INFORMATION ON THE PROCESSING OF PERSONAL DATA – effective from 09.08.2024
This document aims to inform you about the processing of your personal data and your rights as a data subject, in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Throughout this notice, the term “data subject” refers to visitors to the Magistrala6.ro website, including individuals and representatives of legal entities browsing the Metro Line 6 site.
INTRODUCTION
The Magistrala6.ro website (hereinafter referred to as the “Site” or “Platform”) is owned and operated by Metrorex S.A., the Bucharest Metro Transport Company, a legal entity under Romanian law, headquartered at Bd. Dinicu Golescu No. 38, Bucharest, Sector 1, registered with the Trade Registry under J40/6880/1999, Unique Registration Code 13863739 (hereinafter the “Company” or “Data Controller”).
CONTACT DETAILS OF THE DATA PROTECTION OFFICER
The Data Protection Officer can be contacted via email at dpo@metrorex.ro or by mail at the aforementioned registered office.
PROCESSED PERSONAL DATA
The Magistrala6.ro website processes the following personal data:
- Identification data: email, first name and last name, and telephone number, in case you choose to provide them. These data are required for processing information and messages submitted through the contact form;
- Internet Protocol (IP) address and password processed when you browse the site, send emails, or complete the contact form on the www.Magistrala6.ro website;
- Device information, such as hardware model, operating system version, unique device identifiers, and information about the mobile network, including the phone number;
- Device event information, such as errors, system activity, hardware settings, browser type, language, date and time of your request, and referring URL;
- Cookies that can uniquely identify your browser. For more information, see the cookie usage policy;
- Location information by using various technologies to determine location, including your IP address;
- Your browsing preferences on the website;
- Searches performed on our site.
PROCESSING OF DATA. PURPOSE OF PROCESSING. LEGAL BASIS
The Magistrala6.ro website processes personal data through the following operations: collection, recording, organisation, storage, modification, extraction, consultation, use, transmission, combination, blocking, restriction, deletion, destruction, and archiving of personal data.
| Data Type | Scope of processing | Legal Bases | Categories of Data Recipients |
| --- | --- | --- | --- |
| Contact details: email address, first name, and last name. | Providing assistance regarding messages sent to Magistrala6.ro through all available channels (e.g., website, social media pages – Facebook, Instagram, YouTube). | Article 6, paragraph 1, letter c – processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., providing information about the progress of the M6 Metro Line construction). | WordPress Platform, Meta, Google (YouTube) – Providers of online marketing services. |
| Email (provided via the contact form) | Providing support services for your requests (e.g., handling inquiries, complaints, and petitions submitted by citizens) through communication channels (e.g., email, postal mail). | Article 6, paragraph 1, letter f – Legitimate Interest: “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, especially when the data subject is a child.” | WordPress Platform, Website Hosting Company, Project Constructors and Supervisors for Magistrala6.ro – PR Departments |
| Information about the device used (such as hardware model, operating system version, unique device identifiers, and mobile network information, including phone number); IP address. | Analysing the behaviour of the data subject/any person accessing the Magistrala6.ro page on the www.Magistrala6.ro website through the use of cookies, both from Magistrala6.ro and its contractual partners, with the purpose of providing content tailored to the user’s preferences. Magistrala6.ro applies the Cookie Usage Policy available on the www.Magistrala6.ro website for this purpose. | Article 6, paragraph 1, letter a – based on the consent given by selecting options regarding cookies – applies to cookies that are not strictly necessary for the operation of the website. Article 6, paragraph 1, letter f – Legitimate Interest: “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, especially when the data subject is a child.” – applies to cookies that are strictly necessary for the functioning of the website. | Provider of online marketing services: Google, WordPress. |
| Information about the device used (such as hardware model, operating system version, unique device identifiers, and mobile network information, including phone number); IP address. | Conducting internal analyses (including statistical analyses) to improve and develop services, as well as conducting market studies and analyses regarding Magistrala6.ro for its enhancement. | Article 6, paragraph 1, letter f – Legitimate Interest: “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, especially when the data subject is a child.” | – |
| Email, information about the device used (such as hardware model, operating system version, unique device identifiers, and mobile network information, including phone number); IP address. | Archiving both in hard copy and electronic format of messages sent through the website regarding the relationship with the Data Subject. | Article 6, paragraph 1, letter f – Legitimate Interest: “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, especially when the data subject is a child.” | – |
| Email, information about the device used (such as hardware model, operating system version, unique device identifiers, and mobile network information, including phone number); IP address. | Resolving disputes, investigations, or any other petitions/complaints in which Magistrala6.ro is involved. | Article 6, paragraph 1, letter f – Legitimate Interest: “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, especially when the data subject is a child.” | Lawyers, Consultants, Courts of law, competent public authorities, including those in the field of investigating cyber fraud. |
LIST OF PERSONAL DATA RECIPIENTS
- Supervisor: The joint venture Padeco Co. Ltd. – Oriental Consultants Global Co. Ltd. – Metroul S.A.
- Constructors: The joint venture Alsim Alarko – Makyol and the joint venture Gülermak Ağir Sanayi Insaat Ve Taahhüt A.S. – Somet SA
- Public authorities with control and oversight responsibilities
INFORMATION REGARDING THE TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
The Magistrala6.ro website does not transfer personal data of its customers outside of Romania or the EU/EEA member states.
