G. JPARD’S DATA PRIVACY POLICY

  • Last update: 20 March 2025

1. DEFINITIONS

“GDPR”, “Regulation” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

anonymous data means any data the origin of which or on the basis of which processing has been carried out, but which cannot be associated with any identified or identifiable data subject;

processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law;

processor means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

recipient means the natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether or not a third party. However, public authorities to which personal data may be communicated in the framework of a particular investigation in accordance with Union or national law shall not be regarded as recipients; the processing of such data by those public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;

third party means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she accepts, by a statement or by a clear affirmative action, that personal data concerning him or her are processed;

personal data breach means a breach of security that results, accidentally or unlawfully, in the destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

representative means a natural or legal person established in the Union, designated in writing by the controller or processor, who represents the controller or processor in respect of their respective obligations under the GDPR;

binding corporate rules means the personal data protection policies to be respected by a controller or processor established in the territory of a Member State, with regard to transfers or sets of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or a group of undertakings engaged in a joint economic activity;

supervisory authority means an independent public authority established by a Member State;

DPO – the data protection officer;

DPIA – data protection impact assessment;

transmission means the transmission in any form of personal data for the knowledge and consultation of personal data by one or more parties;

data subject means the natural person to whom the personal data refer;

dissemination/disclosure means making personal data known in any form to one or more parties and also making them available for consultation;

restriction of processing means the marking of stored personal data in order to limit their future processing;

profiling means any form of automatic processing of personal data which consists in the use of personal data to assess certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person.

2. PURPOSE AND SCOPE

2.1. Purpose

This Policy aims to establish the basic principles of personal data processing, the working methodology, as well as rules for Employees to ensure the confidentiality of personal data in the personal data processing operations performed by Jpard Solutions S.R.L. (the “Company” or “Controller” or “Jpard”), in accordance with applicable law.

Respecting the confidentiality of personal data is an obligation of the Controller and its Employees, given the sensitivity of the personal data processed, the right to the protection of personal data and the right to the privacy of natural persons.

The Controller’s employees understand and are fully aware that a breach of the confidentiality of personal data can lead to physical, material or moral harm to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, theft or identity fraud, financial loss, unauthorized reversal of pseudonymization, compromise of reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage caused to the natural person concerned.

2.2. Recipients

The provisions of this Policy are binding on permanent and temporary employees of Jpard Solutions S.R.L., as well as on any other persons who, although not Jpard employees, may be assimilated to dedicated Jpard staff (all of whom are generically referred to in this document as “Employees”).

This Policy will be deemed to be of a general nature and will apply to all processing by Jpard. This document sets out how the personal data Jpard holds and processes in the performance of its business activities will be protected.

If certain privacy issues are found to exist for which this Policy does not provide appropriate guidance, Employees should immediately seek advice from the Data Protection Officer (DPO) or Jpard’s legal representative.

2.3. Scope of personal data

Customer data

The operator processes the following personal data belonging to the customer and/or to the other Data Subjects, as communicated:

(i) by means of the application forms for the provision of the requested service and their annexes;

(ii) by means of the proposal for the conclusion of the contract and its annexes;

(iii) by means of communications sent to Jpard after the date of conclusion of the contract (in written form, in electronic form, in answers given to questions raised by phone by Jpard employees and by other means accepted by the data subject), such as: first name, surname, previous name, pseudonym, gender, address of domicile and residence, date, place and country of birth, personal identification number, serial number and number of identity document/passport, other data of the identity document, other data from the civil status documents, citizenship, signature, data from the driving license/registration certificate, contact details (addresses, telephone numbers, fax, electronic addresses and mobile phone number), profession, place of work, pension file number, military situation, economic and financial situation of the client or, as the case may be, of other Data Subjects.

In some cases, data contained in the criminal record may be requested, including the situation of disputes in which the client is involved, which Jpard needs for the evaluation of the clients and/or the guarantees they present.

The Company may collect and use the personal data of customers and potential customers (e.g. name, age, date of birth, address, residency, email, etc.) to achieve business purposes.

Employee data 

Jpard collects and uses the personal data of its employees (current and former) in the course of the employment relationship, including the obligations arising therefrom, under the law and only for relevant, appropriate and customary purposes. The Human Resources Department will communicate to the Employees information about the reasons and methods of processing the respective data.

