Confidentiality Policy

website and social media – crowe.ro

Rev: 3.0 Valid as of 06.03.2023    

1.        Premises

2.        Identity of the controller

3.        Processed personal data

4.        Quality of processed data

5.        Collection purpose

6.        Period in which personal data shall be processed:

7.        Personal data recipients

7.1 Persons mandated for processing personal data

8.        Security measures

9.        Data transfer

10.      Your rights regarding the processing of personal data

11.      Cookie information

12.      Cookies used on the website and personal data processing purposes

13.      Legal grounds of the processing based on the cookie technologies used by the website

14.      Manner of managing cookies and the consent regarding their use

15.      Manner of exercising the right to oppose, in case of processing based on Legitimate Interests

16.      Security and confidentiality problems

17.      Other security aspects related to cookies

  

 

1.   Premises

We hereby inform you regarding the personal data which the company collects when you use our website and the social media resources we control. In the process of collecting and processing the provided personal data, the company acts as a personal data controller, and it has the legal obligation of providing information regarding the data which it collects, the purpose and means of processing personal data and the rights which you, as a data subject, have on personal data, according to the law.

 

The purpose of this document is to descriptively detail the manner in which the company collects, uses and treats your personal data when you use the website.

 

We assure you that data confidentiality is valuable for our company, and we commit to comply with the private nature and security of the information provided by you when you visit our website.

 

The notion of personal data includes any information which leads or may lead to your identification as a natural-person user when you interact with the online resources provided by the company. 

 

According to art. 4 section 1 of Regulation no. 679/2016, "personal data" means “any information related to an identified or identifiable individual ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, especially in reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or several elements specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity”.

 

We inform you that the website may be accessed without disclosing your identity or providing any information regarding your personal data. However, information may be automatically obtained when you visit the website, by recording in logs communication data such as the IP address from where you access the website and the links you access. However, this data cannot lead to your identification as an individual in the absence of other data sets. 

 

Crowe Finexpert-Boscolo shall not correlate this information with other data that would allow your identification, unless the website is used in an abusive manner and there is the risk of committing a crime. Other personal data may be processed only with your consent, granted by one of these forms: contact forms, user accounts created on the website, etc. The obtained personal data shall be processed by the company based on your consent, freely expressed by one of the aforementioned forms.

Crowe Finexpert-Boscolo provides adequate technical means for you to express, in a free and informed manner, your consent for each data set, for which you express your processing approval. 

 

https://www.crowe.ro is, technically, a sub-website used for promoting https://www.crowe.com. crowe.com is independently maintained and developed by Crowe LLP, an entity that provides an “as-is” web advertising platform, by establishing the processing purposes and means. The Crowe Finexpert-Boscolo Group, on one hand, and Crowe LLP, on the other hand, independently and separately process various categories of personal data, acting as independent operators. 

 

 

2.   Identity of the controller

The Crowe Finexpert-Boscolo Group is composed of the following personal entities: 

FINEXPERT - BOSCOLO CONSULTING SRL, registered office at address No. 5, Popa Petre Street, part 2, Section 5, District 2, Bucharest, Trade Register registration number J40/7111/2003, Sole Registration Number RO15462709;

FINEXPERT - BOSCOLO TAX & CORPORATE SRL, registered office at address No. 5, Popa Petre Street, 4th floor, part 1, District 2, Bucharest, Trade Register registration no. J40/8368/2015, Sole Registration Number RO34753380;

FINEXPERT - BOSCOLO AUDIT AND ADVISORY SRL, registered office at address No. 5, Popa Petre Street, unit A, 5th floor, office 501, District 2, Bucharest, Trade Register registration no. J40/4007/1995, Sole Registration Number RO7475015;

FINEXPERT - BOSCOLO ZUCCHETTI PAYROLL SRL, registered office at address No. 5, Popa Petre Street, part 2, 3rd floor, section 7, District 2, Bucharest, Trade Register registration no. J40/4049/2006CUI RO18468447;

The companies shall be collectively hereinafter referred to as “Controller”, defined as a personal data controller according to European Regulation no. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). 

You may contact us online at e-mail address [email protected] or by mail to the aforementioned addresses.

We are not obligated to have a data protection officer; therefore, any question regarding the use of your personal data must be sent by using the aforementioned contact data.     

