Confidentiality policy

This Privacy Policy defines how we, www.prato.ro, a website owned by OLIN FOODS SRL, collect, store and use your personal data when you access or interact with our website, and where we obtain or collect your data.

This Privacy Policy is applicable from May 22, 2018, updated with the requirements of EU Regulation 2016/679.

• Data controller: OLIN FOODS S.R.L.
• How we collect or obtain information about you:
  • when you provide the respective data (e.g. by contacting us, by accessing, ordering or purchasing various products, by registering in the database to receive marketing information regarding our products;
  • when we make a reservation requested by you.
  • when we make a cancellation of the service requested by you.
  • when we validate, ship and invoice an order to you;
  • to resolve cancellations or problems of any nature relating to an order or contract, to the services or products or services purchased by you;
  • to ensure your access to the requested service;
  • sending newsletters and/or periodic alerts, in exclusively electronic format;
  • contacting you, at your voluntary request;
  • contacting you, in matters of Customer Relations;
  • statistical purposes
  • when you access our website, some data is collected through cookies.
• What information we collect: name, surname, telephone number, product delivery address, e-mail address, company name and identification data necessary for issuing the invoice (if applicable).
• How we use your data: in particular to contact you and to process the orders you place through our website (reservations, food product orders), to fulfill our contractual obligations, to promote our goods and services and in connection with our legal rights and obligations.
• Disclosure of data to third parties: we provide the minimum data necessary to fulfill our contractual obligations on that we have towards you, namely to transport service providers.
• Your data is not sold to third parties.
• How long your information is stored: no longer than necessary – depending on our legal obligations (e.g. to maintain accounting archives), or depending on any other basis on which we use the information (e.g. consent, contractual obligations, legitimate interests). Information about specific periods of storage of user data can be found in the section Duration of storage of your data.
• How your data is secured: by using technical and organizational solutions such as: storing information on secure servers, encrypting data transfers to and from our servers using SSL technology, encrypting payment operations on the site using SSL technology, allowing access to your personal data only when necessary.
• Use of cookies and similar technologies: we use cookies and similar technologies to collect information, such as web beacons, on our website including essential, functional, analytical and targeting cookies. For more information, please access our cookie policy here: https://www.prato.ro/politica-utilizare-cookies.html
• Transferring your personal data outside the European Economic Area: we will only transfer your personal data outside the European Economic Area if we are required to do so by law or in order to perform our contractual obligations to you – when we do this, we ensure that there are adequate safeguards in place, for example: the protection of personal data by partners outside the European Union is regulated by standard contractual clauses for the transfer of personal data from the Community to third countries.
• Use of automated decision-making processes: we use automated decision-making processes in connection with our website, e.g.: using Google Analytics tools, cookies, web beacons or using targeting cookies to display advertisements to people who visit our site on other websites (for example, by using the Google AdWords network).
• Your rights in relation to your personal data:
  • right to information – art. 13 and 14 GDPR – you can request information regarding the processing activities of your personal data;
  • right to rectification – art 16 GDPR – you can rectify inaccurate personal data or complete them;
  • right to erasure of data (“right to be forgotten”) – art 17 GDPR – you can obtain the deletion of data, if their processing was not lawful or in other cases provided by law;
  • right to restriction of processing – art 18 GDPR – you can request the restriction of processing if you contest the accuracy of the data, as well as in other cases provided by law;
  • right to opposition – art 21 GDPR – you can oppose, in particular, data processing based on our legitimate interest;
  • right to data portability – art 20 GDPR – you can receive, under certain conditions, the personal data you have provided to us, in a machine-readable format or you can request that the data be transmitted to another operator;
  • the right to file a complaint – you can file a complaint about the way personal data is processed with the National Supervisory Authority for Personal Data Processing;
  • the right to withdraw consent – in cases where the processing is based on your consent, you can withdraw it at any time. The withdrawal of consent will only have effects for the future, the processing carried out prior to the withdrawal remaining valid;
  • additional rights related to automated decisions: you can request and obtain human intervention regarding the respective processing, you can express your own point of view regarding it and you can contest the decision.

