
Personal data protection policy

  1. Introduction

Montrepcom S.R.L. fully understands the scope and the consequences of the new Regulation 2016/679, applicable from 25 May 2018, and is committed to protecting the rights of natural persons and to processing their personal data safely, in accordance with its legal obligations.

We process personal data about our employees, clients, contractors and other people for various purposes, in order to keep our business running smoothly.

This policy establishes how we protect personal data and ensures that our employees understand the rules governing the use of data and act with care when carrying out their tasks. It also requires employees to consult their manager or a designated person before initiating any personal data processing activity.

 

Definitions

Purposes

Montrepcom S.R.L. may use personal data for the following purposes:

- Contractual relationships with employees, clients, contractors.

Our business objectives include:

- complying with all legal obligations under the latest national and European regulations;

- cooperating with ANSPDCP;

- operational activities, such as recording transactions, quality management, keeping data commercially confidential, security checks, and evaluating and reviewing the methods used to carry out tasks;

- investigating requests and complaints;

- ensuring safe working practices, monitoring and reviewing our employees’ access to all systems and facilities provided by the company, and managing staff absences;

- monitoring staff conduct and handling disciplinary matters;

- business marketing;

- improving our services.

Personal data

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

The law protects personal data regardless of the technology used for processing that data – it is technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR. We collect personal data such as: name, phone number, address, studies, financial data, and details regarding certifications, education, aptitudes, marital status, citizenship, job title and CV.

Particularly sensitive data

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.

Data operator

“Data operator” (controller) means any person, public authority, agency or other body that may process personal data.

Personal data processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Supervising Authority

Data Protection Authorities are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws. There is one in each EU Member State. In our country, the authority is ANSPDCP.

Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal data breach

A data breach occurs when the data for which your company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity.

 

  2. Purpose

This policy applies to all staff of Montrepcom S.R.L., who must be familiar with it and comply with its terms.

This policy also complements our other policies and procedures. All technical and organizational measures taken to comply with Regulation 2016/679 must be reviewed and updated regularly.

 

  3. Principles

Montrepcom S.R.L. respects all personal data protection principles established by the 2016/679 Regulation. Thus, personal data should be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

  4. Accountability and transparency

We must ensure accountability and transparency in all personal data processing and be able to demonstrate that we comply with each principle listed above. We are responsible for keeping a clear record of every data processing activity under our responsibility; this record must be kept up to date and approved by the general manager.

We have decided to take technical and organizational measures in order to demonstrate compliance. The people we work with, our employees and partners, must understand their role in our work in order to meet the following data protection obligations:

- correctly implementing all technical and organizational measures appropriate for the company;

- maintaining up-to-date documentation of every activity that involves processing personal data;

- data protection impact assessments;

- data minimisation;

- pseudonymisation;

- transparency;

- allowing natural persons to monitor the processing of their data;

- creating and continually improving security and confidentiality procedures.

 

  5. Useful information

  5.1. Lawful and fair data processing

We must process personal data lawfully and fairly, in accordance with the rights of natural persons. In general, this means that we must not process personal data without a legal basis. If no legal basis applies, the processing would not comply with the first principle and would be unlawful. Natural persons have the right to have any unlawfully processed personal data erased.

  5.2. Operator vs. person empowered

Montrepcom S.R.L. is both a data operator (controller) and a person empowered (processor), as defined in Regulation 2016/679. As a person empowered, we must comply with our contractual obligations and act on documented instructions issued by the data operator. If, in any circumstance, we determine the purposes and means of data processing ourselves rather than following the operator’s instructions, we are considered an operator; we would then be in breach of the agreement signed with the operator that provided the data and bear the same responsibility as an operator. As a person empowered:

- we must not subcontract an activity without written authorization from the operator;

- we must ensure the security of processing;

- we must keep a clear record of processing activities;

- we must notify the operator of any data breach;

- we must respect the purposes and instructions provided by the operator.

 

  5.3. Legal basis for data processing

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

  3. processing is necessary for compliance with a legal obligation to which the controller is subject;

  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;

  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

a. Consent

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. These are some of the most important rules of obtaining and managing consent:

- consent must be expressed in a clear and specific way; implicit methods of expressing consent (e.g. a pre-ticked box) are not lawful;

- consent must be unconditional; providing a service to a person cannot be made conditional on his/her consent (otherwise the consent would not be freely given);

- consent must be requested separately from other terms and conditions or any other documents;

- consent must be documented and we must keep proof of it; the operator must be able to prove who gave the consent, when it was given, how it was given and what information was provided at the time;

- the data subject has the right to withdraw his/her consent at any time (also called “the right to be forgotten”), and the operator must provide an easy and quick withdrawal procedure.

b. Contractual basis

Processing is necessary to conclude or perform a contract between the company and the data subject.

Data processing is lawful if:

- we have a valid contract that requires the processing of personal data;

- in the pre-contractual phase, at the data subject’s request, personal data must be processed in order to conclude a contract.

Data processing cannot rely on the contractual basis if:

- we must process data about a person other than the one with whom we are concluding the contract;

- the initiative to conclude the contract belongs to the operator or to a third party.

 

c. Legal obligation

We have a legal obligation (independent of any contract) to process personal data, such as registering individual employment contracts in REVISAL, completing Declaration no. 112, etc.

Processing on this basis presupposes a legal rule that applies to the operator. Processing imposed by an administrative decision or court order can likewise only be justified by the need to comply with a legal obligation.

d. Vital interests

Data processing is necessary to protect the data subject’s life or for a medical issue.

e. Public interest

Data processing is necessary to perform a task carried out in the public interest or in the exercise of the operator’s official authority.

f. Legitimate interest

Data processing is necessary for the legitimate interests pursued by the operator or a third party, except where these are overridden by the rights and interests of the data subject.

Legitimate interest is the most flexible basis for data processing, so its use must be carefully calibrated. It can be used only when the processing as a whole has minimal impact on the data subject.

To fall into this category, data processing must pass three tests:

  1. legitimate purpose test – the operator must pursue a legitimate interest (its own or a third party’s); the interest may be commercial, professional or of a much wider scope;

  2. necessity test – the processing must be proportionate and limited to what is needed to achieve the legitimate purpose; if the interest cannot be achieved by less invasive processing, this basis cannot be used;

  3. balancing test against the data subject’s interests – the processing must be predictable for the data subject and must not cause him or her harm.

 

  5.4. Which legal basis should we choose?

When evaluating the legal basis, we must first establish that the processing is strictly necessary. This means that the processing must be adequate and targeted to achieve the declared purpose. We will analyze whether the same purpose could be achieved by other methods.

We will consider the following factors:

- What is the purpose of the data processing?

- Could it reasonably be done in a different way?

- Do data subjects have a real choice about whether their data is processed?

- Who benefits from the processing?

- Is the selected legal basis the one the data subject would expect?

- What is the impact of the processing on the data subject?

- Are the data subjects vulnerable?

- Is it likely that data subjects would object to the processing?

- Can we stop the processing at any time on request, and have we considered how to do that?

Our commitment to the first principle requires us to document the process and to show that we have analyzed which legal basis best applies to our processing purpose.

We must also ensure that the data subject is informed of both the legal basis and the purpose of the processing. This must be done by written notice.

 

  5.5. Special categories of personal data

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.  These are some examples of sensitive personal data:

- race;

- ethnic origin;

- political opinions;

- religious opinions;

- trade union membership;

- genetic data;

- biometric data;

- health history;

- sexual orientation.

In most cases that require sensitive personal data, we will request the subject’s consent. Any consent of this kind must identify the relevant data, the reasons for processing it and the people to whom we will provide the information.

 

  6. Responsibilities

  6.1. Responsibilities of Montrepcom S.R.L.

- analyzing and documenting the types of personal data that we hold;

- verifying procedures to make sure that data subjects’ rights are respected;

- identifying the legal basis for personal data processing;

- implementing and reviewing procedures to detect, report and investigate data breaches;

- storing data in secure locations;

- analyzing risks to identify how individuals’ rights and freedoms could be affected if data were compromised.

 

  6.2. Responsibilities of employees

- fully understanding their duties regarding data protection;

- verifying that any data processing is justified and complies with the policies and procedures approved by Montrepcom S.R.L.;

- not using personal data unlawfully;

- storing data correctly and understanding the importance of proper storage in order to avoid breaching data protection law;

- raising any concern, reporting errors and reporting any suspicious activity without delay.

 

  6.3. Responsibilities of the IT Manager

- ensuring that all systems, services, software and equipment meet accepted security standards;

- regularly checking and scanning hardware and software components to make sure they are working properly;

- evaluating services provided by third parties, such as cloud services the company intends to use to store or process data, or video surveillance services.

 

  6.4. Responsibilities of the Procurement Manager

- forwarding to the general manager/DPO any questions or requests concerning data protection raised by clients or providers;

- coordinating with the DPO to make sure that every marketing initiative complies with data protection rules and the company’s data protection policy.

 

  7. Accuracy and relevance

We will ensure that all personal data we collect are accurate, adequate, relevant and not excessive in relation to the purpose for which they were collected. We will not process personal data if the person has not consented to it and no legal or contractual obligation requires it.

  8. Data security

We protect personal data against loss and misuse. If we transmit data to persons empowered (processors) in order to fulfil certain obligations, we verify that they comply with Regulation 2016/679 and can offer protection against data breaches. Montrepcom S.R.L. has therefore established agreements with persons empowered that set out their tasks and responsibilities.

  9. Personal data storage

If data is stored on paper, it must be kept in a safe place, away from unauthorized personnel.

Paper-stored data must be destroyed once they are no longer necessary.

Computer-stored data must be protected with strong passwords that are changed regularly. Data stored on CDs or memory sticks must be encrypted or password-protected and locked away when not in use.

Servers containing personal data must be kept in a secure location, away from the general office space.

Data must be backed up according to the company’s backup procedures.

Data should not be saved directly on mobile devices such as laptops, tablets or smartphones.

Every server containing sensitive data should be approved and protected by security software.

Every possible measure must be taken to keep data safe.

 

  10. Personal data retention

We must not store personal data longer than necessary. How long is necessary depends on the circumstances and on the reasons for which the data were obtained.

 

  11. Rights of the data subject

Natural persons have rights over their data, which we must respect as far as possible. We must ensure that people can exercise their rights in the following ways:

  11.1. Right to be informed

Provide clear, transparent, accessible and free information written in plain language.

Keep a clear record of how we use personal data to ensure compliance.

  11.2. Right of access by the data subject

Allow natural persons access to their personal data and additional information.

Allow people to know and to verify the lawfulness of processing activities.

If a person requests access to his or her data, we should provide information such as:

- the purposes of the data processing;

- the recipients of their data;

- the categories of data;

- how long the data are stored;

- the existence of any automated decision-making process;

- whether the data may be transferred outside the European Union.

 

  11.3. Right to rectification

We must rectify or complete personal data that are inaccurate or incomplete. This must be done without delay and no later than one month (extendable to two months).

 

  11.4. Right to erasure (right to be forgotten)

We must erase personal data if the data subject requests it or if there is no longer any reason to continue the processing.

  11.5. Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;

  4. the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

 

  11.6. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

  11.7. Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

 

  11.8. Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

  12. Confidentiality notification

When should we provide a confidentiality notification?

A confidentiality notification must be provided when personal data are obtained directly from the data subject. Otherwise, the data subject must be informed within a reasonable time after the data were obtained.

If the data are used to communicate with the data subject, the notification must be provided at the latest at the first communication.

If the data may be disclosed to a third party, the notification must be provided no later than the moment of disclosure.

What should a confidentiality notification contain?

Notifications must be concise, transparent, comprehensible and accessible. They must be provided free of charge and written in plain language, especially if they may be addressed to children.

 

The following information must be included:

- contact details of the data operator / DPO;

- the purpose and the legal basis of the data processing;

- the data operator’s legitimate interests;

- the right to withdraw consent at any time, where applicable;

- the categories of personal data used;

- every future recipient of the personal data;

- information about data transfers to other countries and the safeguards applied in case of transfer;

- the data storage period, the criteria used to establish it, and details regarding data erasure;

- the right to lodge a complaint with ANSPDCP and the internal complaint procedures;

- the source of the personal data (if they were not obtained directly from the data subject);

- the existence of any automated decision-making process, including information about how decisions are taken and their consequences for the data subject;

- whether providing personal data is a contractual requirement.

 

  13. Data subject request

 

A formal request by a data subject to a controller to take an action on their personal data is called a Data Subject Request or DSR. The controller is obligated to promptly consider each DSR and provide a substantive response either by taking the requested action or by providing an explanation for why the DSR cannot be accommodated by the controller. A controller should consult with its own legal or compliance advisers regarding the proper disposition of any given DSR.

 

We must provide a document containing the requested information. The document must be provided without delay and within one month of receiving the request. If the request requires more complex processing, the deadline may be extended to two months, and the data subject must be informed of this.

We may refuse to respond to some requests and, if a request is unfounded or excessive, we may charge a fee.

The requested data must not be modified after an access request has been made.

 

Requests regarding data portability

All requested data must be provided in a structured format that can be easily read by a machine. Normally this is a CSV file, but any other suitable format may be used.

How to proceed when the right to erasure is exercised?

We may refuse a data subject’s erasure request in the following situations:

- if erasure would infringe the right to information and freedom of expression;

- if we must comply with a legal obligation or perform a task in the public interest;

- for health or public interest reasons;

- in case of archiving in the public interest, scientific research, historical research or statistics.

If the erased data had been transferred to a third party, that party must be contacted and informed of its obligation to erase the data as well. If the data subject requests it, we should confirm that his or her data have been erased.

 

Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

 

Automated individual decision-making and profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

  14. Third parties

Any data processing by a processor shall be governed by a binding contract setting out various terms and conditions. The following are the mandatory components of a GDPR-compliant data processing contract:

  • Nature of services provided: Define the subject matter, duration, nature and purpose of data processing;

  • Data Constituents: Define the type of personal data and categories of data subjects;

  • Demarcation of responsibilities: Define the rights and obligations of the controller and the processor;

  • Authority: Processor to act on the written instructions of controller;

  • Confidentiality: People involved in data processing to be subjected to confidentiality requirements;

  • Security of processing: Processor to implement appropriate organizational and technical measures for data security;

  • Records of processing activities: Both the controller and the processor must maintain appropriate records pertaining to data processing;

  • Sub-processors: Processors must engage sub-processors only with the prior written consent of controller;

  • Assistance in compliance: Processors must assist controller in facilitating exercise of user data access rights, rights of erasure, security of processing, notification of personal data breaches, data protection impact assessments, audits and inspections;

  • Data Protection Officer (DPO): Processor should appoint a DPO to ensure appropriate implementation and monitoring of GDPR initiatives;

  • Demonstrate compliance: Processor to provide requisite data to the controller to demonstrate compliance under the GDPR.

  15. Criminal offence data

Criminal record

Any verification of a criminal record must be justified by law. A criminal record cannot be obtained on the basis of the data subject’s consent alone. We may not keep a register of criminal record data.

 

  16. Data auditing

Periodic data audits are necessary to manage and mitigate risks. They record the categories of data, how they are stored, how they are used, who is responsible for them, and any other relevant rules or retention periods.

 

  17. Activity monitoring

Montrepcom S.R.L. will review this policy periodically and amend it when necessary. Every violation of the policy must be reported to the general manager. Every employee must comply fully and at all times with this policy.

  18. Training

All employees will be trained on Regulation 2016/679 and any other legal procedures concerning data protection. If an employee’s position changes, he or she will be trained in line with the new duties.

 

  19. Data breach

Montrepcom S.R.L. must continuously apply technical and organizational measures that ensure a data breach is handled correctly. These measures must enable the company to:

- establish immediately whether a data breach has occurred;

- notify the Supervisory Authority where necessary;

- inform the data subjects of the data breach, where necessary.

 

Any violation of the company’s policy and procedures must be reported immediately. Montrepcom S.R.L. has a legal obligation to report any data breach to ANSPDCP within 72 hours.

Every employee has the right to report a failure to comply with personal data law. This allows us to:

- investigate the breach and take remedial action;

- keep a data breach register;

- notify ANSPDCP of any non-compliance.

Any employee who fails to report a data breach, or who suspected a breach but did not report it, will be subject to disciplinary action.

 

Cookies policy

An “Internet cookie” (also known as a “browser cookie”, “HTTP cookie” or simply “cookie”) is a small file made up of letters and numbers that is stored on the computer, mobile phone or other terminal equipment of an Internet user. The cookie is set at the request of a web server to a browser (e.g. Internet Explorer, Chrome) and is entirely “passive” (it contains no software, viruses or spyware and cannot access the information stored on the user’s hard disk). A cookie consists of two parts: its name and its content or value. The lifetime of a cookie is also fixed; technically, only the web server that sent the cookie can access it again, from the moment the user returns to the website associated with that web server.

Users can configure their browser to reject all cookies. Disabling or refusing cookies may make certain sections or pages unavailable or difficult to view and use (for example: filling in online forms or viewing public information videos).
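As an added illustration of the cookie structure described above (its name/value parts, its fixed lifetime, and the rule that only the issuing server's site gets it back), the following Python example was written for this page and is not part of the original policy or of any Montrepcom system. It parses a constructed `Set-Cookie` header with the standard library and checks which hosts a cookie's `Domain` attribute allows to receive it again; the header value, host names and function names are all assumptions made for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample header for this example; not taken from the original page.
SAMPLE_SET_COOKIE = "session=abc123; Domain=example.com; Path=/; Max-Age=3600"


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into the two parts the policy describes
    (name and value) plus the attributes that fix its lifetime and scope."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie in the header")
    (name, morsel), = jar.items()
    max_age = morsel["max-age"]
    return {
        "name": name,
        "value": morsel.value,
        # Empty Domain attribute means a host-only cookie (scope = issuing host).
        "domain": morsel["domain"].lstrip(".").lower() or None,
        "path": morsel["path"] or "/",
        # Lifetime in seconds; None means the cookie ends with the browser session.
        "max_age_seconds": int(max_age) if max_age else None,
    }


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Return True if a browser would send the cookie to request_host.

    Implements the RFC 6265 domain-match rule: the host must equal the cookie
    domain or be a subdomain of it, so 'notexample.com' does not match 'example.com'.
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def hosts_that_receive(cookie: dict, origin_host: str, candidate_hosts: list) -> list:
    """Filter candidate hosts down to those the cookie would be sent back to.

    origin_host is the host that set the cookie; it is the whole scope when the
    cookie carries no Domain attribute (host-only cookie).
    """
    if cookie["domain"] is None:
        return [h for h in candidate_hosts if h.lower() == origin_host.lower()]
    return [h for h in candidate_hosts if domain_matches(h, cookie["domain"])]


if __name__ == "__main__":
    parsed = parse_set_cookie(SAMPLE_SET_COOKIE)
    print(parsed)
    print(hosts_that_receive(parsed, "www.example.com",
                             ["example.com", "www.example.com", "notexample.com", "example.org"]))
```

The `domain_matches` check is what enforces the "only the server that sent the cookie can read it again" property: a cookie scoped to `example.com` is returned to `example.com` and its subdomains, but never to an unrelated site such as `example.org` or to a look-alike host such as `notexample.com`.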
