fbpx
W I K O T I

Loading

wikoti | reservations
Privacy and Data Protection Policy

Last update: 07/02/2024

IT DIGITAL POMELO SRL (IDP) offers a set of services and applications to:

– the HoReCa businesses (restaurants, cafes, pubs…) referred to hereinafter as Business(es)/Business Clients

– natural persons acting as representatives/contact persons of the Business(es) referred to hereinafter as Business Users

to the HoReCa businesses customers (locals and travelers) referred to hereinafter as Individual Clients/Individual Users

Business Clients and Individual Clients being genericaly called UsersYou

The list of applications and websites owned by IDP are listed below and grouped per type of Users.

Individual Users:

wikoti.com : landing page for locals and travelers, no registration required

wikoti: Android and IOS mobile application for local and travelers to find and book a table,  registration is optional

Business Users and Businesses

business.wikoti.com: landing page about wikoti services, no registration required

restaurant-reservations.wikoti.com: landing page about wikoti reservations solution, no registration required

app.wiloti.com: web application for registered Users to manage their page in wikoti app and sites

app-reservations.wikoti.com: web application for registered Users to manage their reservations

wikoti manager: Android and IOS mobile appliccation for registered Users to manage their reservations

This policy details the practice of
IT DIGITAL POMELO SRL concerning the processing of personal data applied to wikoti domains and applications listed above  (hereinafter briefly, generically the App, respectively Website or Site), and is intended to inform Users about this subject.

By using the Site and/or the App, users acknowledge that they have become aware of and agree to this Privacy and Data Protection Policy, and also to the Cookie Policy and also the Terms and Conditions published on the Site and on the App.

1.       Identification of the data controller(s)

Name: IT DIGITAL POMELO SRL (hereinafter the Company, Owner or IDP)

Headquarters: Romania, Timis county, Timisoara, Calea Aradului, DN 69, KM 7 + 800 M

Registration no.: J35 /3433/2017

Fiscal code: RO38093953

Email: contact@wikoti.com

Phone no:+40 356 630 630

Name, headquartes, registration no, fiscal code, email and phone number for each Business can be found on the Business web page, Facebook page or by requesting such information to IDP.

The Company and the Businesses can act as joint controllers or as separate individual controllers (depending on the purpose of processing (details to be found at art. 6 below).

2.       Contact details in the field of personal data protection

The Company collects information from Users, in the following ways: directly from that User, from the traffic reports recorded by the servers hosting the Site, as well as through cookies.

Information provided directly by the Business User/Individual User:

Information provided by the Individual Users

(i)      When filling in the fields of the reservation form to book a table at a Business

(ii)    When creating an account on the wikoti platform

(iii)   When filling in the fields in the “Chat” box
Information provided by the Business Users

(i)      When filling in the fields of the “Sign up” form and for the Log in process for the Company

(ii)    When filling in the fields of the “Chat” box

(iii)   When filling in the fields of the “Payment” section, or provide the requested information by email or by phone, for the Company

(iv)   When offering your consent to receiving “Newsletters” from IDP
The Company and also each Business confirms that none of the Users’ personal data, shall be used for purposes other than those expressly indicated. However the Company and the Business can used it for marketing purposes provided a full compliance with the legal provisions.

 

Information obtained from the traffic reports recorded by server:

When a website/app is accessed, users automatically disclose certain information, such as the IP address, the time of the visit, the place where the website/app was accessed. The Company, like other operators, registers this information.

Information obtained through cookie:

All details on how data is processed in this context, are indicated in the Cookie Policy available on the Website and App.

The contact details that the User can use to transmit any requests, notifications or claims regarding this Privacy and Data Protection Policy, as well as the Terms and Conditions and the Cookie Policy, or any other information published on the Site/App, policies or operations performed by the Company, are indicated at point 1 above.

Should a request, notification or claim regard strictly the action of a Business, each Business User or Individual User may contact such Business directly.

The deadline for the Company to send a response is no more than 30 days from the receipt of the request. Should an issue concerning a Business (and not IDP) be object to the respective claim, notification or request received on the contact data of the Company, IDP undertakes to transmit it to the Business within maximum 5 days as of the moment when it was received, so that the Business can take the suitable action within the maximum 30 days period as of the moment when the Company received it. The same obligation is undertook correspondigly by the Business in regards to the claims, notifications or claims received which regard IDP.

