Privacy and Personal Data Protection Policy of Casa Noastra SRL

Introduction

Thank you for your interest in our company, our products and / or services. When you start a partnership of any kind with us, you entrust us with your personal data.

The purpose of this Privacy Policy is to explain what kind of data we process, the reasons we process it and what we do with it. We take care of our clients’ privacy and we never sell lists that contain emails or other personal data. Being fully aware that personal information belongs to you, we do our best to safely store and process them carefully. We do not provide information to third parties without informing you.

This information is important. We hope you read it carefully.

This note informs you of the personal information we process about you in relation to our organization. In collecting this information we act as an operator and by law we are obliged to provide you with information about us, the reason and the way we use your data and the rights you have on your data.

 

Other Services

This Privacy Policy does not cover third party apps and sites that you can access by linking to our website (such as Facebook, Google+, YouTube). This goes beyond our control. We encourage you to review the Privacy Policy on any site and / or application before providing personal data.

 

Who we are?

CASA NOASTRA SRL, known as the QFORT brand, is a company headquartered in Pieleşti, Calea Bucureşti, no. 113, Dolj County, having registration number J16 / 857/1995 and fiscal code RO7510066 (hereinafter referred to as “CASA NOASTRA” or “Company”), e-mail office@qfort.ro, phone number 0251.439.532, responsible for processing your personal data that we collect directly from you or from other sources.

For your data to be processed safely, we have made every effort to implement reasonable measures to protect your personal information.

Casa Noastra complies with the EU General Regulation on the Protection of Personal Data no. 2016/679 (hereinafter referred to as “GDPR”) and national legislation.

 

Who are you?

According to the legislation in force, as the recipient of our services, or a person in any kind of relationship with our company (such as our client, our potential customer, the site visitor), you are “a target person”, an identified or identifiable individual. In order to be completely transparent with regard to data processing and to allow you to easily exercise your rights at any time, we have implemented measures to facilitate communication between us, the data operator and you, the data subject.

 

Objectives

This data protection policy ensures:

  • Compliance with data protection legislation and practices at this level;
  • Protection of the rights of the data subjects, such as partners, clients, employees;
  • How to store and process personal data of individuals;
  • Protect the company and personal data from possible risks of data breach.

 

Reference documents

The regulation (EU) No. 679/2016 describes how companies – including CASA NOASTRA SRL must process personal data. These rules apply regardless of whether the data is stored electronically, on paper, or on other media.

To be consistent with the legislation, personal information must be collected and used legally, fairly, transparently, appropriately and limited to the purpose of collection and must be stored securely.

 

Definitions

There are a total of 26 definitions listed in the GDPR. These include the most relevant definitions for this policy:

Personal data – any information about an identified or identifiable individual (“the data subject”);

The person concerned – an identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific elements, of its physical, physiological, genetic, psychic, economic, cultural or social identity;

Processing – any operation or set of operations performed on personal data or on personal data sets with or without the use of automated means such as collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Operator – individual or legal person, public authority, agency or other organization which, alone or with others, determines the purposes and means of processing personal data; where the purposes and means of processing are laid down by European Union or national law, the operator or the specific criteria for designating it may be laid down in Union or national law;

Person authorized by the operator – individual or legal person, public authority, agency or other body processing personal data on behalf of the operator.

 

Principles of processing personal data

There are a number of fundamental principles on which the processing of personal data is based on the GDPR Regulation.

Personal data are:

  • processed legally, fairly and transparently to the data subject (“legality, fairness and transparency”);
  • collected for specified, explicit and legitimate purposes and not subsequently processed in a manner incompatible with these purposes; further processing for purposes of archiving in the public interest for purposes of scientific or historical research or for statistical purposes is not considered incompatible with the original purposes in accordance with Article 89 (1) (“purpose limitations”);
  • appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
  • accurate and, where necessary, updated; all necessary steps must be taken to ensure that personal data which are inaccurate, in the light of the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • stored in a form that permits the identification of the data subjects for a period not exceeding the time required for the purposes for which the data are processed; personal data may be stored for longer periods to the extent that they will be processed solely for purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) subject to the application of the appropriate technical and organizational measures provided for in this Regulation in order to guarantee the rights and freedoms of the data subject (“storage limitations”);
  • processed in a way that ensures the adequate security of personal data, including protection against unauthorized or unlawful processing and against loss, destruction or accidental damage by taking appropriate technical or organizational measures (“integrity and confidentiality”).

CASA NOASTRA SRL will ensure that it complies with all these principles both in its current processing and as part of the introduction of new processing methods such as new IT systems.

