1. ABOUT THIS POLICY

SC RHEIN VISION SRL is obliged, as part of its social responsibility, to comply with European data protection law, in particular Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). This policy is based on the European legislation currently in force and on Romanian data protection law. Ensuring data protection is a basis for trusting relationships, both with employees and with business partners.

This policy contains an overview of the most relevant data protection rules that must be complied with by management and employees of RHEIN VISION. The RHEIN VISION data protection procedure is also available to all employees for further information and explanation on the subject of data protection.

2. TERMS AND DEFINITIONS

The applicable data protection legislation (hereinafter: the Data Protection Act) uses its own terminology. Using that terminology allows for concise explanations in the text and improves readability.

In this data protection policy, we use the following terms:

Personal data – any information relating to an identified or identifiable natural person (the "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data protection law governs the use of "personal data", i.e. all information about a natural person whose identity is known or can be determined. Such information may be a name, date of birth, address, telephone number, IP address, etc. Details about a person's conduct or habits (including value judgments about them), as well as photographs and images recorded by a surveillance camera, are also personal data.

Therefore, whenever information can be attributed to a natural person, the application of data protection law must be assumed.

  • Data subject – each natural person whose personal data is processed.

Data Processing – Processing of personal data means any operation, with or without the aid of automated processes, for the collection, storage, organisation, alteration, retrieval, use, transmission, dissemination or combination and matching of data. It also includes the erasure, destruction and restriction (blocking) of data.

  • Processing – any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Restriction of processing – the marking of stored personal data with the aim of limiting its processing in the future.
  • Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of the natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • Pseudonymisation – the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Controller or person responsible for processing – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • Processor – natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Recipient – a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing.
  • Third party – natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
  • Consent – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her.

Where consent is requested in a written declaration, the request must be presented in clear and plain language and be clearly distinguishable from other matters. Before giving consent, the data subject must be informed that he or she has the right to withdraw it at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

Where the personal data of a child are processed on the basis of consent, a child aged 16 or older may give consent himself or herself; for younger children, consent must be given or authorised by the holder of parental responsibility (parent or guardian).

  • Cookies – text files that are stored on a computer system via an Internet browser.

Many websites and servers use cookies. Many cookies contain a cookie ID, a unique identifier for the cookie. It consists of a string of characters that allows websites and servers to associate the cookie with the specific Internet browser in which it was stored. This enables the visited websites and servers to distinguish the data subject's browser from other Internet browsers holding other cookies, so that a specific Internet browser can be recognised and identified by its unique cookie ID.

By using cookies, we can offer users of this website more user-friendly services that would not be possible without the cookie being set.

By means of a cookie, the information and offers on our website can be optimised for the user. Cookies allow us, as mentioned above, to recognise returning users of our website; the purpose of this recognition is to make the website easier to use. For example, a user of a website that uses cookies does not have to enter access data on every visit, because the website reads them back from the cookie stored on the user's computer system. A cookie that replaces the entry of access data is itself an authentication credential and must be protected accordingly.

Data protection incident – an event in which there is a reasonable suspicion that personal data has been disclosed, collected, modified, copied, transmitted or otherwise used unlawfully. This can refer to actions carried out both by third parties and by employees.

3. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

  • Lawfulness and fairness

Personal data must be collected and processed lawfully and fairly.

  • Purpose limitation

Personal data may only be processed for the purposes for which it was collected. Subsequent changes of purpose are possible only within narrow limits and require justification.

  • Transparency

The data subject must be informed about how his/her data is handled. As a rule, personal data must be collected from the data subject himself/herself. When the data is collected, the data subject must at least be aware of, or be informed about, the following:

  • the identity of the controller
  • the purpose of the data processing
  • the envisaged storage periods
  • the recipients or categories of recipients to whom the data is transmitted

The controller shall provide the data subject with information on the action taken on a request without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject submits a request in electronic form, the information shall be provided in electronic form where possible, unless the data subject requests otherwise.

If the controller does not take action on the request of the data subject, it shall inform the data subject, without undue delay and no later than one month from receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may:

(a) either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested;

(b) or refuse to comply with the request.

In these cases, the controller bears the burden of demonstrating that the request is manifestly unfounded or excessive. The controller may request the provision of additional information necessary to confirm the identity of the data subject.

The information to be provided to data subjects may be presented in combination with standardised icons in order to give a meaningful overview of the intended processing in an easily visible, intelligible and clearly legible manner. Where the icons are presented electronically, they must be machine-readable.

  • Data minimisation (data avoidance and data economy)

Before personal data is processed, it must be verified whether and to what extent the processing is necessary to achieve the intended purpose. Where the purpose can be achieved with anonymised or statistical data and the effort involved is proportionate to the purpose, such data must be used instead. Personal data may not be stored in reserve for undefined future purposes unless national law requires or permits this.

  • Deletion and storage limitation

Personal data that is no longer required for its purpose must be deleted once any statutory retention period has expired. If, in an individual case, there are indications that the data is needed to protect a legitimate interest (for example pending legal claims), it must remain stored until that interest has been legally clarified.

  • Accuracy

Stored personal data must be accurate, complete and – to the extent necessary – kept up to date. Appropriate measures must be taken to ensure that irrelevant, incomplete or outdated data is deleted, corrected, completed or updated.

  • Confidentiality and data security

Personal data is subject to confidentiality. It must be treated confidentially and protected by appropriate technical and organisational measures against unauthorised access, unlawful processing or transmission, and against accidental loss, alteration or destruction.

4. LAWFULNESS OF DATA PROCESSING / LEGAL BASES

The collection, processing and use of personal data is only permitted if one of the legal bases described below applies.

  • Data processing for a contractual relationship

The personal data of a customer, supplier or other business partner may be processed for the establishment, performance and termination of a contract. Processing is also permitted in the contract initiation phase (preparing an offer, contacting interested parties using the data they have provided).

  • Data processing based on consent

Data processing may take place with the consent of the data subject. Before consenting, the data subject must be informed in accordance with this policy. For evidentiary reasons, the declaration of consent must be given in writing or electronically. In certain circumstances, for example during a telephone consultation, consent may also be given orally. In every case, the giving of consent must be documented.

NOTE: Consent may be withdrawn at any time by the data subject.

  • Data processing based on legal permission

The processing of personal data is also permitted if national legal regulations require or permit it. The type and extent of the processing must be necessary for the lawful purpose and must follow those regulations.

  • Data processing based on a legitimate interest

Personal data may also be processed if this is necessary to pursue a legitimate interest of the company. Processing on the basis of a legitimate interest may not take place if, in the individual case, the interests of the data subject worthy of protection outweigh the interest in the processing. The balancing of interests must be carried out and documented for each processing activity.

  • Processing of special categories of personal data

Special categories of personal data (particularly sensitive data) may only be processed if this is required by law or if the data subject has given explicit consent. Processing of such data is also permitted if it is necessary for the establishment, exercise or defence of legal claims involving the data subject.

  • Automated individual decisions

Automated processing of personal data that evaluates individual personal characteristics may not be the sole basis for decisions that have legal effects on the data subject or similarly significantly affect him or her. The data subject must be informed of the fact and the result of an automated individual decision and be given the opportunity to express his or her point of view. To avoid incorrect decisions, a review and plausibility check by an employee must be ensured.

  • User data and the Internet

If personal data is collected, processed and used on websites, the data subjects are informed about this in privacy notices and, where applicable, cookie notices. Privacy and cookie notices must be integrated in such a way that they are easily recognisable, accessible and available to the data subject at all times.

If usage profiles (tracking) are created to evaluate user behaviour on websites and apps, the data subjects must in all cases be informed in the privacy notice. Where tracking is carried out under a pseudonym, the data subject must be given the possibility to object (opt-out) in the privacy notice. Where tracking relies on cookies or similar identifiers stored on the user's device that are not strictly necessary for the service, the ePrivacy rules additionally require the user's prior consent (opt-in); an opt-out alone is not sufficient in that case.

  • Data processing for the employment relationship

For the employment relationship, personal data that is necessary for the conclusion, execution and termination of the employment contract may be processed.

During the initiation of an employment relationship, the personal data of applicants may be processed. If the candidate is rejected, the applicant's data must be deleted, taking into account statutory limitation periods, unless the applicant has consented to further storage for a subsequent selection process.

In an existing employment relationship, data processing must always relate to the purpose of the employment contract, unless one of the following legal bases for data processing applies.

During the initiation of the employment relationship or in the existing employment relationship, if it is necessary to collect additional information about the applicant from a third party, the respective legal regulations must be taken into account. In case of doubt, consent must be requested from the data subject.

  • Data processing based on legal permission

The processing of employees' personal data is also permitted if national legal regulations require or permit it. The type and scope of the processing must be necessary for the lawful purpose and must follow those regulations. Where the law leaves room for discretion, the interests of the employee worthy of protection must be taken into account.

Under Article 6(1) GDPR, processing is lawful only if and to the extent that at least one of the following conditions applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject's request prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject override those interests and require protection of personal data, in particular where the data subject is a child.

  • Collective regulations for data processing

If the processing goes beyond what is necessary to perform the employment contract, it is permitted where a collective agreement allows it. Collective agreements are collective wage agreements or agreements between the employer and employee representatives within the possibilities of the applicable labour law. Such agreements must cover the specific purpose of the intended processing and may be concluded within the framework of national data protection law.

  • Consent for data processing

The processing of employee data may take place with the consent of the data subject. Declarations of consent must be given voluntarily; consent that is not freely given is invalid. Because of the imbalance between employer and employee, consent is freely given only where refusing it has no adverse consequences for the employee. For evidentiary reasons, the declaration of consent must be given in writing or electronically. If, exceptionally, circumstances do not allow this, consent may be given orally. Consent must in all cases be appropriately documented. Where the data subject voluntarily provides data after having been informed, consent may be assumed unless national law requires explicit consent. Before giving consent, the data subject must be informed in accordance with this data protection policy.

  • Data processing based on a justified interest

The processing of employees' personal data may also take place if it is necessary for the achievement of a legitimate interest of the company. Legitimate interests are usually based on legal (e.g. the establishment, exercise or defence of legal claims) or commercial reasons.

Processing of personal data on the basis of a legitimate interest may not take place if, in an individual case, there are reasons to believe that the interests of the employee worthy of protection outweigh the interest in the processing. The presence of legitimate interests must be verified for each processing.

Control measures that require the processing of employee data may only be carried out if there is a legal obligation or a justified reason. Even where a justified reason exists, the proportionality of the control measure must be checked. The legitimate interests of the company in carrying out the measure (e.g. compliance with legal requirements and internal company regulations) must be balanced against any legitimate interest of the employee affected by it, and the measure may only be carried out if it is proportionate. The legitimate interest of the company and the possible legitimate interests of the employees must be established and documented before each measure. In addition, any further requirements under national law must be observed.

  • Processing of special categories of data

The company does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, nor genetic data or data concerning a natural person's sex life or sexual orientation.

Employee health data is processed by the occupational health care provider; the company is informed only whether the data subject is fit or unfit to perform an activity. Any further processing of health data by the company takes place with the employee's consent. Such processing is necessary for purposes of preventive or occupational medicine, in particular to assess the employee's working capacity.

Equally, data on convictions (e.g. criminal records) can often only be processed under special conditions set out in national law.

Processing must be explicitly permitted or prescribed under national law. In addition, processing may be permitted if necessary so that the responsible function can fulfil its rights and obligations in the field of employment law.

  • Automated decisions

To the extent that the employment relationship involves automated processing that evaluates individual personality traits (e.g. in personnel selection or the assessment of qualification profiles), such automated processing may not be the sole basis for decisions that have adverse legal effects or similarly significant consequences for the employee.

In order to avoid incorrect decisions, it must be ensured in automated procedures that a natural person carries out an assessment of the factual content and that this assessment is the basis for the decision. The affected employee shall be informed of the fact and the result of an automated individual decision and be given the opportunity to make a statement.

  • Telecommunications and Internet

Telephone systems, e-mail addresses, Intranet and Internet, as well as internal social networks, are provided in the first instance by the company for the purpose of company tasks. They are work supports and a company resource. They may be used in accordance with applicable legal regulations and internal company guidelines.

There is no general monitoring of telephone and e-mail communication or of intranet and internet use. To prevent attacks on the IT infrastructure or on individual users, protective measures are implemented at the company's network perimeter that block technically harmful content or analyse attack patterns. For security and traceability reasons, the use of telephone systems, e-mail addresses, the intranet, the internet and internal social networks is logged.

Evaluation of this data in relation to an individual may only take place where there is a concrete and justified suspicion of a violation of laws or company guidelines. Such checks may only be carried out in accordance with the principle of proportionality and in compliance with national law and existing company regulations.

5. TRANSMISSION OF PERSONAL DATA

The transmission of personal data to recipients outside RHEIN VISION is subject to the same legal bases as any other processing of personal data. The recipient is obliged to use the data only for the stated purposes.

Where data is transferred to a recipient outside the group of companies in a third country (outside the EU/EEA), the recipient must ensure a level of data protection equivalent to this policy, for example on the basis of an adequacy decision of the European Commission or of standard contractual clauses. This does not apply if the transfer is required by a legal obligation.

Where third parties transmit data to the group of companies, it must be ensured that the data may lawfully be used for the intended purposes.

6. PROCESSING ON BEHALF OF THE CONTROLLER (commissioned processing, including in the case of assignment, transfer, merger, etc.)

Commissioned processing is where a contractor (processor) is entrusted with the processing of personal data without responsibility for the underlying business process being transferred to it. In these cases, a data processing agreement must be concluded with the external contractor.

The commissioning company (controller) retains full responsibility for the correct performance of the data processing. The contractor may process personal data only on the documented instructions of the controller.

  1. The contractor must be selected based on its suitability to provide the necessary technical and organizational protection measures.
  2. The contract must be concluded in writing. The instructions for data processing and the responsibilities of the controller and the contractor must be documented.
  3. Before data processing starts, the controller must satisfy itself that the contractor fulfils its obligations. The contractor can demonstrate compliance with data security requirements in particular by presenting an appropriate certification. Depending on the risk of the data processing, this verification must be repeated regularly during the contract period.
  4. In the case of cross-border commissioned processing, the respective national requirements for the transmission of personal data abroad must be met. In particular, personal data from the European Economic Area may only be processed in a third country if the contractor can demonstrate a level of data protection equivalent to this policy.

7. RIGHTS OF THE DATA SUBJECT

Every data subject may exercise the following rights. Their assertion is handled without delay by the responsible department and may not result in any disadvantage for the data subject.

  1. The data subject may request information about which personal data from which source are stored for which purpose. If additional rights of inspection of the employer's documents (e.g. personnel file) are envisaged in the employment relationship, these are not affected.
  2. If personal data are transmitted to third parties, information about the identity of the recipient or the categories of recipients must also be provided.
  3. If the personal data is incorrect or incomplete, the Data Subject may request their correction or completion.
  4. The data subject may object to the processing of his or her personal data for advertising or market research and survey purposes. The data must be blocked for these purposes.
  5. The data subject has the right to request the erasure of his or her data if the legal basis for the processing of the data is absent or no longer applicable. The same applies if the purpose of the processing of the data no longer applies due to the passage of time or for other reasons. Existing storage obligations and interests worthy of protection that outweigh the erasure must be taken into account.
  6. The data subject has the fundamental right to object to the processing of his or her data, which must be taken into account if his or her legitimate interest in protection outweighs the interest in processing due to a particular personal situation. This does not apply if a legal regulation requires the processing to be carried out.

8. CONFIDENTIALITY OF PROCESSING

Personal data is subject to data confidentiality. Unauthorized collection, processing or use by employees is prohibited.

Any processing that an employee carries out without being duly designated and entitled to do so in the performance of their tasks is considered unauthorized. The need-to-know principle applies: employees may only be granted access to personal data if and to the extent necessary for their respective tasks. This requires the careful allocation and separation of roles and responsibilities, as well as their implementation and maintenance as part of authorization concepts.

Employees may not use personal data for private or commercial purposes, transmit it to unauthorized persons, or make it accessible in any other way.

9. PROCESSING SECURITY

Personal data must be protected at all times against unauthorised access, unlawful processing or transmission, and against loss, falsification or destruction. This applies regardless of whether the data processing is electronic or paper-based. Before introducing new data processing procedures, in particular new IT systems, technical and organisational measures for the protection of personal data must be established and implemented. These measures must be geared to the current technology, the risks associated with the processing and the data protection requirements (determined by the information classification process).

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:

(a) pseudonymisation and encryption of personal data;

(b) the ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for periodically testing, evaluating and assessing the effectiveness of technical and organisational measures to ensure the security of processing.

Technical and organizational measures to protect personal data are part of company-wide information security and data protection management and must be continuously adapted to technical developments and organizational changes.
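As an added illustration of the pseudonymisation measure in (a) above and of the definition of pseudonymisation in section 2, the following example shows keyed pseudonymisation of a small personnel record set. It is example code written for this edit, not part of the policy or of any RHEIN VISION system; the record contents, the function names and the choice of HMAC-SHA256 are assumptions. The secret key and the re-identification table are the "additional information" that the policy requires to be kept separately; the example also shows why an unkeyed hash of a low-entropy identifier does not qualify as pseudonymisation.

```python
"""Keyed pseudonymisation of personal data records (added example, not policy text).

The pseudonym is HMAC-SHA256(key, context || identifier). Without the key (and the
re-identification table) the pseudonymised set cannot be attributed to a person;
with them, a data subject can still be found, e.g. to answer an access request.
All records and identifiers below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Fields that directly identify a person and must not appear in the pseudonymised set.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")

# Constructed sample records (fictitious people).
SAMPLE_RECORDS: List[Dict] = [
    {"employee_id": "E1001", "name": "Ana Pop", "email": "ana.pop@example.com",
     "department": "Sales", "training_hours": 12},
    {"employee_id": "E1002", "name": "Ion Mihai", "email": "ion.mihai@example.com",
     "department": "IT", "training_hours": 30},
]


def make_key() -> bytes:
    """256-bit secret key. Store it separately from the pseudonymised data (e.g. in a KMS)."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str, context: str = "hr") -> str:
    """Deterministic keyed pseudonym.

    The context string separates processing activities, so the same person receives
    unlinkable pseudonyms in e.g. HR analytics and payroll even under the same key.
    """
    msg = context.encode() + b"\x00" + identifier.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """What NOT to do: a plain hash of a low-entropy identifier (trivially reversible)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise(key: bytes, records: List[Dict], context: str = "hr") -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split records into a pseudonymised set and a separately stored re-identification table."""
    pseudonymised: List[Dict] = []
    table: Dict[str, Dict] = {}
    for rec in records:
        pid = pseudonym(key, rec["employee_id"], context)
        table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudonymised, table


def reidentify(table: Dict[str, Dict], pid: str) -> Optional[Dict]:
    """Attribute a pseudonym back to a person; only possible with the separately kept table."""
    return table.get(pid)


def dictionary_attack(target: str, pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker without the key: enumerate the small employee-ID space and compare hashes."""
    for n in range(10000):
        candidate = f"E{n:04d}"
        if pseudonym_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    key = make_key()
    data, lookup = pseudonymise(key, SAMPLE_RECORDS)
    print("pseudonymised:", data)
    print("re-identified:", reidentify(lookup, data[0]["pid"]))
    print("unkeyed hash recovered as:", dictionary_attack(unkeyed_pseudonym("E1002"), unkeyed_pseudonym))
    print("keyed pseudonym recovered as:", dictionary_attack(data[1]["pid"], unkeyed_pseudonym))
```

Destroying the key and the table turns the pseudonymised set into anonymous data, which is one way to implement erasure under the storage-limitation principle without rewriting every downstream copy.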

10. DATA PROTECTION CONTROL

Compliance with data protection directives and applicable data protection laws is regularly verified through data protection audits and additional controls.

The results of data protection audits must be notified to management.

11. DATA PROTECTION INCIDENT

Every employee must immediately inform the Data Protection Officer of any breach of this Data Protection Policy or of other rules for the protection of personal data (data protection incidents). The notification can be sent by e-mail to dpo@rhein-vision.com, for example in cases of:

  • illegal transmission of personal data to third parties,
  • illegal access by third parties to personal data or
  • loss of personal data

Notifications within the company must be made without delay so that existing reporting obligations for data protection incidents can be fulfilled in accordance with national law.

Notification of the supervisory authority in the event of a personal data breach

Where a personal data breach occurs, the controller shall notify it to the supervisory authority competent in accordance with Article 55 GDPR without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, it must be accompanied by the reasons for the delay.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The notification to the supervisory authority shall at least:

(a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide all of this information at the same time, it may be provided in phases without undue further delay.

The controller shall document all personal data breaches, including the facts relating to the breach, its effects and the remedial action taken. This documentation shall enable the supervisory authority to verify compliance with these requirements.

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall in addition communicate the breach to the data subjects concerned without undue delay (Article 34 GDPR).

12. RESPONSIBILITIES AND SANCTIONS

Management is responsible for the processing of personal data in accordance with the directive.

It is therefore obliged to ensure that legal data protection requirements (e.g. national reporting obligations) are complied with.

In the event of data protection checks by authorities, the Data Protection Officer must be informed immediately.

Management has appointed a data protection officer. The data protection officer may carry out checks and must familiarise employees with the content of the data protection guidelines. Management is obliged to support the data protection officer in this task.

Management must ensure that employees are informed to the necessary extent about data protection. Inappropriate processing of personal data or other violations of data protection legislation have legal consequences in many countries and may lead to claims for damages. Violations for which individual employees are responsible may lead to disciplinary action.

13. DATA PROTECTION OFFICER

As a specialised internal function, the data protection officer ensures compliance with data protection regulations and is responsible for monitoring that compliance. The data protection officer informs management immediately of data protection and data security risks.

Any affected person may contact the data protection officer with suggestions, questions, requests for information or complaints regarding data protection or data security issues. Requests and complaints are treated confidentially upon request.

14. IMPLEMENTATION

This document must be accessible to all persons concerned.