The activity of personal data protection within the Bucharest-Ilfov Intercommunity Development Association for Public Transport.

Legal Framework

In all European Union member states and implicitly in Romania, starting from May 25, 2018, the protection of individuals with regard to the processing of personal data and the free movement of such data is regulated by Regulation (EU) No. 679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR).

According to Article 4, paragraph 1 of the General Data Protection Regulation, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity. According to paragraph 2 of the same article, “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Association for Intercommunity Development for Public Transport Bucharest – Ilfov (TPBI), a legal entity, processes personal data for the purpose of fulfilling its main duties as outlined in its Statute and Articles of Incorporation, in compliance with the principles established in Article 5 and the legal conditions set forth in Article 6 of the General Data Protection Regulation.

Thus, TPBI ensures that personal data is processed legally, fairly, and transparently with respect to the data subject, and that the collection of such data is for specific, legitimate, and explicit purposes, so that it is not processed in a manner incompatible with these purposes.

Furthermore, TPBI ensures the adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the implementation of appropriate technical or organizational measures.

TPBI processes data through its various departments/services/offices/sections for the following activities: processing of lists of beneficiaries for transport service benefits (discounts and free services); promotion exams/competitions for employment; management of personnel files; organizing and conducting events; legal actions and representation in court; resolution of requests and petitions; public relations; journalist accreditation; control and auditing; legal procedures for accessing classified information; public procurement procedures; and concluding/executing contracts for goods/services supply; declarations of assets and interests, issuing opinions/advisory notes, etc.

TPBI processes the following categories of personal data: first and last name, date and place of birth, personal identification number, identity card number and series, address, phone number, correspondence address, financial data, legal data (documents certifying land ownership, cadastral records, land registry excerpts for informational purposes, etc.), technical data (technical documentation in the project phase), etc. These data are collected directly from the institution’s personnel, from subordinate or coordinated structures, or from partners or citizens through petitions, requests, letters, notifications received at the headquarters, or via email/fax.

Individuals whose personal data is processed have the following rights, as outlined in Articles 7, 12-22 of the Regulation: the right to access data; the right to rectification; the right to deletion; the right to restrict processing; the right to object to processing; the right to be informed in the event of a data breach that may result in a high risk to the rights and freedoms of individuals; the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).

These rights can be exercised as per the conditions outlined in the General Data Protection Regulation, by sending a request via email to office@tpbi.ro or by submitting a signed and dated written request by mail or in person at the TPBI Registry, located at 22 Tudor Vladimirescu Blvd., Sector 5, Bucharest.

Additionally, anyone who believes they have been harmed by the way their personal data is processed has the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).

In accordance with the provisions of Article 13 of the General Data Protection Regulation, we provide you with the following information:

I) Information regarding the processing of personal data in the activity of handling petitions, granting hearings, and processing requests for access to public interest information.

To fulfill the legal obligations concerning the resolution of petitions and requests formulated under Law 544/2001, TPBI processes personal data in a lawful, fair, and transparent manner, in compliance with the provisions of Regulation (EU) 2016/679 regarding the protection of individuals with regard to the processing of personal data and the free movement of such data, as well as the repeal of Directive 95/46/EC – the General Data Protection Regulation (GDPR), and Law No. 190/2018 of July 18, 2018, concerning measures for the implementation of the General Data Protection Regulation.

Purposes of Processing

• Registration and resolution of petitions submitted (in the private interest of individuals, legal entities, and legally constituted organizations) based on O.G. no. 27/2002 regarding the regulation of the petition resolution activity, with subsequent amendments and additions, as well as the handling of requests, complaints, and reports submitted in writing, and, if applicable, recording verbal statements made by citizens during hearings.

• Preparation of an activity report on petitions, including information regarding the solutions provided by public authorities to the petitions they were tasked with resolving, which will be presented annually to TPBI management.

• Registration and resolution of requests submitted based on Law no. 544/2001 regarding access to public interest information, with subsequent amendments and additions.

• Completion of necessary data for registering requests received from individuals and legal entities in the Register for the recording of requests and responses regarding access to public interest information, and information on the resolution method adopted.

• Registration and resolution of memoranda, requests, and complaints submitted by individuals and legal entities based on O.G. no. 27/2002 regarding the regulation of the petition resolution activity.

• Completion of necessary data for recording in the petition register and information on how they are resolved.

• Issuance of opinions/approvals to ensure the technical and functional conditions for providing local public transportation services and local public railway passenger transport services within the association, integrated with public passenger transport services in the Bucharest-Ilfov region, including metro, regional trains, water transport, and other terrestrial, water, and suspended transportation means, as well as other alternative transport systems, and other aspects contributing to urban mobility based on the analysis of the Technical-Economic Commission within TPBI.

Legal Basis for Processing

The processing of personal data for the purposes mentioned above is based on Article 6, paragraph (1), letter (c) of the GDPR, Government Ordinance no. 27/2002 regarding the regulation of petition resolution activities, approved with amendments and additions by Law 233/2002, and Law no. 544/2001 regarding access to public interest information, with subsequent amendments and additions.

It is important to mention that the petition must include the petitioner’s identification details (name, surname, address, and a phone number where the petitioner can be contacted) and signature, as well as copies of supporting documents (if applicable). In the case of a collective petition, it must include the identification details and signature of at least one petitioner from the group. If the identification details and text are not legible, the petition will be classified. Additionally, anonymous petitions or those without the petitioner’s identification details will not be considered and will be classified according to Article 7 of Government Ordinance no. 27/2002 regarding the regulation of petition resolution activities.

