freely, account shall be taken as far as possible of, inter alia, whether or not the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data which is not is required for the performance of this contract.

8. The rights of the data subject

8.1. Information and access to personal data

8.1.1. Information to be provided if personal data are collected from the data subject

If personal data concerning a data subject are collected from the data subject, the controller/authorized person shall, at the time of obtaining such personal data, provide the data subject with all the following information:
a) the identity and contact details of the operator and, as the case may be, of his representative;
b) the contact details of the data protection officer, as the case may be;
c) the purposes for which the personal data are processed, as well as the legal basis of the processing;
d) where the processing is carried out pursuant to Article 6 (1) (f) of the Regulation, the legitimate interests pursued by the controller or a third party;
e) the recipients or categories of recipients of personal data;
f) where applicable, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a Commission decision on the appropriateness or, in the case of transfers, a reference to appropriate or appropriate safeguards and means to obtain a copy of them, if they have been made available.

In addition to the information referred to in paragraph 1, when personal data are obtained, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing:
a) the period for which the personal data will be stored or, if this is not possible, the criteria used to establish this period;
b) the existence of the right to request from the controller, regarding the personal data of the data subject, the access to them, their rectification or deletion or the restriction of the processing or the right to oppose the processing, as well as the right to data portability;
c) where the processing is based on consent, the existence of the right to withdraw the consent at any time, without affecting the legality of the processing carried out on the basis of the consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a legal or contractual obligation or an obligation necessary for the conclusion of a contract, as well as whether the data subject is obliged to provide such personal data and what are the possible consequences of non-compliance with this obligation;
f) the existence of an automated decision-making process including the creation of profiles, as well as, at least in those cases, pertinent information on the logic used and on the importance and expected consequences of such processing for the data subject.

If the controller intends to further process personal data for a purpose other than that for which they were collected, the controller shall provide the data subject, before such further processing, with information on that secondary purpose and any relevant additional information.
Paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already holds that information.

8.1.2. Information to be provided if personal data have not been obtained from the data subject

If personal data have not been obtained from the data subject, the controller / authorized person shall provide the data subject with the following information:
a) the identity and contact details of the operator and, as the case may be, of his representative;
b) the contact details of the data protection officer, as the case may be;
c) the purposes for which the personal data are processed, as well as the legal basis of the processing;
d) the categories of personal data concerned;
e) the recipients or categories of recipients of personal data, as the case may be;
f) where applicable, the intention of the controller to transfer personal data to a recipient from a third country or an international organization and the existence or absence of a Commission decision on the adequacy or, a reference to appropriate safeguards and means to obtain a copy of them, if they have been made available.

In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
a) the period for which the personal data will be stored or, if this is not possible, the criteria used to establish this period;
b) where the processing is carried out pursuant to Article 6 (1) (f) of the Regulation, the legitimate interests pursued by the controller or a third party;
c) the existence of the right to request from the controller, regarding personal data regarding the data subject, access to them, their rectification or deletion or restriction of processing and the right to oppose the processing, as well as the right to data portability;
d) the existence of the right to withdraw the consent at any time, without affecting the legality of the processing carried out on the basis of the consent before its withdrawal;
e) the right to lodge a complaint with the supervisory authority;
f) the source from which the personal data come and, if applicable, if they come from publicly available sources;
g) the existence of an automated decision-making process including the creation of profiles, as well as, at least in those cases, pertinent information on the logic used and on the importance and expected consequences of such processing for the data subject.

The operator shall provide the information referred to in paragraphs 1 and 2:
a) within a reasonable time after obtaining personal data, but not more than one month, taking into account the specific circumstances in which personal data are processed;
b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to the data subject concerned; or
c) if it is intended to disclose personal data to another recipient, at the latest on the date on which they are first disclosed.
If the controller intends to further process personal data for a purpose other than that for which they were obtained, the controller shall provide the data subject, before such further processing, with information on that secondary purpose and any relevant additional information.

Paragraphs 1 to 4 shall not apply if and to the extent that:
a) the data subject already holds the information;
b) the provision of this information proves to be impossible or would involve disproportionate efforts, especially in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes. In such cases, the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including making the information available to the public;
c) the obtaining or disclosure of data is expressly provided for by Union or national law under which the controller falls and which provides for appropriate measures to protect the legitimate interests of the data subject; or
d) if the personal data must remain confidential under a statutory obligation of professional secrecy, including a legal obligation to maintain secrecy.

