Security Policy

From the perspective of the new provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in accordance with the requirements of Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, as amended and supplemented, ZEGASOFTWARE manages personal data securely and only for the specified purposes, for software development activities.

This Security Policy has been developed in accordance with the provisions of Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, as amended and supplemented, and regulates the manner in which this information is collected, as well as the conditions for its use within ZEGASOFTWARE.

As minimum security requirements, a set of technical, IT, organizational, logistical, procedural, and security measures has been taken to ensure the minimum level provided for in Article 20 of Law no. 677/2001, in accordance with the minimum security requirements for the processing of personal data approved by Order no. 52 of 18 April 2002 of the Ombudsman.

ZEGASOFTWARE has adopted adequate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access. In this regard, at the level of ZEGASOFTWARE, a person responsible for compliance with the provisions of Law no. 677/2001 has been appointed.

ZEGASOFTWARE has taken measures to safely store information regarding personal data, in order to ensure an adequate level of protection and security, in accordance with Law 677/2001.

Scope

This policy applies to all ZEGASOFTWARE employees with responsibilities for processing personal data and/or authorized individuals, as appropriate.

Terms and Definitions

ANSPDCP - National Authority for the Supervision of Personal Data Processing;

Personal identification number (CNP) - a significant number that uniquely identifies an individual, serving as a means to verify their civil status and identify them in certain computer systems by authorized individuals;

Personal data - any information relating to an identified or identifiable natural person; an identifiable person is someone who can be directly or indirectly identified, in particular by reference to an identification number or one or more specific factors identifying their physical, physiological, mental, economic, cultural, or social identity;

Personal data with general identification function (special category data) - numbers used to identify an individual in certain record-keeping systems that have general applicability, such as personal identification number, series and number of identification document, passport number, driver's license number, social security or health insurance number.

Operator - any natural or legal person, private or public, including public authorities, institutions, and their territorial structures, who determines the purpose and means of processing personal data. If the purpose and means of processing personal data are determined by a legal act or based on a legal act, the operator is the natural or legal person, public or private, designated as the operator by that legal act or based on that legal act.

Authorized person by the operator - a natural or legal person, private or public, including public authorities, institutions, and their territorial structures, who processes personal data on behalf of the operator.

Person responsible for the security policy of personal data - the person responsible for the proper functioning of the complex information protection system that contains personal data, as well as for the development, implementation, and monitoring of compliance with the provisions of the security policy of the personal data controller.

Processing of personal data - any operation or set of operations performed on personal data, whether by automated or non-automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure to third parties by transmission, dissemination, or any other form, linking or combining, blocking, erasure, or destruction.

Storage - keeping the collected personal data on any type of medium.

User - any person who acts under the authority of the operator, the authorized person, or the representative, with recognized access rights to personal data databases.

Reference Documents

Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR).

Law no. 677/2001 on the protection of individuals regarding the processing of personal data and the free movement of such data, as amended and supplemented.

Order of the Ombudsman no. 52 of 18/04/2002 approving the Minimum Security Requirements for the processing of personal data.

Decision of the National Authority for the Supervision of Personal Data Processing no. 132 of 20/12/2011 regarding the conditions for processing the personal identification number and other personal data with a general identification function and applicability.

Purpose of processing

The purpose of these measures is to establish the responsibilities of ZEGASOFTWARE employees for fulfilling obligations regarding the guarantee and protection of the fundamental rights and freedoms of individuals, especially the right to privacy, regarding the processing of personal data. The purpose of collecting and processing data is for software development activities.

Categories of individuals concerned

ZEGASOFTWARE processes personal data of individuals who apply for employment for the purpose of software development activities.

How individuals are informed of their rights

In accordance with the requirements of Law no. 677/2001, as amended and supplemented, individuals are informed of the information provided in Article 12, and ZEGASOFTWARE has the obligation to communicate to the data subjects, primarily, information regarding:

- The identity of the operator, representative, or authorized person;

- The purpose of processing;

- The categories of data processed, given that the data is collected directly from the data subjects;

- The mandatory or optional nature of providing personal data;

- The consequences of refusing to provide personal data;

- The recipients or categories of recipients of the data;

- The existence of the right to access, intervene in the data, object to the data processing, not to be subject to an individual decision, the conditions for exercising these rights, as well as the right to address the court;

- The possible transfer of data abroad.

