Data protection is a very important issue for us. Our website and application can be used without providing personal data; however, if anyone wants to use our services, the processing of personal data may become necessary. If processing of personal data is necessary and there is no legal basis or contract for such processing, we generally obtain the consent of the data subject (concerned person).
In order to comply with the provisions of the General Data Protection Regulation (GDPR), we have implemented numerous technical and organizational measures designed to provide the most complete protection of personal data processed through the website and the application. However, the transfer of data over the Internet may, in principle, have security gaps, so absolute protection cannot be guaranteed.
Our data protection policy uses the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). We want our Data Protection Policy to be legible and easy to understand for everyone. In order to achieve this goal, we first explain the terminology used.
In the current protection policy, we use, among others, the following expressions:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (“the data subject”). An identifiable individual is one that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more physical, physiological, genetic, mental, economic, cultural or social factors of that individual.
b) Data subject
The data subject is any identified or identifiable person whose personal data is processed by the data controller or data processor.
c) Processing
Processing is any operation or set of operations that is performed with personal data or personal data sets, whether or not by automatic means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, recovering, consulting, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the selection of stored personal data in order to limit future processing.
e) Profiling
Profiling means any form of automatic processing of personal data consisting of the use of personal data to assess certain personal aspects relating to a person, in particular to analyze or anticipate aspects of the performance of the individual at the workplace, the economic situation, health, personal preferences, interests, behavior, location or travel.
f) Pseudonymization
Pseudonymization is the processing of personal data so that personal data can no longer be attributed to a particular subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that personal data cannot be attributed to an identified or identifiable individual.
g) Operator or controller responsible for processing
The operator or controller responsible for processing is the natural or legal person, public authority, agency or other body which, alone or with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are laid down by Union or Member State law, the operator or the specific criteria for his appointment may be provided by Union or Member State law.
h) Empowered Person – Processor
The empowered person (processor) is a natural or legal person, a public authority, an agency or another body that processes personal data on behalf of the operator.
i) Beneficiary
The beneficiary is a natural or legal person, a public authority, an agency or other body to which personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in an investigation, in accordance with Union or Member State law, are not considered to be beneficiaries; the processing of such data by the respective public authorities must be in accordance with the applicable data protection rules in accordance with the purposes of the processing.
j) Third party persons
A third party is a natural or legal person, a public authority, an agency or a body other than the data subject, the operator, the empowered person and the persons who, under the direct authority of the operator or the empowered person, are authorized to process personal data.
k) Consent
The consent of the data subject is any specific, informed and unambiguous indication of the person’s wishes by which he/she, through a statement or clear affirmative action, accepts the processing of his or her personal data.
2. The principles that govern our privacy and security of personal data policy are the following:
The principles of legality, fairness and transparency. This requires that data subjects’ personal data be processed legally, fairly and transparently.
The purpose limiting principle. It requires personal data to be collected only for specified, explicit and legitimate purposes.
The principle of collecting the minimum data to reach the purpose for which consent was obtained. According to this principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
The principle of maintaining updated data. It ensures that personal data is accurate and up-to-date where necessary.
The principle of storing data strictly during the period for which consent was obtained. This requires that personal data be retained in a form that permits the identification of the data subjects for just as long as the data processing is necessary.
The principle of ensuring adequate data security, so that the data retain their integrity, confidentiality and availability.
The principle of responsibility. The operator is responsible for compliance with the principles listed in Article 5 (1) of the GDPR and must be able to demonstrate compliance.
