Terms and Conditions


The information provided herein as “Terms and Conditions of the CookieBox application” (“Terms and Conditions of the Service”) constitutes the general framework agreement applicable to the Service developed and operated by S.C. Conversion Marketing S.R.L., headquartered at Sos. Nord Nord no. 15-23, Swan Office Park, Windsor Building, et. 2, 077190, Voluntari, Ilfov, registered with the Trade Register under no. J23 / 894/2013 and having fiscal code no. RO18350386, hereinafter referred to as Provider.

1. TERMS

Visitors – shall refer to the internet users that access a website, identified by a cookie file in a database, used within the CookieBox Platform, in observance of the legislation in force;

Contract – shall refer to an agreement between Visitor and Website.

Website – shall refer to a website owned by Beneficiary and registered on the CookieBox Platform;

Logs – shall refer to the cookie preferences chosen by Visitor on Beneficiary website, through the CookieBox Popup;

CookieBox Trial period – shall refer to the manner of collaboration that is based on a free-of-charge subscription to the CookieBox Platform throughout the collaboration, for a maximum of 7 days. After these 7 days, the Beneficiary will have to choose one of the monthly subscription offers or the service will be terminated;

CookieBox Monthly subscriptions – shall refer to the manner of collaboration that is based on the issue of a monthly invoice sent to the Beneficiary based on allocated resources by the Provider to the Beneficiary described here: https://www.cookiebox.ro/#price;

MAU – Monthly active users (MAU) are only the visitors that expressed their cookie usage preferences. A user that doesn’t have a preference about the cookie usage will not be counted;

CookieBox Personalized – For nonprofit organizations and students who wish to use CookieBox for their personal website, CookieBox offers pro bono packages;

CookieBox Service – shall refer to a self-sustaining script that the client must insert into the website. This script is responsible for generating the pop-up and informing the Visitor about the information collected by the cookies, and also allows the Visitor to opt out of certain non-necessary cookies;

CookieBox Platform – shall refer to the technical system operated by S.C. Conversion Marketing S.R.L., made available to the Beneficiaries at www.cookiebox, together with all relevant information and specific tools required for them to be able to use the CookieBox Service – to enable them to send messages. The CookieBox Platform allows you to display a pop-up notification box (the "Pop-up"), that can be used on your website for different purposes. It may be used to inform your website visitors ("Visitors") about your website Privacy Policy and Cookie usage

CookieBox is only the service provider and it is your own responsibility to ensure that the correct settings and implementation of CookieBox are used on your website in case you use it to comply with a certain law, regulation or directive, including but not limited to EU’s General Data Protection Regulation (GDPR) and EU’s ePrivacy Directive.

CookieBox offers a set of options for the pop-up, which is constantly updated to ensure the Services cover as many customer needs as possible.

CookieBox organizes server resources in a way to provide a high level of service with at least 99.9% uptime on the operation of the cloud service, both website and scripts hosting.

First month of the subscription – shall refer to the calendar month during which the Contract is concluded;

"Personal data from the Beneficiary" shall mean any Personal Data processed by CookieBox on behalf of the Beneficiary, based on or with regard to the Contract; particular, their right to privacy with regard to the processing of Personal Data, applicable in Romania;

"Services" shall mean the services to be provided by CookieBox to the Beneficiary, in line with the Contract.

2. SUBJECT MATTER OF THE CONTRACT

2.1. The Subject Matter of the Contract consists in providing the Service for the benefit of the Beneficiary, so as to allow the Beneficiary to display a pop-up notification box to inform Visitors about the Beneficiary website's Privacy Policy and Cookie usage. The information displayed in the pop-up box is broken down into categories that the Visitor has the option to allow or block.

These preferences are saved temporarily only on the Visitor side to prevent the pop-up box from being shown all the time.

