certME - Privacy Policy

Privacy Policy regarding the processing of personal data for the issuance and usage of a certME electronic identification means

CERTSIGN S.A., headquartered in Bucharest, District 4, 107A Olteniței road, Building C1, Floor 1, room 16, registered at the Trade Register under no. J40/484/2006, CUI 18288250, Telephone: (+40) 311 011 870, E-mail: hello@certme.ro, (hereinafter referred to as “certSIGN”) as a personal data controller processes your personal data in order to issue and enable use of the certME electronic identification means, in accordance with the provisions of Regulation (EU) 2014/910 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS), the provisions of Implementing Regulation (EU) 2015/1502, and in accordance with Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR") and other provisions of Union or national law relating to data protection and remote electronic identification using video means.

Your personal data is processed in the context of the contract concluded between you and us ("Terms and conditions for the use of the certME application and certME electronic means of identification") regarding your use of the means of identification provided through the certME application.

Contact details of the certSIGN Data Protection Officer:

Section 1. Purpose and basis of personal data processing

The purposes of processing your personal data are:

a) Issuance and usage of an electronic identification means ("EIM"), in accordance with the provisions of Regulations (EU) 2014/910 and 2015/1502, which you can use when purchasing products or services, in order to identify yourself in relation to suppliers who accept authentication / registration with the certME means of identification, according to Article 6 (1) (b) of the GDPR.

To use the electronic identification means through the certME application, certSIGN, either directly or through our partners (generically called "Identity Validators"), will process your personal data in order to create an electronic identity, which is a numerical representation made using the proprietary certME solution. The list of certME Identity Validators can be found online at www.certme.ro.

This numerical representation allows the validation of your identity at the request of a service or product provider in relation to which you will use the certME identification means and only if you want this validation. The list of Service Providers or products enrolled in the certME platform can be found online at www.certme.ro.

b) Your identity proofing and verification, as a user of EIM in order to issue, suspend, revoke and reactivate certME EIM, according to art. 6 (1) (c) of the GDPR, in conjunction with Regulation (EU) 2014/910 and art. 2.1.2 of the Annex to Regulation (EU) 2015/1502;

c) Taking screenshots of your identity document and image in case of your remote identification by video means according to art. 6 (1) (a) of the GDPR and art. 16 (1) of the Norms of the Authority for the Digitization of Romania regarding the regulation, recognition, approval or acceptance of the remote person identification procedure using video means approved by the Decision of the Authority for the Digitization of Romania no. 564/2021 (ADR Norms);

d) Your unique identification through the processing of biometric data, respectively the processing of the facial image transposed into biometric data, in case the identification was made by video means, according to art. 6 (1) (a) and art. 9 (2) (a) of the GDPR;

e) Recording the video session in case the identification is done remotely by video means in accordance with art. 6 (1) (a) of the GDPR, using this method of identifying yourself in order to obtain a certME EIM carried out with your consent;

f) Your authentication in relation to the Service Providers or products enrolled in the certME system, according to Article 6 (1) (b) of the GDPR;

g) Suspension, revocation and reactivation of the certME EIM, in accordance with Article 6 (1) (b) of the GDPR;

h) Technical support provided by certSIGN to you, the Service Providers or products or the Identity Validator in the use of the certME system, according to Article 6 (1) (b) of the GDPR;

i) Ensuring the continuity of the certME service, according to art. 6 (1) (c) of the GDPR, in conjunction with art. 8 para. 3 of Regulation (EU) 2014/910 and the Annex to Regulation (EU) 2015/1502;

j) Ensuring the security of systems and databases, according to art. 6 (1) (c) of the GDPR, in conjunction with art. 8 para. 3 of Regulation (EU) 2014/910 and the Annex to Regulation (EU) 2015/1502;

k) Demonstrating/proving the creation and use of the electronic identification means, in conjunction with Regulation (EU) 2014/910 and the Annex to Regulation (EU) 2015/1502;

l) Compliance with the legal obligations of certSIGN (e.g. transmission of information representing personal data at the request of the competent state authorities, auditing or verifying the processes related to the issuance, suspension, revocation and reactivation of certME EIM), according to Article 6 (1) (c) of the GDPR;

m) Prevention and/or identification of fraud, according to art. 6 (1) (c) of the GDPR in conjunction with the eIDAS Regulation;

n) Data storage, including a copy of the identity document, according to art. 6 para. (1) lit. (c) GDPR in conjunction with eIDAS Regulation and Regulation (EU) 2015/1502, as well as with art. 16 paragraph (2) and art. 22 of the ADR Norms;

o) The transmission of newsletters, promotional materials, marketing communications, commercial offers or any other relevant information regarding certSIGN products and services, in case you have given your consent in this regard according to art. 6 (1) (a) GDPR, or for pursuing the legitimate interests of certSIGN to inform you about similar services, according to art. 6 para. (1) lit. (f) of the GDPR;

p) To pursue the legitimate interests of the Data Controller or a third party, such as, where appropriate, the internal reports of the controller, managing contracts or supporting accounting documents, resolving complaints, or defending the rights of the Data Controller in the event of a possible dispute, according to art. 6 para. (1) (f) of the GDPR.