3. Name and address of the operator, within the meaning of the General Data Protection Regulation (GDPR):
SC Civitronic SRL, str. Gheorghe Doja, no. 11, Timișoara, Timiș county
4. Processed data
| Type of data | Purpose of processing | The basis of processing | Data is transmitted to | Purpose of transmission | Processing time |
|---|---|---|---|---|---|
| | Bidding, contracting, invoice issuing | Contract, tax legislation | Parking lot owner | User identification | Contract duration, tax legislation |
| | Bidding, contracting, invoice issuing | Contract, tax legislation | – | – | Contract duration, tax legislation |
| | Bidding, contracting, paying fee | Contract | Parking lot owner | User contacting | Contract duration |
| License Plate Number | Payment association with the vehicle | Contract | Parking lot owner | Vehicle identification | Contract duration |
| User bank card | Making payment | Contract | Payment processor Stripe Payment Europe, Limited | Payment | Contract duration |
| | Bidding, contracting | Contract | Parking lot owner | User contacting | Contract duration |
| Name, surname, address, phone number, email address, bank account no. of parking lot owner / representative | Bidding, contracting, making payment | Contract | – | – | Contract duration |
Through a cookie, the information and offers on our site can be optimized for the user. Cookies allow us, as mentioned before, to recognize the users of our website. The purpose of this recognition is to make our website easier to use. The user of the website, for example, does not need to enter access data each time the site is accessed, because this is handled by the website and the cookie stored on the user’s computer system. Another example is the shopping cart cookie in an online store. The online store remembers articles that a customer has placed in their virtual shopping cart through a cookie.
6. Collection of general data and information
Our website collects a series of general data and information each time a user or an automated system accesses it. These general data and information are stored in the server log files. What can be collected:
- browser types and versions used
- the operating system used
- the website from which an access system reaches our website (the so-called referrer)
- date and time of access
- the Internet Protocol address (IP address)
- the Internet service provider of the access system and
- any other similar data and information that can be used in the event of attacks on our IT systems.
These general data and information are required for:
- the correct delivery of the content of the website
- website content optimization
- ensuring the long-term viability of our IT systems, and
- providing authorities with the necessary information to investigate in the event of a cyber attack.
We therefore analyze data and statistical information anonymously in order to increase data security and our security and to ensure an optimal level of protection of the personal data we process. The anonymous data of the server log files is stored separately from all the personal data provided.
7. Registration on our website
The person concerned has the possibility to register on our website with the indication of personal data. Personal data entered by the data subject are collected and stored exclusively for the purposes for which they were collected. When registering on the website, the IP address assigned by the Internet Service Provider (ISP) and used by the user, as well as the date and time of the registration, are also stored. The storage of these data takes place on the basis of legitimate interest, as this is the only way to prevent the misuse of our services and, if necessary, to support the investigation of the offenses committed. Such data shall not be passed on to third parties, except where there is a legal obligation to transmit the data or if the transfer is requested by the law enforcement agencies.
The registration of the data subject, with the voluntary indication of personal data, allows us to offer the data subject content or services which can only be provided to registered users. Registered persons have the ability to change the personal data specified during registration at any time or to remove them completely from our database. We must provide at any time, at the request of the data subject, information about the personal data stored about him or her. Additionally, we need to correct or delete personal data at the request of the data subject, unless there are legal storage obligations.
8. Subscription to our newsletters
On our website, users can subscribe to our company newsletter. The subscription form specifies which personal data is transmitted, as well as the request to receive the newsletter. We regularly inform our customers and business partners through our newsletter about our offers. The newsletter may only be received by the data subject if:
- he/she has a valid email address and
- he/she subscribes to this service.
Upon subscription, a confirmation email will be sent to the email address specified by the person concerned. During the subscription to receive the newsletter, we store the IP address of the IT system assigned by the Internet Service Provider (ISP) and used by the data subject at the time of registration, as well as the registration date and time. Collecting this data is necessary to prevent the (potentially) abusive use of the person’s e-mail address at a later date.
The personal data collected from the newsletter registration will only be used to send our newsletter. In addition, subscribers to the newsletter can be informed by e-mail as long as this is necessary for the operation of the newsletter service or in case of technical changes.
There will be no transfer of personal data collected by the newsletter service to third parties. Subscription to our newsletter can be cancelled by the person concerned at any time. The consent to the processing of personal data that the data subject has expressed on subscription may be revoked at any time. A link for revoking consent is included in each newsletter. It is also possible to unsubscribe from the newsletter at any time directly on our website or to communicate this in other ways.
9. Newsletter monitoring
Our newsletter contains so-called tracking pixels. A tracking pixel is a miniature graphic embedded in emails sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, we can see if and when an email was opened by a recipient and which e-mail links were accessed by the person concerned.