2.2. The Services provided to the Beneficiary are the following:

use of the CookieBox Platform to manage information about Privacy Policy and Cookie usage;

administration by the Provider of the hardware and software infrastructure referred to in paragraph a);

monitoring the account usage and instant or periodic reporting of errors caused following the integration with external IT systems, as well as reactive reporting of any blacklisting;

consultancy services with regard to the Cookie Consent activity detailed in the "Documents" section of the CookieBox Platform and refers to a list of documents detailing information about the GDPR laws;

developing customized pop-up or banner templates, according to the requirements of the Beneficiary;

graphic design services for pop-up and banner;

management services for Cookie Consent, for the benefit of the Beneficiary;

other cookie consent related-activities.

3. GENERAL PROVISIONS

3.1. The CookieBox Platform may be used on a monthly subscription basis.

3.2. The monthly subscription fee paid by the Beneficiary to the Provider for the use of the CookieBox Platform shall be as follows:

3.2.1 The Free subscription is FREE* and you benefit from:

  • Email support
  • Customizable cookie categories
  • 1 domain
  • Unlimited subdomains
  • Up to 200.000 monthly active users*
  • Optional addon: website scanner for only €5.99
  • Forever free

3.2.2 The Business subscription is priced at 18.99 EUR and you benefit from:

  • Email & Phone Support (response time within 24 hours)
  • Customizable cookie categories
  • 2 domains
  • Unlimited subdomains
  • Up to 800.000 monthly active users*
  • Optional addon: website scanner for only €5.99
  • 7 day trial period

3.2.3 The Enterprise subscription is priced at 34.99 EUR and you benefit from:

  • Email, phone & remote support (response time within 24 hours)
  • Free web scanner
  • 5 domains
  • Up to 1.500.000 monthly active users*
  • 7 day trial period

3.2.4 The Personalized subscription has a negotiable price and you benefit from:

  • Customizable solutions
  • Individualized support to help admins manage at scale

* Monthly active users (MAU) are only the visitors that expressed their cookie usage preferences. A user that doesn’t have a preference about the cookie usage will not be counted.

4. RATES AND PAYMENT

4.1. The Beneficiary shall pay to the Provider a monthly subscription fee for the contracted Service, based on the package chosen (Tiny, Business, Enterprise and Personalized).

4.2. The Beneficiary is under the obligation of making full payment of the subscription fee, irrespective of whether or not it made use of the CookieBox Service during the respective month.

4.3. The invoice shall be issued covering the subscription fee in full, in advance, for the following month.

4.4. The Provider shall issue a tax invoice in RON, using the RON/EUR exchange rate published by the National Bank of Romania on the date of the invoice, and shall send it to the Beneficiary if the Beneficiary has the fiscal residence in Romania. If the fiscal residence has been declared outside Romania, we will issue an invoice without VAT and the amount will be expressed in EUR.

4.5. The Beneficiary may use the CookieBox Platform account only after the Provider has collected the payment under the CookieBox Business subscription in full.

4.6. Subsequently to making the payment for the first month of the subscription, the Beneficiary shall pay for the CookieBox subscription within 5 (five) days of the issue of the invoice by the Provider. The Provider reserves the right to suspend its Services without prior notice in case the Beneficiary does not make payment within 5 (five) days of the issue of the invoice.

4.7. Given the nature of the services provided, since the Beneficiary is able to use the CookieBox Platform immediately after making the payment, the Beneficiary acknowledges and expressly agrees that the right of withdrawal within 14 days following the provision of the Service, provided for in Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights - transposed in the national legislation through Emergency Ordinance No. 34/2014 on consumer rights in contracts concluded with professionals, amending and supplementing certain normative acts - shall not apply in the case of the CookieBox Service, in line with the exceptions referred to under Article 16 (including Article 16, letters a and m) of the Directive and of Emergency Ordinance No. 34/2014.