3.       Data subject

 Given that the Company and also the Businesses process personal data of Business Users and of the Individual Users of the Site and/or App, they hold the status of data subject and declare that they are over 18 years old.

If the information / requests transmitted by a User also concern personal data relating to other persons (those persons hence acquiring the status of data subject), the Company and the Businesses shall process their data strictly in order to be able to respond to that information / request.

4.       Personal data processed

 Any information regarding an identified or identifiable natural person, respectively the data subject, shall be considered as personal data.

Considering the processing purposes indicated herein, the Company (and also the Businesses in the context of their activity performed in relation to the Site and/or App) tries to reduce as much as possible the personal data processed.

Users are responsible for any third-party personal data provided to the Company or the Business by means of the Website or App, and hereby confirm that they have that third party’s consent to provide the data.

Thus, according to the Cookie Policy, the data subject (the User) shall be able to choose the types of cookies (applicable where their use is not automatically made for the functioning of the Site/App) by sliding the box, in order to ensure a more complete and better experience when browsing the Site/App.

Personal data of the Individual User

(i)      When you as  Individual User fill in the fields of the reservation form to book a table at a Business, your personal data is processed (for the purposes indicated at point 6): name, surname, e-mail, phone number and IP

However, additional data regarding your reservation may be processed, such as: the Business where you made a reservation, the date, time, day of the reservation; the number of people the booking was made for; other booking details you may provide during the reservation process; as well as the status of  the reservation

(ii)    When you as  Individual User fill in the fields of the creating an account form on the wikoti platform, your personal data is processed (for the purposes indicated at point 6): name, surname, e-mail, phone number and IP

(iii)   When you as Individual User fill in the fields of the “Chat” box, you indicate: name and surname as well as IP (all being personal data).

Other personal data could be processed by the Company if included in the information / request you sent when using the chat box. The Company did not request the respective data, but insofar as they are absolutely necessary in order to be able to respond to those transmitted by you through the chat box, the processing of personal data shall be performed at your request of the Site/App.
Personal data of the Business User

(i)      When you as  a Business User fill in the fields of the “Sign up” form for the Business or provide the required information by email or phone, you indicate: name, surname, e-mail and phone number, password and IP (if the phone number and the email are the personal ones or contain personal data such as name and surname, they also become personal data). The same information shall be used later, after the account is created, for the Log in process of the Company. In any case, the password is not seen by IDP.

(ii)    When IDP suspends or deletes a Business account, if needed: name, surname, e-mail and phone number, password and IP (if the phone number and the email are the personal ones or contain personal data such as name and surname, they also become personal data).

(iii)   When you as a Business User fill in the fields of the “Chat” box, you indicate: name, surname and IP (all being personal data).

Other personal data could be processed by the Company if included in the information / request you sent when using the chat box. The Company did not request the respective data, but insofar as they are absolutely necessary in order to be able to respond to those transmitted by you through the chat box, the processing of personal data shall be performed at your request as user of the Site/App.

(iv)   When you as a  Business User fill in the fields of the “Payment” section or provide that information by email or by phone, you can indicate in addition to the data of the Company, also your name and surname (these being personal data).

(v)    When you as a Business User consent to receiving “Newsletters” from IDP, you indicate: email address (can be personal data).
The Company and also each Business confirm that none of the personal data indicated above, shall be used for purposes other than those expressly indicated. However the data can be used for marketing purpose in full compliance with the legal provisions.

Depending on the cookie settings, other data can be processed (especially those related to User preferences and behaviour on the Site/App).

5.       Processing of personal data

It represents the processing of personal data, any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means.

The Company as well as the Business where bookings are made, access, collect, use and perform any other actions allowed by the applicable law on the personal data of the Users, within the limits indicated herein.

6.       Purpose

 The Business User and the Individual User are natural persons who accesses this Site/App and whose personal data are processed for different purposes (respectively you). Those purposes are:

  • For the personal data provided directly by the User:
Purpose of processing personal data of the Individual User

(i)      Personal data collected when filling in the reservation form to book a table at a Business, is processed for:

–   in order for the Company and the Business to be able to make the reservation on a certain person’s name and manage it afterwards

–   in order for the Business to confirm the reservation by phone or email

–   in order for the Business to ask details regarding the meals and drinks (such as potential allergies, number of persons at the table, special sitting etc.)

