Data protection

Policy regarding the processing of personal data within CNCIR SA

The National Company for the Control of Boilers, Lifting Installations and Pressure Vessels, hereinafter referred to as “CNCIR SA”, is a Romanian legal entity, of national strategic interest, organized as a joint stock company, with the Romanian state as sole shareholder. CNCIR SA was established in 2010 and operates – based on the Articles of Incorporation approved by Government Decision no.1139/2010, with subsequent amendments and completions and of Law no. 31/1990, with subsequent amendments and completions – starting with 01/01/2011. CNCIR SA has as main object of activity the performance of tests and technical analyzes, NACE code 7120 – revised edition 2/2008, for the purpose of
  • performing technical checks to authorize the operation and
  • technical verifications in use,
for the installations and equipment provided by Law no. 64/2008 on the safe operation of pressure installations, lifting installations and fuel consuming appliances with subsequent amendments and completions, in annex no. 2 – “Conventional pressure and lifting installations, fuel consuming appliances and their components”. In addition to the main object of activity, CNCIR SA is specialized and carries out activities in the following fields:
  • analyzes and technical laboratory examinations;
  • adult professional training activities in the ISCIR regulated field;
  • certification of personnel, products and processes (Notified body under the auspices of the European Commission – NB 2558)
  • technical verifications in use for technical investigations/examinations of installations/equipment
Part of CNCIR SA’s responsibility in relation to its own employees, clients and external collaborators is the way in which it takes care of the personal data previously provided during the contractual/commercial relations, but also on the occasion of future professional collaborations.
  • processed in a lawful, fair and transparent manner, respecting the principles of legality, fairness and transparency;
  • processed in a lawful, fair and transparent manner, respecting the principles of legality, fairness and transparency;
  • The trust of the clients and of the external collaborators in the services and the personnel of CNCIR SA is one of the main preoccupations of the company. In this sense, in order to provide the best services, CNCIR SA focuses on continuous improvement throughout the activity. CNCIR SA is aware of the importance of customer data and external collaborators and is committed to protecting their confidentiality and security. In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, CNCIR SA provides in an integrated and practical manner the information related to the processing of data of its own employees, customers and external collaborators. CNCIR SA applies the principles regarding the protection of the personal data collected and undertakes that this data be:
  • processed in a lawful, fair and transparent manner, respecting the principles of legality, fairness and transparency;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and, if necessary, up-to-date; all necessary measures shall be taken to ensure that inaccurate personal data is deleted or rectified without delay, having regard to the purposes for which it is processed;
  • kept in a form which permits identification of data subjects for a period not exceeding the period necessary for the purposes for which the data is processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Personal data processed by CNCIR SA In the context of fulfilling the tasks established by law and carrying out the current activity of the company and in the context of fulfilling the legal obligations, CNCIR SA may request certain personal data. For this purpose, CNCIR SA may process the following personal data: surname and given name, correspondence address, telephone, e-mail, signature, position, identification data from the Identity Card, mentions regarding professional experience, attestations, authorizations or other data necessary to fulfil the company’s goals.