8.1.3. The right of access of the data subject

The data subject has the right to obtain from the controller a confirmation that personal data concerning him or her are being processed or not and, if so, access to those data and to the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom personal data have been or are to be disclosed, in particular recipients from third countries or international organizations;
d) where possible, the period for which personal data are expected to be stored or, if this is not possible, the criteria used to establish this period;
e) the existence of the right to request the operator to rectify or delete personal data or to restrict the processing of personal data relating to the data subject or the right to oppose the processing;
f) the right to lodge a complaint with the supervisory authority;
g) in case the personal data are not collected from the data subject, any available information regarding their source;
h) the existence of an automated decision-making process including the creation of profiles, as well as, at least in the respective cases, pertinent information on the logic used and on the importance and expected consequences of such processing for the data subject.

If personal data are transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
The operator shall provide a copy of the personal data subject to processing. For any other copies requested by the data subject, the operator may charge a reasonable fee, based on administrative costs. Where the data subject submits the application in electronic format and unless the data subject requests another format, the information shall be provided in a commonly used electronic format.
The right to obtain a copy referred to in paragraph 3 shall be without prejudice to the rights and freedoms of others.

8.2. Rectification and deletion

8.2.1. The right to rectification

The data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him/her. Taking into account the purposes for which the data were processed, the data subject has the right to obtain the completion of personal data that are incomplete, including by providing an additional statement.

8.2.2. The right to delete data (“the right to be forgotten”)

The data subject has the right to obtain from the controller the deletion of personal data concerning him/her, without undue delay, and the controller has the obligation to delete personal data without undue delay if one of the following reasons applies:
a) personal data are no longer necessary for the purposes for which they were collected or processed;
b) the data subject withdraws his/her consent on the basis of which the processing takes place, and there is no other legal basis for the processing;
c) the data subject opposes the processing and there are no legitimate reasons to prevail regarding the processing;
d) personal data have been processed illegally;
e) personal data must be deleted in order to comply with a legal obligation incumbent on the controller under Union or national law to which the controller is subject;
f) personal data have been collected in connection with the provision of information society services;

If the controller has made his personal data public and is required under paragraph 1 to delete them, the controller shall, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform operators who processes the personal data that the data subject has requested the deletion by these operators of any links to those data or of any copies or reproductions of such personal data.

Paragraphs 1 and 2 shall not apply in so far as processing is required:
a) for exercising the right to free expression and information;
b) for the observance of a legal obligation which provides for processing under Union or national law applicable to the controller or for the performance of a task performed in the public interest or in the exercise of an official authority with which the controller is vested;
c) for reasons of public interest in the field of public health;
d) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as the right referred to in paragraph 1 is likely to make it impossible or seriously affect the achievement of the objectives of that processing; or
e) for ascertaining, exercising or defending a right in court.

8.3. The right to restrict processing

The data subject has the right to obtain from the controller a restriction on the processing if one of the following cases applies:
a) the data subject disputes the accuracy of the data, for a period that allows the operator to verify the accuracy of the data;
b) the processing is illegal, and the data subject opposes the deletion of personal data, requesting in return the restriction of their use;
c) the controller no longer needs the personal data for the purpose of processing, but the data subject requests them for the establishment, exercise or defense of a right in court; or
d) the data subject has objected to the processing, for the time interval in which it is verified whether the legitimate rights of the operator prevail over those of the data subject.

Where processing has been restricted pursuant to paragraph 1, such personal data may, except in the case of storage, be processed only with the consent of the data subject or for the establishment, exercise or defense of a right in court or for the protection of the rights of another natural or legal person, or for reasons of public interest.
A data subject who has obtained a processing restriction pursuant to paragraph 1 shall be informed by the controller before the processing restriction is lifted.

8.4. Obligation to notify the rectification or deletion of personal data or the restriction of processing

The controller shall communicate to each recipient to whom the personal data have been disclosed any rectification or deletion of personal data or restriction of the processing carried out, unless this proves impossible or involves disproportionate efforts. The operator shall inform the data subject of those recipients if the data subject so requests.