 

Our Commitment

Protecting your personal information is very important to us. That is why we are committed to complying with European and national legislation on the protection of personal data, in particular Regulation (EU) 679/2016, also known as GDPR, and the following principles:

Legality, fairness and transparency

We process your data legally and correctly. We are always transparent about the information we use, and you are properly informed.

Control belongs to you

Within the limits of the law, we offer you the opportunity to examine, modify, delete the personal data that you have shared with us and exercise your other rights.

Data Integrity and Purpose Limitation

We use the data only for the purposes described at the time of collection or for new purposes compatible with the original ones. In all cases, our goals are compatible with the law. We take reasonable steps to ensure that personal data is accurate, complete and up-to-date.

Security

We have implemented reasonable security and encryption measures to help protect your information. However, it notes that no website, application or internet connection is completely secure.

 

Changes

We may change this Privacy Policy at any time. All updates and changes to this Policy apply immediately upon notice, which we will make by displaying on the site and / or by email notification.

 

What are the legal basis for personal data processing?

Your data processing can be based on:

  • signing and executing a contract (establishing your identification and billing information, the address where the installation will be done);
  • the legitimate interest of the Operator (customer satisfaction questionnaires, management of the agreement for commercial purposes)
  • the consent of the person concerned (such as the transmission of marketing communications, cookies)
  • the legal obligation of the Operator (for example, reports and information to public authorities);
  • the defence and / or the exercise of a right in court;
  • the steps to conclude the employment contract;

For the conclusion or performance of a contract or for the application of certain measures, at your request, before the conclusion of a contract, we need some personal data to fulfil contractual obligations (invoicing, delivery, installation, customer service) and / or compliance with the legislation, such as accounting legislation.

As far as data processing for marketing purposes is concerned, the legal basis for the processing of personal data is your agreement, which you can withdraw at any time, as outlined in this document.

Please note that in certain circumstances, if you do not provide us with the above data, we will not be able to provide our services and products as your data is necessary for the conclusion of the contract, invoicing, installation, etc.

 

What kind of personal data do we process about you?

As we apply the minimization principle, we are committed to collecting only those data that are really needed. We hereby inform you that personal data that the Company processes are personal data that we collect from you or from other sources, such as:

  • identification data, for example: first and last name, home / residence address, personal numeric code, unique identification code, serial number and identity card number, passport serial number / passport for non-resident or other data with identification function;
  • financial data (e.g., bank account).
  • contact details (fixed / mobile phone number, e-mail address, mounting address), and other personal data (CVs, medical certificates, diplomas, skills, studies).

These data are required for activities such as: preparation of the offer, execution, modification or termination of the Contract, remedy of possible non-compliance, receipts and payments in bank accounts, resolution of complaints.

We may also collect data through cookies or other similar technologies, such as IP address, internet browser, location, web pages you visit on our site. For more information on using cookies, you can access our Policy at https://qfort.com/use-of-cookies/.

 

For what purposes do we collect the personal data?

CASA NOASTRA collects personal data for the following purposes:

General Operations

We collect personal data to conduct business with individuals or legal entities (such as organizing work visits at the company’s headquarters for partners, agencies, etc.)

Response to Target Person Requests

The person concerned provides personal data, including name, e-mail address or other contact information when contacted by phone, e-mail, mail, or using our digital platforms. This personal information allows us to respond to inquiries about CASA NOASTRA products, details of measurements and price offers for fitting CASA NOASTRA products, to set up a service visit, or to respond to complaints under CASA NOASTRA guarantee policy. The information provided may be sent to CASA NOASTRA or to other CASA NOASTRA commercial representatives, independent installers or distributors in order to assist clients in their requests or to provide services or a price offer.

Customers and potential customers

We may collect personal data of customers and potential clients including names and surnames, contact information, payment information and credit cards, credit information, and other information that is required to conduct our business with that individual or organization. This information may be disclosed to distributors and logistics partners in order to process a customer’s order, including in order to determine the delivery of our products to our customers or to respond to requests.

Business development

The personal information provided by the Individual and the personal information we collect on our digital platforms will be used to increase the level of understanding of our customers and to ensure relevant communication in all aspects of your relationship with our CASA NOASTRA (QFORT). Personal data will also be used to develop new products and services or to improve existing ones.

Surveys of customers and visitors

We may collect personal data from visitors to our digital platforms or from our customers for the purposes of processing surveys on our products and services. Your personal data will not be used for marketing communications without your consent.

