PERSONAL DATA PROTECTION POLICY
General provisions
Socar Petroleum SA, with registered office in Bucharest, 32-36 Pechea Street, floor 4, District 1, registered with the Trade Register Office of the Bucharest Court under no. J40/13723/2012, Tax Identification Number 12546600 (“Socar” or the “Company”), as data controller, processes your personal data in good faith, for the specific purposes mentioned herein, according to the data protection law, including, without limitation, Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”).
The purpose of this information is to explain who we are, how we process personal data, how we share and use personal data, and how you may exercise the rights you have under the GDPR.
Personal data means any information relating to an identified or identifiable natural person. Distinct pieces of information that together may lead to the identification of a certain person are also personal data.
By “processing” we mean any operation or set of operations which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
We take privacy seriously and we are aware that your personal data are yours; therefore, we make every effort to store them safely and to process them carefully. We don’t provide personal data to any third party without informing you. We have taken appropriate measures to protect the personal data that you share with us.
Purposes, basis for processing and categories of personal data
The personal data processed by Socar via this website or in the pursuit of its activity may be used for purposes such as:
- The entering into, and performance of, contracts for the purchase of goods and customer relationship management, including operations such as sales, the processing of payments and the preparation of financial and accounting documents, based on article 6 paragraph (1) letter b) of the GDPR. Socar processes identification data, contact details and the signatures of the Company’s customers, suppliers and collaborators, or those of the employees/representatives designated by them for the entering into, and performance of, contracts.
- The entering into, and performance of, contracts for the purchase of fuel using fuel cards, based on article 6 paragraph (1) letter b) of the GDPR. For this purpose, Socar processes personal data such as last and first name, username, customer representative’s job title, telephone number, e-mail address, card details, customer’s / customer representative’s ID Card details, signature.
- The entering into, and performance of, contracts for the purchase of vignettes/road taxes and compliance with the legal obligations to which it is subject under the relevant law, based on article 6 paragraph (1) letters b), c) and f) of the GDPR, as applicable. For this purpose, Socar collects the following categories of data: last and first name (only when invoices are issued), vehicle registration number, vehicle registration country, date and time when the vignette/road tax is issued/expires (to the extent that such information leads to the person’s identification), VIN, signature, address (only when invoices are issued), copy of the registration certificate (only for the correction of the vehicle registration number), vignette/road tax series and single transaction series.
- Carrying out wholesale transactions, including by filling out the form available in the Wholesale The Company collects the following categories of personal data: last and first name, address, title, employment, department, telephone number, e-mail address, ID card details, driver’s licence details, signature, based on article 6 paragraph (1) letter b) of the GDPR.
- Website management and maintenance, including the use of cookies, in order to ensure a quick and effortless user-website interaction. This type of data processing is based on your consent and on our legitimate interest, based on article 6 paragraph (1) letters a) and f) of the GDPR. For more details on the Company’s use of cookies, please see the dedicated section on the website.
- Carrying out recruitment operations, including by filling out the form available in the Careers section on the website, which involves the processing of identification details and information included on candidate CVs sent to the Company, and of publicly available candidate information, to the extent that it is relevant to the recruitment process. The processing of such data is based, as applicable, on your consent, our legitimate interest, or the steps required prior to entering into a contract, at the request of the data subject, based on article 6 paragraph (1) letters a), b) and f) of the GDPR.
- Carrying out marketing campaigns, based on article 6 paragraph (1) letters a), c) and f) of the GDPR. Socar collects personal data such as: last and first name, image, voice, contact details or other data required under the tax laws, as applicable.
- The monitoring, security and protection of Socar goods, persons and premises, according to Law no. 333/2003 on the security of premises, goods, valuables and the protection of individuals, by using video surveillance devices at Socar stations and at the registered office, based on article 6 paragraph (1) letter c) of the GDPR, and for the purposes of our legitimate interests, based on article 6 paragraph (1) letter f) of the GDPR. For this purpose, Socar processes your image by automated means and your vehicle’s registration number.
- Processing your requests, questions or complaints, based on article 6 paragraph (1) letter a) or letter f) of the GDPR, as applicable. Socar processes your last and first name and contact details you provided.
- In the progress of employment relationships, which involve the processing of data for the entering into, and performance of, employment contracts, compliance with the labour law and social security legal obligations and/or for the purposes of a legitimate interest pursued, based on article 6 paragraph (1) letters b), c) and f) of the GDPR, Socar processes its employees’ personal data, as detailed in the information note provided to its employees; in certain cases exceeding the performance of the employment contract, Socar processes its employees’ data based on their consent, based on article 6 paragraph (1) letter a) of the GDPR.
- The communication with our collaborators and contractual/business partners, based on article 6 paragraph (1) letter b) or f) of the GDPR, as applicable. For this purpose, Socar processes personal data such as: last and first name, job title and/or capacity and organisation represented, signature, contact details.
- The purchase of property or the transfer of real rights to Socar, based on article 6 paragraph (1) letters b) and f) of the GDPR, as applicable. For this purpose, Socar processes personal data such as: last and first name, data available on the ID document, data available on the title, data available on the tax certificate, data available on the energy performance certificate, and data available on the Land Register extract. Moreover, to the extent that Socar carries out a review of the property ownership history, it may process personal data of persons with whom it doesn’t have a direct relationship, such as the seller’s family members, the seller’s legal representatives, or others showing in the property ownership history.
