General Data Protection Regulation

This specific procedure appears in the context of the General Data Protection Regulation (GDPR) adopted on April 27, 2016 and binding on May 25, 2018. GDPR is a European la on the protection of individuals with regard to the processing of personal data and on the free movement of such data in the European Union. It also refers to personal data exported to non-EU countries.

The protection provided by this Regulation refers to natural persons, alive, irrespective of their nationality or place of residence, and refers to the processing of personal data. The Regulation does not cover the processing of personal data of authorized persons or legal persons.

Introduction
Marine & Offshore Consultants SRL must collect and use certain personal data of employees and collaborators.

This data refers to the personal data of clients, collaborators, contacts of employees and other people with whom the organization is related.

This procedure describes how personal data is collected, handled and processed to meet the company’s data
protection standards, i.e. to comply with the law.

Why this procedure exists
This personal data protection procedure ensures that Marine & Offshore Consultants:
● Complies with the legal provisions on data protection and establishes rules of good practice in the field
● Protects the rights of employees, clients and partners
● It is transparent regarding the storage and processing of personal data
● Protects against the risk of personal data loss or theft

Personal data protection law
GDPR 679/2016 describes how organizations – including Marine & Offshore Consultants – must collect, manipulate and store personal information.

These rules apply regardless of storage mode, electronically, on paper or in other ways.

In order to comply with the legislation, personal information must be collected and used correctly, stored in secure places and not to be unlawfully disclosed.

GDPR is based on 8 important principles. They say that personal data must:
1. Be processed correctly and legally;
2. They are only obtained for legal and specific purposes;
3. Be either appropriate, relevant and not excessive;
4. Be correct and updated;
5. Do not be stored more than necessary;
6. Be processed in accordance with the rights of the persons involved;
7. Be properly protected;
8. They will not be transferred outside the European Economic Area, unless the country provides one adequate level of protection.

Rights of individuals with regard to personal data
● Right to information – information on personal data processing may be requested at any time;
● Right to rectification – Inaccurate or incomplete personal data can be rectified;
● The right to delete the data (the “right to be forgotten”) – data can be erased if their processing was not lawful or in other cases provided by law;
● Right to restrict processing – You may be required to restrict processing if it is disputed data accuracy, as well as in other cases provided by law;
● The right to object – may in particular oppose data processing that is based on the interest of the legitimate person;
● The right to portability of data – may, under certain conditions, receive the data provided in a format which may be read automatically or may be required to transmit that data to another operator;
● The right to file a complaint – one can complain about the way the data is processed personal data to the National Supervisory Authority for Personal Data Processing;
● Right of withdrawal of consent – in cases where processing is based on the consent of a person, it can be withdrawn at any time. Withdrawal of consent will only have effect for the future, processing prior to the withdrawal remaining valid;
● The right not to be subject to automatic or profiling decisions related to automated decisions: You may require and obtain human intervention with respect to that processing, or you can express your point of view about this type of processing.

People, risks and responsibilities

Purpose of the procedure
This procedure applies:
● Central Office of Marine & Offshore Consultants;
● All of the secondary offices and departments of Marine & Offshore Consultants;
● All employees and volunteers of Marine & Offshore Consultants;
● All contractors, suppliers and other people working from Marine & Offshore Consultants.

The procedure refers to all personal data owned by the company relating to individual / nominal persons.

These data include:
● Name and surname;
● Postal address;
● E-mail address;
● Phone numbers;
● Personal identification number;
● Date of birth;
● Identity Card Data;
● Civil status;
● Passport data;
● Statement;
● Studies, courses;
● Experience (CV);

Risks of data protection
This procedure protects Marine & Offshore Consultants from personal data security risks, identifying these risks and taking the necessary steps to adequately protect your personal data. So, for this purpose, Marine & Offshore Consultants highlights the main risks that may arise in protecting personal data:
● Violation of privacy rules. For example, mis-distribution of information;
● Deficiencies in offering alternatives. For example, everyone in the company must be free to choose how personal data is used by the company;
● Damage to reputation. For example, the company suffers when hackers have access to the sensitive data;

Responsibilities
All those who work for or with Marine & Offshore Consultants have the responsibility of providing personal data from their collection to handling and storage, according to GDPR.

Each team handling personal data must ensure that they are processed and handled in accordance with this procedure and with the legal principles of data protection.

However, the following persons have key responsibilities in data protection:
● Directors are first responsible for ensuring the legal protection of data at Marine & Offshore Consultants;
● Human Resources Officer: keeps the personal data safe and up-to-date, handling personal data of employees and collaborators, periodically updating the responsibilities of directors for data protection, risk and problems, periodic review of procedures and policies for personal data protection, informs employees and employees about the protection of personal data (see Annex 1 and Annex 2 Information on the protection of personal data of current and new employees), responds to questions from employees and collaborators about this procedure and GDPR, responds to employees and collaborators requests regarding data that Marine & Offshore Consultants owns (data request) and verifies and approves any contract or agreement with third parties that involves the use of sensitive data.
● IT responsible: ensures systems, services and equipment used to store personal data so as to meet legal security standards, periodically checks and scans hardware and software equipment and systems to ensure data security, evaluates third party services used by the company for the storage and processing of personal data. For example, cloud storage services.

