Privacy Policy
1. Name and address of responsible person
The responsible person for the purposes of the General Data Protection Regulation and other national data protection laws of the Member States and other data protection provisions is:
ING SERVICE Ltd., Miercurea-Ciuc, Zorilor Street, No. 73, Postcode: 530 153, Harghita county, Romania
Name and address of the data protection officer:
ING SERVICE Ltd.
Responsible for data protection:
Zorilor Street, No. 73.
530 153, Miercurea-Ciuc
Telefon: +40 749 164 054
E-mail: office@ingservice.ro
Any data subject may contact our data protection officer directly with any questions or suggestions regarding data protection.
2. General information on data processing
2.1 Scope of personal data processing
In principle, we process the personal data of our users only to the extent that this is necessary for the provision of a functional website as well as our content and services. The processing of personal data of our users is regularly carried out only with the user’s consent. An exception applies in those cases where it is not possible to obtain prior consent for genuine reasons or where data processing is permitted by legal regulations.
2.2 Legal basis for processing personal data
To the extent that we obtain the data subject’s consent for processing operations involving personal data, the legal basis is Article 6(1)(a) of the EU General Data Protection Regulation (GDPR).
Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is Article 6(1)(b) of the GDPR. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
To the extent that the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, the legal basis is Article 6(1)(lit. (c) of the GDPR.
Where the vital interests of the data subject or of another natural person make it necessary to process personal data, the legal basis is Article 6(1)(d) of the GDPR.
If the processing is necessary to protect a legitimate interest of our company or of a third party and the interests, fundamental rights and freedoms of the data subject are not overridden by the interest mentioned in the first place, Article 6(1)(f) of the GDPR serves as a legal basis for the processing.
2.3 Data deletion and storage period
Personal data of the data subject shall be erased or blocked as soon as the purpose of storage ceases to apply. It may also be stored if this has been provided for by the European or national legislator in the regulations, laws or other Union provisions applicable to the controller. Data will also be blocked or erased if a storage period provided for by the above standards expires, unless there is a need for continued storage of the data for the conclusion or performance of a contract.
3. Making the website available and creating log files
3.1 Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the computer accessing it.
The following data is collected:
- Information about the type and version of browser used
- IP address of the user
- Date and time of access
- Websites from which the user’s system accesses our website
- Websites that are accessed by the user’s system via our website
- Stores the user’s language settings
- Store and track user interaction
- Stores user actions performed on the website
Log files contain IP addresses or other data that can be assigned to a user. This could be the case, for example, if the link to the website from which the user comes to the website or the link to the website to which the user is directed contains personal data. This data is also stored in our system log files. This data is not stored together with other personal data of the user.
3.2 Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f) of the GDPR.
3.3 Purpose of data processing
The temporary storage of the IP address by the system is necessary to allow the website to be made available to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
Storage in log files is done to ensure the functionality of the website and to prevent attacks. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. In this context, no evaluation of data for marketing purposes takes place.
These purposes also represent our legitimate interest in processing data in accordance with Article 6(1)(f) of the GDPR.
3.4 Storage duration
The data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data collection for the provision of the website, this happens when the respective session has ended.
In the case of storing data in log files, this happens after a maximum of seven days. It is possible to store after this period. In this case, the IP addresses of the users are deleted or alienated so that it is no longer possible to assign the requesting client.
3.5 Possibility of opposition and removal
Collecting data for the provision of the website and storing data in log files is absolutely necessary for the functioning of the website. Therefore, there is no possibility for the user to object.
4. Use of cookies – Cookie Policy
4.1 Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a unique string of characters that allows the browser to be uniquely identified when the website is called up again.
We use cookies to make our website easier to use. Some elements of our website require that the calling browser can be identified even after the page has been changed.
You can find out more about what cookies are stored, how long they are stored and what they contain by looking at the information in your cookie settings.
4.2 Legal basis for data processing
The legal basis for processing personal data through the use of technically necessary cookies is Article 6(1)(f) of the GDPR.
The legal basis for processing personal data through the use of cookies for analysis purposes is Article 6(1)(a) of the GDPR, if the user has consented to this.
4.3 Purpose of data processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.
We need cookies for the following applications:
- Saving given consents
- Saving page language settings
User data collected through technically necessary cookies are not used to create user profiles.
Other cookies are used to improve the quality of our website and its content. Through analytics cookies, we find out how the website is used and can thus constantly optimise our offer.
These purposes also constitute our legitimate interest in processing personal data under Article 6(1)(f) of the GDPR.
4.4 Duration of storage, possibility of objection and deletion
Cookies are stored on the user’s computer and transmitted by the user to our website. Therefore, you, as the user, also have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all the functions of the website to their full extent.
5. Contact form and contact e-mail
5.1 Description and scope of data processing
Our website contains a contact form that can be used for electronic contact. If a user uses this option, the data entered in the data entry interface is transmitted and stored to us. These data are:
- User IP address
- Data entered
For data processing, your consent is obtained during the submission process and reference is made to this privacy policy.