Such personal data collected in the tracking pixels contained in the newsletter are stored and analyzed to optimize the delivery of the newsletter as well as to adapt the content of future newsletters to the interests of the concerned person. This personal data will not be passed on to third parties. The individuals concerned are at all times entitled to revoke their expressed consent. After a revocation of consent, these personal data will be deleted.
10. The ability to communicate through the website
Our website allows for quick electronic contact and direct communication with us through an e-mail address. If a person is contacting us by e-mail or a contact form, personal data transmitted is automatically stored. Such personal data transmitted voluntarily by the data subjects are stored for processing or contacting that person. There is no transfer of personal data to third parties.
11. Automatic deletion of personal data
We process and store the personal data of the person concerned only for the period necessary to achieve the purpose for which they were collected, except when the storage period is required by national or European legal rules.
If the purpose for which the data were collected has been reached or if the storage period required by national or European legal rules has expired, personal data is automatically deleted in accordance with legal requirements.
12. Rights of the data subjects
THE RIGHT TO BE INFORMED
Once you have consented and become a data subject, you have the right to be informed about everything that happens to your personal data and the purpose of its use, to access and change it, and even to revoke your consent for a specific organization. At the same time, you have the right to access your personal information whenever you want.
Based on this right, you can request information on all aspects of your personal data collected by the operator: whether your data is processed or not, where it comes from, who processes it, for what purpose, for what time period and where it is stored. Also under this right, you can request a “copy” of the processed information.
THE RIGHT TO RECTIFICATION
You may request the rectification or modification of your personal data processed by the operator after the operator has verified your identity through internal procedures.
RIGHT TO BE FORGOTTEN (RIGHT TO DELETION OF DATA)
Another important right is the right to data deletion (or to be forgotten). The general principle is that a person has the right to request the deletion of personal data. This right is not an absolute one, meaning that there are circumstances in which the data will not be erased at the request of the data subject. For example, if personal data are used to comply with a legal obligation, for public health safety or for scientific research, then the right to delete data may be denied to the data subject.
THE RIGHT TO RESTRICT DATA PROCESSING
According to GDPR, a person has the right to restrict the processing of personal data under various circumstances. For example, a person may restrict the processing of personal data when he/she thinks they are not accurate. In this case, the person will be able to restrict data processing until their accuracy is verified. Another case where data processing can be restricted is when the data subject objects to the processing.
PORTABILITY OF DATA
You also have the right to port the data. In the absence of any other contractual terms (you should be informed before consenting to data processing), you can move your data from one supplier to another easily and quickly.
THE RIGHT TO OPPOSITION
This right includes: the right to oppose processing and the right to oppose the application of automated decision-making and profile creation.
RIGHTS CONCERNING THE AUTOMATIC DECISION-MAKING PROCESS AND PROFILE CREATION
This right is intended to protect people from certain negative decisions that can be taken without human intervention. GDPR defines profile creation as any automated form of processing in order to evaluate certain personal aspects of the individual, such as performance at work, health, personal preferences, economic situation, location, and others. If an organization uses profile creation, it needs to take certain security measures. For example, it must use correct mathematical or statistical procedures, keep personal data secure, and take measures that allow anomalies to be corrected with a minimum risk of error. Note that automated decision-making should never be applied to a child.
THE RIGHT TO WITHDRAW YOUR CONSENT
Through a declaration of will symmetrical to the one by which you gave your consent, you can withdraw it at any time, and we will take account of this withdrawal.
In the exercise of any of these rights, if there are no legal impediments, we will comply with the provisions of the GDPR Regulation, operating as requested by the data subject, and informing the data subject about the steps taken.
13. The legal basis of the processing
Article 6 (1) (a) of the GDPR Regulation serves as the legal basis for the processing operations for which you give us consent for a particular processing purpose.
If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, for example where the processing operations are necessary for the supply of goods or for the provision of services, the processing is carried out on the basis of Article 6 (1) (b) of the GDPR Regulation. The same applies to the processing operations required for pre-contractual measures, for example in the case of bidding.