–   in order for the Company and the Business to be able to receive feedback from the Individual User afterwards. One request of feedback shall be sent by the Business by email, and the Business as well as IDP shall have access to the response

–   in order for IDP to improve the App and/or Website as well as to prepare statistic reports for Businesses, which allow them to better provide services for the Individual Users

(ii)    Personal data indicated by an Individual User when creating an account on wikoti platform (Sign in and Log in), is processed in order to gain to exclusive features such as reservations history, participation in loyalty programs, personalized recommendations

(iii)   Personal data indicated by an Individual User in the “Chat” box, is processed in order to know how they may address that user and respond.

Purpose of processing personal data of the Business User

(i)      Personal data indicated by a Business User by filling in the “Sign up” form for the Business, is processed by the Company in order to be able to create a valid account for each Business and to manage the account and bookings received by means of the Site/App. The same information shall be used later, after the account is created, for the Log in process. In any case, the password is not seen by IDP.

(ii)    Personal data indicated by a Business User in the “Chat” box, is processed in order to know how they may address that user and respond

(iii)  Personal data indicated by a Business User by filling in the “Payment” section or offered by email or phone for making the payments owed by the Business, is processed by the Company in order to prepare the invoice and receive a valid payment.

(iv)   Personal data indicated by a Business User hen the Business User consents to receiving “Newsletters” from IDP, he/she/it indicates: email address (personal data). The same data as the ones indicated at letter (i) above shall be processed, under the mentioning that the Business User may choose to indicate another email address for this, case in which also that address shall be processed by IDP in order to send information concerning its new products and services, news, articles, events and other marketing oriented materials.
The Company and also each Business confirms that none of the personal data of the Users, shall be used for purposes other than those expressly indicated above, especially they shall not be processed for marketing purposes without observing the legal provisions.
  • For the personal data provided by the traffic reports recorded by server:
  • identification of the sections of interest of the Site/App
  • safer administration of the computer system and the Site/App
  • For the personal data provided by the use of cookies:
  • functioning and smooth operation of the Site/App (needed cookie)
  • depending on the settings chosen by the User, additional personal data can be used for obtaining statistical information that allows to improve the offered services, saving preferences, advertising, analytics, behavioural targeting, tag management, displaying content from external platform, aaccess to third-party accounts, content performance and features testing (A/B testing), interaction with data collection platforms and other third parties, social features etc. All details regarding this type of data processing can be found in the Cookie Policy.

If the Company and/or the Business intends to subsequently process the personal data for a purpose other than those indicated above, it shall provide the data subject (the User) prior to such further processing, additional relevant information regarding the secondary purpose, by completing the necessary formalities according to the law.

7.       Recipients of the processing

The personal data are processed by:

  • the administrators and employees/collaborators of the Company that deal with the administration and development of the Website/App and who are involved in the activities regarding the Businesses’ accounts and sending of newsletters, the management of bookings made by the Individual Users (including preparing statistics), as well as their questions/notifications;
  • the administrators and employees/collaborators of the Business where the booking is made by an Individual User, which deal with the reservations management process and client service, as well as answering questions/responding to notifications;
  • the support service providers contracted by the Company or the Business, in order to fulfil its contractual or legal obligations, such as:
  • the graphic designers, the software developers, the IT maintenance or business consultants – can access all the data recorded only when required by their activity, including those of the Users indicated at point 4 above;
  • the attorneys – can access all data recorded, including those of the Users, in case of legal issues that require their involvement;
  • advertising, PR and communication companies for the marketing activity. These companies may collect data through cookies or through the registration forms for the bookings or feedback, and to the extent that this happens, the controller shall provide this information to the data subjects in advance and obtain their consent where needed;

The list of suppliers listed above is not exhaustive, but it does indicate the main such collaborating companies. They shall have the capacity of independent data controller, joint data controller or data processor in relation to the Company respectively with the Business involved – depending on the factual situation and the contract’s clauses. However, regardless of the quality held, they are obliged to maintain the confidentiality and security of the personal data of the data subject (the Business User and/or the Individual User), adopting appropriate technical and organizational measures. Upon request, the updated list of providers and main clauses of those contracts which may impact the personal data, can be communicated to that Business User/Individual User.