5. RIGHTS AND DUTIES OF THE BENEFICIARY

5.1. Aside from all other rights set forth herein, the Beneficiary shall have the following rights:

to use the CookieBox Platform to display a pop-up notification box informing his website Visitors about website’s Privacy Policy and Cookie usage, in observance of this Contract;

to use the CookieBox Platform to display a banner notification informing his website Visitors about website’s Privacy Policy and Cookie usage, in observance of this Contract;

5.2. Aside from all obligations set forth herein, the Beneficiary shall have the following obligations:

not to use the CookieBox Platform to display any unrequested messages (Spam), irrespective of whether the purpose of the message is commercial or non-commercial.

not to contribute to disseminating electronic messages containing or promoting any materials hazardous to the IT equipment of the Visitor or containing obscene or indecent language, illegal, intimidating, abusive, indecent, racist, or chauvinistic messages, or which might be discriminatory towards any individual in any manner, or which would infringe in any way or to any extent any standard or regulation in force;

to observe all duties stipulated hereunder and in the applicable legislation in force pertaining to the activity carried out, including, but without limitation to the legislation in force in the field of electronic communication and the legislation on personal data protection;

to pay to the Provider, in observance of the deadline set hereunder, the amount of the CookieBox subscription fee, as well as any other service fees ordered by it. The Beneficiary can request web development and creation and, for the price evaluation, should send an e-mail to the address cookiebox@conversion.ro;

not to provide access to the account created in the CookieBox Platform to unauthorized persons or entities, bearing responsibility for the consequences of such unauthorized access to the CookieBox Platform. In case there is a breach of security or the Beneficiary notices any unauthorized access to their account, the Beneficiary is under the obligation of notifying the Provider immediately, providing all relevant details about the incident;

to hold all intellectual property rights on all materials (texts, images, files) sent through the messages and to be accountable for the content thereof.

6. RIGHTS AND DUTIES OF THE PROVIDER

6.1. Aside from the other rights set forth herein, the Provider shall have the following rights:

to check, at any time, the observance by the Beneficiary of the Contract, and of the legal provisions in force, and to suspend, at any time, access to the CookieBox Platform, if the Beneficiary fails to meet any obligation;

to use the logo and brand of the Beneficiary for marketing purposes;

to amend, at any time, the Contract, the commercial policy and the rates, as it considers fit. Any amendment of the rates shall operate immediately upon notification of the Beneficiary.

to suspend the provision of cookie consent services to the Beneficiary whenever there is suspicion or proof that the Beneficiary is infringing the provisions hereof.

6.2. Aside from the other rights set forth herein, the Provider shall have the following duties:

to allow the Beneficiary to have access to the CookieBox Platform enabling it to display a pop-up notification box or banner informing his website Visitors about website’s Privacy Policy and Cookie usage, in exchange for the rates agreed hereunder;

to ensure proper operation of the CookieBox Platform and to repair, as fast as possible, any error or technical problem;

to inform the Beneficiary prior to any maintenance works on the CookieBox Platform;

7. LIABILITY

7.1. The liability for the content of the messages shown through pop-up or banner rests solely with the Beneficiary;

7.2. In case of any delay in the payment of the invoices due, the Beneficiary is in default by operation of law, without any prior notification from the Provider, as of the date on which the payment obligation becomes due and must pay default penalties of 0.5% per day of the total amount of the invoice issued. Aside from the right to apply default penalties for non-observance of the payment deadlines set forth herein, the Provider is entitled to suspend the provision of the Service until all due payments are made by the Beneficiary, including any compensations and/or any penalties.

7.3. For any payment obligation, the Beneficiary shall be deemed in default by operation of law, without any prior notification from the Provider, as of the date on which the payment obligation becomes due.

7.4. The Provider is entitled to direct any amount received from the Beneficiary towards covering any of the outstanding amounts owed by the Beneficiary, without taking into account the destination indicated by the Beneficiary for the payment.

7.5. In case of failure by the Beneficiary to observe any obligation set hereunder, the Provider is entitled to suspend the provision of the Service, without any formalities or without the intervention of any court of law, until the repair/ fulfilment of the obligation by the Beneficiary.

7.6. The Provider shall not be held liable by the Beneficiary for any damages - direct, indirect, current or potential - or for any loss of profit, including (for example, but not limited to): financial loss, loss of revenue or profit, loss of clients or any other type of loss or damage of any nature and for any reason, if it is a result of the suspension and/ or termination of the Service.

8. CONFIDENTIALITY OF THE INFORMATION

8.1. The Parties acknowledge that, in consideration of the provision of the CookieBox Service, the following information shall become confidential, subject to the confidentiality agreement undertaken herein:

access data of the Beneficiary to the CookieBox Platform;

all information related to the Visitors of the Beneficiary.