Moreover, according to Article 6, paragraph 3 of Law no. 544/2001 regarding access to public interest information, written requests for public interest information must include the following elements: the authority or public institution to which the request is addressed; the requested information, allowing the authority or public institution to identify the public interest information; the name, surname, and signature of the requester, as well as the address where the response is requested.

Categories of Personal Data

• Identification and contact data: name and surname, home and/or correspondence address, signature, email address (if the petition/request is submitted electronically);

Other relevant data may also be processed as long as they have been provided by the petitioner for the issue raised or the specific request: personal information of any nature (medical, economic, social, cultural, technical, legal, etc.) presented in the petition/request, if applicable.

Failure to provide the necessary personal data will result in the classification of the petition or public interest information request or prevent the analysis and resolution of such petitions/requests.

Recipients

Petitions, requests for opinions/advice, and requests for public interest information that fall outside the competence of TPBI will be forwarded to the relevant authorities or public institutions responsible for such matters. The petitioner or the individual requesting public interest information will be notified accordingly, in compliance with the law.

Personal data included in petitions, requests for opinions/advice, and requests for public interest information will not be transferred to a third country or an international organization.

Retention Period

The retention period for personal data is in accordance with the provisions of the National Archives Law no. 16/1996. Petitions and related correspondence are archived for a period of 5 years, and the petition registers are archived for 5 years. Requests and responses made under Law no. 544/2001 regarding access to public interest information, and related correspondence, are archived for 5 years, as is the Register for recording requests and responses regarding access to public interest information. It is noted that the Registers of incoming and outgoing documents for the organizational structures within TPBI are kept for 30 years.

II) Information for Individuals Whose Personal Data is Processed for Access to TPBI Headquarters

The security personnel of the building where TPBI’s headquarters is located process the personal data of visitors to facilitate access to the building.

The processing of personal data is carried out in compliance with the General Data Protection Regulation (GDPR) for the purpose of managing access to the building. Access will only be granted based on an access document and in compliance with the security conditions of the TPBI headquarters.

Access documents will be issued based on a valid identity document (ID card, passport, or identity book). During the process of issuing the access document, the following personal data will be processed: name and surname, series and number of the identity document, citizenship, photograph from the identity document, and personal identification number (CNP).

Refusal to provide personal data will result in the inability to access the building.

Personal data obtained during the access procedures, access documents, and data stored in electronic format will be kept for no more than 30 days, after which they will be deleted/destroyed.

Video recordings obtained through the integrated security system will be retained for a maximum of 30 days, after which they will be deleted, except for those necessary for analyzing events that disturb order and security or those requested by competent authorities, in accordance with the law.

III) Privacy Policy Regarding Personal Data for Websites Belonging to TPBI

Personal Data

In principle, access to information available on the websites belonging to TPBI does not require the provision of personal data. However, to access certain services, personal information may be requested when filling out a form.

Through the websites belonging to TPBI, personal data may be requested for the identification of the user and/or the possibility of contacting them in case of requests, petitions, or complaints. The nature of the information requested primarily refers to personal data such as: name, address, phone numbers, email address. TPBI will maintain the confidentiality of this information.

Some information requested through the websites may be subject to personal data processing (in accordance with legal provisions regarding the protection and processing of personal data, as well as the free movement of these data). By accessing and navigating this site, users explicitly and unequivocally consent to the processing of such data.

1. The use policy of TPBI’s websites regarding cookies is specified in the Terms of Use section. TPBI’s websites may use cookies to collect, process, disseminate, or record personal data.

2. Collection of Personal Data

For security reasons, the web server retains information about visits and the use of this website (user accesses) in log files. The information retained in the logs includes: IP address, date and time of access, accessed address, duration of the visit, page views, and navigation paths on the web pages. There are sections where, for identification purposes, other information is retained, such as the person’s first and last name, and email address. By completing the information in the forms provided, you confirm your consent for the retention and display of this data.

2.1. Use of Personal Data

Personal information transmitted through our website will be used for the purposes specified in this policy or on the respective pages of the website. We may use personal information to:

• Send requested notifications by email;
• Address requests and complaints made by petitioners or about them regarding the TPBI website;
• Ensure the security of the website and prevent fraud;
• Other uses.

2.2. Transmission of Personal Data is carried out only in cases provided by law.

2.3. Security of Personal Data

At TPBI, technical and organizational precautionary measures have been implemented to prevent the loss, misuse, or alteration of personal information.

3. Except for the situations outlined in section 2.2. “Transmission of Personal Data,” TPBI will not disclose personal data about users to third parties.

4. TPBI’s website pages may use Data Analytics services or other similar services to count views.

5. TPBI’s website pages may use sharing functions from various social media applications (e.g., Facebook, Twitter, Instagram, YouTube, etc.). For their usage and cookie policies, please check and modify the policies of each social media application.

Links to Other Websites

It is possible that TPBI’s websites or the information displayed may contain links to other websites and/or forms or services managed by third parties. They may also include web links or references to other websites deemed by TPBI to be useful in terms of content, which are not under the control or guidance of the Association.

When using these web links or references, the general terms and conditions for using those websites will apply. TPBI cannot guarantee/control the timeliness and accuracy of the information presented on third-party websites to which it links.

This privacy policy regarding personal data does not include the practices and policies of these third parties related to their services or websites. TPBI does not control the websites and/or forms of third parties. The user must consult and verify the privacy policy of those websites/services before accessing or using them.