Although they are not considered as receipients of personal data under the legal provisions, public authorities (including the fiscal authority and the consumer protection authority) and the courts of law may process all/any of the personal data obtained by means of the Site/App.

8.       Legal ground for processing

 

  • Art.6 lit.a GDPR – the processing is carried out based on the consent of the User -> situation applicable when the processing of the data is done by IDP in the context of the cookies accepted by the User and which are not necessary for the functioning of the Website/App; when the processing of data is done by the Company in the context of the chat section; as well as when the processing of data belonging to a Business User is performed by IDP for marketing purposes to the list of Newsletter subscribers;
  • Art.6 lit.b GDPR – the processing is carried out for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract -> situation applicable when the processing of the personal data belonging to the Business User is done by IDP in the context of the forms from sections “Sign in” and “Log in”, and also when the processing of data belonging to the Individual User is done by IDP and the Business in the context of his/her/its reservation (as detailed under art. 6);
  • Art.6 lit.c GDPR – processing is necessary for compliance with a legal obligation to which the Company as data controller is subject –> situation applicable in the context of data processing in relation to the competent authorities or legal service providers, as well as for the payment by the Business User of the subscription made on behalf of the Business and for invoicing by IDP;
  • Art.6 lit.f GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject –> situation applicable in the context of data processing by IDP for the normal functioning and administration of the Site/App, as well as when sending notifications for similar purposes with the initial one.

In any case, the Owner will gladly help to clarify the legal basis that applies to each specific processing.

9.       Type of processing

 Data processing activities performed, mainly refer to:

  • collecting the data indicated by the Business User in the “Chat”, “Sign in”, “Log in” and payment forms by IDP;
  • collecting the data indicated by the Individual User in the “Chat” and “reservation” form by IDP and the Business where the reservation was made;
  • collecting the data indicated by the Individual User in the “Sign in” and “Log in” form by IDP;
  • use of data for providing answers to the messages transmitted by the Business User or Individual User, by IDP and/or the Business (depending on the addressee);
  • use of data of the Individual User by IDP and the Business where the reservation was made, to ask and receive feedback, as well as for preparing statistical records by IDP;
  • use of data for the conclusion and execution of the contract by IDP (in case of the Business Users and Individual Users), respectively by the Business (in case of the Individual Users);
  • use of data for the purpose of each category of cookies chosen by the Business User or Individual User;
  • collecting other unsolicited data of Business User or Individual User (or of a third party), if provided by that User in a communication, request or complaint, so that it can respond and solve the request or remedy the incident;
  • storing personal data according to the law and within the limits necessary to achieve the purpose, in the electronic and secure database held by the Company respectively by the Business;
  • allowing access to personal data to certain employee and external collaborator who provides support services for the Company respectively for the Business, whose activity involves the processing of personal data under the condition of undertaking the obligation of confidentiality and GDPR compliance;
  • allowing access to personal data to the competent authorities, insofar as the law obliges.

10.   Processing and retention of data duration

 The retention period of the personal data processed, is:

  • until the withdrawal of the consent or the exercise of the right to data erasure (right to be forgotten) of the data subject – for the processing of personal data based on the consent of the data subject within the limits indicated by art. 17 of the EU Regulation no. 679/2019;
  • until the deletion of the Business profile at the request of the Business User or by the decision of IDP (as result of a sanction for breaching the Terms and Conditions or as a result of the expiration of the subscription of that Business) – all data indicated in that subscription account, log in not being available after that date;
  • for 3 years after receiving the last reservation form filled in by the Individual User, in order for IDP to be able to prepare statistics and improve the Website and/or App;
  • for as long as the Individual User has a valid account on the wikoti platform, in order for IDP to be able to offer historical information of his/her booking made using the Site/App;
  • for 3 years after receiving the message from the chat box or in any other way, from the Business User or the Individual User, in order to be able to demonstrate the measures taken by the Company or the Business, considering the duration of the general limitation period for the right to action before the courts regulated by the Romanian Civil Code;
  • a longer period than those abovementioned, when the law or order of an authority regulates in such manner or when there is a well-justified ground for this action (for example, to prove payments and invoicing, or to exercise a right before the court in a litigation started before the expiry of the storage period indicated herein).