9. INTELLECTUAL/ INDUSTRIAL PROPERTY RIGHTS

9.1. The Beneficiary declares and acknowledges that the technology and know-how – whether patented or not - incorporated in the CookieBox Platform and in the CookieBox Service are and shall remain property of the Provider.

Therefore, the Beneficiary acknowledges and agrees that the Provider holds all intellectual property rights concerning the CookieBox Platform and the CookieBox Service and that, except for the right to use the CookieBox Platform and the CookieBox Service, and on condition that all obligations herein are observed in full, it does not acquire any other right with respect to the CookieBox Platform and/or the CookieBox Service.

9.2. The Beneficiary acknowledges and undertakes to observe at any time the property right of the Provider on the CookieBox Platform and on the CookieBox Service;

9.3. In case the Provider receives a notification or a complaint from a third party, the Provider shall forward it to the Beneficiary, which shall be solely responsible for correcting the situation and indemnifying the affected third parties, as well as the Provider for any costs or damages incurred.

10. TERMINATION OF USE OF SERVICE

10.1. The Parties may terminate this Contract unilaterally, by sending a 30-day prior notification to the other party, to the email address cookiebox@conversion.ro. The termination shall operate after the expiry of the 30-day period following the receipt of the notification.

10.2. In case of suspicion and/ or non-observance by the Beneficiary of any obligation set for it under this Contract, the Provider, as it deems fit, may notify the Beneficiary about the termination of provision of the CookieBox Service, which termination shall operate immediately, by operation of law, without any other formalities and without the intervention of any court of law, the Beneficiary being directly responsible for any damage generated. In case of Contract termination for such provisions, the Beneficiary shall lose any right to request reimbursement of the amounts paid in advance.

11. SPECIAL CLAUSES

11.1. The Beneficiary shall guarantee and shall hold the Provider harmless against any claims, actions, causes of action, suits, damages, liabilities, obligations, costs and expenses (including, but without limitation, any legal fees, in-house conciliation costs, court litigation expenses, hereinafter collectively referred to as Losses) which can be attributed to or which are correlated with the infringements by the Beneficiary of this Contract and any other liability claim.

11.2. The conclusion of this Contract and/ or the use by the Beneficiary of the CookieBox Platform is equivalent to acknowledging that the Beneficiary read, understood and agreed with the provisions hereunder and with the Terms and Conditions of the Service, as displayed at any time on the CookieBox Platform.

11.3. The Beneficiary shall be liable for all obligations, operations and debts resulted from this Contract and/ or the use of the Service until full discharge therefrom.

12. PROCESSING OF PERSONAL DATA FROM THE BENEFICIARY

12.1. During the provision of the Services by the Provider in line with the Contract, the Provider, in its capacity as Person authorized by the Beneficiary, may process Personal Data from the Beneficiary on behalf of the Beneficiary, as Personal Data Processor.

12.2. In all cases in which Personal Data from the Beneficiary is processed on the basis of, or in connection to the Contract, the Provider:

12.2.1. shall process, transfer, modify, change or alter Personal Data from the Beneficiary or shall disclose or allow the disclosure of Personal Data from the Beneficiary to third parties according to Annex 1 (Details on the Processing of Personal Data from the Beneficiary), and exclusively:

according to the requirements concerning the observance of the Beneficiary’s instructions - documented and reasonable (which, except if provided otherwise, shall relate to the processing of personal data from the Beneficiary as required for the purpose of providing the Services hereunder), including with regard to the transfer of Personal Data from the Beneficiary to a third party or an international organization; or

according to the requirements concerning the observance of the applicable legislation by the Provider, in which case the Provider (to the extent permitted under the law) shall inform the Beneficiary with regard to the legal requirement in question before processing the respective Personal Data from the Beneficiary.