8.5. The right to data portability

The data subject has the right to receive personal data concerning him and which he has provided to the controller in a structured, commonly used and automatically readable format and has the right to transmit this data to another controller without obstacles on the part of the controller to whom the personal data were provided, if:
a) the processing is based on the consent or performance of a contract to which the data subject is a party, and
b) the processing is performed by automatic means.
In exercising his right to data portability pursuant to paragraph 1, the data subject shall have the right to have personal data transmitted directly from one controller to another where this is technically feasible.
The exercise of the right referred to in paragraph 1 shall not apply to the processing necessary for the performance of a task performed in the public interest or in the exercise of an official authority with which the operator is vested.
The right referred to in paragraph 1 shall be without prejudice to the rights and freedoms of others.

8.6. The right to opposition and automated individual decision-making

8.6.1. The right to opposition

At any time, the data subject has the right to object, for reasons related to his or her particular situation, to processing of personal data concerning him or her, including the creation of profiles on the basis of those provisions. The controller will no longer process personal data, unless the controller demonstrates that he has legitimate and compelling reasons justifying the processing and prevailing over the interests, rights and freedoms of the data subject or that the purpose is to establish, exercise or defend a right in court. When the processing of personal data is for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him for this purpose, including the creation of profiles, insofar as it is related to marketing.
If the data subject objects to the processing for the purpose of direct marketing, the personal data are no longer processed for this purpose. At the latest at the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
In the context of the use of information society services, the data subject may exercise his right to object by automatic means using technical specifications. If personal data are processed for the purposes of scientific or historical research or for statistical purposes, the data subject shall, for reasons related to his or her particular situation, have the right to object to the processing of personal data concerning him or her, except where the processing is necessary for the performance of a task for reasons of public interest.

8.6.2. Automated individual decision making, including profile creation

The data subject has the right not to be subject to a decision based solely on automatic processing, including profiling, which produces legal effects concerning the data subject or similarly affects him or her to a significant extent.
Paragraph 1 shall not apply if the decision:
a) it is necessary for the conclusion or execution of a contract between the data subject and a data controller;
b) is authorized by Union or national law applicable to the controller and which also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or
c) is based on the explicit consent of the data subject.
In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least his right to obtain human intervention from the controller, to express his point of view and challenge the decision.

For the exercise of these rights, the Client will address a written request, dated and signed, to the headquarters of the Operator, located in Cluj-Napoca, Str. Dambovitei nr. 12-18, scara 3, parter, etaj 1, 2, Cluj County.
In the event of non-compliance with the rights of data subjects, the Regulation confers on the natural persons concerned the right to lodge a complaint with the National Supervisory Authority.
If the complaint is admissible, it may be followed by an investigation by the requested data controller.

9. Responsibility of the operator

Taking into account the nature, scope, context and purposes of the processing, as well as the risks with varying degrees of probability and seriousness for the rights and freedoms of individuals, the controller shall ensure and be able to demonstrate that the processing is carried out in accordance with with the provisions of the EU Regulation, implements the following appropriate technical and organizational measures necessary to maintain the confidentiality and integrity of personal data:

9.1. User identification and authentication

User means any person acting under the authority of the Operator, the authorized person or the representative, with a recognized right of access to personal databases. Users, in order to gain access to a personal database, must identify themselves. The identification is done by entering the individual code from the keyboard accompanied by the user’s own password. Each user has a unique identification code, which can never be attributed to another user either concomitantly or subsequently. Identification codes (or user accounts) that have not been used for an extendedperiod of time will be deactivated and destroyed after a prior check by the Operator and/or the responsible person designated by the operator. Every user account is accompanied by an authentication method. Authentication is done by entering a password. Passwords are strings. The longer the string, the stronger the password is. When entering passwords, they should not be clearly displayed on the monitor. Personal passwords will be changed in the first working week of every month. Periodic change of passwords is done only by users authorized by the Operator. The operator must request the creation of an information system that automatically denies a user access after 5 wrong password entries. The use of the computer system requires maximum attention and accuracy. Each newly entered information will be made with complete and correct data. Each employee operating in the system is held accountable if entering false or incomplete data or improperly modifying existing information. Any user who receives an identification code and a means of authentication must maintain their confidentiality and be accountable to the Operator.
A specific procedure for the administration and management of user accounts will be established. Operators authorize certain users to revoke or suspend an identification and authentication code if their user has resigned or been fired, has entered into a contract, has been transferred to another service and the new tasks do not require access to personal data, abused the codes received or if he will be absent for a long pre-established period. Users’ access to manually made personal databases will be based on a list prepared by the data protection officer and approved by the operator’s management.