Upon expiry of the aforementioned periods, all data shall be deleted from the Company’s and the Businesses’ records. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

11.   Rights of the data subject (of the User)

 a)The right to be informed

Please review in this regard the present policy, the Cookie Policy and the Terms and Conditions.

The Company reserves the right to modify / update the content of the Site and App, including the policies to which references are made, at its sole discretion, at any time and for any reason (including but not limited to the occurrence of legislative or jurisprudential changes that may affect the consequences to those published on the Site/App). The revision of this policy in the future shall be signalled by modifying the “Last updated” date at the top of this document. After the date the updated policy is published, accessing the Site/App shall represent the User’s acceptance of these updated conditions.

However, if there shall be significant changes that could affect the rights and freedoms of the Users or if it shall become obligatory to obtain their consent, informing them about these changes shall be made by easily visible indications posted on the Site/App (pop-ups) or by transmitting e-mails to the addresses provided (if applicable). Such significant changes shall have effects for users within 15 days from the time of the posting the pop-up in question or of sending the email (how the information shall be made being decided by the Company, by on a case by case basis).

Regardless of the extent of the change, the responsibility to check the content of the Site/App (including the Terms and Conditions, as well as the policies displayed), in order to be up to date with the latest versions, shall be entirely the responsibility of the User. Thus, STUDY OF THIS PRIVACY AND DATA PROTECTION, OF THE TERMS AND CONDITIONS AND THE POLICY COOKIE, SHOULD BE MADE BY USERS WHENEVER THEY ACCESS THE SITE OR APP, AND BEFORE MAKING ANY REGISTRATION OR PROVIDING ANY DATA, WHEREAS CHANGES CAN APPEAR.

Upon request, the data subject shall be informed about the essence of the contracts concluded with the recipients of personal data where possible, and also of the data source.

Company undertakes no liability in regards to the policies applied by the Businesses, except for the ones mandatory under the applicable legislation in case the two entities are considered joint controllers for the personal data of Individual Users.

b)The right of access the personal data processed

If the data subject wishes to receive information regarding the processing of data performed by the Company, he/she/it can send a request to IDP, and a response shall be provided within maximum 30 days as of reception.

Should an issue concerning a Business (and not IDP) be object to the respective claim, notification or request received on the contact data of the Company, IDP undertakes to transmit it to the Business within maximum 5 days as of the moment when it was received, so that the Business can take the suitable action within the maximum 30 days period as of the moment when the Company received it. The same obligation is undertook correspondigly by the Business in regards to the claims, notifications or claims received which regard IDP.

c)The right to data rectification

If the data subject wishes to rectify/amend the inaccurate/incomplete personal data concerning him/her/it as provided to the Company, he/she/it can send a request to IDP, and a response shall be provided within maximum 30 days as of reception.

Should an issue concerning a Business (and not IDP) be object to the respective claim, notification or request received on the contact data of the Company, IDP undertakes to transmit it to the Business within maximum 5 days as of the moment when it was received, so that the Business can take the suitable action within the maximum 30 days period as of the moment when the Company received it. The same obligation is undertook correspondigly by the Business in regards to the claims, notifications or claims received which regard IDP.

d)      The right to data erasure (right to be forgotten)

The data subject shall have the right to obtain the erasure of personal data concerning him/her/it:

  • at the expiration of the processing duration;
  • if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • if the data subject withdraws his/her/its consent on which the processing is based and where there is no other legal ground for the processing;
  • if the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • if the processing is illegal, the personal data being unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation.

The exceptional cases provided in art. 17 paragraph 3 of the European Regulation no. 679/2016 are applicable.

Some data are part of the Company’s respectively Businesses’ records, which is keept in relation to its legal obligations or its legitimate interest. Therefore, not all data can be erased, according to the law. However, any refusal to delete the data shall be motivated and shall be based on a clear legal basis.

e)The right to restriction of processing and the right to object

The restriction of processing can be applied if the data subject finds out that:

  • the accuracy of the personal data is contested, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are not yet deleted and are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The Company and the Business may continue processing the restricted personal data, if it is necessary to establish, exercise or defend a right in court, or protect/defend a person but only with the consent of the data subject.

