Policy

Security policy of personal data

Brokernet Software SA

Last update of document / Date of entry into force: 12 March 2019

1. Introduction

Brokernet Software SA, headquartered in Bucharest, Str. Izvor, Nr. 78, Sector 5, registered with the Trade Register under no. J40/7986/2011, tax identification code: RO 28733958, in accordance with the requirements of the EU Regulation no. 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), is committed to the protection of personal data of the individuals concerned and complies with applicable legal and regulatory provisions on their protection.

This policy is adopted by the management of Brokernet Software SA in its relations with all interested external parties.

Brokernet Software SA allocates resources to ensure the confidentiality, integrity and availability of personal data that it processes.

This policy provides elements of what kind of personal data is processed, how personal data is used and to whom the personal data is shared and for what purpose.

We periodically review the privacy principles set forth below; these principles include our commitment to protecting the confidentiality, integrity, and availability of personal data.

The security of your personal data is an important factor for Brokernet Software SA that we take into account in relationships with the empowered, third parties, associated operators and all stakeholders. We are committed to being transparent and open. This security policy of Brokernet Software SA explains how we handle personal data from the moment we possess it. Other policies specific to the personal data security management system that are required to provide Brokernet Software SA products and services under security conditions are also applicable.

2. What personal data is processed by Brokernet Software SA for the purpose of service provision

For us, "personal data" means any information about an identified or identifiable individual ("the data subject").

For the provision of services, Brokernet Software SA stores the following personal data:

• For business partners: Contact details are collected.

• In the case of potential employees: collect contact details, information about expertise and professional experience.

• In case we issue insurance policies from our applications we collect the following personal data: Name, surname, address, age, gender, marital status, date of birth, nationality, marketing preferences, bank account details or payment card details, criminal convictions and relevant offenses, penalty points, employer, position and family details including relationships with you, mailing address, digital signature, CNP (personal identification number), data including auto license, vehicle data, the property or insured asset owned by an individual subject to insurance, bank data, income, tax benefits or social benefits, tax obligations, income from other sources, health data and data related to possible criminal offenses and convictions.

• In the case of website users: You may visit the Website without disclosing who you are or giving any personal data about you. However, there will be cases such as requesting information from us through the Website in which we will need to obtain personal contact data; it is possible to collect this personal data through various methods and in various places on the website, including through forms, contact forms. We and our online service providers may use technologies that automatically store or collect certain information each time you visit or interact with the website (usage information). This usage information can be stored or accessed using a variety of technologies that can be downloaded to your personal computer, laptop, tablet, mobile phone, or other device whenever you visit or interact with our Website. Please refer to our Cookie Policy for further information.

3. For what purpose do we process the data

We process only the data necessary to provide services e.g. issuing policies in software applications, communicating with the individuals concerned, conducting personal recruitment activities, improving the content of our website, performing legal procedures.

4. How we process personal data

4.1 Business Partners and website users

We collect personal data:

(1) when you or your employer provides us with your contact details or other information during the course of collaboration, either directly, as business partners or as your company's representative;

(2) when you attend meetings, events or conferences that we organize or attend;

(3) when you visit and/or contact us through the Website.

Please refer to our Cookie Policy for further information.

4.2. Insurants and potential insured

We will collect your personal data:

(1) through third parties, such as intermediaries (e.g. insurance broker), or other insurance companies (e.g. if you are the insured of a company requesting an insurance policy where you will be a beneficiary);

(2) from other sources (e.g. personnel recruitment agencies, catalogs of business partners, government agencies).

5. The legitimate basis for the processing of personal data

We base the processing of personal data on the following legitimate grounds:

- processing is required to conclude or execute a contract;

- processing is necessary to fulfill a legal obligation that we have;

- the legitimate business interest - we process the personal data of the users in order to be able to provide the services requested by the partners under appropriate conditions.

6. To whom and when can Brokernet Software SA transfer personal data

- When regulatory requirements require this. We comply with legal requirements whenever we receive requests from you or authorities in connection with a lawsuit. We will inform you when we will be required to provide your personal data in this way, unless this is done to us by law. When we receive such requests, we disseminate personal data only if we are convinced, in good faith, that the law requires us to do so. Nothing in this information is aimed at limiting the legal means of defense or the objections you might have to a third party's request to disclose your personal data.

- When we believe it is necessary to prevent harm to you or others.

We will share with you information in this manner only if we reasonably believe, in good faith, that it is necessary to protect your rights, property and security, other partners and Brokernet Software SA.

- for legitimate business interests we can pass certain personal data to our group companies;

- companies that provide support in our business (IT infrastructure providers, communication systems, online payments, etc.);

- if the status of Brokernet Software SA changes our organizational structure (if we initiate a restructuring process, if we are acquired or if we enter into insolvency or bankruptcy), we may transmit your data to a successor or affiliated company or other partners according to the applicable regulatory requirements.

