Personal Data Processing Policy on the www.rubio.ro Website – RUBIO TRADING & CONSULTING SRL

Art. 1. General Information

In carrying out its activity, RUBIO TRADING & CONSULTING SRL, headquartered in Arad, Arad County, Strada Dunarii no. 89, registered with the Trade Register under no. J02/497/2002, sole registration number RO14703906 (“the Company”), processes your personal data when you access the www.rubio.ro website (“the Website”).The Company continuously ensures compliance with all principles and legislation on personal data protection regarding the processing, collection, handling, storage, and transfer of personal data, as regulated by applicable law and by Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).This policy sets out the key principles regarding data protection and how the Company manages the personal data you provide to us by accessing the Website. The Company will keep this policy up to date and will publish the most recent version on the Website.

DEFINITIONS

The following definitions of the terms used in this document are taken from Article 4 of the GDPR:

Personal data: Means any information relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing: Means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

DPO: Means the Data Protection Officer, i.e., the person responsible for data protection.

Art. 2. Categories of personal data

We understand the importance of your personal data and we are committed to protecting its confidentiality and security. Therefore, it is important for us to inform you about the processing of your personal data as a user of our Website through this policy.The categories of personal data processed by the Company vary depending on the interaction and relationship you have with the Website. Thus, your personal data may be provided by you in various sections of the Website, in particular in the following situation: when you complete the Website contact form https://www.rubio.ro/contact.

Art. 2.1. Categories of data that may be processed:

a) When completing the contact form available on the Website: last name, first name, phone number, email address;

The data you provide must be true, accurate, and up to date, and you must have the right to provide it. The data mentioned under point a) above are provided by you voluntarily when interacting with the Company, depending on the purpose communicated by you. You are therefore responsible for the data you provide on the Website, both towards us and towards any third party that may be harmed by the provision of such data.The Website may also collect certain information regarding your browsing and interactions with its various sections. We will store or access information and cookies on your terminal equipment (computer, phone, tablet, etc.) only under the conditions described in the relevant Cookies section. The categories of personal data processed include: the time and date of access to the site, as well as the IP address of the device from which the Website was accessed.

Art. 2.2. The Company may process the data mentioned in Art. 2.1 above for the following purposes:

1. To manage requests, complaints, and suggestions: processing data submitted via the contact form; such processing is carried out based on your consent, as well as on the Company’s legitimate interest in resolving complaints, improving services, and managing suggestions and requests submitted to the Company;
2. In the context of processing Website visitors’ data, to ensure the proper functioning of the Company’s Website; the legal basis is the Company’s legitimate interest in improving the services provided;

Art. 3. Basic principles regarding the processing of personal data

The processing and management of your personal data is carried out in accordance with the following principles:

• It is open and transparent about what it does with the data and why it uses it;
• Keeps data secure;
• Ensures that it always has a legal basis for processing the data;
• Collects and uses only the minimum necessary data, thus respecting the data minimization principle;
• Keeps data up to date, accurate, and complete;
• Does not keep data longer than necessary, ensuring the implementation of retention periods where there is no mandatory legal retention period;
• Respects the legal rights of data subjects regarding their personal data;
• Does not transfer data abroad without taking the measures required for data transfers and not before informing data subjects accordingly.

Art. 3.1. Fairness and transparency

Personal data are processed lawfully, fairly, and transparently in relation to the data subject. This is a core principle and means that we use personal data only to the extent that the persons who entrust them to the Company have been informed in advance about how they will be used. You may request from the Company, at any time, information regarding the following key aspects:

• What type of data will be collected;
• For what purpose they will be used;
• With whom they will be shared (if applicable);
• Whether they will be transferred to other countries;
• How long they will be kept;
• What rights individuals have regarding their personal data;
• The contact channels through which data subjects can exercise these rights;
• Personal data will be processed only for the purpose communicated to the data subject;
• Any subsequent changes to the purpose of processing will be communicated to the data subject before their personal data are used for the new purpose.

Art. 3.2. Lawfulness

The Company carries out all processing activities for a well-defined purpose related to its activity and based on an appropriate legal justification, as well as in order to fulfill the Company’s legitimate interests in the context of carrying out its business, as follows:

• subscribing to the Company’s newsletter, through which we will send new product or service launches, commercial communications regarding promotions and campaigns carried out by the Company independently or in collaboration with one or more partners, useful information about the services provided, etc.;
• providing responses when the contact form is completed;
• participation in contests and campaigns organized online by the Company;
• managing applications received through the form in the “Careers” section;

Art. 3.3. Data subject consent

Obtaining the consent of the person whose data we intend to collect and process is another legal basis provided by the GDPR, and the Company will process personal data only on the basis of your explicit and unambiguous consent in all situations where such consent is required.