12.2.2. when learning of a personal data breach:

shall notify the Beneficiary in 48 (forty-eight) hours, and

shall cooperate with the Beneficiary and shall take all reasonable commercial measures indicated by the Beneficiary in view of providing assistance in investigating, mitigating and repairing a personal data breach, on condition of full reimbursement by the Beneficiary in each case of all costs incurred by the Provider (including with internal resources and any costs with third parties), in a reasonable manner with regard to the fulfilment of the obligations in this paragraph 12.2.2, to the extent to which the personal data breach was not caused by the Provider.

12.2.3. upon receipt of any request, complaint or communication related to the obligations of the Beneficiary based on the applicable legislation on data protection:

shall notify the Beneficiary as soon as possible, in a reasonable manner;

shall cooperate with the Beneficiary and shall take the reasonable commercial measures indicated by the Beneficiary to allow the latter to observe any exercise of rights by a Subject on the grounds of the applicable data protection legislation, or the observance of any evaluation, inquiry, notification or investigation based on the applicable data protection legislation, on condition of full reimbursement in each case by the Beneficiary of all costs incurred by the Provider (including with internal resources and any costs with third parties) in a reasonable manner with regard to the fulfilment of the obligations in this paragraph 12.2.3.

12.2.4. shall implement the technical and organizational measures provided in Annex 2 hereto, in collaboration with the Beneficiary. The Beneficiary has confirmed that it has reviewed and approved these measures as providing a proper security level with regard to the Personal data from the Beneficiary to be processed by the Provider in its capacity as a Person authorized by the Beneficiary;

12.2.5. shall ensure that its employees with access to personal data from the Beneficiary are under contractual, professional or legal obligations of confidentiality;

12.2.6. shall provide reasonable support to the Beneficiary with regard to the impact assessment concerning the data requested on the grounds of Article 35 GDPR and to the prior consultations addressed to any Supervisory Authority of the Beneficiary which is requested on the grounds of Article 36 of GDPR, related to the processing of personal data from the Beneficiary by the Provider on behalf of the Beneficiary and in consideration of the nature of the Processing and of the information available to the Provider; and

12.2.7. with the exception of cases in which the applicable legislation imposes a contrary obligation, it shall stop processing personal data from the Beneficiary within 90 days of the termination or expiry of the Contract, or, if it occurs earlier, the termination or expiry of the Service it refers to, and, as soon as possible thereafter, it shall either return or delete from its systems the personal data from the Beneficiary and any copies thereof.

12.3. The Beneficiary authorizes the Provider to hire the subcontractors with regard to the processing of personal data from the Beneficiary. During the term of the Contract, the Provider may hire other subcontractors, in observance of the following obligations:

The Provider shall notify the Beneficiary (via e-mail or otherwise) with regard to its intention of using a new subcontractor to process personal data from the Beneficiary;

The Provider shall include in the contract concluded with each subcontractor terms that are substantially similar to those provided in clause 12 thereof;

In case a subcontractor fails to meet its obligations concerning the protection of personal data from the Beneficiary, the Provider shall be fully liable before the Beneficiary with regard to the fulfilment of these obligations.

With regard to any notification sent based on Art. 12.3, Paragraph 1, the Beneficiary shall have 30 (thirty) days following the receipt of the notification, to inform the Provider with regard to any reasonable objection related to the hiring of the subcontractor in question. In such situation, the parties shall attempt - in good faith and throughout a period of maximum 30 (thirty) days as of the date of the objection - to reach a reasonable solution from a commercial standpoint, which would allow to avoid hiring such subcontractor. In case such solution cannot be reached, the Provider shall be entitled to terminate the Contract unilaterally, through a written notification sent to the Beneficiary.

12.4. The Provider shall make the information available to the Beneficiary and (as applicable) shall collaborate in conducting any audit or inspection, upon reasonable request from the Beneficiary to give assurance that the Provider observes the obligations set hereunder, on condition that such request does impose a duty on the Provider to provide or to allow access to:

internal information of the Provider concerning prices,

information concerning other subcontractors of the Provider,

any of the external reports of the Provider that have not been made public or

any internal reports prepared by the internal audit functions of the Provider. Moreover, the Beneficiary may request a maximum of one audit or one inspection during any period of 12 consecutive months.