You can exercise these rights, either individually or cumulatively, very easily, by simply sending a request to our headquarters in Brasov, str. Brazilor, no. 55 or by email to: dpo@prato.ro.
OLIN FOODS SRL, through the website www.prato.ro, does not request or store any information regarding bank cards. No online payments are made through the website www.prato.ro.

Table of Contents

• Details about our company
• What information we collect when you visit our website
• What information we collect when you contact us
• What information we collect when you interact with our website
• Use of automated decision-making systems
• How we collect information about you from third parties
• Disclosure and additional uses of your data
• How long we store your data
• Securing your information
• Your rights over your personal data
• Your right to object to data processing for certain purposes
• Sensitive personal data
• Changes to our privacy policy

Details about our company our

The data controller regarding our website is: OLIN FOODS S.R.L., based in Brasov, str. Brazilor, no. 55, Romania, tel:+40 268 412 600. You can contact us by writing to the address mentioned above or by e-mail at dpo@prato.ro.
If you have any questions regarding this privacy policy, please contact the data controller.

What information do we collect when you visit our website

• We collect and use information from website visitors in accordance with this section and the section entitled Additional Disclosure and Uses of Your Information.
• Web Server Log Information
• We use a third-party server to host our website, called ROSPOT S.R.L, whose privacy policy is available here: https://rohost.com/confidentialitate/. Our website server automatically records the IP address you use to access our website, as well as other information about your visit, such as the pages accessed, the information requested, the date and time of the request, the source of access to our website (for example, the website or URL (link) that referred you to our website) and the browser and operating system version.
• Use of information from website server logs for IT security purposes
• Our provider collects and stores server logs to ensure the security of the IT network. This includes analyzing log files to help identify and prevent unauthorized access to our network, distribution of malicious code, predicting DDOS attacks and other cyberattacks by detecting unusual or suspicious activity.
• Unless we are investigating suspected or potential criminal activity, we do not make or allow our provider to make any attempt to identify you based on information collected through server logs.
• Legal basis for processing: compliance with legal obligations to which we are subject (Article 6(1)(c) of the General Data Protection Regulation).
• Legal obligation: recording access to our website using server log files is a technical measure to ensure an adequate level of security to protect the information collected on our website in accordance with Article 32(1) of the General Data Protection Regulation.
• Cookies and similar technologies
• Cookies are data files that are sent from a website to a browser to record information about users for various purposes.
• We use cookies on our website, including essential, functional, analytical and targeting cookies and web beacons. For further information about the use of cookies, please see our cookie policy, which is available here: https://www.prato.ro/politica-utilizare-cookies.html
• You can reject some or all of the cookies we use on our website by changing your browser settings or you can disable non-essential cookies using our cookie control tool, but rejecting them may affect the functioning of the website or some of its features. For more information about cookies, including how to change your browser settings, visit www.allaboutcookies.org or see our cookie policy.

What information do we collect when you contact us

• We collect and use information from individuals who contact us in accordance with this section and the section entitled Disclosure and Additional Uses of Your Information.
• Email – When you send a message to the email address displayed on our website, we collect your email address and any other information you provide in that email (such as your name, your telephone number and the information contained in any signature block in the email).
• Legal basis for processing: Our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
• Legitimate interest: To respond to questions and messages we receive and to keep a record of correspondence.
• Legal basis for processing: Necessary for the performance of a contract or for to enter into a contract at your request (Article 6(1)(b) of the General Data Protection Regulation).
• The reason why it is necessary for the performance of a contract: if your message is for the supply of goods or to take steps at your request prior to supplying you with goods marketed by us (e.g. providing information about such goods); we will process your information to do this.

Transfer and storage of your information.