Data subjects are adequately informed considering the specific circumstances of the processing (such as the method of data processing, the medium on which data is collected, etc.), and this is done through the documents through which personal data is collected, as well as by displaying a Privacy Notice at ZEGASOFTWARE's premises and on the website https://zegasoftware.com.

Categories of processed data

In accordance with the requirements of Law no. 677/2001 on the protection of individuals regarding the processing of personal data and the free movement of such data, as amended and supplemented, ZEGASOFTWARE processes personal data related to name, date and place of birth, citizenship, signature, address (domicile/residence), education data, health data, other personal data, through manual and electronic means, while complying with all security and protection requirements imposed by law.

Furthermore, according to Article 4(1)(c) of Law no. 677/2001, as amended and supplemented, personal data intended to be processed must be adequate, relevant, and not excessive in relation to the purpose for which they are collected and subsequently processed.

The collection of special category data is carried out only with the consent of the data subject, in accordance with Article 7(2) and Article 8 of Law no. 677/2001, as amended and supplemented. This consent must be explicit, informed, freely given, and unambiguous.

Individuals are obliged to provide the data requested by ZEGASOFTWARE, as they are necessary:

- For the provision of software development services;

- For the legitimate interests of the company or the third party to whom the data is disclosed.

ZEGASOFTWARE will request certain personal data without which the provision of these services or the conclusion of employment contracts will not be possible. At that time, the data subject will be informed about the consent for the processing of personal data and whether the provided data will be accessible to other partners of ZEGASOFTWARE or third parties.

The processing of personal data with identification function, such as the personal identification number, series and number of identification document/passport, is carried out in accordance with the provisions of Article 8 of Law no. 677/2001, as amended and supplemented, as well as Decision no. 132/2011 of the President of ANSPDCP.

ZEGASOFTWARE designates authorized users for the operations of collecting, entering, and processing personal data in information systems or manual systems.

Communication of personal data

Personal data may be communicated between ZEGASOFTWARE and its authorized persons or between ZEGASOFTWARE or its authorized persons and other public institutions or entities, whether public or private, in the following situations:

- If the data subject has given explicit and unambiguous consent for the communication of their data;

- Without the consent of the data subject in cases provided by law.

The communication of personal data in the situations mentioned above may take place if one of the following conditions is met:

- The communication is based on a contract or, where applicable, a cooperation document that must include at least the legal basis and purpose of the processing, the maximum processing period, the rights and obligations of the parties, the security measures for the processing, and the respect for the rights of the data subject. It must also mention that the data can only be used by the beneficiary organization and solely for the purpose for which they were requested.

- The communication is based on a written request that must include the legal basis, purpose of processing, and the requested data, as well as, if applicable, the number assigned by the National Supervisory Authority.

The communication of personal data may also be carried out online, while complying with the provisions mentioned above and ensuring the security of the communication systems for personal data.

Personal data for which data subjects have exercised and been granted the right to object cannot be subject to processing.

Requests for the communication of personal data addressed to ZEGASOFTWARE must include the identification data of the applicant, as well as the reasoning and purpose of the request, in accordance with legal provisions. Requests that do not contain these elements will be returned for completion, and those that do not meet the conditions provided by law will be rejected, stating the reasons why the communication of personal data is not possible.

Before communicating personal data, ZEGASOFTWARE verifies their accuracy and, if necessary, updates them. In the event that incorrect or outdated data have been transmitted, ZEGASOFTWARE has the obligation to inform the recipients of such data about the non-compliance, specifying the data that have been modified.

When communicating personal data, ZEGASOFTWARE informs the recipients about the prohibition of processing the data for purposes other than those specified in the communication request.

The recorded information is intended for use by the company and may be communicated, without limitation, to the following categories of recipients:

- The data subject;

- The legal representative of the data subject;

- Employees of the company;

- Other individuals or legal entities processing personal data on behalf of the company, excluding its authorized persons;

- Contractual partners;

- Other companies within the same group;

- Judicial authorities;

- Central/local public authorities.

Guarantees accompanying the disclosure of data to third parties

ZEGASOFTWARE complies with the provisions of Article 5 of Law No. 677/2001, as amended and supplemented, by establishing specific guarantees regarding the purpose and means of processing, which attest to the fulfillment of the conditions of legitimacy provided by Article 5 of Law No. 677/2001.