General rules

The only people who have access to personal data are those who need this data to exercise their job.

Marine & Offshore Consultants will inform all employees and collaborators of how their personal data is used by the company and third parties, through an information note, making this procedure available, etc. (see Annex 1 – Initial Information of Employees on the Protection of Personal Data and Annex 2 – GDPR Agreement of New Employees).

Marine & Offshore Consultants processes the personal data of employees and collaborators who have given their consent for this purpose, being properly informed of how data is used.

Personal data will not be distributed for informal purposes. When access to confidential information is required, employees can ask the manager directly.

Marine & Offshore Consultants will ensure that employees are properly and fully informed in order to help them understand the responsibility of handling the personal data.

Employees will keep their personal data safe, will be cautious and follow the specific procedure.

In addition, strong passwords will be used on any device with which they work and these passwords should not be shared with others.

Personal data should not be disclosed to unauthorized persons, either within the company or outside.

Personal data must be updated periodically when it is found to be outdated. If they are no longer needed, they can be deleted from the database or destroyed.

Employees will seek the help of the direct manager or human resource manager when they are not sure about certain aspects of data protection.

Marine & Offshore Consultants nu proceseaza date personale sensibile (religie, orientare sexuala, date genetice sau biometrice etc.).

Personal data processed by Marine & Offshore Consultants are required by law and can only be accessed by authorized persons or by state institutions.

Everyone has the right to access their own personal data collected by Marine & Offshore Consultants following a written request and at reasonable intervals to verify the lawfulness of the process.

Everyone has the right to update their personal data and the right to “forget” upon request, if the law permits.

In Marine & Offshore Consultants personal data of employees and collaborators are analyzed manually, they are not subject to automatic processing.

At Marine & Offshore Consultants, personal data is processed anonymously for direct marketing purposes. Only marketing data and experience are used in marketing.

Principles of personal data protection by design and by default applies whenever personal data is processed.

As soon as Marine & Offshore Consultants finds out that it happened a breach of personal data protection, it will notify the competent authorities of this breach, without delay and within 72 hours of observation, if possible.

Marine & Offshore Consultants will communicate to the competent authorities and individuals involved a personal data security breach, especially when this breach poses a high risk to a person’s rights and freedoms, allowing him to take the necessary precautions.

The processing of sensitive personal data relating to race, ethnic origin, political opinions, religion, philosophical beliefs of genetic or biometric data for the purpose of identifying a person, health or sex life data is forbidden at Marine & Offshore Consultants.

Personal data storing

This paragraph describes how and where personal data should be kept so that it is safe. Questions about keeping personal data can be addressed directly to the IT manager or data processor (executives, accountants, human resources).

The data stored on the paper will be kept in a folder placed in a safe place, inaccessible to unauthorized persons.

This guide applies to electronically stored data but also to data printed on paper for various reasons:
● When not required, staff records are held in a safe, inaccessible, possibly locked place;
● Employees will be instructed not to leave behind documents that contain personal data, such as the printer;
● When they are no longer needed, the papers containing personal data will be destroyed and discarded.

Electronically retained data will be protected from unauthorized access, accidental deletion, and hacker attack:
● Personal data will be protected with strong passwords that will be changed periodically and will not be shared with other employees;
● When data is stored on mobile media (CD, DVD, USB), they will be locked securely when not in use;
● Personal data will be stored on specific drivers and servers and will only be saved on an approved cloud storage service;
● Servers containing personal data are located in a safe place outside the office;
● Data is saved periodically on the server. These backups are regularly tested according to company standards;
● Personal data will not be saved directly on your laptop or other mobile devices (tablets, smart phones);
● All servers and computers that contain personal data are protected by approved security software and firewalls.

Using personal data

Personal data is irrelevant if Marine & Offshore Consultants can not use them. However, it will be taken into account that accessing personal data may result in their loss, theft or alteration.

When working with personal data, employees will ensure that they lock the computer / screen when they are not around.

Personal information will not be shared for information purposes.

Data will be encrypted before being transferred electronically. The IT manager can explain to employees how to send data to authorized external contacts.

Personal data is not transferred outside of the European Economic Area..

Employees will not save personal data in personal computers. Always access and update the
centralized data copy.

Data accuracy

The legislation in force requires Marine & Offshore Consultants to assume responsibility for the accuracy and correctness of personal data.

The accuracy and correctness of personal data is the responsibility of all employees.

Personal data will be kept in as few places as possible. Employees will not create unnecessary extra copies.

Employees will benefit from every opportunity to ensure that personal data is accurate and complete. For example, they will update customer data when they call.