• We use a third-party email provider to store the emails you send to us. Our email provider is Microsoft – Office 365. Its privacy policy is available here: https://privacy.microsoft.com/en-us/privacystatement.
• The emails you send us will be stored within the European Economic Area on Microsoft Office 365 servers in Austria.
• Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
• Legitimate interest: to respond to questions and messages we receive and to keep track of correspondence.
• Legal basis for processing: necessary for the performance of a contract or to start the process of entering into a contract at your request (Article 6(1)(b) of the General Data Protection Regulation).
• The reason why it is necessary for the performance of a contract: if your message. aims to provide goods or services or to take steps at your request before providing you with our goods and services (for example, providing information about such goods and services); we will process your information to do this.
• Telephone – When you contact us by telephone, we collect your telephone number and any information you provide to us during the conversation with us. Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation)
• Legitimate interest: to respond to questions and messages we receive and to keep a record of correspondence. Legal basis for processing: necessary for the performance of a contract or to enter into a contract at your request (Article 6(1)(b) of the General Data Protection Regulation).
• The reason why it is necessary for the performance of a contract: if your message concerns the supply of goods or taking steps at your request before supplying you with goods marketed by us (e.g. providing you with information about such goods); we will process your information to do this).

Transfer and storage of your information.

• Information about your call, such as your telephone number and the date and time of your call, is processed by our telephone service providers:
  • Vodafone Romania, with the privacy policy at: https://www.vodafone.ro/personal/servicii-si-tarife/termeni-si-proceduri-legale/confidentialitate/index.htm.
  • Telekom Romania, with the privacy policy at: https://www.telekom.ro/images/docs/Legal_docs/utilizare_site/PROTECTIA_DATELOR_CU_CARACTER_PERSONAL_telekom.ro.pdf
• Post – If you contact us by post, we will collect all the information you provide us in any postal communications you send us. Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
• Legitimate interest: to respond to questions and messages we receive and to keep a record of correspondence. Legal basis for processing: necessary for the performance of a contract or to start the process of entering into a contract at your request (Article 6(1)(b) of the General Data Protection Regulation).
• The reason why it is necessary for the performance of a contract: if your message is for the supply of goods or to take steps at your request before supplying you with the goods being marketed (e.g. providing information about such goods and services); we will process your information to do this).

What information do we collect when you interact with our website

• We collect and use data from individuals who interact with certain features of our website, in accordance with this section and the section entitled Disclosure and Additional Uses of Your Information
• Newsletter – When you sign up for our newsletter to receive information about new collections, promotions, events or contests, through subscription forms or from any other form based on which you can express your consent to register in the database, we collect first name, last name, e-mail. Legal basis for processing: your consent (Article 6(1)(a) of the General Data Protection Regulation).
• Consent: you give your consent to receive our newsletter by subscribing to it using the steps described above.

Transfer and storage of your data.

• We use a service provided by a third party to send our newsletter and to manage our email list, namely Mailchimp. Information about its privacy policy can be found here: https://mailchimp.com/contact/ – Mailchimp uses technologies to measure the performance of newsletter campaigns, such as delivery rates, open rates and click-through rates and unsubscribe rates, links with which the customer interacted.
• Registration on our website
• When you register and create an account on our website, we collect the following information: name, surname and email address. If you do not provide all the information requested by the registration form, you will not be able to register or create an account on our website. Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). Legitimate interest: registration and administration of accounts on our website to allow you to access the history of purchased services and invoices.
• The information you provide to us through the registration form on our website will be stored in the European Economic Area on the servers of the web hosting service provider SC ROSPOT SRL in Romania. Its privacy policy is available here: https://rohost.com/confidentialitate/ – Legal basis for processing: necessary for the performance of a contract (Article 6(1)(b) of the General Data Protection Regulation). Reason why it is necessary for the performance of a contract: we need the information collected through the order form to fulfill our obligations arising from the contract, namely the delivery of the ordered goods.
• Legal basis for processing: compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).Legal obligation: we have a legal obligation to issue you an invoice for the goods and services you have purchased from us, in which you are registered for VAT purposes and we request the mandatory information collected for this purpose by our payment form.

