PERSONAL DATA PROCESSING NOTICE

CERTSIGN SA, headquartered in Bucharest, Sector 4, Șos. Olteniței, no. 107A, Building C1, Floor 1, room 16, registered at the Trade Register under no. J40 / 484/2006, CUI 18288250, Telephone: (+40) 311 011 870, E-mail: hello@certme.ro (hereinafter referred to as “certSIGN”), as a personal data processing operator processes your personal data in accordance with EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”) and other provisions of Union or national law relating to data protection.

Your personal data is processed in the context of the contract concluded between you and us (“Terms and conditions for the use of the certME application and certME electronic means of identification”) regarding your use of the means of identification provided through the certME application.

Purpose and basis for the processing of personal data

certSIGN processes your personal data for the purpose of creating and using (including suspending, revoking / reactivating) an electronic means of identification, in accordance with the provisions of Regulations (EU) no. 910/2014 and 1502/2015, which you should use when you want to purchase products or services, to identify yourself in relation to their suppliers who accept authentication / registration with the certME means of identification.

To use the electronic identification means, through the certME application, our partners (generically called “Identity Validators”) will process your personal data in order to create an electronic identity, which is a numerical representation made using the proprietary certME solution. The list of certME Identity Validators can be found online at www.certme.ro.

This numerical representation allows the validation of your identity at the request of a service or product provider in relation to which you will use the certME means of identification and only if you want this validation. The list of service providers or products enrolled in the certME platform can be found online at www.certme.ro.

To create and use the electronic means of identification, certSIGN will process your personal data for the following secondary purposes:

  • verification of your identity as a user of the electronic means of identification;
  • your authentication in relation to the suppliers enrolled in the certME system;
  • technical support provided to you, the Supplier of products and services or the Validator by certSIGN in the use of the certME system;
  • ensuring the continuity of the certME service;
  • demonstration / testing of the creation and use of the electronic means of identification.

The legal basis for data processing for the purpose of creating and using (including suspending, revoking / reactivating) a means of electronic identification is art. 6 para. (1) lit. b) of the GDPR, namely steps taken at the request of the data subject before concluding a contract or executing the contract to which the data subject is a party.

The legal bases of data processing for the secondary purposes mentioned above are art. 6 para. (1) lit. c) of the GDPR, namely the legal obligation of certSIGN as issuer of the means of identification and validator of identity in accordance with EU Regulation 910/2014 and EU Regulation 1502/2015, as well as art. 6 para. (1) lit. b) of the GDPR, namely steps taken at the request of the data subject before concluding a contract or executing the contract to which the data subject is a party.

certSIGN, Identity Validators and Providers of services or products (generically called “certME Partners”) jointly process the references resulting from the processing of personal data, in compliance with art. 26 of the GDPR.

The categories of personal data we process

For the purposes mentioned above, certSIGN will process the following categories of personal data:

  • Name and surname
  • Name and surname at birth
  • Date of birth
  • Place of birth
  • Sex
  • Home address
  • Period of validity of the identity document (date of issue and date of expiry)
  • Residence address
  • CNP
  • How to verify identity
  • Copy of identity card
  • Email or phone
  • References – encrypted codes generated by the certME validation application, the certME mobile application, and the Service and Product Provider application
  • The IP address of the phone from which requests are made to the certME server
  • The manufacturer and model of the phone on which the certME mobile application is installed
  • Phone operating system (iOS or Android)
  • Phone registration token for notifications (shared with Firebase FCM – Google)
  • Logs

Identity data is retrieved through the certME system (which does not contain personal data) by the certME validation application. Also, the identity data from the certME mobile application is stored only on your phone and controlled only by you.

The certME system does not store your identity data, but only non-personal data, namely references – encrypted codes generated by the certME mobile application installed on your phone and by the certME validation application. Codes encrypted by the certME system cannot be used to reverse the process by which they were generated so that the personal data on which they were created can be known.

Providing data and the consequences of non-compliance

Your refusal to provide the data listed above (in whole or in part) makes it impossible to create the electronic identifier and for you to use the electronic means of identification.

Duration of personal data processing

Personal data processed for the purposes mentioned above will be stored for the entire period of validity of the means of identification, plus 10 years to demonstrate / prove the creation and use of the electronic means of identification. The basis for storing data for a period of 10 years from the end of the validity of the electronic means of identification is art. 6 para. (1) lit. f) of the GDPR, namely the legitimate interest of certSIGN to be able to demonstrate / prove the creation and use of the means of electronic identification.

The data may be processed after this date, when there is a legal obligation or a legitimate interest in this regard.

References resulting from the processing of data by the certME system will be stored indefinitely. These references may not in any way lead to the personal data which formed the basis for their creation.

Transmission of personal data for the purposes of processing

Your personal data may be disclosed to the following categories of recipients:

  • you, for the exercise of your rights under the GDPR,
  • the auditors, for the performance of the audit obligations to which we are subject,
  • certSIGN contractual partners to achieve the above objectives,
  • the supervisory body in accordance with the applicable law,
  • public authorities and institutions on the basis of public law obligations,
  • lawyers to represent us in the event of a dispute or for advice,
  • in any other situations justified with your prior notice, but only for the purpose of fulfilling the purposes mentioned above.

Data transfer outside the European Union

certSIGN does not transfer your personal data outside the European Union. As an exception, references – encrypted codes generated by the certME system – are stored on a globally distributed public blockchain infrastructure.

The rights of the data subject

As a data subject, you have the following rights under the General Data Protection Regulation:

  • Right to information: the right to be informed about the identity and contact details of the controller, of certME Partners as certSIGN associate operators and of the Data Protection Officer, the purposes for which the data are processed, the categories of personal data data subjects, the recipients or categories of recipients of the data, the existence of the rights provided for by the legislation on the protection of personal data for the data subject and the conditions under which they may be exercised.
  • Right of access to data: the right to obtain confirmation that personal data concerning you are processed or not by certSIGN.
  • Right to rectification: the right to obtain the rectification of inaccurate data concerning you, as well as the completion of incomplete data. If you request the rectification of the data that formed the basis for the issuance of the electronic means of identity, the electronic means of identity will be revoked and another means of identification with the new data will be issued, if you wish.
  • The right to restrict processing if you dispute the accuracy of the data for the period during which the operators verify the data. In this case, the electronic means of identification shall be suspended or revoked. 
  • The right to delete data when your data is no longer necessary for the purposes for which it was processed or when the data must be deleted in order to comply with a legal obligation incumbent on certSIGN, except for references – encrypted codes generated by the certME system – which will not be deleted. These references may not in any way lead to the personal data which formed the basis for their creation. 
  • The right to portability of the data you have provided to us.
  • The right to oppose, for reasons related to your particular situation, the storage of data for a period of 10 years from the date of expiry of the means of electronic identification, storage based on the legitimate interest of certSIGN.
  • The right to address the ANSPDCP for the protection of any rights guaranteed by the applicable legislation in the field of personal data protection, which have been violated.

To exercise these rights, you can address a written request, dated and signed, sent to the Department of Personal Data Protection certSIGN:

  • email address: dpd@certsign.ro  
  • fax: (+4021) 3119905 
  • Bd. Tudor Vladimirescu, no. 29A, AFI Tech Parc 1 building, et. 2, Bucharest, sector 5.

If you submit a request regarding the exercise of your rights regarding the protection of personal data, you will receive a response within a maximum of 30 days, under the conditions provided by the GDPR.