Marine &a Offshore Consultants will make it easier for you to update your personal data whenever possible. For example, through the company’s website.

Incorrect data will be erased. For example, when a customer can not be found at the phone number in the database, it will be deleted.

The marketing manager or company directors will update the database every six months.

Applications for access to the database

All persons whose data appear in the Marine & Offshore Consultants database are entitled to:
● Ask what information the company has about them and why;
● Request access to personal data;
● Be informed about how to keep these accurate and updated data;
● Be informed about the company’s privacy policy.

When a person contacts the company asking for this information, the action is called an access request (see Annex 3 – Application for Access to Personal Data).

Requests for access to personal data can be made by email addressed to the personal data processor (responsible human resources, accountants, directors) at office@marineoffshoreconsultants.com. The data processor may require a standard access form to be filled in.

Requests for access to personal data are not paid. The person processing the personal data will issue a response to the request within 14 business days.

The Data Controller will verify the identity of the person requesting the data before handing him any information.

Disclosure of personal data for other reasons

Under certain circumstances, the Personal Data Protection Act allows disclosure of personal data to legal institutions without the consent of the holder.

In such circumstances, Marine & Offshore Consultants will disclose the personal data requested by legal entities. In this case, the data controller will ensure that the request is legal.

Providing information

Marine & Offshore Consultants will ensure that company employees and collaborators understand how the
company processes personal data and understand:
● How to use personal data;
● How to exercise their rules.

Marine & Offshore Consultants owns the Privacy Statement that sets out how personal data is used by the company. This Statement is available on request. A version of this Statement, as well as the Privacy Policy, can be found on the company’s intranet and printed at the Reception Desk.

Initial information

Regarding the protection of personal data

Subordinated Marine & Offshore Consultants SRL, with headquarters in Constanta, Mamaia Blvd. 203 ap.8, J13/15/8.01.2013, CUI 31062445, phone +40241551515, based on art. 13 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL/27 April 2016, we will inform you that we will collect and process your personal data requested for employment (name, email address, telephone number, home address, CNP, marital status, studies, experience, etc.) for the purpose of concluding the employment contract between you and the subscriber.

The legal basis for processing your personal data is – the conclusion and execution of a contract, and – the processing required to comply with the obligation, a legal obligation governed by labor law.

We inform you that the recipients of your personal data are the subscribed employees, the accounting department and human resources, but also the clients (who will be provided with your name, email address and telephone number when applicable), as well as state institutions and that we DO NOT intend to transfer these data to another company (marketing and advertising company).

The data will be stored for a specified period as long as there is a contract of employment in force and, in the case of a dispute, during the settlement of the dispute and in accordance with the legislation in force as long as we have a legal obligation to keep contracts work, states and other legal documents in the accounting records and company archive.

We inform you that you have the right to request access to your personal data as well as rectification or erasure or restriction of processing under the law, as well as the right to complain to the supervisor if you believe that your rights have been disregarded.

We will establish technical and procedural measures to protect and ensure the confidentiality, integrity and accessibility of your personal data processed; prevent unauthorized use or access, and prevent personal data breach, in accordance with applicable law.

All details on the collection, processing and storage of your personal data are in the GDPR Data Protection Procedure that can be accessed at any time in electronic or paper form.

Data Processing Agreement According to GDPR

Subordinated Marine & Offshore Consultants SRL, with headquarters in Constanta, Mamaia Blvd. 203 ap.8, J13/15 / 8.01.2013, CUI 31062445, phone +40241551515, based on art. 13 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL / 27 April 2016, we will inform you that we will collect and
process your personal data requested for employment (name, email address, telephone number, home address, CNP, marital status, studies, experience, etc.) for the purpose of concluding the employment contract between you and the subscriber.

The legal basis for the processing of your personal data is the conclusion and performance of a contract as well as the processing necessary to comply with the legal obligation, a legal obligation governed by labor law.

We inform you that the recipients of your personal data are the subscribed employees, the accounting department and human resources, but also the clients (who will be provided with your name, email address and telephone number) and state institutions, and that NO we intend to transfer these data to another company (marketing and advertising company). Also, CV data, especially those related to studies and experience, will be processed anonymously in case of collaborations with other companies (not marketing and advertising companies).

The data will be stored for a specified period as long as there is a contract of employment in force and, in the case of a dispute, during the settlement of the dispute and in accordance with the legislation in force as long as we have a legal obligation to keep contracts work, states and other legal documents in the accounting records and company archive.

We inform you that you have the right to request access to your personal data as well as rectification or erasure or restriction of processing under the law, as well as the right to complain to the supervisor if you believe that your rights have been disregarded.

We will establish technical and procedural measures to protect and ensure the confidentiality, integrity and accessibility of your personal data processed; prevent unauthorized use or access, and prevent personal data breach, in accordance with applicable law.

We mention that all details with regard to storage and process of personal data can be accessed anytime in the hard copy of GDPR Procedure (available on Reception).