Art. 3.4. Data minimization

Personal data will be used only when it is strictly necessary and relevant for a specific process task or project. Where the use of personal data cannot be avoided, the Company will use only the minimum data necessary to achieve that purpose.

Art. 3.5. Data accuracy

Data protection legislation requires personal data to be kept accurate, complete, and up to date. The Company will ensure the correction, completion, updating, or deletion, as applicable, of inaccurate or incomplete data.

Art. 3.6. Retention period and data storage

We will keep your personal data for a period no longer than necessary to fulfill the purposes for which the data are processed, except where legal provisions provide otherwise or require us to do so.Thus:

• regarding the contact form, we will keep your personal data for the period necessary to respond to your messages and requests and to prove the correspondence carried out with you, but no longer than 1 year from their receipt;
• for participation in contests and campaigns organized online by the Company, we will keep your personal data for the period necessary to run these programs and to prove your participation in them, according to the Regulations communicated for each event;
• regarding analyses of browsing on the Website and user interactions with the Website, we will keep data regarding your interactions for a period of up to 3 years.

The Company may delete your personal data when it considers they are no longer necessary for the purposes for which they were collected.We do not store information or access information stored on your terminal equipment (computer, phone, tablet, etc.) except with your prior consent or when these operations are carried out solely for the purpose of transmitting a communication over an electronic communications network, or are strictly necessary in order to provide an information society service expressly requested by you (for example, storing information about your activities on the Website or in a mobile or tablet application so that you can easily use the Website or the mobile or tablet application upon a subsequent visit).For the use of cookies for which your prior consent is required, the Website will request your consent through a banner displayed on the Website upon access. This banner contains a link to this Personal Data Protection Policy and offers you the option to accept cookies as well as the option to refuse them. If you have given your consent but later change your mind, you can use your internet browser settings to delete stored information or to refuse cookies.If you want to know what cookies are, please access the Privacy Policy on our Website.

Art. 3.7. Data security

The Company ensures and implements the technical and organizational security measures required by law and industry standards to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as well as against any other form of unlawful processing. We also take measures to ensure that we use your personal data exactly as described in this Policy and to respect the choices you make regarding the processing of your personal data.

Art. 3.8. Disclosure to third parties

Except as presented below, we will not disclose any information relating to your data without authorization. Based on your express and unambiguous consent, provided accordingly and only within the limits of applicable law, or for the purpose of complying with a legal obligation and/or protecting a legitimate interest, we may transfer your personal data to:

• Service providers in the following areas: marketing, administrative services, and transaction processing services;
• Other service providers, all of whom have signed confidentiality agreements; organizations or companies that coordinate specific studies and agree to keep the received information confidential;
• State/government agencies, where required by law;
• Other authorities and bodies, for the purpose of fulfilling our legal obligations and/or protecting our legitimate interests;
• Other companies with which we may develop joint programs for offering our products and services on the market;

The transfer of your personal data to the recipients mentioned above will be carried out only under a confidentiality commitment and the assurance of an adequate level of security on their part, guaranteeing that personal data are kept safe.

Art. 4. Rights of individuals

According to the applicable legal provisions, data subjects benefit from the following rights:

• The right to be informed about how and why personal data are used;
• The right to request copies of the personal data held by an entity (including information contained in emails, instant messages, notes, etc.);
• The right to request the correction of any inaccuracies in their personal data;
• The right to request the erasure of personal data (including permanent deletion from the Company’s systems and from any systems of an outsourcing provider to which the Company has allowed access);
• The right to request the Company to stop processing personal data;
• The right to object to the use of their personal data for direct marketing purposes;
• The right to have any personal data provided to the Company transferred to another party (e.g., another banking service provider) “in a structured, commonly used and machine-readable format”;
• The right not to be subject to a fully automated decision-making process (i.e., a system-generated decision without human involvement) where the outcome produces a legal effect or similarly significantly affects the individual concerned;
• The right to withdraw consent where it has been given for a processing purpose;
• The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing, if considered necessary.

If the Company receives a request from you to exercise any of the rights mentioned above, we will respond within 30 days, with the possibility of extending this period only after informing the data subject and provided there is a justified reason that prevents us from responding within 30 days.

Art. 5. Personal data security breach

If personal data are lost, damaged, stolen, compromised, or following a complaint regarding how the Company has handled personal data, the Company will report the breach to the National Supervisory Authority for Personal Data Processing within 72 hours of becoming aware of the breach and will notify the relevant individuals without undue delay where they are likely to be affected by the incident. In addition, the Company will make reasonable efforts to limit the damage caused by the data security breach.

Art. 6. Organization and responsibilities

Responsibility for ensuring appropriate processing of personal data lies with any person who works for or collaborates in any form with the Company and who has access to the processed personal data.