Privacy policy
PO IT and T and C A D It is C A N F and D It is N T and A IT and T A yourself
Information document on the processing of personal data, prepared in accordance with Regulation (EU) 2016/679 (hereinafter referred to as "GDPR")
Through this " Confidentiality Policy ", KA&MA TRADING SRL assumes proactive responsibility for the protection of personal data, permanently ensuring compliance with European and national standards.
1. Introduction
1.1 This Privacy Policy sets out the legal framework on how KA&MA TRADING SRL (“Company”, “Operator”, “We”) collects, uses, transfers and protects personal data, in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), as well as applicable national legislation (Law 190/2018 on implementing measures for Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [General Data Protection Regulation]).
1.2 The main purpose of the document is to ensure transparency, compliance and effective protection of the rights of data subjects, in the context of the processing of personal data by KA&MA TRADING SRL, in all its activities, regardless of the capacity in which the data is processed (client, contractual partner, employee, collaborator, etc.).
1.3 The policy applies to all customers, contractual partners, employees and other individuals who interact with KA&MA TRADING SRL.
2. Operator Identification and Contact Details
2.1 Personal data controller: KA&MA TRADING SRL , with registered office in Str. Riga, no. 4, loc. Moșnița Nouă, Timiș County, registered with the Trade Register under no. J35/105/2011, tax code RO27921414.
2.2 Contact details for exercising rights (indicated in point 8) and requests regarding the processing of personal data:
· postal address: str. Riga, no. 4, loc. Moșnița Nouă, Timiș County
· email: office@bestsleep.ro
3. Categories of Personal Data Processed
3.1 Depending on the relationship with the data subject, KA MA Trading processes the following categories of personal data:
· identification data: name, surname, identity card/passport series and number, home address/residence, citizenship, gender, date of birth.
· contact details: telephone number, email address, postal address.
· professional data: professional and/or social experience, education and training, skills, information from CV and cover letter, interview results.
· financial data: bank account number.
· technical data: IP addresses, browser type, operating system, internet provider, device used, pages and files accessed, cookies and similar technologies.
· data regarding website activity: location, duration of visit, pages accessed.
· consent data: choices expressed for marketing communications.
· other data: any other information voluntarily provided through forms, correspondence or direct interactions.
2.3 Processing of personal data in the context of employment relationships :
In accordance with the provisions of art. 5 of Lg. 190/2018, in the case where they are used video surveillance means at the workplace, KA MA Trading processes employees' personal data exclusively for the purpose of achieving legitimate interests and in compliance with the following conditions:
· the legitimate interest pursued is thoroughly justified and prevails over the interests or rights and freedoms of employees.
· mandatory, complete and explicit prior information of employees was provided.
· the employee representative was consulted before the introduction of monitoring systems.
· The duration of storage of personal data is proportional to the purpose of processing, but not longer than 30 days, except for situations expressly regulated by law or in duly justified cases.
4. Purposes and Legal Grounds of Data Processing
4.1 Personal data are collected and processed strictly for the purposes determined in point 4.2, explicit and legitimate, in accordance with art. 5 para. (1) letter b) GDPR and will not be further processed in a manner incompatible with these purposes.
4.2 The processing of personal data is carried out in the context of:
· conclusion and execution of contracts [ art. 6 para. 1 lit. b) GDPR]: management of contractual relationships with customers, partners, collaborators, employees, including recruitment, order processing, invoicing, delivery of products/services.
· fulfillment of legal obligations [art. 6 para. 1 letter c) GDPR]: archiving, accounting, reporting to authorities, compliance with legal requirements.
· consent of the data subjects [art. 6 para. 1 lit. a) GDPR]: sending commercial and marketing communications, promotional campaigns, other activities for which explicit consent is required.
· legitimate interests [art. 6 para. 1 letter f) GDPR]: ensuring information and infrastructure security, preventing fraud, protecting the rights and interests of the Company, optimizing services, internal control and audit.
4.3 For the conclusion and execution of service and partnership/collaboration contracts, the following types of personal data are mainly processed: name, surname, ID card/passport series and number, gender, home/residence address, bank account number, e-mail address, phone number, IP addresses, operating system used, type of browser from which you access our sites or control panels, internet provider, pages
4.4 In the context of personnel recruitment, we process the following types of personal data: name, surname, address, date of birth, citizenship, gender, phone number, e-mail address, data regarding professional and/or social experience, education and professional training, skills and other personal data that emerge from the information contained in the CV and the letter of intent submitted, and, where applicable, following discussions during the job interview.