Jpard acknowledges and respects the privacy rights of its employees, limiting the collection, access and use of personal data related to employment. Jpard takes additional preventive measures before disclosing any employee’s information to legitimate third parties. Such disclosures can only take place if there is a full understanding that the access and use of the data is limited, and that the data needs to be protected.

3. GENERAL PRINCIPLES

3.1. Organisational solutions

Jpard, as Controller, has adopted the following organizational solutions regarding data privacy:

  • technical aspects of data security are the responsibility of the IT Department and must be managed both on the basis of defined guidelines, processes and procedures, and through controls carried out at the level of information systems;
  • the responsibility for data processing in accordance with this Policy lies with all Employees; Jpard will ensure the necessary organizational measures to implement the provisions of the Data Privacy Regulation and Policy, so that the processing of personal data is carried out in accordance with Regulation (EU) 2016/679;
  • the DPO will train Jpard employees so that they respect the confidentiality of the personal data processed, as well as the mechanisms for ensuring confidentiality;
  • without prejudice to the foregoing, Jpard may – at its discretion, or if provided for by applicable law – appoint a Data Protection Officer who will supervise all personal data processing activities. Regardless of the appointment of the Data Protection Officer, the designation of responsibilities must reflect Jpard’s requirements mentioned above. In all cases, a Data Protection Officer will be appointed when it is mandatory under the Regulation (processing operations requiring regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data);
  • Jpard employees are obliged to comply with the Privacy Policy as well as with the measures for processing personal data, ensuring an adequate level of protection of the data thus processed.

3.2. General provisions

The conduct of Jpard’s current activity involves Employees performing data processing operations that are subject to the following principles:

  • the data must be processed in a lawful, fair and transparent manner;
  • the data must be collected for specified, explicit and legitimate purposes and are not further processed in a way that is incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes;
  • the data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • the data must be accurate and, if necessary, kept up to date; all necessary measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • the data must be kept in a form which permits identification of data subjects for a period not exceeding the period necessary to fulfil the purposes for which the data are processed; personal data will be stored for longer periods to the extent that they will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes;
  • the data must be processed in a way that ensures adequate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organisational measures.

Through the measures adopted, the controller undertakes to implement the technical and organizational measures necessary to ensure the necessary degree of confidentiality and the security of the processing of personal data.

Personal data may be collected, used, retained, transmitted and deleted, respecting the confidentiality of their content, the other rules set out in this Policy and the obligations provided for in the Regulation.

3.3. Security of processing

Ensuring the security of the processing of personal data involves respecting an adequate level of data confidentiality and will be achieved through Jpard’s compliance with technical and organizational measures such as:

  • pseudonymization and encryption of personal data;
  • the ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability of, and access to, personal data in a timely manner in the event of an incident of a physical or technical nature;
  • implementation of processes for testing, evaluating and regularly assessing the effectiveness of technical and organizational measures to guarantee the security of processing.

Jpard will ensure that the above principles are respected. It must also be able to prove compliance with the principles and fulfilment of the obligations arising therefrom.

The employees’ access to the personal data held will be granted on the basis of an appropriate authorization, depending on the group to which they belong and the level of security to which it is assigned. Any Employee/Authorized Third Party/Recipient will have access to the personal data held by Jpard only as a result of the need to use that information and will have the obligation to respect its confidentiality and to comply with the technical and organizational measures so that the processed data is protected. In this regard, the activity of Jpard’s employees may be monitored to verify compliance with applicable personal data protection laws or rules and the data protection policies implemented.

If there is a suspicion of a breach of this Privacy Policy, the incident must be reported to at least one of the following persons:

  • Department manager;
  • The data protection officer.

These persons are obliged to take the necessary measures in accordance with the legal rules or those laid down in Jpard procedures.

4. GENERAL OBLIGATIONS

Jpard is obliged, in carrying out its business activities, to proceed with caution, to comply with the laws of Romania, to protect its customers and other Data Subjects, as well as its own rights and interests.

Jpard works closely with any other entities belonging to Jpard, with affiliated entities, present and future.

Jpard’s employees are obliged to ensure the confidentiality of personal data under the Employment Agreement and this Privacy Policy. Failure to comply with the Privacy Policy or the concluded Employment Agreement may lead to the commencement of disciplinary actions, including the termination of the employment contract.