Optional information

We also ask you to consent if you wish to receive marketing communications from us. For further information, please see the “Marketing communications” section below.
Legal basis for processing: our legitimate interests (Article 6(1)(a) of the General Data Protection Regulation).
Legitimate interests: you agree to process any optional information you provide by sending this information to us, so that you are constantly informed about our offers and services.

Marketing communications

When completing your order, you will have the option to receive marketing communications from us, by checking the option indicating that you wish to receive marketing communications from us.
Transfer and storage of your information
We use a service provided by a third party to send newsletters and to manage our email list, namely Mailchimp. Information about its privacy policy can be found here: https://mailchimp.com/contact/
Mailchimp uses technologies to measure the performance of newsletter campaigns, such as delivery rates, open rates and click-through rates and unsubscribe rates, links with which the customer interacted.
Legal basis for processing: consent (Article 6(1)(a) of the General Data Protection Regulation).
Consent: You consent to us sending you information about our goods and services by signing up to receive such information in accordance with the steps described above.

Information collected or obtained from third parties

If we mistakenly receive information about you from a third party and/or we do not have a legal basis for processing this information, we will delete your information.

Use of automated decision-making mechanisms

We use automated decision-making mechanisms on our website. We do not consider that this has any legal effect on you or affects you in a similar way.
You have the right to object to our use of automated decision-making mechanisms and profiling described in this section. You can do this by opting out of cookies and similar technologies, in accordance with the method described in the relevant section of this privacy policy. If you do not want us to process your real IP address (usually the IP address assigned by your Internet Service Provider) when you visit our site, you can use a virtual private network (VPN) or a free service such as Tor.

You can learn more about the use of cookies and similar technologies (including the legal basis for their use) and how to opt out of them in the cookie policy, available here: http://www.prato.ro/politica-utilizare-cookies.html

Use of automated decision-making mechanisms for advertising

Automatic decision-making mechanisms are those decision-making mechanisms by technological means (by means of a machine) without human involvement.
We automate the display of advertisements containing our products on other websites that you visit by using cookies. For further information about the types of cookies we use, please see our cookie policy, available herehttp http://www.prato.ro/politica-utilizare-cookies.html.
The use of automated methods of displaying advertisements to people who have visited our website leads to increased advertising efficiency. Thus, cookies will be used to recognize that you have visited our site to show you advertisements (unless you have blocked such cookies) and will collect information about your online behavior.
How you can object: You can block these types of cookies by using your browser settings. For more information, please see our cookie policy:
http://www.prato.ro/politica-utilizare-cookies.html

Disclosure and additional uses of your data.

This section sets out the circumstances in which we will disclose your data to third parties and any additional purposes for which we use your data.
Disclosure of your information to service providers
We use a number of services provided by third parties that are necessary to run our business who process your information for us on our behalf, namely:

• Telephony service providers
• Email service providers
• IT service providers
• Website developers
• Web hosting service provider(s)
• Marketing service providers
• Email Marketing Service Provider
• Transportation Service Providers

Your information will be shared with these service providers where necessary to provide you with the products you have ordered. We do not publicly disclose the identity of our service providers for security and competitive reasons. However, if you would like further information about the identity of our service providers, please contact us directly by email at dpo@prato.ro and we will provide you with such information if you have a legitimate reason to request it.

Legal basis for processing: legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). Legitimate interest: Where we share your information with these third parties in a context other than where it is necessary to perform a contract (or at your request to do so), we will share your information with such third parties to enable us to conduct and manage our business effectively.

Legal basis for processing: necessary for the performance of a contract or to take steps at your request to enter into a contract (Article 6(1)(b) of the General Data Protection Regulation).
Reason why it is necessary for the performance of a contract: we may share information with our service providers to enable us to perform our obligations under that contract or to take steps you have requested prior to entering into a contract with you.