STORAGE OF PERSONAL DATA
Personal data will be stored for as long as necessary for the purposes outlined above or for the duration specified by general legal provisions, as well as those applicable under archival laws. Except for data collected via cookies, whose duration is specified in the Cookie Policy, and where an express legal provision exists, personal data will be retained for a maximum of 3 (three) years from the last interaction with Magistrala6.ro.
YOUR RIGHTS REGARDING THE PROCESSING OF YOUR PERSONAL DATA BY Magistrala6.ro
- Right of access to personal data – You can obtain confirmation from us as to whether Magistrala6.ro processes personal data relating to you and what specific data is processed.
- Right to rectification – You may request the correction or updating of inaccurate or incomplete personal data.
- Right to erasure or the “right to be forgotten” – You may request the deletion of your personal data in certain situations, such as (i) the data is no longer necessary for the purposes for which it was collected or processed, (ii) your data was processed unlawfully, (iii) processing was based on your consent, which has since been withdrawn.
- Right to withdraw consent – Consent can be withdrawn at any time where the processing of your personal data was based on your consent.
- Right to restrict processing – You may request the restriction of the processing of your personal data in certain circumstances, such as (i) if you contest the accuracy of the data, for a period allowing us to verify the accuracy of that data, or (ii) if your data has been processed unlawfully, and you oppose its deletion by requesting a restriction on its use.
- Right to data portability – You may request and receive the personal data concerning you that you have provided to us, with the right to transmit it to another controller, where the processing was based either on your consent or on a contract with us, and where the processing was carried out by automated means. This right can only be exercised where the data was processed exclusively by automated means and where the extraction of such data is technically feasible for Magistrala6.ro at the time of the request.
- Right to object – You can object, based on your particular situation, to the processing of your personal data in certain circumstances, such as (i) when processing was done for our legitimate interest, or (ii) when the processing has the purpose of direct marketing, including profiling based on these provisions.
- Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or significantly affects you. In case Magistrala6.ro makes automated decisions regarding your personal data, you may (i) request and obtain human intervention in the respective processing, (ii) express your viewpoint regarding the processing, and (iii) contest the decision.
- Right to be notified of security breaches that have or may have an impact on your personal data.
- Right to lodge a complaint with Magistrala6.ro and/or with the competent data protection authority and to take legal action.
To exercise these rights or for any additional questions regarding this notice or the processing of personal data by Magistrala6.ro, please contact our Data Protection Officer via email at dpo@metrorex.ro, by post, or through a signed written request at the registered office address provided above. Your request will be reviewed and resolved within 30 days from the date of registration.
To file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP), contact details are as follows:
- Website: http://www.dataprotection.ro/
- Email: anspdcp@dataprotection.ro
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Postal Code 010336, Bucharest, Romania
- Phone: +40.318.059.211, +40.318.059.212
- President’s Office: +40.318.059.220
- Fax: +40.318.059.60
TECHNICAL AND ORGANISATIONAL MEASURES
Technical Measures
- Data Encryption: Utilising encryption to protect personal data during storage and transmission, particularly for data transfers over public networks.
- Access Control: Implementing access control systems to ensure that only authorised personnel have access to personal data, including managing user rights and employing strong authentication.
- Network Protection: Using firewalls, intrusion detection systems, and other technologies to protect networks from unauthorised access and cyber-attacks.
- Application Security: Ensuring the security of applications processing personal data through penetration testing, vulnerability scans, and code reviews.
- Security Incident Management: Implementing procedures for the rapid detection and effective response to security incidents.
- Backup and Recovery: Regularly creating and testing data backups to prevent data loss and ensure quick recovery in case of an incident.
- Physical Security: Protecting physical access to hardware and storage media containing personal data.
- Security Updates: Keeping all systems and applications up to date to protect against known vulnerabilities.
Organisational Measures
- Developing and implementing data protection policies and procedures that are regularly reviewed and updated.
- Ensuring that all employees receive regular training on data protection and are aware of their responsibilities concerning data processing.
- Clarifying the roles and responsibilities of employees concerning data protection.
- Conducting Data Protection Impact Assessments (DPIAs) for new or revised processes involving personal data processing.
- Ensuring that all third parties processing personal data on behalf of the organisation comply with security and confidentiality requirements.
- Conducting regular audits and assessments to verify compliance with data protection policies and standards.
- Developing and testing incident response plans, including notification of regulatory authorities and data subjects, where appropriate.
PROCEDURES IN CASE OF A DATA BREACH
A data breach refers to any incident that results in the unauthorised access, disclosure, alteration, accidental or unlawful loss, or destruction of personal data processed on www.Magistrala6.ro. Our IT team continuously monitors the systems for any suspicious activity. Any potential breach that is detected must be reported immediately to the Data Protection Officer.
Upon detection of a breach, immediate action will be taken to mitigate the impact, including isolating the affected system and assessing the nature and extent of the breach. In the event of a breach that poses a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority within 72 hours of discovering the breach. If the security breach presents a high risk to individual rights and freedoms, the affected individuals will be notified without undue delay.
All security incidents will be documented, including details about the breach, its effects, and the actions taken in response. We will evaluate and revise our security practices to prevent similar incidents in the future and update our procedures based on lessons learned.