The Controller reserves all the rights to proceed to the recovery of the amounts of money granted as compensation to a data subject, as a result of non-compliance by the employees with the Privacy Policy. Failure to comply with the confidentiality of the processed personal data may be penalized according to the legal regulations in the field.

Each department within Jpard has the obligation to keep a record (drawing up and updating) of the persons appointed by the company’s management to process the personal data, if the nature of the activities carried out within the Department requires the processing of personal data.

It is the obligation of the Human Resources department to request information from all departments for the purpose of updating personal data at Jpard level.

It is hereby established that Jpard’s management has the power to supervise the processing of data, including the proper functioning of the information systems used in the processing and transmission of personal data. In the exercise of this task, management may ask any Employee for information on data processing and may establish, by working instructions, mandatory rules in the field of data processing.

Any contract concluded between Jpard, as a Personal Data Controller, and a third party, as Processor, will have to include clauses on the confidentiality and processing of personal data in accordance with the Rules.

4.1. Verification of the correctness of personal data

All employees are required to verify the personal data retained by Jpard in terms of the accuracy and completeness of the relevant information and must amend it accordingly. As a general rule, access is limited to data used to identify a person and does not include all the information Jpard retains about the Employee. For example, Jpard may share the performance assessment form and individual outcomes under the development plan, but the overall information of the multi-person advancement plan cannot be shared.

4.2. Personal activities

Jpard’s commitment to respect the Employees’ privacy rights does not constitute permission to perform improper personal activities during the service (e.g. Jpard computers must only be used for business purposes). In addition, in order to ensure the security and protection of its IT systems, the Company has the right to review the communications and information created by the Employees during the activity, to the extent permitted by the legislation in force.

4.3. Refusal to process personal data

Any employee has the right to object to the Human Resources department in connection with the collection, use and disclosure of his or her personal data. Jpard will assess the Employee’s objections, make a decision in accordance with applicable law and communicate its decision to the Employee.

4.4. Submission of information

The Company will transmit data related to its employees and customers to entities belonging to it only if necessary or, if possible, in accordance with applicable law. These entities will take any precautionary measures aimed at ensuring the legality of the communication and observance of the “professional secrecy”.

The transmission to the Controller’s related entities of data relating to Jpard’s customers is permitted, by way of example, in the following cases:

  • When the interests at stake are balanced: transmission is allowed, for the purpose of complying with the anti-money laundering provisions, with regard to data on “reporting suspicious transactions”. Consequently, only Employees appointed to execute anti-money laundering measures have the right to transmit and receive such personal data.
  • Anonymous data (e.g. for statistical purposes or for the purpose of market analysis).

The transmission of data relating to both customers and employees is permitted, by way of example, in the following cases:

  • Where there is the express consent of the data subjects: the consent must be specific and thus strictly related to the object for which that transmission is carried out (e.g. marketing). Consequently, in order for Jpard to ensure that the acceptance has been legitimately granted by the client, it is necessary to verify the content of the information notice sent to the client and the related consent form.
  • Cases that are equivalent to consent: (e.g. conclusion of a contract, legal obligation, legitimate interest of Jpard).

5. SPECIFIC OBLIGATIONS

The processing of personal data is carried out only by Jpard employees who have the necessary competence to carry out such processing. If an employee does not know his degree of access to confidential data, he may consult the manager of the department to which he belongs.

In order to maintain the appropriate confidentiality of personal data, Employees are obliged to comply with the data processing restrictions imposed by Jpard through the implemented Security Policy, depending on the data category and level of access.

Jpard uses appropriate administrative, technical, physical and security measures aimed at:

(i) complying with legal requirements and employment agreements;

(ii) protecting personal data against loss, theft, unauthorised access, use or alteration.

Jpard uses all means necessary to keep personal data accurate, complete and up-to-date.

5.1. Rights of data subjects

The GDPR mainly confers on individuals the following rights:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right of erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • The right related to automated decision making and profiling.

5.2. Transfer

Jpard transfers personal data in accordance with the Regulation; all transfer operations will be done in compliance with the Personal Data Exchange Procedure.

5.3. Retention and erasure of personal data

The retention/storage and deletion of personal data, in order to ensure the confidentiality of data and information, as well as for their safe keeping, within the current activity executed by the employees will be done in compliance with the provisions contained in the Policy for retaining and deleting personal data no. 7.