If our company is subject to a legal obligation that requires us to process personal data, such as fulfillment of tax obligations, the processing is based on Article 6 (1) (c) of the GDPR Regulation.
In rare cases, processing of personal data may be necessary to protect the vital interests of the data subject or of another individual. This would be the case, for example, if a visitor was injured in our company and his or her name, age, health insurance data or other vital information had to be passed to a doctor, hospital or other third party. Under this hypothesis, processing will be based on Article 6 (1) (d) of the GDPR Regulation.
Finally, the processing operations could be based on Article 6 (1) (f) of the GDPR Regulation, if processing is not carried out for any of the above-mentioned reasons, if the processing is necessary for the purposes of legitimate interests pursued by our company or a third party, unless such interests are contrary to the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. Such processing operations are particularly permitted because they have been specifically mentioned by the European legislator. The legislator considered that a legitimate interest could be assumed if the data subject is the client of the operator (recital 47, sentence 2 of the GDPR).
14. Legitimate interests pursued by the operator or by a third party
If the processing of personal data is based on Article 6 (1) (f) of the GDPR Regulation, our legitimate interest is to conduct our business in the interests of all our employees and shareholders.
15. The period for which personal data will be stored
The criteria used to determine the period of storage of personal data are defined by the purpose of the collection and the legal basis. After the expiry of that period, the corresponding data is deleted if it is no longer required for the performance or conclusion of a contract or if the data subject has not given his or her consent to the storage of such data for a certain period of time.
16. The existence of an automatic decision-making process
As a responsible company, we do not use automated decision-making or profiling.
17. Data protection provisions related to the application and use of Facebook
On this website, we have integrated Facebook social network components.
The Facebook operator is Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, United States. Outside the United States or Canada, the operator is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland.
An overview of all Facebook plugins can be accessed at https://developers.facebook.com/docs/plugins/. Through these plugins, Facebook is informed about which specific sub-site of our website was visited by the person concerned.
The Facebook Privacy Guide, available at https://facebook.com/about/privacy, provides information on Facebook’s collection, processing, and use of personal data. It also explains the settings options that Facebook offers to protect the privacy of the data subject. In addition, different configuration options are available to stop data transfer to Facebook.
18. Data protection regarding the application and use of Google AdSense
On this website we integrated Google AdSense. Google AdSense is an online service that allows you to place advertisements on third-party websites. Google AdSense is based on an algorithm that selects ads displayed on third-party websites to match the content of that third-party website. Google AdSense permits an Internet-based targeting that is implemented by generating individual user profiles.
The Google AdSense operator is Alphabet Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
The person concerned may, as mentioned above, prevent the cookies from being set on our website at any time through a proper adjustment of the web browser used and hence permanently refuse the cookie setting.
Through Google AdSense, personal data and information – which also includes the IP address and is required to collect and count the displayed ads – is sent to Alphabet Inc. in the United States. These personal data will be stored and processed in the United States of America. Alphabet Inc. may disclose personal data collected through this technical procedure to third parties.
Google AdSense is further explained at the following link: https://www.google.com/intl/en/adsense/start/.
19. Data protection provisions for applying and using Google Remarketing
On this website, we’ve integrated Google Remarketing services. Google Remarketing is a component of Google Ads that allows advertising material to be displayed to Internet users who have visited our website.
The Google Remarketing Operator is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
The person concerned may, as mentioned above, prevent the cookies from being set on our site at any time through a proper adjustment of the web browser used and hence permanently refuse the cookie setting. Such an adjustment of the internet browser would prevent Google from establishing a cookie on the data technology system of the person concerned. In addition, cookies already used by Google can be deleted at any time through a web browser or other software.
Additionally, the person concerned has the ability to object to Google’s interest-based advertising. For this purpose, the person concerned must access the link at www.google.de/settings/ads and make the desired settings in each internet browser used.
20. Data protection provisions for the application and use of the Google Ads service
On this website, we’ve integrated Google Ads. Google Ads is an Internet advertising service that allows the advertiser to place ads on Google search engine results and on the Google advertising network. Google Ads allows an advertiser to pre-define certain keywords, so that an ad is displayed in Google search results when the user uses the search engine to search for those keywords.