Alternatively, it is possible to contact us via the e-mail address provided. In this case, the user’s personal data submitted via e-mail will be stored.
In this context, the data will not be passed on to third parties. The data is used exclusively for the processing of the conversation.
5.2 Legal basis for data processing
The legal basis for processing the data is Article 6(1)(a) of the GDPR, where the user has given consent. The legal basis for processing data submitted in the course of sending an e-mail is Article 6(1)(f) of the GDPR. If the contact is for the purpose of concluding a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
5.3 Purpose of data processing
The processing of personal data in the data entry interface is for the sole purpose of processing the contact. In the case of e-mail contact, this also constitutes the legitimate interest necessary for the processing of the data.
The other personal data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our IT systems.
5.4 Storage duration
The data is deleted as soon as it is no longer necessary for the purpose for which it was collected and there are no further legal retention periods.
5.5. Possibility of opposition and removal
The user has the possibility to withdraw his/her consent to the processing of personal data at any time. If the user contacts us by e-mail, he/she may object to the storage of his/her personal data at any time. In this case, the conversation cannot be continued.
6. Use through third party tools
6.1 Scope of processing of personal data by third parties
In order to be able to provide and continuously improve our services, we rely on the services of the following third party providers, through which personal data may also be processed. We have selected these third party providers carefully and in accordance with the provisions of the General Data Protection Regulation (GDPR).
6.1.1 Google Maps
Unless otherwise specified in this privacy policy, the operator of all Google services mentioned herein is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
We have integrated the “Google Maps” service via API to display geographical information. Using Google Maps allows Google to collect, process and use data about your use of the service. By using the Google Maps service, information about your use of this website, including your IP address and (starting) address entered as part of the route planning function, may be transmitted to Google in the USA. The map content is transmitted by Google directly to the user’s browser, which then integrates it into the website. We have no influence on the scope of the data collected by Google in this way. We also have no influence on the further processing and use of the data by Google and therefore cannot assume any responsibility in this regard. Further information about the processing of your data by Google can be found in Google’s privacy policy.
The following data is collected and processed using Google Maps:
- IP address
- Location information
- Usage data
- Date and time of visit
- URLs
The legal basis for the data processing is Article 6 para. Consent is voluntary and may be refused at any time or revoked with effect for the future.
Personal data will be kept as long as necessary for the purpose of the processing. The data will be deleted as soon as they are no longer necessary for the purpose.
The data may be transmitted to the following recipients in addition to Google Ireland Limited for processing:
– Google LLC.
– Alphabet Inc.
In the course of processing by Google, data may be transmitted to third countries, such as the USA. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the US. This may imply various risks for the lawfulness and security of data processing. The security of the transmission is practically guaranteed by the so-called SCCs (special contractual conditions). These are intended to ensure that processing is subject to a level of security that complies with the GDPR. To the extent that the SCC are not sufficient, consent is obtained in advance in accordance with Article 49(1)(a) of the General Data Protection Regulation (GDPR).
Through the CSC, Google complies with the European level of data protection when processing relevant data, even if this data is stored and processed in the US. The SCC is based on an implementing decision of the European Commission, which you can find here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
The Google Ads Data Processing Terms with reference to CSC can be found here: https://business.safety.google/intl/de/adsprocessorterms/
More information about Google’s data processing can be found at: https://policies.google.com/privacy?hl=de.
6.1.2. Google Analytics
On our website we use the Google Analytics (GA) analytics and tracking tool of the American company “Google Inc”. For the European area, Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services.
Google Analytics collects data about your actions on our website, such as a click on a link, and transmits this data to Google Analytics. This data is used to create reports that allow us to better tailor our website to visitors’ expectations.
These reports include among others:
- Reports on target groups
- Display reports
- Behaviour reports
- Real-time reports
The cookie enables Google Analytics to recognize a subsequent visit.
The storage period is 14 months and for Universal Analytics 26 months. After expiry, user data will be deleted.
The legal basis for the data processing is Article 6 para. Consent is voluntary and may be refused at any time or revoked with effect for the future.
Personal data shall be kept until the purpose of the processing has been fulfilled and shall be deleted as soon as it is no longer necessary for that purpose.
Data may be transmitted to the following recipients in addition to Google Ireland Limited in the course of processing:
– Google LLC.
– Alphabet Inc.
In the course of processing by Google, data may be transmitted to third countries, such as the USA. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the US. This may imply various risks for the lawfulness and security of data processing. The security of the transmission is practically guaranteed by the so-called SCCs (special contractual conditions). These are intended to ensure that processing is subject to a level of security that complies with the GDPR. To the extent that the CSC are not sufficient, consent is obtained in advance in accordance with Article 49(1)(a) of the General Data Protection Regulation (GDPR).