Disclosure of your information to other third parties

We disclose your information to third parties in certain circumstances, as set out below.
Providing information to third parties, such as Google Inc., Facebook. Google collects information through the use of Google Analytics on our website. Google, Facebook, use this information, including IP addresses and information from cookies, for a number of purposes, such as improving the quality of our services and your browsing experience. The information is collected by Google and Facebook anonymously.
Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interests: improving the quality of our services.

Disclosure and use of your information for legal reasons

Reporting possible criminal acts or threats to public safety to a competent authority
If we suspect that criminal or potential criminal conduct has occurred, we will, in certain circumstances, need to contact a competent authority, such as the police. This could be the case, for example, if we suspect that fraud or cybercrime has been committed or if we receive threats or malicious communications against us or third parties.
Generally, we will only need to process your information for this purpose if you have been involved in or affected by such an incident in some way.
Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest: preventing crime or suspected criminal activity (such as fraud).
In connection with the exercise or potential exercise of our legal rights
We will use your information in connection with the exercise or potential exercise of our legal rights, including, for example, exchanging information with debt collection agencies if you do not pay amounts due where you are contractually obliged to do so. Our legal rights may be contractual (where we have entered into a contract with you) or non-contractual (such as legal rights we have under copyright or tort).
Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest: to enforce our legal rights and take steps to secure our legal rights.

In connection with a dispute or legal or potential legal proceedings

We may need to use your information if we are involved in a dispute with you or a third party, for example, either to resolve the dispute or as part of mediation, arbitration or a court order or similar process.
Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest: resolving disputes or potential disputes.

For ongoing compliance with laws, regulations and other legal requirements

We will use and process your information to comply with legal obligations to which we are subject. For example, we may need to disclose your information pursuant to a court order or subpoena, if we receive one.
Legal basis for processing: compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
Legal obligation: legal obligations to disclose information, established in our charge by domestic or international normative acts (for example in the form of an international agreement that Romania has signed).
Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest: if legal obligations are part of the laws of another country and have not been integrated into the legal framework of Romania, we have a legitimate interest to comply with these obligations.

Duration of storage of your data.

This section sets out how long we keep the data we collect. We have set specific retention periods where possible. Where this has not been possible, we have set out the criteria we use to determine the retention period.

Retention periods

Server logs: we retain server log information for a period of 6 months.
Order information: when you place an order for goods, we retain this information for ten years from the end of the financial year in which you placed the order, in accordance with our legal obligation to keep records for tax purposes.
Correspondence: when you make a request or contact us for any reason, whether by email or telephone, we will retain your information for as long as necessary or until you expressly request us to delete your data, which will be applied in conjunction with our legal obligations.
Newsletter: We retain the information you used to sign up for our newsletter for as long as you remain subscribed (unless you unsubscribe) or if we decide to cancel our newsletter service.

Criteria for determining retention periods

In all other circumstances, we will only keep your information for as long as necessary, taking into account the following:

• the purpose and use of your information both now and in the future (for example, whether it is necessary for us to continue to store that information in order to continue to perform our obligations under a contract with you or to contact you in the future;
• whether we have a legal obligation to continue to process your information (such as any record-keeping obligations imposed by law or relevant regulations);
• whether we have any grounds for continuing to process the information (such as your consent);
• whether we have a legitimate interest in continuing to process your data;
• the levels of risk, cost and liability involved in continuing to hold it information.

Securing your information.

We take appropriate technical and organizational measures to secure your information and to protect it against unauthorized or unlawful use and against accidental loss or destruction, including:

• sharing and providing access to your data to the minimum extent necessary, subject to confidentiality restrictions where applicable and anonymously, whenever possible;
• using secure servers to store information;
• verifying the identity of any person requesting access to information before granting them access to the information;
• using the Secure Sockets Layer (SSL) standard to encrypt any information you send us via any forms on our website;
• we only transfer your data via a closed system or data transfer encrypted.

Sending information to us by e-mail

The transmission of information over the internet is not entirely secure and if you send us information via the internet (by e-mail or otherwise), you do so entirely at your own risk.
We cannot be held liable for any expenses, loss of profit, damage to reputation, damages, liabilities or any other form of loss or damage suffered by you as a result of your decision to send us information by such means.