9.2. Type of access

Users should only access the personal data necessary for the performance of their duties. For this, operators must establish the types of access by functionality (such as: administration, input, processing, saving, etc.) and by actions applied to personal data (such as: write, read, delete), as well as procedures related to these types of access. The programmers of personal data processing systems will not have access to personal data. The operator will only allow programmers access to personal data after it has been transformed into anonymous data. The department that provides technical support may have access to personal data to resolve exceptional cases. Anonymous data will be used for the activity of preparing users or for making presentations. Employees who teach training courses will use personal data during their own training. The operator will establish the strict ways in which personal data will be destroyed. Authorization for this processing of personal data must be limited to a few users.

9.3. Data collection

The operator shall designate and train authorized users for the collection and input of personal data into an information system. Any modification of personal data may be made only by authorized users designated by the operator, based on a supporting document. The information system records who made the change, the date and time of the change. For better administration, the Operator will take measures for the information system to keep the data deleted or modified.

9.4. Execution of backups

Once every six months, backups of personal databases, as well as programs used for automated processing, will be backed up. Users performing these backups will be called by the operator in a limited number. The backups will be stored in other rooms, in locked files, where access is monitored.

9.5. Computers and access terminals

Computers and other access terminals will be installed in rooms with restricted and monitored access. If these conditions cannot be ensured, the computers will be installed in rooms that can be locked or measures will be taken to ensure that access to the server or access terminals is done with the help of keys or magnetic cards. If personal data appears on the screen that is not acted upon for a given period, set by the operator, the work session must be closed automatically. The length of this period is determined by the operations to be performed. The access terminals used by various collaborators, on which personal data appear, will be positioned in such a way that they cannot be seen by anyone other than the authorized user, and after a period of 10 minutes in which they are not acted upon, they must be hidden.

9.6. Access files

The information system allows any access to the personal database to be recorded in an access file (called a log for automatic processing) or in a register for manual processing of personal data. The information recorded in the access file or in the register will be:

• the identification code (username for manual personal databases);
• the name of the accessed file (file);
• the number of registrations made;
• the type of access;
• the code of the executed operation or the used program;
• the date of access (day, month, year);
• the time (second, minute, hour).

This information will be stored for automatic processing in a general access file or in separate files for each user. Any attempt at unauthorized access will also be recorded. The operator shall keep the access files for at least 5 years, to be used as evidence in case of investigations. If an investigation is prolonged, these files will be kept for as long as deemed necessary. The access files must make it possible for the Operator or the authorized person to identify the persons who have accessed personal data without a specific reason, in order to apply sanctions or notify the competent bodies.

9.7. Telecommunication systems

The company periodically controls the authentications and types of access to detect malfunctions in the use of telecommunications systems. The operator has designed the telecommunications system so that personal data cannot be intercepted or transmitted from anywhere. If the telecommunications system cannot be thus secured, the operator is obliged to impose the use of the encryption method for the transmission of personal data. Only strictly necessary personal data will be transmitted through telecommunications systems.

9.8. Staff training

During the training courses as well as on the occasion of the meetings organized within the company, the employees are informed about the provisions of the legislation for the protection of persons regarding the processing of personal data and the free movement of these data, the minimum data processing security requirements, as well as about the risks involved in the processing of personal data, depending on the specifics of the user’s activity. Users who have access to personal data will be instructed by the Operator on their confidentiality and will be warned by messages that will appear on the monitors during the activity. Users are forced to log out when they leave work.

9.9. Using computers

In order to maintain the security of the processing of personal data (especially against computer viruses) the operator will take measures which will consist of:
a) prohibiting the installation of any programs and saving them on the computer by employees;
b) prohibiting the use by users of software programs that come from external or dubious sources and that are not licensed;
c) informing users about the danger regarding computer viruses;
d) implementation of automatic devirus and security systems for information systems;
e) deactivation, as far as possible, of the “Print screen” key, when personal data are displayed on the monitor, thus forbidding their printing to the printer.