The guarantees for disclosing personal data are as follows:

- Consent of the data subject: The consent of the data subject is one of the guarantees for the disclosure of personal data. The consent must be explicit and expressed in a clear and specific manner, in accordance with Article 5(1) of Law No. 677/2001. The processing of special categories of data is carried out in compliance with the provisions of Article 7(2)(a) of Law No. 677/2001, and the processing of personal identification numbers or other data with a general applicability for identification purposes is carried out in accordance with the provisions of Article 8(1)(a) of Law No. 677/2001, only when the data subject has expressly consented to such processing. The data subject agrees to provide the requested personal data and understands that the services cannot be provided without the requested personal data provided to ZEGASOFTWARE.

- Legal provisions: Legal provisions represent another guarantee for the disclosure of personal data.

- Other guarantees: Obligations of confidentiality and respect for professional or service secrecy by employees who have access to the processed personal data.

- Training of employees within ZEGASOFTWARE who process the collected personal data. All employees with access rights to the collected data receive initial training in data protection. This procedure is integrated into the training and guidance program for all users with access rights and responsibilities in the collection and processing of personal data. The company's management ensures that all personnel involved in the operation of personal data processing are trained and informed about all functional, operational, and administrative aspects of this activity. All these aspects are provided for in the Internal Regulation.

- Measures to maintain confidentiality: After training, each employee signs a confidentiality declaration.

- Introduction and compliance with the confidentiality clause provided in contracts concluded regarding the services performed.

The processing of personal data, including the disclosure to third parties, may be carried out in certain cases, provided that adequate guarantees are in place to respect the rights of the data subjects.

ZEGASOFTWARE respects the principles of adequacy, relevance, and non-excessiveness, as well as measures of confidentiality and security of processing, by establishing appropriate guarantees, namely:

- The purpose of processing is determined explicitly and legitimately.

- Measures are established and implemented to ensure the exercise of the rights of data subjects.

- The data retention period is limited to the period necessary for fulfilling the purpose, after which the data will be archived in accordance with the applicable legislation.

- Access to data collection systems is established, and appropriate technical and organizational measures are established and respected to protect the data.

- The data is used only within the limits of the established purpose.

- Disclosure to other recipients is prohibited, except when the data subject has given consent or there is an explicit legal provision.

- Written designation of the person(s) who will process the data and who must assume responsibility for maintaining their confidentiality; the list containing the record of these persons will be updated as necessary.

- Written appointment of a specialized person in information security to oversee data processing, including the proper functioning of the information systems used in this activity.

- Establishment of an information security plan that includes, primarily, technical security in information technology and security of the spaces where the data is processed, taking into account the minimum security requirements.

- Establishment, in writing, of the rights and obligations of the data controller who transmits the data and the data controller who receives them.

What does giving consent mean?

According to the provisions in the legal act regarding the processing of personal data, the consent of the data subject represents any express, free, specific, and informed indication of the data subject's will by which the data subject agrees to the processing of personal data concerning him/her.

Consent must be given explicitly in a form that allows its proof by the data controller.

Prior to obtaining consent, the data controller has the obligation to inform the data subject about:

- The identity of the data controller and its representative, if applicable.

- The purpose of the data processing.

- Additional information, such as: recipients or categories of recipients of the data; whether the provision of all requested data is mandatory and the consequences of refusing to provide them; the existence of the rights provided by Law No. 677/2001 for the data subject, especially the right of access, intervention on the data, and objection, as well as the conditions for exercising them.

- Any other information whose provision is required by the supervisory authority's provisions, taking into account the specific nature of the processing.

Privacy Policy

This policy establishes how information is collected, as well as the conditions of use of the information within the company.

To prevent unauthorized use of personal data and abuses, ZEGASOFTWARE employs complex security methods and technologies, along with employee policies and work procedures, to protect the personal data collected in accordance with applicable legal provisions.