The Company or the Business shall communicate to the recipients that a rectification, deletion or restriction of the personal data took place, unless it is impossible or it involves disproportionate efforts.

f)The right to data portability

The Business User, the Individual User or a third party indicated by him/her/it, can receive on request, the personal data processed by the Company and/or the Business. IDP and Business undertake no responsibility for the data processing performed by that third party.

The obligation to ensure the right to portability is the responsibility of the Company and the Business only if the processing of the personal data is based on the consent of the data subject or on the conclusion and execution of the contract. The actions shall be taken within maximum 30 days from the receipt of the request.

g)The right to object

The Business User and the Individual User shall have the right to object, on grounds relating to his/hers/its particular situation, at any time to processing of personal data based on the legitimate interest of the controller (including profiling).

Regardless to the above, if the controller demonstrates well justified legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims, the processing of data can continue.

h)The right to submit a claim

The data subject may submit:

  • a request / a claim using the contact data of the Company, as indicated at art. 1 above, or directly those of the Business in relation to which the issue has arrised.
  • an action before the competent court;
  • a complaint before the competent processing supervising authority. In Romania, that authority is the Romanian National Supervisory Authority for the Processing of Personal Data (www.dataprotection.ro).

However, the Company and the Business both wish any conflict/dispute to be resolved amicably and provides all availability in this regard.

i)The right to withdraw the consent given

The data subject may withdraw his/her/its consent at any time, without however affecting the legality of the processing before the withdrawal nor the one based on another legal grounds.

j)The right to not be subject to an automated decision

The data subject has the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him/her/it which is based solely on automated processing and which produces legal effects concerning him/her/it or similarly significantly affects him/her/it. Such processing includes ‘profiling’.

However, this does not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent.

  • Predictions based on the Individual User’s Data (“profiling”)

The Owner may use the personal data collected through the Site/App to create or update user profiles. This type of data processing allows the Owner to evaluate User choices, preferences and behaviors for the purposes outlined in the respective section of this document.

User profiles can also be created through the use of automated tools like algorithms, which can also be provided by third parties.

The Individual User always has a right to object to this kind of profiling activity. To find out more about the Individual User’s rights and how to exercise them, the individual User is invited to consult this art. 11.

  • Decision-making

Automated decision-making means that a decision which is likely to have legal effects or similarly significant effects on the Business User and the Individual User, is taken solely by technological means, without any human intervention.

Automated decisions are made by technological means – mostly based on algorithms subject to predefined criteria – which may also be provided by third parties.

The rationale behind the automated decision making is:

  • to enable or otherwise improve the decision-making process;
  • to grant Users fair and unbiased treatment based on consistent and uniform criteria;
  • to reduce the potential harm derived from human error, personal bias and the like which may potentially lead to discrimination or imbalance in the treatment of individuals etc.;
  • to reduce the risk of user’s failure to meet their obligation under a contract.

As a consequence, Users are entitled to exercise specific rights aimed at preventing or otherwise limiting the potential effects of the automated decisions taken. In particular, Users have the right to:

  • obtain an explanation about any decision taken by IDP as a result of automated decision-making and express their point of view regarding this decision;
  • challenge a decision by asking the Owner to reconsider it or take a new decision on a different basis;
  • request and obtain from the Owner human intervention on such processing.

12.   Main obligations of the data subject

a) Confidentiality

The data subject has the obligation to keep the confidentiality of all personal data with which he/she/it comes into contact in relation to the Company or the Business, except they agree otherwise.

b) Complying with the data security measures

The data subject shall not process any confidential data or personal data of third parties, unless it is absolutely necessary, confidentiality is ensured and the specific legislation is fully complied with.

In case of breach of the obligations indicated in this art. 12 by the data subject, the Company respectively the Business, shall be entitled to obtain compensation for all the damages suffered.

13.   Obligations of the Company and of the Business in the wikoti context. Security measures applicable to the processed personal data

The Company and the Business, both comply with the provisions of the data protection legislation and have implemented appropriate technical and organizational measures to ensure the security of the processed personal data and the rights of the Users. Thus, they have implemented measures such as:

  • the conclusion of contracts with collaborators which have undertook the obligation of confidentiality in relation to the personal data processed, as well as the general obligation to comply with the applicable legislation in the field of personal data protection;
  • training the employees and collaborators on the importance of personal data protection, as well as limiting their access to data according to their attributions and competences;
  • establishing internal procedures having the purpose of protecting personal data;
  • indicating specially contact data which can be used for questions/claims regarding personal data (ie. the one indicated in art. 1 of the present policy for IDP);
  • implementing information security measures;
  • the data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated;
  • not installing cookies in addition to those necessary for the functioning of the Site/App and offering the Users at all times the possibility to choose the additional cookies accepted.