 

3.   Processed personal data 

According to art. 13 of Regulation no. 679/2016 on the personal data protection and the provisions of the national internal provisions on personal data protection, we hereby inform you that the Finexpert-Boscolo Group, as a controller, processes your personal data as follows: 

 

 

Personal data	Process	Legal grounds	Retention period	Third parties
Personal data that is necessary for electronic communications established between your terminal and our resources: IP address, browser type, access terminal type, resource accessing date and time, visited pages	Electronic communications	Legitimate interest	1 year	IT service provider
Cookies - files that are necessary for electronic communications - session cookies without personal data	Electronic communications	Legitimate interest - basic website operation	While the page is opened by the website	Independent controller Crowe LLP - www.crowe.com
Operational cookies - used files, recording the cookie processing approval	Improving the navigation experience	Consent	1 year	Independent controller Crowe LLP - www.crowe.com
Identification data disclosed by contact forms: surname, first name, e-mail address, telephone number, other data which you disclose in details	Using online contact means	Consent	As long as you maintain your approval	IT service providers, marketing service providers
Data from your social media accounts: images, account identifiers, other information you publish, opinions (likes)	Interactions you make with our social media resources	Your consent granted to social media networks	As long as you maintain your approval	IT service provider Marketing service providers
Surname, first name, e-mail address, the company for which you work	Direct marketing: subscription to the professional and commercial notices of the group	Consent granted online	As long as you maintain your approval	IT service providers Marketing service providers Specific application service providers
Data collected for the purposes of applying for an available job: surname, first name, date of birth, address, telephone number, e-mail address, graduated college, all the data you included in your CV	Personnel recruitment	Consent granted online / legal grounds of the contract	As long as you maintain your approval / 3 months after the recruitment campaign	IT service providers Application management app providers
Contact data: surname, first name, position in the company	Company promotion by customer representatives’ testimonials	Consent - granted by other methods (physical)	As long as you maintain your approval	IT service providers Marketing service providers
Images of group employees and affiliates, surname, first name, position, social media pages, professional experience	Company promotion	Consent - granted by other methods (physical)	As long as you maintain your approval	IT service providers Marketing service providers
Images of company employees who attend internal events or CSR actions	Company promotion / Increasing employee loyalty	Consent - granted by other methods (physical)	As long as you maintain your approval	Marketing service providers
Images of persons who attend events organized by group companies	Company promotion	Consent - granted by other methods (physical)	As long as you maintain your approval	IT service providers Marketing service providers
Images of persons who attend CSR events organized by group companies	Social responsibility	Consent - granted by other methods (physical)	As long as you maintain your approval	IT service providers Marketing service providers

 

 

4.   Quality of processed data

The company permanently aims to comply with the principles regarding the quality of processed data, according to the provisions of art. 5 of Regulation no. 679/2016. Thus, personal data is processed:

 

·       legally, fairly and transparently in relation to the data subject;

·       collected for determined, explicit and legitimate purposes, and is not subsequently processed in a manner which would be incompatible with these purposes;

·       adequate, relevant and limited to what is necessary to the purposes for which it is processed;

·       stored in a form that allows the identification of the data subjects for a period that does not exceed the period that is necessary for fulfilling the purposes for which the data is processed;

·       processed in a manner that ensures the adequate security of the personal data;

 

5.   Collection purpose

We use your personal data only for legitimate business purposes. These include:

 

·       providing the requested information, and in order to reply to the correspondence received from you;

·       promoting the image of the company;

·       personnel recruitment;

·       sending information about the Finexpert-Boscolo Group, about our promotions and about our activities and events, and those of our partners;

·       managing the relationships with our customers, by requesting feedback in relation to our products and services, and sending it to certain members of our personnel in order to improve our offers;

·       personalized marketing: sending letters, e-mails or text messages, in order to provide you with a product or a service. You can unsubscribe from the offers from this category. You are entitled to not consent or object to commercial or direct marketing activities, including the creation of a profile in order to carry out the activities from this category;

·       in order to carry out legal obligations and social responsibilities, according to Romanian and international laws;

 

Each personal data processing has a well-defined purpose which fits into the aforementioned table. 

 

 

6.   Period in which personal data shall be processed: 

The period during which the data is kept depends on the legal grounds of the processing and on the category of the data which is processed, and is indicated in the aforementioned table. As a general principle, personal data shall be processed for a minimum period provided by the law. 