Your rights over personal data

Subject to certain restrictions, you have the following rights in relation to your data which you can exercise by sending a written request to OLIN FOODS SRL – www.prato.ro, at the following address:
Mun. Brasov, Str. Brazilor, no. 55 or by sending an e-mail to dpo@prato.ro:

• you have the right to to access your data and receive information about its use
• you have the right to request the correction and/or completion of the information (right to rectification)
• you have the right to request the deletion of the data (right to be forgotten)
• you have the right to restrict the use of the data
• you have the right to receive the data in a portable format
• you have the right to object to the processing of your data.
• you have the right to withdraw your consent to the processing of your data.
• you have the right to appeal to a supervisory authority – in accordance with Article 77 of the General Data Protection Regulation. For this purpose, in Romania, the supervisory authority is: www.dataprotection.ro

Verifying your identity if you request access to your information.

If you request access to your information, we are required by law to use all reasonable measures to verify your identity before doing so.
These measures are designed to protect your information and reduce the risk of identity fraud, identity theft or general unauthorized access to your information.

How we verify your identity

Where we have appropriate information about you in our database, we will attempt to verify your identity using that information.
If it is not possible to identify you from this information or if we do not have sufficient information about you, we may request copies or certificates of documents to verify your identity before we can provide you with access to your information.
We may confirm the exact information we need to verify your identity in your specific circumstances if and when you make such a request.
Your right to object to data processing for certain purposes
You have the following rights regarding your data which you can exercise by sending it to OLIN FOODS SRL at the following address:
Mun. Brasov, str. Brazilor, no. 55 or by sending an e-mail to dpo@prato.ro.

• to object to the use or processing of your information by us to perform a task in the public interest or in our legitimate interests, including analyzing or predicting your behavior based on your information;
  and
• to object to the use or processing of your data for direct marketing purposes (including any profiling we engage in in connection with such direct marketing).

You can also exercise your right to object to the use or processing of your data for direct marketing purposes:

• by clicking on the unsubscribe link at the bottom of any marketing email we send you and following the instructions that appear in your browser after you click on that link;
• by sending an SMS message containing only the word “UNSUBSCRIBE” in response to any marketing communication we send by text message or by accessing the link provided in the SMS message you receive; or
• by sending an email to dpo@prato.ro, requesting us to stop sending you marketing communications or by including the words “UNSUBSCRIBE”;

For more information on how you can object to the use of data collected through cookies and similar technologies, please see our cookie policy, available here: http://www.prato.ro/politica-utilizare-cookies.html

Sensitive personal data

“Sensitive personal data” is information about an individual that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic information, biometric information for the purpose of uniquely identifying an individual, information concerning health or information concerning the sex life or sexual orientation of an individual.
In specific situations, we collect “sensitive personal data” regarding trade union membership. We process personal data regarding membership in a trade union because, based on partnerships with certain trade unions, members of those unions can benefit from certain facilities and discounts.
If, however, you accidentally or intentionally provide us with other sensitive personal information, you will be deemed to have given us your explicit consent to process the sensitive personal information in accordance with Article 9(2)(a) of the General Data Protection Regulation. We will use and process your sensitive personal information for the purpose of deleting it.

Changes to our Privacy Policy

We update and modify our Privacy Policy periodically.

Minor Changes to Our Privacy Policy

If we make minor changes to our Privacy Policy, we will update the Privacy Policy. The processing of your information will be governed by the practices set out in the new version of the Privacy Policy from its effective date.

Material changes to our privacy policy or the purposes for which we process your information
If we make material changes to our privacy policy or intend to use your information for a new purpose or for a purpose different from the purposes for which we originally collected it, we will notify you by email (where possible) or by posting a notice on our website.
We will provide you with information about the change in question and about the purpose and any other relevant information before we use your information for the new purpose.
Where necessary, we will obtain your prior consent before using your information for a purpose different from the purposes for which we originally collected it.