9.10. Data printing

The personal data will be taken out to the printer only by users authorized for this operation by the Operator.
Operators are required to approve specific internal procedures regarding the use and destruction of these materials.
Each entity will approve its own security system, taking into account these minimum security requirements for the processing of personal data, and depending on the importance of the personal data processed, will impose additional security measures.

Based on applicable law and internal regulations, Kunden Insurance Broker S.R.L. processes personal data, depending on the purpose, according to the requirements of EU Regulation no. 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, of Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data, amended and supplemented, of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, for:

• drawing up employment contracts for employees, collaboration contracts, insurance contracts brokered by the Operator and contracts with various clients;
• monitoring the access of persons in the Office spaces of the Operator;
• security of persons and office space;
• video monitoring and security, in the Office spaces of the Operator.

The monitored persons include clients or potential clients; visitors; employees; any person who enters the space used by the Operator to carry out its activity.
The processing of personal data by video monitoring is necessary to achieve the legitimate interests of the Operator (e.g., record of potential visitors insured, execution of employment contracts for employees, respectively fulfilling their obligations at work, security of employees and customers, respect for data confidentiality processed by them, etc.) and the fulfillment of the legal obligations provided by Law 31/1990 on companies, by Law no. 333/2003 on the protection of objectives, goods, values, protection of persons, GD 301/2012 for approving the methodological norms for applying the Law 333/2003. The company’s employees enjoy the right to information, the right to access data, the right to intervene in data, the right to object, the right not to be subject to an individual decision and the right to go to court.

The operator undertakes to rectify, update, block, delete or transform into anonymous data, free of charge, data whose processing does not comply with the provisions of the legislation in the field of personal data processing.

The stored data is kept in the electronic archives (hard memory of the video recording device) for a maximum of 30 days. Upon expiration of the term, the Operator undertakes to delete the records.

The registered information is intended for use by the Operator and is communicated upon request only to the following recipients: data subject, employees of the Operator, judicial authority, police, criminal investigation bodies, as well as at the request of any other legal authorities.

According to the legal provisions, the personal data intended to be processed must be:

• processed by the Operator’s employees and/or the authorized natural or legal persons, in good faith, in accordance with the legal provisions in force;
• collected for specific, explicit and legitimate purposes;
• adequate, relevant and not excessive in relation to the purpose for which they are collected and subsequently processed;
• accurate and, where appropriate, up to date;
• stored in a form that allows the identification of the data subjects strictly for the time necessary to achieve the purposes for which the data are collected and for which they will be subsequently processed.

9.11. Monitoring Systems via Electronic Communications and/or Video Surveillance

The company processes personal data (images) through video surveillance means and/or through an electronic communications monitoring system, collected when entering the company’s premises and workplaces. The legitimate interests pursued by the company are thoroughly justified and prevail over the interests or rights and freedoms of individuals entering the company’s premises. The purpose of processing these images is to monitor access to premises, ensure the security of company spaces, goods, and information, as well as the safety of individuals (employees, brokerage assistants, clients, and visitors) present in the company’s premises. The recorded images are not disclosed to third parties, except in cases of violations of applicable laws. In such situations, the respective data may be provided to judicial authorities and other institutions empowered by law to request such information, upon their explicit request.

The storage period for data obtained through the video surveillance system is a maximum of 30 (thirty) calendar days, except for situations expressly regulated by law or thoroughly justified cases. At the end of the storage period, the data are automatically erased in the order they were recorded. According to the provisions regarding the protection of personal data, you have the right to request from the company regarding your personal data, access to them, rectification or erasure, or restriction of processing, the right to object to processing, as well as the right to data portability.

Since the processing of data (images) through the video surveillance system is deemed necessary and considering the notice provided by the company through the relevant Information Notes displayed in monitored locations, positioned so that they can be seen by anyone intending to enter the company’s premises, it is considered that the individuals intending to enter the monitored video space implicitly express their consent to the processing of their personal data (images) by entering and remaining in the monitored spaces. Additionally, employees, brokerage assistants, and company collaborators have been clearly, expressly, and fully informed by the company about the existence of monitoring systems.

In case the person in question does not agree to the processing of their data (image) or refuses to provide the respective data, they have the option NOT to enter the company’s premises/spaces, or, if they have entered the monitored video space, to leave the monitored area.

These internal procedures are complemented by law with the other provisions of the legislation on the processing of personal data.