 

In case of personal data whose legal grounds are constituted by your consent, the processing may be carried out as long as you maintain your approval, which you previously signed in a free and informed manner, without affecting the legality of the processing carried out based on your consent, before it is withdrawn.

 

After the expiry of the indicated period, your personal data shall be deleted according to our internal policies and procedures. 

                  

 

7.   Personal data recipients 

Personal data may be provided to legally authorized state authorities, upon their request, according to the law. 

 

Personal data may also be communicated to other commercial entities (partners, group companies), by complying with the provisions of art. 13 and 14 of Regulation no. 679/2016.

 

7.1 Persons mandated for processing personal data

The processing the aforementioned data may involve providers that carry out, based on contracts, actions that would lead to the achievement of the aforementioned purposes. 

 

By procedure, the selection of these providers also involves a standardized assessment phase, which assesses the preparation and compliance degree of the provider’s activities with the GDPR requirements. 

 

These providers are mandated according to GDPR and operate your data by considering the legal provisions, and also written instructions regarding the processing of personal data, issued by the companies from the Crowe Finexpert Boscolo group, which are mandatory. The mandated persons must apply at least the same technical, organizational and legal measures as the operator, as well as other measures, specific to their activities. 

 

The list of mandated persons, generically indicated by categories of activities, may be consulted by a simple request, either to data protection officers or to the contact addresses indicated by the company. The controller is entitled to change these suppliers.

 

8.   Security measures

The controller and any entities that are mandated by the controller in order to process data shall establish technological, physical, administrative and procedural guarantees, according to the accepted standards in this field, in order to protect and ensure the confidentiality, integrity and accessibility of the processed personal data. 

 

The controller and the entities mandated by the controller shall prevent the unauthorized use or access to personal data, and shall prevent personal data security breaches (security incidents), according to the instructions, policies and laws applicable to the controller. 

 

The controller ensures that its employees and collaborators process this data by complying with the imposed confidentiality policy and all the internal procedures implemented regarding European regulation no. 679/2016.

 

The Crowe Finexpert-Boscolo group is responsible for the security of the personal data it collects, which is processed in the systems and resources of the group by the online resources provided by Crowe LLP. Crowe LLP is responsible, as an independent controller, for the cyber security of the platform via which Crowe Finexpert Boscolo collects this data. 

 

 

9.   Data transfer

The Crowe Finexpert-Boscolo group does not transfer data outside the European Economic Area, for any of the aforementioned operations. If the use of technical solutions involves storing and processing data outside the European Economic Area, the controller shall previously consider and analyze the legal grounds of the data transfer. This informative note shall be adequately updated. The safety measures regarding transfers remain valid no matter the situation.

 

Crowe LLP is responsible, as an independent operator, for personal data processing which may involve personal data transfers, including for choosing technical solutions specific to the used web platform. 

 

 

10.   Your rights regarding the processing of personal data

Regulation no. 679/2016 provides the following rights to persons whose data is processed:

 

·       right to access

·       right to rectify

·       right to delete data

·       right to restrict the processing

·       right to data portability

·       right to oppose

·       right to withdraw your consent at any time, without affecting the legality of the processing carried out based on your consent before withdrawing it;

·       right not to be subject to exclusively automated processing, including profiling, according to GDPR;

·       right to submit complaints with the competent supervision authority;

 

For all the personal data processing operations carried out based on a legal obligation or under a contract, the refusal to provide this data may cause the termination of the contractual relations between the parties.

 

The processing carried out based on legitimate interests is necessary for the adequate operation of the internal processing of the controller and complies with the internal policies and procedures, which constitute obligations related to the employment contract concluded between the parties. All the processing operations carried out based on legitimate interests are detailed and approved by the managers of the organization, and ensure balance between the necessity of the processing and the data subject’s rights. For each processing operation carried out based on legitimate interests, you may ask to read the related documentation. 

 

Depending on the legal grounds of the data processing and on the legal provisions imposed by the national or European legislation, some of the aforementioned rights are not applied. 

 

For the processing whose legal grounds are based on your consent, you are entitled to request its cessation at any time, either by the technical means provided by media resources (by unsubscribing from our news flow, by cookie selection, etc.) or by contacting our company by the classic means provided by us (e-mail address [email protected] or telephone number 0312285115)

 

The controller does not have automated decisional processes.