5.4. Security incident reporting and handling

If an employee comes into contact with information that is not intended for the access group to which he belongs, the information received having a higher or different level of security than the one to which the employee is entitled under the Privacy Policy, the employee is obliged to immediately inform:

  • the Department manager;
  • the data protection officer.

Employees will not comply with any request to transmit/disseminate personal data to individuals who are not employed at Jpard. If the request is made by a data subject, the employee will submit this request to the competent persons within the Human Resources Department in order to proceed to the verification of the submitted request and the elaboration of the response in accordance with the rules of the Regulation.

Employees will not comply with any request for the transmission/dissemination of personal data to one or more other employees before ensuring that the requesters are part of a group with an adequate level of access or that the request is endorsed by the Manager of the department to which they belong.

The concrete way of notifying the Supervisory Authority on Personal Data Protection and informing the data subject in case of a personal data breach, including the activities to be carried out when a security incident occurs, namely the recording of security breaches, the preparation of the notifications and information required by the GDPR, and the workflow for their controlled drafting and dissemination to the Supervisory Authority and the data subjects, is provided for in the Procedure for reporting and handling security incidents no. 6.

6. “CLEAN DESK” RULES

To improve the security and privacy of its information, Jpard has adopted “Clean Desk” rules for computer workstations and printers.

This ensures that all sensitive and confidential information, whether on paper, a storage device, or a hardware device, is properly locked or removed when a workstation is not in use. These rules will reduce the risk of unauthorized access, loss, and damage to information during and outside normal operating hours or when workstations are left unattended. The rules are an important security and privacy control and are necessary for compliance with the GDPR.

These rules apply to all permanent, temporary and contracted staff working in Jpard.

6.1. Rules. Whenever an office is not occupied for a long time, the following rules will apply:

1. All sensitive and confidential documents must be removed from the desk and locked in a drawer or storage cabinet. These include mass storage devices such as CDs, DVDs, and USB drives.

2. All waste paper containing sensitive or confidential information shall be placed in dedicated confidential boxes.

3. Computer workstations must be locked when the office is unoccupied and completely shut down at the end of the working day.

4. Laptops, tablets and other hardware devices must be removed from the desk and locked in a drawer or storage cabinet.

5. Keys for accessing drawers or storage cabinets should not be left unattended at a desk.

6. Printers and faxes must be treated with the same care, namely:

a. Any print job containing sensitive and confidential documents must be collected immediately. When possible, the “Print Locked” function should be used.

b. All documents remaining at the end of the working day will be removed accordingly.

6.2. Compliance. This policy will be formally monitored by the DPO and may include random and planned inspections.

6.3. Non-compliance. Any employee or contractor found to have violated these rules may be subject to disciplinary measures, up to and including termination of the employment contract.

7. “BRING YOUR OWN DEVICE” (BYOD) RULES

Jpard grants employees the right to use personal smartphones and tablets in the workplace. Jpard reserves the right to revoke this privilege if users do not comply with Jpard’s policies and procedures.

These rules are designed to protect the security and integrity of Jpard’s data and technology infrastructure. Limited exceptions to these rules may arise in light of variations in devices and platforms.

Employees must accept the terms and conditions set forth in this policy in order to be able to connect their devices to the Jpard network.

7.1. Acceptable use

Jpard defines acceptable business use as activities that directly or indirectly support the company’s activity. Jpard defines acceptable personal use during company time as reasonable and limited personal communication, such as reading.

The devices may not be used at any time for:

  • the storage or transmission of illicit material;
  • the storage or transmission of information on intellectual property belonging to other companies;
  • harassing others.

Employees can use their mobile device to access the following resources owned by Jpard: email, calendars, contacts, documents, etc.

Jpard has a zero-tolerance policy for sending SMS messages or emailing while driving; only hands-free talking while driving is allowed.

7.2. Devices and media

Smart phones are allowed, including iPhones, Android and Windows phones, etc.

Tablets are allowed, including iPad and Android, etc.

Connectivity issues are resolved by the IT Department; employees should contact the device manufacturer for issues related to the operating system or hardware.

Devices must be presented to the IT Department so that they can be properly provisioned and standard applications, such as browsers, office productivity software, and security tools, can be configured before the devices access the network.