12.5. The Beneficiary guarantees that all Personal Data from the Beneficiary processed by the Provider according to this section were and shall be collected and processed by the Beneficiary in observance of the applicable law on data protection, including, but without limitation:

ensuring that all notifications sent to regulatory authorities and all approval from such authorities required according to the applicable Legislation on data protection are made and kept by the Beneficiary, and

ensuring that all Personal Data from the Beneficiary is collected and processed in an equitable and legal manner, that they are correct and updated, and a notification concerning the processing of personal data is sent to the Subjects to describe the processing to be carried out by the Provider based on this Contract.

12.6. The Beneficiary shall indemnify and exempt the Provider from any responsibility for all losses incurred and all fines and sanctions applied by public authorities, including by any Supervisory Authority, which derive from any request by a third party or public authority, including any Supervisory Authority, which derives from any infringement of section 12.5.

13. ASSIGNMENT

13.1 Without the express prior written approval by Provider, the CookieBox Platform shall have no right to assign and/or transfer in any way, totally or partially, his/her rights and obligations arising in relation to the Agreement concluded with Provider and/or to the use of the Service.

13.2 By using the Service, the Visitor hereby acknowledges Provider’s right to assign at any given moment, without any other approval from the Visitor, totally or partially, any and each of its rights and/or obligations arising in relation to the Agreement concluded with the Visitor and/or to the use of the CookieBox Platform. Additionally, the Visitor hereby acknowledges Provider’s right to assign/transfer to a third party, in any way, totally or partially, the CookieBox Platform.

14. NOTIFICATIONS

14.1 All notifications, communications and/or any other requests related to the CookieBox Platform shall be in writing and will be communicated at the correspondence address or e-mail address provided by the Visitor in the registration forms of the Visitor Account, and by Provider in the Preamble of the Terms and Conditions of the Service, as subsequently amended and updated and posted on the Platform at any given moment.

14.2 The Visitor admits that any notifications and communications made by Provider through the CookieBox Platform are reliable and are enforceable against the Visitor as of the moment they are published by the CookieBox Platform.

14.3 If a communication is sent via postal service (including any delivery service), it shall be valid only if sent accompanied by acknowledgement of receipt and shall be considered received at the date mentioned on such acknowledgement of receipt by the receiving postal office and/or by the courier.

14.4 If a communication is sent via e-mail, it shall be considered received on the working day it was sent and/or on the following working day, if sent during a non-working day.

15. FORCE MAJEURE

15.1 Any unforeseeable and insurmountable circumstance, beyond the will and control of the Parties, that shall render impossible the performance of the obligations by the Visitor and/or Provider, shall be considered a Force Majeure event and shall relieve the party claiming the Force Majeure of any liability for performing such obligation.

15.2. Causes of a Force Majeure event are circumstances including, but not limited to: war, revolution, earthquake, massive floods, embargo, expropriation, devastating fire, discontinued or blocked access to or functioning of the CookieBox Platform and/or of the Services for reasons not ascribable to Provider.

15.3 The Party claiming a Force Majeure event shall give notice thereof, within 10 working days of the date the Force Majeure has occurred, to the other party, and provide the documents attesting the Force Majeure, issued by a competent authority within 30 (thirty) working days of such date. The Party in question shall also have the obligation to immediately communicate the end date of the cause of the Force Majeure.

15.4 In case of omitting to give notice, in accordance with the abovementioned conditions and the deadlines, of the start and end date of the Force Majeure cause, the party claiming the Force Majeure shall bear all the damages caused to the other party by such omission.

15.5 The Parties hereby commit to take all reasonable measures as necessary in order to limit any damages that may arise during the Force Majeure event, as a consequence of the Force Majeure.

15.6 During a Force Majeure event that prevents one or both parties from performing their obligations, the parties are relieved of any liability for performing their obligations. In case the Force Majeure does not end within 3 (three) months as of the date it was notified, any party can terminate the Agreement and/or the use of the CookieBox Platform.