The Google Ads operator is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
The purpose of Google Ads is to promote our website by including relevant advertising on third-party websites and in search engine results on Google search engine, and by inserting third-party advertisements on our website.
The concerned person may at any time prevent cookies from being set up by our website, as mentioned above, through a proper setting of the Internet browser used, and thus permanently refuse the cookie setting. Such a configuration of the Internet browser used would prevent Google from entering a conversion cookie into the person’s information technology system. Additionally, a cookie set by Google Ads can be deleted at any time through your internet browser or other software.
The concerned person has the ability to object to Google’s interest-based advertising. To do so, the concerned person has to access the link www.google.de/settings/ads from each of the browsers used and make the desired settings.
Additional information and applicable data protection provisions on Google can be downloaded at https://www.google.com/intl/en/policies/privacy/.
21. Data protection provisions related to the application and use of LinkedIn
We also have integrated components of LinkedIn Corporation on this website. LinkedIn is a web-based social network that allows users with existing business contacts to connect and make new business contacts. More than 400 million people registered in over 200 countries use LinkedIn. Thus, LinkedIn is currently the largest business contact platform and one of the most visited websites in the world.
More information about the LinkedIn plug-in can be accessed at https://developer.linkedin.com/plugins.
LinkedIn receives information via the LinkedIn component provided that the person concerned is logged in to LinkedIn when using our website. This happens regardless of whether the person clicks on the LinkedIn button or not. If the data subject does not want such information to be transmitted to LinkedIn, he or she can prevent this by logging out of their LinkedIn account before entering our website.
22. Data protection provisions to apply and use YouTube
On this website, we have integrated YouTube components. YouTube is an Internet video portal that allows video publishers to post videos free of charge and allows other users to view, review and comment on them, also free of charge.
The YouTube operator is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, United States. YouTube LLC is a subsidiary of Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, United States.
More information about YouTube can be found at https://www.youtube.com/yt/about/en/. YouTube’s data protection provisions are available at https://www.google.com/intl/en/policies/privacy/ and provide information on the collection, processing and use of personal data by YouTube and Google.
23. Data protection provisions for the application and use of other SEO and analysis tools
These tools are used on various sections or subsections of our website, and are the following:
- SEMRush – An SEO analysis tool. More information about SEMRush can be found here: https://www.semrush.com/company/legal/terms-of-use/ and data protection policy information is available here: https://www.semrush.com/company/legal/privacy-policy/
- Hotjar – A tool for tracking user behavior on the website with anonymized data. More information about Hotjar can be found here: https://www.hotjar.com/legal/policies/terms-of-service and information about data protection policy here: https://www.hotjar.com/legal/policies/privacy
- Hubspot – An in-depth analysis tool for user behavior on the website. More information about Hubspot can be found here: https://legal.hubspot.com/community-tou and the data protection policy here: https://legal.hubspot.com/privacy-policy?_ga=2.115176261.353259744.1526989630-105251658.1526989630
24. Data protection provisions regarding the application and use of WordPress plug-ins
On some parts or subsections of our website we have integrated other WordPress plug-ins to facilitate the sales process of our products and services. WordPress is an open source platform for website publishing. Plug-ins used:
- MailChimp for WordPress
25. Payment methods: Data protection provisions for the use of Stripe as a payment processor
On this website, we have integrated components of the Stripe service. Stripe is an online payment service provider.
The Irish Stripe company is Stripe Payments Europe, Ltd, based in The One Building, Lower Grand Canal St, Dublin 2, Ireland, registered with the Trade Register under no. 513174.
If the person concerned uses Stripe, we automatically transmit the data of the data subject to Stripe Payments Europe Ltd. By selecting this payment option, the data subject agrees with the transfer of personal data needed to process the payments.
Personal data sent to Stripe Payments Europe Ltd are usually the name, surname, address, e-mail address, IP address, phone number, mobile phone number, payment amount, card number, name on card, expiration date, CVV code, unique transaction identification and any other data on the payment methods used, or other data needed to process payments.
The applicable data protection provisions in Stripe can be downloaded from https://stripe.com/dpa/