- we may communicate personal data to third parties in order to improve the quality of the services we provide. These third parties also have similar obligations with Brokernet Software SA in respect of personal protection.

Empowered persons and third parties also have similar obligations with Brokernet Software SA regarding the protection of personal data.

7. Transfer of personal data outside the European Economic Area (EEA)

We may transfer personal data in the EEA or outside the EEA if some of Brokernet Software SA's partners have their headquarters or operate outside the EEA.

We perform data transfers outside the EEA only if sufficient data security guarantees are provided. If, following the risk analysis, we consider that processing is affected by high risks, we will inform ANSPDCP about finding a solution.

8. The period of personal data storage

We will store the personal data required to provide the services according to the object of activity, to keep in touch with the persons concerned and to comply with the applicable legal obligations. We will only store your personal data for the period of time required to achieve the above-mentioned processing purposes, while respecting the legal requirements in force and the interest in protecting the rights of the data subjects.

Brokernet Software SA will determine whether it has a legitimate interest or a legal obligation to further process your personal data for other purposes; you will be adequately and reasonably informed in this regard.

Personal data will be processed at least for the period of validity of the insurance contract, and subsequently for the duration of the contractual obligations by either party. Personal data will be stored as long as is necessary for the above-mentioned purposes or for a period of time provided by the general legal provisions and those applicable in the field of insurance in accordance with the archive nomenclature applicable at company level. If you agree to process the data listed below for marketing purposes, the personal data collected will be retained until we are notified of the withdrawal of the consent.

The processing activities listed above will require the storage of personal data over the following periods:

1- Personal data included in the databases of the insurance applications: during the life of the insurance contract, as well as subsequently, for the duration of the contractual obligations to be performed by either party.

2- Personal data contained in invoices, other accounting and financial documents: 10 years (according to the legislation in force), starting with the date of the financial year in which they were drawn up.

3- Personal data specific to the contractual relationship: 10 years (according to the legislation in force) after termination of contract effects.

4- Personal data specific to the recruitment process: max. 3 years or until termination of consent.

We do not keep your personal data longer than necessary, so we only keep them for a long enough period to meet the purpose for which we collected the data. As soon as we no longer need them, we initiate actions to destroy them, unless legislation requires us to keep them for a longer period of time.

9. Obligations and rights of the operator / Brokernet Software SA

9.1. The operator is fully responsible for complying with the obligations imposed by the legislation on the processing of Personal Data and as of May 25, 2018 he is required to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In the event that they remain valid, the provisions of Order no. 52/2002 regarding the approval of the minimum security requirements for personal data processing, as well as the provisions of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector will continue to apply.

9.2. The Operator shall take all necessary measures against the use, reproduction, transfer, disclosure or unauthorized publication of Personal Data collected from the data subject and will use Personal Data for the purpose of processing.

9.3. The operator declares and warrants that its own staff and agents have been informed of their obligations in accordance with the requirements of Regulation (EU) 2016/679, supplementary regulations on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the requirements of its own information security management system.

9.4. Obligations of the Operator regarding the processing of personal data:

- as operator of personal data, the operator undertakes to offer sufficient guarantees regarding the technical and organizational security measures related to the processing of personal data and to comply with the security rules, so that the processing of the personal data of the persons concerned should meet the requirements of Regulation (EU) 2016/679 and ensure the protection of the rights of the data subject in accordance with the provisions of Article 32 of the Regulation.

- The personnel of the operator performing the processing of personal data will be established based on the need to know principle. In this sense, access to Personal Data is only allowed for employees or officers who need to know them.

- The operator is fully responsible for training its staff on the obligations set out in this document and in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

- The Operator ensures that in the event of the termination, for any reason, of the collaboration relationship with its own staff, all personal data given to the personnel will be erased and personal data received from the data subject will remain fully secure.

9.5. The operator undertakes to process personal data in good faith and to store personal data in a form that permits identification of the data subjects strictly for the time necessary to achieve the purposes for which the data are collected and in which they will be further processed.

9.6. The operator keeps a record of the processing activities carried out in order to conclude the employment contract, according to the provisions of art. 30 par. (2), (3) and (4) of the Regulation.