Potential employees or contractors

When a person signs up to occupy a position at CASA NOASTRA or concludes a contract with us, we can collect certain personal data such as name, contact information, job history information, study diplomas, relevant reviews files and information on professional interests. They may be collected directly from the person concerned, from a recruitment consultant and from the previous employer of the person or other persons, including references and sources made public. This information is used to inform or assist us in making the decision to make an offer of employment or to conclude a contract with that person.

In order to comply with the law

We may collect personal data in accordance with the requirements or permissions of the applicable law, such as the provision of your personal information to the police, the courts and other authorized bodies of the State, on the basis of and within the limits of the legal provisions, and following explicit requests.

Other purposes we process the data are the following:

  • to answer questions and requests;
  • for marketing purposes, but only if we have your prior consent;
  • to offer and improve the services and products we offer;
  • to diagnose or fix technical issues;
  • to defend against cyber-attacks;
  • for creating and / or maintaining accounts;
  • for finding or claiming a right in court;

 

No automatic decision-making process

We do not make automated decisions with legal or other similar effect on you, but to the extent that this will change in the future, we will inform you accordingly and allow you to exercise all legal rights.

 

To whom do we submit your personal data?

In order to always ensure the quality of our products and services, we have constant partnerships with various suppliers to which we can transmit your data, which they process either as authorized agents or as associated operators, and in the latter case they are directly responsible for complying with the legislation in the field of personal data protection.

We are continually making reasonable efforts to ensure that these third parties have implemented appropriate safeguards and security measures. With these third parties (empowered persons) we have contractual terms so that your data is protected.

The categories of recipients of personal data can be:

  • suppliers of products and / or subcontractors of the Operator for the performance of the Contract (e.g. PVC joinery supplier);
  • IT solutions providers (such as Google Analytics, e-mail marketing vendors -Mailchimp,)
  • sales agents;
  • resellers;
  • independent experts subcontracted by the Operator to evaluate and remedy any product and / or assembly nonconformities;
  • companies providing postal / courier services;
  • payment service providers;
  • market research / customer satisfaction studies;
  • public authorities (ANAF, Ministry of Public Finance, National Authority for Consumer Protection);
  • court or arbitral tribunals and competent authorities to investigate criminal offenses;
  • other Subcontractors of the Operator (Travel Agencies, Hotels);

We could also share your data with business partners as a result of a joint effort to offer a product or service.

Although unlikely, we may sell the business or part of the business in the future, which will include the transfer of your data.

We may also transmit the data to other parties with your consent or instructions (for example, when you direct us to transmit your personal data to third-party platforms or websites, such as social media pages or where we handle a request data portability).

We will also be able to provide your personal information to the police, the courts and other authorized institutions of the State, on the basis of and within the limits of the legal provisions and as a result of expressly formulated requests

We will ensure, within reasonable limits that your data do not leave the European Economic Area, but as we transfer data to non-EEA countries, we will ensure in all cases that transfers are legitimate based on your consent explicit or otherwise legal basis. For example, as mentioned above, we may send data to the US through Google Analytics and Mailchimp platforms, but these providers are included in Privacy Shield and your data is safe, under European law. For more information, please visit https://policies.google.com/privacy and https://mailchimp.com/legal/privacy/.

 

How long do we store personal data?

The company does not have a “We keep everything” approach. This is neither practical nor cost-effective nor does it comply with the storage limitation principle set out in Regulation (EU) 679/2016. However, some personal data will be kept, among other things, because it forces us to enforce the law or protect our commercial interests. Among the reasons, we mention:

  • Litigation;
  • Compliance with the law;
  • Protecting intellectual property;
  • Protecting business secrets;
  • Survey on security incidents.

In order to determine the period for which the data will be processed, we take into account the contractual duration until the contractual obligations and the archiving deadlines, both legal and domestic. Also, in order to exercise and defend our rights in the case of a legal procedure, the 3-year general limitation period is also included in the calculation of the storage period.

Customers’ personal data: 10 years from signing the contract, during the warranty period. After this period, the data will be deleted or anonymized for historical, statistical or research purposes.

Personal Data of Potential Customers: 3 years from bidding. After this period, the data will be deleted or anonymized for historical, statistical or research purposes.

Personal data of jobseekers: 3 years from the interview. After that time, the data will be deleted or anonymized for historical, statistical or research purposes.

Employee personal data: 3 years after the termination of the employment contract, except for employment contracts (75 years) and payroll (50 years). After this period, the data will be deleted or anonymized for historical, statistical or research purposes.

Accounting documents: 10 years. After this period, the data will be deleted or anonymized for historical, statistical or research purposes.

Data from business partners or external collaborators: 10 years after termination of the contract. After this period, the data will be deleted or anonymized for historical, statistical or research purposes.