4.5 In order to complete and submit the contact form ("Contact") and order form ("Order") on the website www.bestsleep.ro (hereinafter "the website"), we process the following types of personal data: name, surname, email, telephone number, address and, where applicable, other data if left at the initiative of the data subject.
4.6 For website visitors, we may collect data through cookies or other similar technologies, such as: IP address, internet browser, location, web pages accessed on our website, time spent on the website, internet network, device used.
For more details in this regard, see the Cookie Policy – https://www.bestsleep.ro/pages/politica-confidentialitate (see on the website)
4.7 We do not use personal data to send marketing communications, such as newsletters, unless you expressly consent to such communications by checking a box to that effect.
In this regard, we only process your: email, first and last name and we ensure that you have a simple option to unsubscribe at any time, respectively to withdraw your consent to receiving these types of communications.
4.8 In the case of processing of special categories of data (art. 9 GDPR: " reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation "), an additional basis will be provided, according to art. 9 para. (2) GDPR, as well as according to the strict interpretation of the derogations given by the CJEU.
4.9 Data will not be processed for purposes incompatible with those mentioned above.
5. Data Recipients and International Transfers
5.1 Any transfer of data to third countries or international organizations shall only be carried out in strict compliance with Articles 44-49 of the GDPR. The transfer shall only take place if there are adequate safeguards and enforceable rights for the data subjects.
5.2 Personal data may be communicated to the following recipients, exclusively within the limits imposed by law:
· Public authorities and institutions, based on a legal obligation or to defend the legitimate rights of KA MA Trading (consultants, lawyers).
· Contractual partners and collaborators, for the development of contractual relationships or the provision of services. The list of entities to which we provide your information is as follows: EuPlatesc, Google, Microsoft, CloudFlare, DIGITALCLOUDER SERVICES SRL, ROTLD, Meta (/Facebook, Instagram), TikTok, Courier company responsible for transporting the order (Dragon Star, Fan Courier, Sameday).
List of authorized operators:
|
Company |
Service |
|
EuroPayment Services |
Online Card Payments |
|
Google Analytics |
Analytics: Control panel. Anonymous data reporting. |
· Other third parties, exclusively based on the express and timely consent of the data subject.
5.3 The list of recipients may be subject to change, and the Policy will be updated accordingly.
6. Data Storage Period
6.1 The duration of data storage will be established in accordance with art. 5 para. (1) letter e) GDPR (“ storage limitation ”), as well as legal obligations to archive or retain certain documents.
6.2 Personal data are retained for the period necessary to achieve the purposes for which they were collected, respecting the applicable legal criteria and deadlines (e.g. archiving deadlines, accounting records, legal prescriptions) as required:
a) The accounting data and registers (accounting/fiscal records, invoices, orders) regarding the commercial activity of KA MA Trading, to the extent that they contain personal data, will be kept for a (legal) period of 5 years calculated from June 1 of the year following the end of the financial year in which these documents were drawn up/issued.
b) employee data and records, payroll used by KA MA Trading, to the extent that they contain personal data, will be kept for a (legal) period of 5 years.
c) Personnel files, to the extent they contain personal data, will be kept for a (legal) period of 75 years.
d) the data (email addresses, telephone numbers, mailing addresses) used in marketing campaigns, the holding of events (commercial) for the purpose of promoting KA MA Trading products, regardless of their format (physical and/or online) will be kept for the duration of those campaigns/events or series of campaigns/events with the possibility of extending the retention period until at the latest when that product/products are no longer part of KA MA Trading's commercial portfolio.
e) the data (e-mail addresses, telephone numbers, correspondence addresses) used by KA MA Trading in business relations with customers, suppliers, collaborators or other third parties will be kept for a period at least equal to that indicated in point a) or b) if their keeping is in connection with the actions referred to in point a) or b) or for a period exceeding the periods in point a) or b) in the event of administrative and/or judicial procedures that exceed the period in point a) or b), but no later than 5 years from the final conclusion of those administrative and/or judicial procedures (this last term takes into account the limitation period in civil or fiscal matters).