 

In all cases, requests may be submitted regarding the processed personal data, and the controller must reply within 30 days. This term may be longer, but its extension must be substantiated in writing by the controller.

 

Your rights may be exercised upon a request submitted to the data protection officers or to the contact addresses indicated by the company. 

 

You are also entitled to file a complaint to the data protection supervision authority from Romania, if you deem that the processing of the personal data breaches the applicable laws.

 

 

The institution to which you may file complaints is: 

 

Personal Data Protection Supervision National Authority
No. 28-30, G-ral Gheorghe Magheru Blvd., Bucharest [email protected] www.dataprotection.ro	+40.318.059.211 +40.318.059.212

 

Personal data protection officer: the company is under no legal obligation to appoint one, therefore it has not appointed one

 

 

11.                 Cookie information

https://www.crowe.ro uses cookies.

The purpose of the information below is to provide to users additional details about the placement, use and management of the cookies used by https://www.crowe.ro. 

A user is any natural person who accesses the aforementioned website. 

Cookie technologies allow the storage and accessing of information on / from a user’s terminal equipment or device, and may be cookies, software development kits (SDK), plugins or social media buttons, device/browser fingerprinting (fingerprinting or sole identification of the device / web browser), pixels, etc.

A cookie is a small special text file, placed on a user’s device by the websites which the respective user accesses. The cookie is sent by an internet domain / website to a web browser (e.g. Microsoft Edge, Chrome, Firefox), and then sent back by the browser, every time the respective website is accessed. The text files of the cookie have two components (name and value or content) and are stored on the visitor’s computer, tablet or phone for a predetermined period of time.

Each cookie contains identification numbers and the date and time when it was placed in the device / web browser via which the website was accessed. These cookie identifiers are deemed as personal data as they my individualize the devices on which the cookies were placed and their users.

The identification numbers of cookies may be combined with other personal and non-personal data, such as the IP address, other online identifiers such as advertising or user identifiers, information about the accessed pages and subpages, information about the browser, screen resolution, language. These combinations are used for generating additional personal data on the user, such as, for example, socio-demographic data (categories of likes and interests derived from online behavior, age categories, geographic localization).

Also, the user data collected by cookies by automated processes constitutes the basis for creating profiles which are used for delivering behaviorally targeted advertising.

Cookies may be divided into four general categories: session cookies, persistent cookies (based on their lifecycle criterion), first-party cookies and third-party cookies (based on the criterion of their origin).

Session cookies temporarily save in the web browser information about the user’s actions on the website, or data inputted by the user. Session cookies are automatically deleted when the user closes the browser or the window in which the website was accessed.

Persistent cookies remain stored on the user’s terminal after the end od the current navigation session, until their expiry date (generally, their lifecycle may be up to several years). These cookies retain information for future visits, such as the visitor’s browsing preferences or  settings, for the purpose of providing an improved usage experience.

First-party cookies are placed by the website / internet domain accessed by the user.

Third-party cookies are placed by a website / internet domain other than the one accessed by the user, when the accessed website contains information incorporated from a third-party website.

 

12.                 Cookies used on the website and personal data processing purposes

On our website, we use two out of the four aforementioned cookie categories. These are grouped into specific categories depending on the purposes for which the personal data is processed. These two categories do not process personal data and are specific to the web platform of Crowe LLP. The Crowe Finexpert-Boscolo group does not have any control over the manner in which these files are managed. Crowe LLP is the entity which takes independent decisions in this regard.

Crowe Finexpert-Boscolo recommends consulting the policies of third parties regarding the use of cookies and other similar technologies by the respective third parties, before accepting this type of data processing.

The cookie categories used on our website depending on the purposes for which personal data is processed are:

 

12.1         Strictly necessary 

These files are strictly necessary for the operation of the website, including those for saving/processing the options expressed by you regarding cookie technologies. These do not contain personal data, are deleted when the page opened by crowe.ro is closed, do not require your consent for placement/accessing, and cannot be deactivated. These cookies are managed by Crowe LLP. 

 

12.2         Ensuring website functions

These file categories allow the website to offer enhanced and personalized functions, for example retaining personal preferences during browsing. The files are only used for hiding the window which allows you the options regarding the cookie modules and in order to provide a direct link to the cookie preference page. These cookies are managed by Crowe LLP.