Purposes of personal data collection

CNCIR SA will process personal data to the extent that this step is necessary to fulfill the purposes mentioned below, in compliance with the legal measures of security and confidentiality of data. The purposes of the processing of personal data are represented by: – Carrying out technical checks in order to authorize the operation and technical checks in use; – Technical laboratory analyses and examinations; – Adult professional training activities in ISCIR regulated field; – Certification of personnel, products and processes (Notified Body under the auspices of the European Commission – NB 2558); – Technical checks in use for technical investigations/examinations in installations/equipment; – Audit and control/supervision activities; – Carrying out the commercial/contractual activity of CNCIR SA; – Invoicing and collecting the value of the services provided by CNCIR SA; – Marketing, promotion, including the transmission of general or personalized commercial offers; development and improvement of services; – Fulfilment of incidental legal obligations; – Communication with public or public interest bodies / authorities / institutions; – Debt collection/Recovery of outstanding debts; – Settlement of disputes and litigations, enforcement of court, arbitration decisions, court orders, etc.
Legal grounds for the collection and processing of personal data:
  1. Fulfilling the legal tasks of CNCIR SA.
  2. Concluding or executing a contract with the company’s customers or suppliers.
  3. Achieving the legitimate interests of CNCIR SA.
  4. Fulfilling a task that serves a public interest.
  5. The data subject has given his/her consent.
  6. Persons covered by the processing of personal data.
The persons whose data may be processed by CNCIR SA, exclusively for the purposes mentioned below are:
  • Individual clients of CNCIR SA (current, former or potential), visitors, the general public, their representatives/proxies, legal or conventional;
  •  Representatives/proxies/business contacts (suppliers, service providers, etc. – current, former or potential) and of public institutions/authorities.
CNCIR SA considers all personal data collected to be confidential and will not share it with third parties except in the implementation of the purposes mentioned above. Communication of personal data collected The personal data collected is intended for use by CNCIR SA and may be communicated only to the following recipients: data subject, legal representatives/proxies of the data subjects, CNCIR SA representatives, representatives/proxies/contact persons of public and local institutions/authorities, criminal investigation/investigation bodies, courts in accordance with the provisions of applicable national and community law. The confidentiality of personal data will be ensured by CNCIR SA and will not be provided to third parties other than those mentioned in this document. Period of retention of personal data CNCIR SA keeps the personal data for the period of time necessary to comply with the legal obligations specific to the field of activity or according to the applicable prescription terms. Protection of personal data In order to avoid the unauthorized use of personal data, as well as possible abuses, CNCIR SA uses security methods and technologies, together with appropriate policies and working procedures, to protect the personal data collected. CNCIR SA has implemented and certified an integrated management system in accordance with the standards SR EN ISO 9001:2015, SR EN ISO 14001:2015, SR OHSAS 18001:2008 and SR ISO/CEI 27001:2013. Thus, compliance with the provisions of SR EN ISO/IEC 27001:2013 Information technology. Security techniques. Information security management systems. Requirements ensure the customers and external collaborators of CNCIR SA of a high security of all personal data that the company processes. The complete security of the data transmitted through the Internet is monitored by CNCIR SA, and in the event of receiving a notification regarding a security incident, CNCIR SA will use strict security procedures and measures against unauthorized, illegal use, destruction, accidental loss or disclosure of personal data. Rights of clients and external collaborators regarding personal data: In relation to CNCIR SA, unless the law provides otherwise, you have the following rights:
  • the right of access, respectively the right to obtain a confirmation from CNCIR SA that it processes personal data, as well as access to it and the provision of information about the processing;
  • the right to rectification, which refers to the correction, without undue delay, of inaccurate personal data and/or the completion of incomplete data;
  • the right to restrict processing, which shall apply if:
i. the accuracy of personal data is contested, ii. the processing is illegal and the data subject objects to the deletion of personal data, instead requesting the restriction of the processing, iii. personal data collected is no longer required, but is required to establish, exercise or defend a right in court, iv. the data subject has objected to the processing for the period of time in which it is verified whether our legitimate interests in the processing of personal data prevail over the rights of the data subject;
  • the right to delete/the right to be forgotten, i.e. the right to delete without undue delay the personal data collected, if such data is no longer necessary for the purpose for which it was collected and there is no other legal basis for processing, the data has been collected illegally or the data must be deleted in order to comply with a legal obligation;
  • the right to oppose the processing, unless it is demonstrated that there are legitimate reasons for the processing of the data, reasons prevailing over the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a right in court;
  • the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects on the data subject or similar harm, unless such processing is necessary for the performance of the individual employment contract or is permitted by law.
  • the right of portability, namely the right to receive personal data, which have been provided for the purposes indicated herein, in a structured, commonly used and automatically readable format, and the right to send such data to another operator;
  • the right to withdraw consent at any time and free of charge;
  • the right to file a complaint with the National Authority for the Supervision of Personal Data Protection (ANSPDCP);
  • the right to go to court if the data subject has suffered damage as a result of the processing of personal data
Exercising the rights of the data subject

The data subject shall exercise his/her right by sending a written request:
– by mail, to the address: Str. Ocna Sibiului 46-48, Bucharest, sector 1, Romania, CNCIR SA Headquarters – for the attention of the DATA PROTECTION MANAGER
– by e-mail, to the address: : protectia.datelor@cncir.eu

General Manager Timofte Ioana