- Preparing the civil liability insurance file, to the extent that incidents take place at any Socar stations, generating loss to anyone, based on article 6 paragraph (1) letter a) of the GDPR. Socar processes personal data such as: last and first name, data available on the ID document, data available on the vehicle registration certificate, data available on the driver’s licence, telephone number and data included in affidavits.
- Providing call centre/help desk support services to SOCAR card holders, to customers who purchase vignettes and to potential customers, based on article 6, paragraph (1), letters a), b) and f) of the GDPR, as applicable. For this purpose, SOCAR processes the following categories of data: last and first name, telephone number, employment, vehicle registration number, voice, call recording.
- Providing electronic invoicing and notification services to SOCAR card holders, based on article 6, paragraph (1), letters a), b) and f) of the GDPR, as applicable. SOCAR processes the following categories of data: e-mail address, mobile number, invoice series and number, invoice value, invoice issue date, invoice due date, as applicable.
- The collection of debt/recovery of claims owed to Socar, including through enforcement proceedings, according to the contracts and the Company’s legitimate interest, based on article 6 paragraph (1) letters b) and f) of the GDPR. For this purpose, Socar processes identification data, contact details and the signature of data subjects against whom the debt collection/claim recovery proceedings are carried out and, as applicable, of the representatives thereof involved in these proceedings.
- The defence, exercise, establishment of a right/claim/request in court, before any other authority/institution/natural or legal person, auditor, without limitation, based on the Company’s legitimate interest to take all the measures that are necessary and appropriate to protect its rights and interests, under article 6 paragraph (1) letter f) of the GDPR. For this purpose, Socar processes identification data, contact details and the signature of data subjects in relation to whom such action and measures are taken by the Company (such as documentation, defence, exercise, establishment) and, as applicable, of the representatives thereof involved in such action and measures.
- Compliance with the Company’s legal obligations, such as preparing financial and accounting documents, submitting reports and following the procedures required by law, based on article 6 paragraph (1) letter c) of the GDPR. For this purpose, Socar processes the categories of personal data mentioned in the applicable regulations.
- Reputational and solvency assessments of third parties (legal basis: Art. 6 para. (1) lit. f) of the GDPR, i.e. the fulfilment of our legitimate interests). SOCAR will process your personal data by accessing public information available online or offline (Google, media, bpi.ro portal, just.ro, onrc.ro, listafirme.ro, etc.). The categories of personal data include, but are not limited to: general identification data (name and surname), data relating to employment relationships (data on function/profession; organisation (company/division/department)), professional data (profession/qualification); contact data (telephone/fax number); personal characteristics (image/picture); disciplinary/administrative/contractual data (offences, criminal record); data relating to litigation (data from enforcement/litigation file). Socar conducts such checks to determine the business ethics, reputational or compliance risks to which it may be exposed in its business relationships.
To the extent that the data processing is based on your consent, we inform you that the consent given for the processing of personal data may be withdrawn at any time, but the withdrawal of consent shall not affect the use of personal data before the withdrawal, only after.
Personal data concerning minors (such as: last and first name, address, telephone number, educational establishment, other personal data concerning them, personal data of family members) shall not be processed by Socar without prior consent from their parents/ legal guardians.
Should Socar intend to use your data for any purpose other than that for which they were collected, Socar shall provide you prior to any further processing with information on that other purpose and shall make available any other information required by law.
Duration of the processing of personal data
Socar shall process your personal data for the period of time necessary for the performance of the contracts, for compliance with the legal obligations specific to our field of work, or according to the applicable statutes of limitation, or for compliance with the archiving obligations to which we are subject under the applicable law (e.g. tax and financial-accounting obligations). CVs submitted on the website shall be stored for 1 year. Personal data processed by video surveillance shall be stored for 30 days after the recording date, unless there are duly justified grounds to store them for a longer period of time, under the law.
It is possible that at the end of the legal archiving period, the Company renders the data anonymous in such a manner that the data are no longer personal.
Recipients of personal data. Data transfer
In the processing operations carried out for the purposes mentioned above, your personal data will be transmitted to Socar personnel who carry out processing, consultants, experts, authorised appraisers, lawyers, notaries public, courts of law, public institutions or authorities, insurers and auditors, and various service providers (e.g.: IT, archiving, courier services, service providers who carry out the maintenance of video cameras etc.).
In order to achieve some of the purposes mentioned above, some categories of personal data may be transferred outside Romania. Data may be transferred to countries within or outside the European Economic Area (“EEA”).
For transfers outside the EEA, the Company shall base the transfer on the GDPR requirements and on the standard data protection clauses adopted by the European Commission, to ensure the necessary level of security and confidentiality, or on other safeguards recognised under the law.
Rights of data subjects
In the context of the processing of your personal data, you have the following rights: the right to information, the right of access to the personal data concerning you, the right to rectification, the right to erasure of the data, the right to obtain restriction of processing, the right to data portability, the right to object to the processing of data and the right to lodge a complaint with a court of law or the National Supervisory Authority For Personal Data Processing.
Who can you contact?
In order to exercise your rights, you may send a request to the attention of the data protection officer, at the e-mail address dpo@socarpetroleum.ro.
Security measures regarding your personal data
We inform you that Socar has implemented appropriate technical and organisational measures to ensure the integrity and the confidentiality of your personal data, according to article 32 of the GDPR.
Socar takes the confidentiality of personal data seriously. Therefore, we take every measure that is necessary and reasonable in order to ensure the security and confidentiality of personal data, and for the processing thereof, according to the GDPR and the applicable European and national laws.
Date of last update: 28.12.2023