The complete and updated list of these cookie types is available in the cookie preference center. The cookie preference center allows this processing to be restricted, and to be carried out only with your explicit consent, by allowing the storage of these files or by using the button by which you accept the storage of all cookie types. 

 

13.                 Legal grounds of the processing based on the cookie technologies used by the website

The legal grounds of the personal data processing by strictly necessary cookies is our legitimate interest to ensure that the website operates in an adequate manner.

For the other cookie types, divided into categories depending on the general purposes for which personal data is processed, our legal grounds are constituted by the consent granted by the users of our website, and, in some cases, the legitimate interest of some partners, indicated in the confidentiality policies of the respective partners.

 

14.                 Manner of managing cookies and the consent regarding their use

Cookies used for ensuring the transmission of communications over the internet and cookies that are necessary for providing services requested by users on the website, known as “strictly necessary cookies”, do not need to obtain consent.

Cookies that are not strictly necessary may be refused by the user before accessing the website; however, not all the functions or contents of the website shall be available, thus considerably reducing the usage experience.

Thus, before accessing the website, a “Cookie preference center” consent dialog window shall be displayed on the screen, where the user may choose and activate the cookie categories and partners for which he/she wishes to grant his/her consent regarding the processing of personal data.

You are entitled to modify the previously expressed options and to withdraw your consent at any time regarding the processing of data by cookie technologies, and the legality of the processing until the withdrawal shall not be affected. 

Alternatively, most browsers offer to the user, by settings, the possibility of having a certain degree of control over cookies:

•                Edge https://support.microsoft.com/en-gb/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy 

•                Chrome   https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=en 

•                Firefox    https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences 

•                Opera   https://help.opera.com/en/latest/ 

•                Safari   https://support.apple.com/en-gb/safari 

You may read detailed information about cookies and about the manner in which they can be controlled on these websites: www.aboutcookies.org,  www.allaboutcookies.org and https://cookiedatabase.org.

 

15.                 Manner of exercising the right to oppose, in case of processing based on Legitimate Interests

You may exercise the right to oppose the processing of data based on the legitimate interests of some partners, if you deem that your fundamental interests or rights and freedoms prevail over the interest of such a partner, by accessing the confidentiality policy of the respective partner (by clocking on its link in the Cookie preference center) and by directly sending your request to the respective partner.

You may exercise the right to oppose the processing of data based on the legitimate interests of Crowe Finexpert Boscolo, if you deem that your fundamental interests or rights and freedoms prevail over our interests and rights, by sending an e-mail for this purpose to [email protected], in which you indicate the reasons for which you oppose the processing activities carried out based on our legitimate interests.

You may also waive the collection and use of data for behaviorally targeted advertising by using the mechanisms for exercising this option at http://www.aboutads.info/choices and https://www.youronlinechoices.com/ro/ .

 

16.                 Security and confidentiality problems

Cookies are not viruses! They use plain text formats.  They are not composed of code fragments, so they cannot be executed and cannot run independently. Consequently, they cannot be duplicated or replicated in other networks in order to run or be replicated again. As they cannot perform these functions, they cannot be deemed as viruses.

However, cookies may be used for negative purposes.  As they store information about users’ preferences and browsing history, both for a particular website and on several other websites, cookies may be used as a form of spyware.  Many anti-spyware products are configured to emphasize this fact, and constantly mark cookies in order to be deleted within antivirus / anti-spyware deletion / scanning procedures. 

Generally, browsers have integrated confidentiality settings which provide various levels of cookie acceptance, the period of validity and automatic deletion after the user has visited a particular website.

 

17.                 Other security aspects related to cookies

As identity protection is very valuable, and represents the right of each internet user, it is advisable to be aware of any potential problems which cookies may create.  As information between the browser and the website is constantly transmitted in both ways by cookies, if an attacker or unauthorized person intervenes in the data transmission process, the information contained in the cookie may be intercepted. 

Other cookie-based attacks involve incorrect settings of cookies on servers.  If a website does not request the browser to only use encrypted channels, attackers may use this vulnerability to trick browsers to send information through unsecure channels.  Then, attackers use the respective information in order to access certain websites in an unauthorized manner.  It is important to be careful in choosing the most adequate method of personal information protection.

Due to their flexibility, and to the fact that most visited and largest websites use cookies, these are almost unavoidable.  Disabling cookies disallows the user’s access to the best-known and most-used websites, including YouTube, Gmail, Yahoo , etc.