Also, the Company or the Business shall inform the competent data protection authority in the event of a breach concerning data security, without undue delay and, if possible, within 72 hours from the moment it became aware of it, unless it is unlikely to create a risk for the rights and freedoms of individuals. If the notification to the authority shall not be made within the 72 hours, it shall be accompanied by a justified explanation for the delay.

Immediately after finding out of the breach, with at least 24 hours before the expiration of the 72 hours term, the Company respectively the Business shall inform each other, analyse the situation and decide afterwards on the next steps and which of them shall notify the authority according to the above, respectively the data subject according to the provisions below.

In the event of an incident concerning the security of personal data, the data subject shall be also informed without undue delay, if the breach of the security of personal data is likely to generate a high risk for his/her/its rights and freedoms. However, informing the Business Users and/or the Individual Users affected by the data breach, shall not be necessary informed if any of the following conditions is met:

  • the controller(s) has implemented adequate technical and organizational protection measures, and these measures have been applied in the case of the personal data affected by the security breach;
  • the controller(s) has taken further measures to ensure that the high risk for the rights and freedoms of the data subjects is no longer likely to occur;
  • would require a disproportionate effort. In this situation, a public notification (such as a pop up notification on the Website and App if the Company is in breach, respectively on the website of the Business if the Business is the one in breach) shall be conducted instead or a similar measure shall be taken, so that the data subjects are informed in an equally effective manner.

Any statistics regarding the traffic of the Business Users and/or the Individual Users on the Site/App, which the Company or the Business shall provide to third party advertising networks or to other sites, shall have a data set form and shall not include any identifiable information about any individual Business Users and/or the Individual Users.

Unfortunately, no data transmission through the internet can be guaranteed to be 100% secure. Consequently, despite the Company’s efforts to protect Users personal data, it cannot guarantee or ensure the security of information transmitted by them through the Site/App. All Users are therefore warned that any information sent through the online environment shall be done at their own risk. To mitigate this risk, one of the measures took by the Company is to offer all interested Users the possibility to send requests / addresses / messages in material form, to the Company headquarters, and not necessarily through the chat box.

14.   Liability of the Company

 The Company’s liability in relation to the data subject shall be established in relation to the quality held in the respective data processing operation, the reason and place of the incident, the security measures taken, the measures took to avoid incidents and the observance of the other legal obligations and the policies published on the Site/App.

IDP undertakes not to allow any account to be created by Businesses which do not expressly consent by checking in the corresponding box, that have reviewed and undertake this privacy policy, the Terms and Conditions and the Cookie Policy.

The Company undertakes only the obligations established as absolutely mandatory under the law, undertaking no additional obligation towards the Businesses, the Business Users or the Individual Users (including but not limited to undertaking a direct liability before the data protection competent authority or the Individual User, instead of the Business in relation to how the Business processes that person’s personal data). Moreover, any liability of IDP towards the Business or any claim it might have towards the Company, regardless of the reason, shall be limited to the last 3 (three) invoices paid by the Business to the Company.

15.   Place of processing. Transfer of personal data to third countries / international organizations

Personal data is processed at the Owner’s and Businesses’ operating offices in Romania and in any other places from EU where the parties involved in the processing are located.

Depending on the Business User’s or the Individual User’s location, data transfers may involve transferring that user’s data to a country other than their own. However, neither the Company nor the Business shall not transfer any personal data obtained by means of the Site/App in a country outside the EU (hence no transfer of personal data under the GDPR meaning of this term, shall occur).

16.   Final provisions

This policy applies to the Company, to the Businesses and to the Site and/or App Users (including those who complete the existing forms on the Site and/or App).

This document is part of the Company’s set of security policies and is undertook by the Businesses. Other policies can apply to the topics addressed herein and can be reviewed according to specific needs.

In addition to the information contained in this privacy policy, IDP may provide the Users with additional and contextual information concerning particular services or the processing of personal data upon request. Please see the contact information at the beginning of this document.