9.7. The operator undertakes:

a) to use personal data only for the purposes set forth in the employment contract for which the data subject communicated the data, except where the data subject has given consent for the use of the data for other purposes;

b) not to disclose personal data that they have access to, as a result of a vulnerability of computer systems;

c) In the event that the Operator discovers a security incident in the personal data transmission and processing system with regard to the security of the IT systems, as well as any incident related to the possible misuse or inappropriate use of any kind of information that may have an impact on the personal data provided by the data subject, the Operator undertakes to report immediately, but no later than 72 hours by e-mail, any such security incident found.

d) Within no more than 72 hours from the date of the violation, the Operator shall transmit to the data subject a Report containing at least the elements in art. 33 par. (3) of the Regulation.

e) In particular, the Operator has the obligation to submit proposals regarding the rectification of the detected incidents; In the event of a security incident, the Operator must comply with the procedure provided for in Art. 33 of the GDPR, respectively the notification of the Supervisory Authority;

f) To provide assistance through appropriate technical and organizational measures to meet the obligations to respond to requests for the exercise by the data subject of the rights resulting from the Regulation;

g) not to send unauthorized documents or files containing Personal Data received from the data subject, which may prejudice the data subject;

h) to provide data subjects with the right to data portability in a structured format, currently used and automatically readable, if technically possible.

i) to apply appropriate technical and organizational measures to protect any data, in particular personal data received, against accidental or unlawful destruction, unauthorized loss, modification, disclosure or unauthorized access, in particular if the processing involves data transmission within a network, as well as against any other form of illegal processing;

j) to present to the data subject, at the express request, sufficient guarantees regarding the technical and organizational security measures concerning the processing operations to be carried out. In this respect, it shall forward to the requesting Party a report on the measures it has implemented in relation to the processing of personal data;

10. Data subject rights

As a data subject, you have the following rights:

- to request a report on the processing of your personal data in the possession of Brokernet Software SA;

- to withdraw consent to the processing, when processing is based on consent, but without affecting the legality of the processing activities carried out so far;

- the right to data portability, if processing is based on consent, a contract or automatic means of decision making, the right to request Brokernet Software SA to provide the personal data obtained directly from the data subject and, if possible, to transmit those data directly to another operator;

- the right to request Brokernet Software SA to rectify any inaccurate or no longer up-to-date personal data;

- the right to request that personal data be deleted when they are no longer needed / the right to be forgotten;

- in the case of a dispute over the correctness of the processing of personal data, the right to restrict the processing;

- if processing is based on legitimate interests, the right to object to the processing of personal data (where applicable).

The above rights may be exercised at any time.

For the exercise of these rights and for any information regarding the personal data security management system, we encourage you to submit a written, dated and signed request or an electronic request to the following address: Brokernet Software SA, Bucharest, Izvor nr. 78, email: octavian.pasparuga@brokernet.ro. Telephone 0758 070 590 to inform you of the security measures implemented.

If you wish to withdraw your consent, you can also use the "unsubscribe" option that is included in each marketing communication.

You are granted the right to contact the National Personal Data Protection Authority or to appeal to the courts in order to defend any rights guaranteed by the legislation on the protection of personal data that has been infringed upon you.

National Authority for the Supervision of Personal Data Processing at G-ral. Gheorghe Magheru, no. 28-30, sector 1, Bucharest, Romania or by e-mail at anspdcp@dataprotection.ro.

11. What security measures does Brokernet Software SA use to protect your personal data?

We are committed to protecting the personal data of the data subjects as soon as we are in their possession. We implement organizational and technical security measures. Despite our efforts, if we identify a security breach that affects you, we will inform you and we will initiate appropriate corrective action.

To protect the personal data of the individuals concerned, Brokernet Software SA uses encryption and pseudonymization technologies. Even if we use these technologies and other security measures to protect confidential information and provide appropriate security, we do not guarantee 100% security.

Brokernet Software SA uses the security procedures and warranties that it deems appropriate to protect the personal data of our partners and of other persons who shared their personal data with the company. Brokernet Software SA security requirements are required for all our agents and suppliers. Our goal is to ensure the confidentiality, integrity and availability of the personal data under the control of Brokernet Software SA.

The information security management system of Brokernet Software SA is certified by the TUV Thuringen certification body in relation to the requirements of the ISO 27001 standard.

The Brokernet Software SA IT Management System is certified by the RINA Certification Body (www.rina.org) in relation to the requirements of ISO 20000-1.

12. What happens if we modify this policy on personal data protection?

We may need to change this policy. Updates will be published on the website www.brokernet.ro or can be found at the company's headquarters. If the changes are substantial, we will announce the update through our regular communication channels for such ads.

In order to ease your review effort, we will publish the version and date of entry into force on the bottom part of the document regarding the security policy for personal data.

How to contact Brokernet Software SA

If you want to correct your personal data, modify the way we collaborate and process this data or if you like to ask questions about our policies regarding the security of your personal data processing, please contact us at the contact details below:

Brokernet Software SA

Address: Bucharest, Str. Izvor no. 78

octavian.pasparuga@brokernet.ro

Tel. 0750 070 590