16. APPLICABLE LEGISLATION AND JURISDICTION

16.1 The provisions of the Visitor Service shall be governed by the laws of Romania.

16.2 In accordance with article 117 of the Civil Procedure Code the competent courts of Bucharest, Romania shall have exclusive jurisdiction over all and any disputes arising in connection with the provisions of the Terms and Conditions of the CookieBox Platform, as subsequently amended and updated and posted on the Platform at any given moment and/or in connection with the Agreement concluded between the Visitor and Provider in accordance with these Terms and Conditions.

ANNEX 1: DETAILS FOR THE PROCESSING OF PERSONAL DATA FROM THE BENEFICIARY

This Annex 1 includes certain details regarding the Processing of Personal Data in line with Article 28, paragraph (3) of the GDPR

Subject matter and duration of processing of Personal Data from the Beneficiary:

The Subject matter and duration of processing of Personal Data from the Beneficiary are set in the Contract.

Nature and purpose of the Processing of Personal Data received from the Beneficiary:

The purpose of the Processing of Personal Data received from the Beneficiary is set in the Contract. Upon request, the Provider shall provide Account Management services, which means that an account manager of the Provider manages the content and images from popup and banner.

The types of personal data from the Beneficiary to be processed are, as applicable:

Cookies, IP Address, Browser Technology, Operating System.

The categories of Subjects to which the Personal Data from the Beneficiary refer: Visitors

The rights and duties of the Beneficiary are set within the Contract.

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

The minimum security requirements for the Processing of Personal Data received from the Beneficiary shall cover the following:

  1. Identification and authentication of users

A user is any person acting under the authority of the Provider, with the right to access the Personal Data from the Beneficiary.

In order to gain access to a personal data database, users must identify themselves. Identification is done through username and password.

Each user shall have its own identification code. It is not possible for several users to share the same identification code.

Any user account is accompanied by a method of authentication.

Authentication is done using a password.

Passwords are changed periodically.

The Provider’s computer system shall automatically deny access to a user after introducing a wrong password 5 times.

Any user receiving an identification code and a method of authentication must observe the confidentiality thereof and shall be accountable to the Provider.

The Provider shall authorize certain users to revoke or suspend an identification and authentication code, following the user’s resignation or dismissal, contract termination, transfer to another service or assignment of new tasks that do not require access to Personal Data from the Beneficiary, in case of misuse of the codes received or in case of lengthy absence for a period determined by the entity.

Access of users to Personal Data from the Beneficiary carried out manually shall be done based on an authorization issued by the Provider.

  2. Type of access

Users shall only access Personal Data from the Beneficiary required for the fulfilment of the purpose set in the Contract.

The department providing technical support shall have access to Personal Data from the Beneficiary to solve exceptional situations.

  3. Collecting personal data from the Beneficiary

The Provider shall nominate users authorized for the collection and introduction of Personal Data from the Beneficiary in a computer system.

Any modification of the Personal Data from the Beneficiary can only be done by an authorized user nominated by the Provider.

  4. Creating backup copies

The Provider shall determine the timeline for the backup copies of the Personal Data from the Beneficiary, as well as for the programs used for automated processing. A limited number of users shall be appointed by the Provider to create backup copies.

  5. Computers and access terminals

Computers and other access terminals are installed in rooms where access is allowed using magnetic cards or keys.

  6. Access files

The Provider shall take measures to ensure that any access of Personal data from the Beneficiary is recorded in an access file (entitled log for the purpose of automated processing) or in a registry for manual processing of personal data.

For automatic processing, this information shall be stored in a general access file or in separate files for each user.

  7. Telecommunication systems

The Provider shall carry out periodic control of authentications and on the types of access to detect dysfunctionalities pertaining to the use of telecommunication systems.

  8. Training of personnel

During user trainings, the Provider shall provide information on the provisions of the applicable legislation on data protection as well as regarding risks entailed by personal data processing.

Users with access to personal data from the Beneficiary shall be informed by the Provider concerning the confidentiality thereof.

  9. Use of computers

To maintain security in the processing of Personal data from the Beneficiary (particularly against computer malware), the Provider has implemented measures consisting in:

forbidding the use by the users of software programs from external or suspicious sources;

informing users about the dangers of computer malware;

implementing automated malware removal and computer security systems.

Published: 01.08.2018