Data processed for direct marketing: until withdrawal of consent. After this period, the data will be deleted or anonymized for historical, statistical or research purposes.

Other personal data will be kept for as long as required by law, and in the absence thereof for a period of 3 years from the last interaction of any kind with the data subject.

 

Data processing for direct marketing purposes

We may only use your personal data with your consent and at your request to inform you of our operations, products, services, promotional offers and other news. However, if you are already our client, we may transmit to you, pursuant to law no. 506/2004, offers on similar goods and services offered by our company, but you have in all cases the right to oppose and then the commercial communications will cease. As long as you do not want to receive further information, you can easily unsubscribe from our marketing communication at any time. For this, please send an email to unsubscribe@qfort.com with the subject UNSUBSCRIBE. If you unsubscribe from our marketing communications, we will delete your personal information within 30 days if these data are not processed for other purposes as specified in this document.

 

What are your rights?

The right of withdrawal of consent

The person concerned has the right to withdraw consent if it is the legal basis for the processing of his or her personal data (if the processing is not based on any other legal basis, such as the contract, legal obligation, legitimate interest, vital interests or public interest).

Before we give up processing the personal data of the person concerned, we will verify that we have no other legal basis on which to process the data. If we do not have another legal basis, we will respond to the request. We will not tacitly migrate from consent to another legal basis, but we will ensure in all cases that the additional basis has been established in the first place. If processing concerns the personal details of a minor (defined by the GDPR as a person under 16), the grant or withdrawal of consent must be authorized by the holder of the parental responsibility.

Most of the time, consent and withdrawal of consent will be available electronically, online.

Regardless of the decision we will make, we will inform you accordingly within a reasonable time.

The right to information

When personal data is collected from the data subject or obtained from another source, we have an obligation to inform the data subject about the use of this data and the rights thereon.

The right of access

The person concerned has the right to request the Company a confirmation that the personal data are being processed and, if so, has the right to obtain a copy of this data as well as the following information:

  • Purposes of processing;
  • Categories of personal data concerned;
  • Recipients or categories of data recipients, if any, in particular any third country or international organization;
  • The storage period of personal data (or the criteria used to determine that period);
  • The rights of the person concerned to rectify or erase his or her personal data and to restrict or oppose the processing;
  • The right of the person concerned to file a complaint with a supervisory authority;
  • Information on the source of the data, if not directly from the data subject;
  • If personal data are subject to automated decisions, including the creation of profiles and, if so, the logic of that decision or profiling and the possible consequences involved;
  • Where the data is transferred to a third country or to an international organization, information on the applicable safeguards.

We will not be able to respond to such a request when the claim is manifestly unfounded or excessive, or when we are in a position of legal confidentiality.

The right to rectification

If personal data is inaccurate, the data subject is entitled to request the correction and completion of incomplete personal data on the basis of the information he provides.

If necessary, the Company will take additional steps to verify that the information provided by the person is correct before making the change.

The right of removal (“the right to be forgotten”)

The person concerned has the right to request the Company to delete without delay the personal data concerning it in the following cases:

  • personal data are no longer required for the purposes for which they were collected or processed;
  • the data subject withdraws his consent on the basis of which the processing takes place and there is no other legal basis for the processing;
  • the data subject opposes the processing and there are no legitimate reasons for the processing;
  • personal data has been processed illegally;
  • personal data must be erased in order to comply with a legal obligation incumbent upon the operator under Union or national law to which the operator is subject;
  • personal data has been collected in connection with the provision of information society services to children;

The company will have to make a decision on such a request. Deleting data will not occur if:

  • the data are necessary for the exercise of the right to free expression and information;
  • data are required to meet a legal obligation;
  • for reasons of public interest in public health;
  • for purposes of archiving in the public interest;
  • to establish, exercise or defend a right in court;

The right to Restrict Processing

The person concerned may exercise the right to restrict processing in the following situations:

  • the data subject contests the accuracy of the data for a period that allows the operator to verify the accuracy of the data;
  • processing is illegal and the data subject opposes the deletion of personal data, but instead calls for restrictions on their use;
  • the operator no longer requires personal data for processing, but the data subject requests them to find, exercise or defend a right in court;
  • the data subject opposed the processing in accordance with Article 21 (1) of the GDPR Regulation for the period of time to verify that the legitimate rights of the controller prevail over the data subject’s privacy;

If a restriction request is received, it will be checked to see if it falls into one of the above cases.

If data is restricted, it will remain stored but cannot be processed without the consent of the person. They may be processed for the purposes of establishing, exercising or defending a right in court or for the protection of the rights of another natural or legal person or of a major public interest of the Union or of a Member State.