After these deadlines expire, the data will be deleted, anonymized or destroyed securely.
6.3 Where KA MA Trading has made personal data public and is obliged, in accordance with point 6.2, to erase them, taking into account available technology and the cost of implementation, it will take reasonable steps, including technical measures, to inform controllers processing the personal data that the data subject has requested erasure by such controllers of any links to those data or of any copies or reproductions of those personal data.
7. Security Measures
7.1 KA&MA TRADING SRL implements appropriate technical and organizational measures, in accordance with art. 32-34 GDPR, to ensure a level of security appropriate to the risks.
7.2 The Operator implements appropriate technical and organizational measures to ensure the security and confidentiality of personal data, including:
· Methods and technologies for securing information systems and communications.
· Internal procedures regarding data access, control and audit.
· Training and coaching of staff on data protection.
· Periodic evaluation and updating of security measures to prevent unauthorized access, loss, destruction or unauthorized disclosure of data.
· Collaborating with providers that comply with similar data protection standards.
8. Rights of Data Subjects
8.1 In accordance with Chapter iii of the GDPR, data subjects have the following rights:
· Right of access to personal data held: the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed [art. 15 GDPR] .
· Right to rectification of inaccurate or incomplete data: the data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her [Art. 16 GDPR].
· Right to erasure (“ right to be forgotten ”) under the conditions provided by law: The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase personal data without undue delay. The right to erasure of personal data applies to the following situations: (i) the data are no longer necessary for the purposes for which they were collected or processed; (ii) the data subject who has given consent to the processing of the data withdraws this consent or objects to the further processing of these data; (iii) the personal data were collected in connection with the provision of information society services [art. 17 GDPR].
· Right to restriction of processing : the data subject has the right to obtain from the controller restriction of processing if: (i) the data subject contests the accuracy of the data, for a period enabling the controller to verify the accuracy of the data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iv) the controller no longer needs the personal data for the purposes of the processing, but the data subject requests them for the establishment, exercise or defence of legal claims; (v) the data subject has objected to the processing, for the period of time during which it is verified whether the legitimate rights of the controller override those of the data subject [art. 18 GDPR].
· Right to data portability to another controller : the data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and has the right to transmit these data to another controller without hindrance from the controller to whom the personal data were provided [Art. 18 GDPR].
· Right to object to processing for marketing purposes or on the basis of legitimate interest : the data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions, based on Article 6(1)(e) or (f) GDPR. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims [Article 21 GDPR].
· The right not to be subject to a decision based solely on automated processing, including profiling : the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her [art. 21 GDPR].
· Right to file a complaint: to the National Supervisory Authority for Personal Data Processing (“ANSPDCP”) or to address the competent courts:
9. Contact Methods and Procedure for Exercising Rights
9.1 To exercise any right provided for by the GDPR, data subjects may submit a written, dated and signed request to the postal address or addresses mentioned below:
· email: office@bestsleep.ro
· postal/courier address: Str. Riga, no. 4, loc. Moșnița Nouă, Timiș County
9.2 KA MA Trading will analyze and respond within the legal deadline, in compliance with art. 12 para. (3)-(4) GDPR.
9.3 For further clarifications, you can also contact ANSPDCP at ansdpdc@dataprotection.ro, B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania, telephone: +40.318.059.211.
10. Policy Changes and Updates
10.1 This Privacy Policy may be reviewed and updated periodically to reflect changes in legislation, internal practices or services provided.
10.2 Any change will be published on the website www.bestsleep.ro , taking effect from the date of posting, in compliance with the legal requirements regarding the information of the data subjects.
10.3 It is recommended to periodically consult the Policy to be aware of any updates.
10.4 For further details, it is recommended to consult the following normative acts and case law decisions:
· Regulation (EU) 2016/679 (GDPR).
· Law No. 190/2018 on measures to implement the GDPR.
· Case C-131/12, Google Spain v. EDPS and Mario Costeja González.
· Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.
· Case C-13/16, Rīgas Satiksme.
· Case C-136/17, GC and others;
· Case C-287/22, SCHUFA Holding AG.
· Case C-634/21, SCHUFA Holding AG.
· Case C-340/21, National immigration agency.
Do you need help?
You can send us a message using the form below:
Featured in:
Several national publications that talked about us.
