INFORMATION NOTICE CONCERNING PERSONAL DATA PROTECTION

In accordance with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “EU General Data Protection Regulation” or “GDPR”), as well as the national regulations enacted for the implementation of the EU General Data Protection Regulation, the company Innovative Environmental Oil Refinery SA, part of the KMG Innovative Environmental Oil Refinery Group (hereinafter the “Company”), with its registered office in Romania, registered at the Trade Registry under no. J 13/534/05.02.1991, duly represented by Yedil Utekov, as General Manager, is required to safely process, in good faith and in compliance with the legal provisions in effect, your personal data you supply to us, solely for the specified purposes. 

1. Data Controller: 
Innovative Environmental Oil Refinery SA is a company organised and existing under the laws of Romania, which, as controller, stores in good faith the personal data of its customers in accordance with the regulations in force, in full compliance with the principles of personal data processing for legitimate purposes, pursuant to the EU General Data Protection Regulation, the national regulations enacted for the implementation of the EU General Data Protection Regulation. 

1.    Personal Data

The processed data are:
•    first name and last name,  
•    (domicile / residential) address, phone / fax number, e-mail, 
•    position
•    information regarding purchased services and goods.

2.    Purposes of personal data processing

Such data are processed by the Company for the following purposes:
a)    for marketing direct purposes, by using communication means such as email, sms, fax, phone calls, in order to send newsletters and other commercial communications intended to promote the goods and services to the Controller’s KMG Innovative Environmental Oil Refinery Group, pursuant to point (a) of Article 6 (1) of the EU General Data Protection Regulation, 

b)    your profiling, in order to offer you information regarding standard or customized goods and services from the portfolio of KMG Innovative Environmental Oil Refinery Group entities, by analysing purchased services, transactions and other similar information, pursuant to point (a) of Article 6 (1) of the EU General Data Protection Regulation;

c)    for marketing direct purposes, by using comunication means such as email, sms, fax, phone calls, in order to organise internal and external events, as well as to invite you to attend such events, pursuant to point (a) of Article 6 (1) of the EU General Data Protection Regulation;

d)    for contacting you in order to obtain your opinion on the Controller’s and KMG Innovative Environmental Oil Refinery Group’s services and goods purchased by you, by phone, pursuant to point (f) of Article 6 (1) of the EU General Data Protection Regulation, respectively the legitimate interest of improving the products and services offered to our clients.

e)    for contacting you to fulfil the steps necessary to conclude a potential business relationship with the Controller or another company from KMG Innovative Environmental Oil Refinery Group, pursuant to point (b) of Article 6 (1) of the EU General Data Protection Regulation. 

f)    for performing due diligence activities in case a business relationship will be concluded between the Controller or another company from KMG Innovative Environmental Oil Refinery Group and the company that you are representing, pursuant to point (f) of Article 6 (1) of the EU General Data Protection Regulation, respectively the legitimate interest of entering into business relationship with reliable and integer partners.



3.    Duration of personal data processing


The processing for the purposes mentioned herein (section Purposes of personal data processing) shall take place during the contractual relationship with the Controller, as well as for a period of 1 year from the termination thereof. If you withdraw your marketing direct consent, your data will no longer be processed for this purpose as of the date of the consent withdrawal.


4.    Need for personal data processing


If you do not give your consent to the processing of your personal data for direct marketing purposes or for contacting you in order to present you standard or customized offers or for inviting you to events organised by the Controller or the entities of the KMG Innovative Environmental Oil Refinery Group, pursuant to paragraph 2 above, for which your consent below is necessary, your contractual relation with the Controller will not be affected in any way.

Your objection to the processing of your personal data for the purpose of obtaining your opinion on the services and goods offerred or purchased pursuant to paragraph 2 (e) will not affect in any way your contractual relation with the Controller.

5.    Processors and Data Recipients

Personal data may be transmitted to the data subject, the data subject’s representatives, other companies of the Controller’s group, companies serving fuel stations; advertisers, IT and telecommunications services providers, couriers, advertisers, other contractual partners (e.g. notaries, auditors under a confidentiality obligation in respect of the transmitted data).


The data sent to third parties will be adequate, relevant and limited to what is necessary for the purposes for which they are collected and permitting transmission to a certain third party.


6.    International Transfer
In the event that your data are transferred to other companies from other countries, in order to achieve the purpose of the data processing operation, the safeguards set out at Articles 44-49 of the EU General Data Protection shall be applied.

7.    Right of the data subject

In order to be fully informed, you, as the data subject, have the following rights exclusively in respect of your personal rights, pursuant to the EU General Data Protection Regulation: 

a)    The right to information and access to your personal data,
b)    The right to have your personal data rectified,
c)    The right to be forgotten/to have your personal data erased;
d)    The right to restriction of processing;
e)    The right to data portability 
f)    The right to object to the processing of your data, if your personal data are processed pursuant to point (e) or (f) of Article 6 (1), including profiling based on those provisions, and for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and for the purposes of the legitimate interests pursued by the Controller;
g)    The right not to be subject to an automated decision, meaning that you have the right to request and obtain the withdrawal, cancellation and reconsideration of any decision having legal effects on you, adopted solely based on automated data processing for the purpose of evaluating personality traits, such as your professional skills, trustworthiness, behaviour at the workplace;
h)    The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing or to any competent courts.

All the above rights may be exercised by means of a written signed and dated request transmitted to the Controller’s office located in Navodari, Navodari Boulevard, no. 215, Administrative Building, Constanta County, Romania. For any questions regarding the processing of your personal data, you may contact the Data Protection Officer by sending a letter to the email address: dataprotection@ieoilrefinery.com. 



Any questions regarding the exercise of your data protection rights will be answered by the Controller within 30 days, in accordance with the EU General Data Protection Regulation no. 679/2016.

In addition, you are entitled to withdraw your consent at any time, without effect on the lawfulness of the processing based on such consent prior to the withdrawal thereof.
 
The Data Controller guarantees that your data are processed for legitimate purposes, and that it implements adequate technical and organisational measures to ensure data integrity and confidentiality pursuant to Articles 25 and 32 of the EU General Data Protection Regulation.