Measures to ensure the security of data processing

Policy for the Security of Personal Data Processing

According to Articles 19 and 20 concerning the confidentiality and security of processing in Law No. 677/2001, as amended and supplemented, ZEGASOFTWARE applies appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures have been taken to protect the personal data of data subjects processed by ZEGASOFTWARE, including the processing of special categories of data, which comply with the minimum requirements for the security of personal data processing according to the provisions of Order No. 52 of April 18, 2002, published in the Official Gazette No. 383 of June 5, 2002.

 

Training of staff

ZEGASOFTWARE's personnel are informed about the provisions of Law No. 677/2001 on the protection of individuals regarding the processing of personal data and the free movement of such data, the minimum requirements for the security of personal data processing according to the provisions of Order No. 52 of April 18, 2002, the provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR), as well as the risks involved in the processing of personal data.

Users who have access to personal data are trained on the confidentiality of personal data and access only the personal data necessary to perform their duties.

All provisions of the Personal Data Processing Security Policy apply.

Manual processing of personal data

Documents containing personal data are kept in files or locked cabinets or with another security mechanism. Documents containing personal data used for specific operations are delivered to authorized persons or immediately locked after completing those operations.

Principles underlying the processing of personal data

The processing of personal data is carried out in compliance with legal requirements and in conditions that ensure the security, confidentiality, and respect for the rights of data subjects.

The processing of personal data is based on the following principles:

- Legality: Processing of personal data is carried out based on and in accordance with legal provisions.

- Well-determined purpose: Any processing of personal data is done for specific, explicit, and legitimate purposes that are adequate, relevant, and not excessive in relation to the purpose for which the data is collected and subsequently processed.

- Confidentiality: Individuals processing personal data on behalf of ZEGASOFTWARE have confidentiality clauses specified in their job descriptions, an annex to the individual employment contract.

- Consent of the data subject: Any processing of personal data, except for processing related to strictly defined categories mentioned in Law No. 677/2001, can only be performed if the data subject has given explicit and unambiguous consent for that processing.

- Information: Data subjects are informed that their personal data will be processed.

- Protection of data subjects: The rights of data subjects are presented in the section "Rights of individuals whose personal data is collected and/or processed."

- Security: Measures to ensure the security of personal data are established to achieve an adequate level of security for the processed personal data.

The processing of personal data with a general applicability for identification purposes, including disclosure to third parties, is only allowed under the following conditions:

a) The data subject has given explicit consent.

b) The processing is expressly provided by a legal provision.

c) In other cases, with the approval of the National Authority for the Supervision of Personal Data Processing, and only if adequate guarantees for respecting the rights of data subjects are in place.

ZEGASOFTWARE respects the principles of adequacy, relevance, and non-excessiveness, as well as measures of confidentiality and security of processing. In the case referred to in point c) above, the following aspects are considered:

- The purpose of processing should be determined explicitly and legitimately.

- Measures are established and implemented to ensure the exercise of the rights of data subjects.

- The data retention period should be strictly necessary for fulfilling the purpose, after which the data will be deleted or destroyed, as applicable.

- Access methods to data collection systems are determined, and appropriate technical and organizational measures are established and respected to protect the data.

- Data is used only within the limits of the established purpose.

- Disclosure to other recipients is prohibited, except when there is explicit consent from the data subject or a legal provision.

- Designation, in writing, of the person(s) responsible for processing the data and ensuring the confidentiality of the data. The list containing the record of these persons is updated as necessary.

- Appointment, in writing, of a person specialized in information security to oversee the processing of data, including the proper functioning of the information systems used in this activity.

- Establishment of an information security plan that primarily includes technical security in information technology and security of the spaces where the data is processed, taking into account the minimum security requirements.

- Establishment, in writing, of the rights and obligations of the data controller who transmits the data and the data controller who receives the data.

The collection and processing of personal data with a general applicability for identification purposes, including disclosure, by making and retaining copies of identification documents, are prohibited, except in situations specified in points a), b), and c) above.

Technical measures regarding the processing of personal data

All documents containing personal data are registered and follow the rules for storage, processing, duplication, transportation, transmission, destruction, and archiving established by the National Archives Law (No. 16/1996) and internal procedures.

Therefore, the processing of such data, including disclosure to third parties, can only be done if:

- The data subject has given explicit consent.

- The processing is expressly provided by a legal provision.

- In other cases, with the approval of the National Authority for the Supervision of Personal Data Processing, and only if adequate guarantees for respecting the rights of data subjects are in place.