In all cases, the data subject who has obtained the restriction of processing is informed by the operator before lifting the processing restriction.

The right to data portability

The data subject has the right to require personal data to be provided in a “structured, machine-readable and commonly used format” (Article 20 of the GDPR Regulation) and to transfer the data to another party, for example another services provider. This applies to personal data for which the processing is based on the consent of the data subject, on the legal basis of the contract or when the processing is carried out by automated means.

Where technically feasible, the data subject may also require personal data to be transferred directly from one operator to another. At present, CASA NOASTRA does not have technology for direct portability from one operator to another, but we are doing reasonable diligence to implement it.

The right to opposition

The data subject has the right to oppose the processing that is based on the legitimate interest of the operator or a third party or on the public interest.

Once the objection has been made, the Company must justify the reasons on which the processing is based and suspend the processing until the decision has been taken. The company no longer processes personal data unless it demonstrates that it has legitimate and compelling reasons justifying the processing and which prevails over the interests, rights and freedoms of the data subject or that the purpose is to establish, exercise or defend a right in court.

If personal data is used for direct marketing, the Company will cease processing.

Rights related to automated decisions, including profile creation

The person concerned has the right not to be the subject of an automatic decision, including the creation of profiles where the decision has a significant or legal effect on it. The person concerned also has the right to express his / her point of view, to request human intervention and to challenge the decision.

There are exceptions to this right, which are where the decision:

  • It is required for the conclusion or performance of the contract;
  • It is authorized by national or European law;
  • It is based on the explicit consent of the person concerned;

Right to lodge a complaint with ANSPDCP;

The right to appeal to justice.

Please note that:

  • You can withdraw your consent to direct marketing at any time by following the unsubscribe instructions in each email / text message or other electronic message.
  • If you wish to exercise your rights, you can do so by submitting a written request, signed and dated to our Data Protection Officer at dpo@casanoastra.ro.
  • The rights listed above are not absolute. There are exceptions, so each request received will be analysed so that we can decide whether it is founded or not. To the extent that the application is well founded, we will facilitate the exercise of your rights. If the application is ungrounded, we will reject it, but we will inform you of the reasons for the refusal and the rights to file a complaint with the Supervisory Authority and to address the law.
  • We’ll try to respond to the request within 30 days. However, the deadline may be extended depending on different aspects such as the complexity of the application, the large number of requests received or the impossibility to identify yourself within a useful time.
  • If, although we make every effort, we fail to identify you, and you do not provide us with additional information in order to identify you, we are not required to comply with the request.

 

Integrity and confidentiality of personal data

The security, integrity, and confidentiality of your personal data are especially important to us. We have implemented technical, administrative, and physical security measures to protect your unauthorized personal access, disclosure, use and modification data. At certain intervals, we review our security procedures to include appropriate new date technologies and methods.

We also inform you that any person acting under the authority of CASA NOASTRA who has access to personal data will process the data only to the Operator’s instructions.

However, no computer mechanism offers total security, a risk element that always exists, a risk that is independent of our will and / or possibilities. The security of this site may be subject to vulnerabilities and, as such, for such situations, we cannot be held responsible for any breach of security.

 

Changes in privacy policy

Occasionally, we may modify this Privacy Policy to update our processing changes such as adopting new technologies, changing industry practices, complying with the new legal requirements. On our platforms you will always find the latest version. All updates and changes to this Policy apply immediately upon notice, which we will make by displaying on the site and / or by email notification. In situations where we are bound by law, we will ask for your agreement.

CASA NOASTRA reserves the right to modify this Privacy Policy at any time, but within the limits of the applicable legal, domestic and community law.

This privacy statement and privacy policies here are not intended to create contractual or other legal rights or on behalf of any party.

 

Questions, requests and exercise of rights

If you have any questions or concerns regarding the processing of your information or wish to exercise your legal rights or any other privacy concerns, you may contact our data protection officer at dpo@casanoastra.ro. We will try to respond to the request within one month. However, the deadline may be extended depending on various aspects, such as the complexity of the application, the large number of requests received or the impossibility to identify yourself within a useful time. When submitting a request, we may request additional information for your identification. This information differs on a case-by-case basis, and to ensure that your personal information is not disclosed to unauthorized persons, we will take all measures to identify you. If, although we make every effort, we fail to identify you, and you do not provide us with additional information in order to identify you, we are not required to comply with the request.

 

Additional information

This website is owned and operated by QFORT through the company CASA NOASTRĂ SRL.

This Privacy Policy was last updated in July 2018.