7.3. Security

To prevent unauthorized access, devices must be password protected using the device’s features, and a strong password is required to access the Jpard network.

The company’s strong password policy is: passwords must be at least six characters long and combine uppercase and lowercase letters, numbers and symbols. Passwords will be changed every 90 days, and the new password cannot be one of the previous 15 passwords.

The device must lock with a password or PIN if it is inactive for five minutes.

After five failed login attempts, the device will lock. The IT Department will be contacted to regain access.

Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network.

Smartphones and tablets belonging to employees that are for personal use only are not allowed to connect to the network.

Employee access to Jpard’s data is limited based on user profiles defined by IT and applied automatically.

The employee’s device can be erased remotely if:

1. the device is lost;

2. the employee terminates his employment relationship;

3. IT detects a data or policy breach, virus, or similar threat to the security of Jpard’s data and technology infrastructure.

7.4. Risks. Disclaimers

While the IT Department will take all precautions to prevent the loss of the employee’s personal data in case it needs to remotely erase a device, it is the employee’s responsibility to take additional precautions such as backing up emails, contacts, etc.

Jpard reserves the right to disconnect devices or disable services without notice.

Lost or stolen devices must be reported to Jpard within 24 hours. Employees are responsible for immediate notification after the loss of a device.

Employees must use their devices ethically at all times and comply with Jpard’s acceptable use policy.

Each employee is personally responsible for all costs associated with his or her device.

The employee assumes full responsibility for the risks, including but not limited to the partial or complete loss of Jpard data and personal data due to an operating system error, errors, viruses, malware and/or other software or hardware or programming failures that make the device unusable.

Jpard reserves the right to take appropriate disciplinary action, up to and including termination of the individual employment contract, for non-compliance with these rules.

8. PROCESSORS

Contractual partners/collaborators of the Operator and affiliated entities or other companies that provide complementary services to the Operator’s products and services, such as:

  • entities participating in the negotiation, conclusion or performance of contracts (service and goods suppliers, IT operators, lawyers and other consultants, etc.);
  • entities that ensure the proper functioning of the Operator’s products and services and of all transactions related to its products and services;
  • entities that ensure the security and other types of protection of the information systems of the Operator and of the affiliated entities operating in Romania;
  • entities that research the quality level in order to satisfy the customers’ requirements or that ensure or mediate the offer of the Operator’s products and services;
  • companies that print, manage and/or transmit invoices/returns/notifications;
  • couriers;
  • contact/call-center service providers;
  • archiving and storage companies;
  • consultants, accountants, auditors;
  • persons to whom the rights and/or obligations of the Operator have been transferred;
  • entities ensuring the collection of debts and/or the recovery of assets.

The data transmitted to recipients will be adequate, relevant and not excessive in relation to the purposes for which they were collected.

In order to fulfill its obligations and commitments under the contracts concluded with its clients, as well as to ensure an efficient and professional processing, the Controller may process the Personal Data including through third parties, empowered to do so by the Controller, with whom it will conclude written contracts under the terms of the Regulation (“Powers of Attorney”).

The data processors are obliged to comply with the Controller’s requirements for the safety of processing and to take the necessary technical and organizational measures to ensure the protection of personal data.

By way of example, the following categories of persons may be designated as Empowered persons:

  • archiving and storage companies;
  • companies that print, manage and/or transmit invoices/returns/notifications;
  • couriers;
  • contact/call center service providers.

9. PREVENTIVE MEASURES

Employees understand the danger represented by cyber attacks or social engineering attacks, as well as the repercussions that these attacks may have on the Operator, its employees or the data subjects.

In order to ensure a high standard of security, the Operator organizes training courses on personal data vulnerabilities and the security preventive measures that are adopted in case of cyber-attacks.

The employee will be informed about attacks such as:

  • Phishing: attackers use spam emails to direct victims to websites created by the attackers so that personal data is entered on those websites;
  • Social engineering: malicious manipulation of certain persons by which employees are persuaded to disseminate confidential data;
  • DNS poisoning: Cache poisoning is an attack in which corrupted data is inserted into the cache database of the Domain Name System (DNS) name server. The attacker intends to send duplicate responses from an imposter DNS to redirect a domain name to a new IP address. The new IP address is most likely controlled by the attacker and is used to spread computer worms and other malware.