Privacy Policy
DATA PROCESSING SECURITY POLICY
PURPOSE
The purpose of this policy is to establish the necessary measures and the responsibilities of the employees of Noumeno to fulfill obligations regarding the guarantee and protection of the fundamental rights and freedoms of individuals, in particular the right to private, family, and personal life, in relation to the processing of personal data.
SCOPE
This policy applies to all Noumeno employees with responsibilities for processing personal data and/or, as applicable, to authorized individuals.
TERMS AND DEFINITIONS
- ANSPDCP – National Supervisory Authority for Personal Data Processing.
- Personal Data – any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.
- Anonymous Data – data which, due to its origin or the specific processing method, cannot be associated with an identified or identifiable person.
- Controller (Operator) – any natural or legal person, public or private, including public authorities, institutions, and their territorial structures, that determines the purpose and means of processing personal data.
- Data Security Officer – the person responsible for the proper functioning of the information protection system containing personal data, as well as for drafting, implementing, and monitoring compliance with the personal data security policy.
- Processing of Personal Data – any operation or set of operations performed on personal data, whether by automated or manual means, such as collection, recording, organization, storage, adaptation, modification, extraction, consultation, use, disclosure to third parties by transmission, dissemination or otherwise, combination, blocking, deletion, or destruction.
- Storage – retaining personal data on any type of medium.
- User – any person acting under the authority of the controller, authorized person, or representative, with recognized rights to access personal data databases.
REFERENCE DOCUMENTS
- Law no. 677/2001 for the protection of individuals regarding the processing of personal data and the free movement of such data, with subsequent amendments.
- Order of the People’s Advocate no. 52/18.04.2002 regarding minimum security requirements for personal data processing.
- ANSPDCP Decision no. 90/18.07.2006 regarding cases where notification of personal data processing is not required.
- ANSPDCP Decision no. 100/23.11.2007 regarding cases where notification of personal data processing is not required.
- ANSPDCP Decision no. 132/20.12.2011 regarding the processing conditions for personal identification numbers and other general-purpose personal data.
GENERAL PRINCIPLES
Noumeno has adopted appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access. Personnel responsible for compliance with Law no. 677/2001 have been designated.
Measures are in place to ensure secure storage of personal data, guaranteeing an adequate level of protection in accordance with applicable law. Organizational and technical measures focus on:
- User identification and authentication
- Access type and rights
- Data collection procedures
- Computers and access terminals
- Access log files
- Staff training
SPECIFIC PROCEDURES
User Identification and Authentication
- Access to personal data systems requires authentication using unique credentials obtained during onboarding and identity management.
- Each user has a unique identifier (username) that cannot be shared or assigned to multiple people.
- Inactive accounts are disabled and deleted after a period specified by Noumeno.
- Each account requires authentication using a password. Passwords are securely stored, periodically updated, and masked during input.
- Access is automatically blocked after a fixed number of incorrect authentication attempts.
- Users are obliged to maintain the confidentiality of their credentials and are responsible to the controller for their use.
- Authorized personnel manage account suspension or revocation in case of termination, reassignment, misuse, or extended absence.
Access Type
Users may only access personal data necessary for their job duties. Access rights are determined by functionality (admin, input, processing, storage, etc.) and permitted actions (read, write, delete), including procedures to enforce these limits.
Data Collection
- Only authorized personnel may collect and enter personal data into Noumeno systems.
- All data modifications are logged with date, time, and user ID. Deleted or modified data are retained for auditing purposes.
Computers and Access Terminals
- Terminals are located in restricted-access rooms or lockable areas.
- Idle sessions automatically log out after a pre-set period.
- Servers hosting personal data are accessed only under controlled permissions.
- Mobile storage devices containing personal data may not leave the premises without prior approval.
Access Logs
- All personal data access is logged. Unauthorized access attempts are also recorded.
- Logs are retained for at least 2 years and may be used as evidence in investigations.
- Logs allow identification of users who accessed data without proper justification.
Staff Training
- Employees are informed about Law no. 677/2001, minimum security requirements, and risks associated with personal data processing.
- Users are trained in confidentiality and receive reminders via system notifications.
- Users must log out when leaving workstations.
Computer and Data Security
Measures include:
- Prohibition of unauthorized software.
- User awareness of malware and virus risks.
- Installation of antivirus, anti-malware, and security systems.
- Restriction of copying/printing personal data outside normal business flows.
Printing and Manual Processing
- Only authorized users may print personal data.
- Documents containing personal data must be stored in lockable cabinets or returned to authorized personnel immediately after use.
PROCESSING OF IDENTIFIABLE PERSONAL DATA
- Processing is allowed only with explicit consent, legal provision, or with ANSPDCP approval and adequate safeguards.
- Principles: data must be relevant, limited, accurate, and processed only for specified purposes. Retention is limited to what is strictly necessary.
RIGHTS OF DATA SUBJECTS
Right to Information
- Individuals must be informed about the purpose of processing, rights available under law (access, correction, objection), and other information required by supervisory authorities.
- Consent is obtained before personal data collection.
- Notification registration number must be mentioned in all documents collecting, storing, or disclosing personal data.
Right of Access
- Individuals may request confirmation of whether their data is being processed, free of charge once per year.
Right to Rectification or Erasure
- Individuals may request correction, updating, blocking, or deletion of data processed unlawfully.
- Transformation into anonymous data is permitted if processing is non-compliant.
Right to Object
- Individuals may object to processing of their personal data at any time for legitimate reasons. Processing must stop if the objection is justified, except when legal provisions override it.
Right to Legal Recourse
- Data subjects may appeal to supervisory authorities or courts to enforce rights and seek compensation for damages caused by unlawful data processing.
PERSONAL DATA DISCLOSURE
- Data may be shared with authorized personnel or public/private entities with:
  - Explicit, informed consent from the data subject; or
  - Legal authorization.
- Online transfers must ensure system security.
- Data subjects who exercised the right to object must not have their data processed.
FINAL PROVISIONS
For additional information, individuals may contact: office@noumeno.com
COMPANY INFORMATION
Noumeno S.R.L.
CUI: 36407456
Trade Register: J35/2277/2016
Website: www.noumeno.com
Email: office@noumeno.com