Through the CSC, Google complies with the European level of data protection when processing relevant data, even if this data is stored and processed in the US. The SCC is based on an implementing decision of the European Commission, which you can find here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
The Google Ads Data Processing Terms with reference to CSC can be found here: https://business.safety.google/intl/de/adsprocessorterms/
More information about Google’s data processing can be found at: https://policies.google.com/privacy?hl=de.
7. Rights of the data subject
If your personal data are processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:
7.1 Right to information
You may request confirmation from the controller that personal data relating to you are being processed by us.
If there is such processing, you may request information from the controller on the following:
– he purposes for which personal data are processed;
– the categories of personal data which are processed;
– the recipients or categories of recipients to whom your personal data have been or will be disclosed;
– the planned duration of the storage of your personal data or, if it is not possible to provide specific information in this respect, the criteria for determining the duration of storage;
– the existence of a right to rectification or erasure of personal data concerning you, a right to restrict processing by the controller or a right to object to such processing;
– the existence of a right of appeal to a supervisory authority;
– any available information on the origin of the data, if the personal data are not collected from the data subject;
– the existence of automated decision making, including profiling, in accordance with Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information on the logic involved, as well as on the scope and intended effects of such processing for the data subject.
You have the right to request information about the transfer of your personal data to a third country or international organisation. In this context, you may request to be informed of the appropriate safeguards under Article 46 of the GDPR in relation to the transfer.
7.2 Right of rectification
You have the right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller shall rectify the data without undue delay.
7.3 Right to restrict processing
You may request the restriction of the processing of your personal data under the following conditions:
– if you dispute the accuracy of personal data relating to you, for a period allowing the controller to verify the accuracy of the personal data;
– the processing is unlawful and you refuse to erase the personal data and request instead the restriction of the use of personal data;
– the controller no longer needs the personal data for processing purposes, but you need them for asserting, exercising or defending legal rights, or
– if you have objected to the processing in accordance with Article 21(1) of the GDPR and it has not yet been established whether the legitimate reasons of the controller outweigh your reasons.
Where the processing of personal data relating to you has been restricted, such data may be processed, except for storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
If the restriction of processing has been limited in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
7.4 Right to erasure
7.4.1. Obligation to erase
You may request the controller to delete your personal data without delay, and the controller is obliged to delete such data without delay if one of the following applies:
– Personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
– You revoke your consent on which the processing was based in accordance with Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
– you object to the processing in accordance with Article 21(1) of the GDPR and there are no overriding legitimate grounds for processing, or you object to the processing in accordance with Article 21(2) of the GDPR.
– Personal data relating to you has been unlawfully processed.
– The deletion of your personal data is necessary to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject.
– The personal data concerning you have been collected in connection with the information society services provided in accordance with Article 8(1) of the GDPR.
7.4.2. Information to third parties
Where the controller has made public personal data relating to you and is obliged to erase it in accordance with Article 17(1) of the GDPR, it shall take reasonable steps, including technical measures, taking into account available technology and the cost of implementation, to inform data controllers processing personal data that you, as the data subject, have requested that they erase all links to or copies or replicas of that personal data.
7.4.3. Exceptions
The right to erasure does not apply insofar as the processing is necessary
– for the exercise of the right to freedom of expression and information;
– for compliance with a legal obligation requiring processing under Union or Member State law to which the controller is subject or in the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR;
– to assert, exercise or defend legal claims.
7.5 Right to information
If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom personal data relating to you have been disclosed, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed by the operator about these recipients.
7.6 Right to data portability
You have the right to receive personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller, without being prevented from doing so by the controller to whom the personal data was provided, provided that
– the processing is based on consent under Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract under Article 6(1)(b) of the GDPR; and
– the processing is carried out using automated procedures.
In exercising this right, you also have the right to have your personal data transferred directly from one controller to another, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7.7 Right of opposition
You have the right to oppose at any time, on grounds relating to your particular situation, the processing of personal data relating to you which is carried out pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.
The controller will no longer process your personal data unless it can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You may, in connection with the use of information society services, without prejudice to Directive 2002/58/EC, exercise your right to object by means of automated procedures using technical specifications.
7.8 Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent at any time in accordance with data protection legislation. Revocation of consent does not affect the lawfulness of processing carried out on the basis of consent until revocation.
7.9 Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which affects you in a similar and significant way. This does not apply if the decision:
– is necessary for the conclusion or performance of a contract between you and the responsible person,
– is authorised by the law of the Union or of the Member States to which the controller belongs and that law contains appropriate measures to protect your rights and freedoms and your legitimate interests, or
– is done with your express consent.
However, these decisions do not have to be based on special categories of personal data under Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect your rights and freedoms and legitimate interests.
With regard to the first and last mentioned case, the controller shall take reasonable steps to protect your rights and freedoms and legitimate interests, including at least the right to obtain the intervention of a person from the controller, to express your point of view and to challenge the decision.
7.10 Right to submit a complaint to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of employment or place of the alleged breach, if you consider that the processing of personal data concerning you violates the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.