The legal bases for data processing operations refer to Article 6 (1) (a), (b), (c) and (f) of the GDPR and Art. 9 (2) (a) of the GDPR, as detailed above.

Section 2. The categories of personal data we process

For the purposes mentioned above, certSIGN will process the following categories of personal data, as applicable:

Identity data is taken over and processed through the certME system, in encrypted form. Also, the identity data from the certME mobile application is stored only on your device and controlled only by you.

The certME system does not store your identity data, only non-personal data, namely references: encrypted codes generated by the certME applications. These references cannot be used to reverse the process by which they were generated in order to learn the personal data from which they were created.

The processing of the biometric data mentioned above involves obtaining and comparing biometric templates from the photo of the identity card and the photo of your face and is done through the VideoID application (https://www.signicat.com/products/identity-proofing/id-document-and-biometric-verification).

The biometric template is the digital reference of the distinct features that were extracted from a biometric sample. Biometric templates are used during the video identification process. Basically, what is compared is not the photos (of your identity card and of your image obtained in the video session), but the biometric templates of the two photos.

Section 3. Using the personal data and the consequences of not supplying them

The processing of personal data is mainly necessary for the issuance of certME EIM and for its use in your relationship with the Service or Product Providers. The personal data are thus necessary to identify you for the issuance of the certME EIM.

The personal data mentioned above are processed directly by certSIGN or with the help of other data controllers we associate with (Identity Validators and Providers of services or products) in order to identify you for the purpose of issuing and using certME EIM, in compliance with art. 26 of the GDPR.

CertSIGN may also process personal data for the purpose of your identification in order to issue certME EIM and through authorized persons who provide adequate guarantees, in accordance with art. 28 of the GDPR. Such persons may be legal entities to whom we will outsource the activity of identity verification or providers of the identification solution by video means.

The refusal to provide the necessary data leads to the impossibility of issuing and using the certME EIM.

If you do not agree with the processing operations of your data involved in the remote identification of the person using the video means referred to in Section 1 (c) to (e), you can go to the headquarters of certSIGN or an Identity Validator to obtain a certME EIM by way of in-person/physical (face-to-face) identification with an Agent of the Data Controller.

Section 4. Duration of personal data processing

Personal data processed for the purposes mentioned above will be stored for the entire period of validity of the means of identification, plus 10 extra years to demonstrate/prove the creation and use of the electronic identification means. The basis for storing data for a period of 10 years from the end of the validity of the electronic identification means is art. 6, para. 1, let. f) of the GDPR, i.e. the legitimate interest of certSIGN to be able to demonstrate/prove the creation and use of the electronic identification means.

The data may be processed after this date, when there is a legal obligation or a legitimate interest in this regard.

References resulting from the processing of data by the certME system will be stored indefinitely. These references may in no way lead to the personal data from which they were created/derived.

Please note that biometric data is not stored and is automatically deleted as soon as the result of the comparison operation described in Section 2 above on data categories has been generated.

If your remote identification by video means is rejected, the personal data within the recording of the video-audio session shall be kept for a period of 3 years from the date of recording for the purpose of documenting the reasons for rejection for internal records, for future external controls/audits, in accordance with the provisions of the ADR Norm, as well as in the event of a possible dispute.

If the user does not complete the identity verification procedure for issuing a certME EIM, their data will be deleted after a period of 48 hours.

Section 5. Recipients of personal data

Your personal data may be disclosed: to you for the exercise of your rights under the GDPR, to the auditors for the performance of the audit obligations to which certSIGN is subject, to the supervisory body under applicable law, to public authorities and institutions under legal obligations, to lawyers to represent us in the event of a dispute or for consulting, and to certSIGN's contractual partners for the purposes mentioned above (such as: courier companies, video identification service providers or maintenance and support service providers).

Section 6. Data transfer outside the European Union

certSIGN does not transfer your personal data outside the European Union / European Economic Area.

Section 7. The rights of the data subject

As a data subject, you have the following rights under the General Data Protection Regulation (art. 13 – 22 of the GDPR):

You, as the data subject, also have the right to withdraw your consent at any time, to the extent that the data processing operation is based on your consent, without affecting the lawfulness of the processing carried out on the basis of the consent before its withdrawal (Article 7 (3) of the GDPR).

At the same time, we inform you that you have the right to contact the National Authority for the Supervision of Personal Data Processing - ANSPDCP for the protection of any rights granted by the applicable legislation in the field of personal data protection, which have been violated and to appeal to the competent courts.

To exercise these rights provided by Art. 13-22 and Art. 7 (3) of the GDPR, you can address a written request, dated and signed, sent to the certSIGN Personal Data Protection Department:

If you submit a request regarding the exercise of your rights under personal data protection legislation, you will receive a response within a maximum of 30 days, under the conditions provided by the GDPR.