1.1 Transparency of data processing
1.1.1 Obligation to inform
Data subjects should be informed about how their personal data is used in line with applicable legislation and the following conditions.
1.1.2 Content and form of information
1. The company adequately informs interested parties on the following elements:
a) The identity of the data processor(s) and their contact details.
b) The intended use and purposes of use of the data. This information must include what data is recorded and/or processed/used, why, for what purpose and for how long.
c) If personal data are transferred or transmitted to third parties, the recipient, scope and purpose of such transfer / transmission will be known.
d) The rights of the interested parties in relation to the use of their data.
2. Regardless of the medium chosen, interested parties receive this information in a clear and easily understandable way.
1.1.3 Availability of information
The information is available to interested parties at the time of data collection and, subsequently, every time it is requested.
2. Conditions of admissibility to the processing of personal data
Personal data will only be used under the following conditions and will not be used for purposes other than those for which they were originally collected. The use of the data collected for other purposes is allowed only if the eligibility conditions are met according to the following conditions.
2.2 Admissibility of the use of personal data
Personal data may be used if one or more of the following criteria are met:
a) It is clearly legally permitted to use the data as intended.
b) The interested party has consented to the processing of their data.
c) The processing of data is necessary for the fulfillment by the company of the contractual obligations with the interested party, including the contractual obligations of information and/or ancillary obligations, or for the fulfillment by the company of the obligations - or post-contractual measures for the initiation or processing of a contract that have been requested by the data subject.
d) The data must be used to fulfill a legal obligation of the company.
e) It is necessary to use the data to safeguard the vital interests of the data subject.
f) The processing of data is necessary for the performance of a task in the public interest or in the context of the exercise of public authority for which the company or third party to whom the data are transferred has been entrusted.
g) The processing of data is necessary to realize the legitimate interests of the company or third party(ies) to whom the data are transmitted, provided that these interests are not clearly offset by the interests of the data subject which deserve protection.
2.3 Consent of the interested party
The data subject is considered to have given his/her consent pursuant to clause (3.2), point b) of these Binding Corporate Privacy Regulations if:
a) The consent has been given expressly, voluntarily and on an informed basis that makes the interested party aware of the scope of what he is consenting to. The wording of the declarations of consent must be sufficiently precise and inform data subjects of their right to withdraw consent at any time. For business models in which the withdrawal involves a breach of contractual obligations, the interested party must be informed.
b) The consent was obtained in a form appropriate to the circumstances (written form). In exceptional cases it can be obtained verbally, if the fact of the consent and the particular circumstances that make the verbal consent seem adequate are sufficiently documented.
2.4 Automated individual decisions
a) Decisions which assess individual aspects of a person and which may have legal consequences for them or which may have a significant negative effect on them, are not based solely on the automated use of data. This includes in particular decisions for which data relating to the creditworthiness, professional suitability or health of the data subject are significant.
b) If, in individual cases, there is an objective need to make automated decisions, the data subject is informed without delay of the result of the automated decision and has the opportunity to make observations within an appropriate period of time. The comments of the interested party must be adequately taken into consideration before making a final decision.
2.5 Use of personal data for direct marketing purposes
Where the data are used for direct marketing purposes, the data subjects must be:
a) Informed of how their data will be used for direct marketing purposes;
b) Informed of their right to object at any time to the use of their personal data for direct marketing communications;
c) Equipped to exercise the right not to receive such communications. In particular, they receive information on the company with which the objection is to be filed.
2.6 Special categories of personal data
a) The use of particular categories of data is allowed only where regulated by law or after obtaining the consent of the interested party. It is also permitted if the processing of data is necessary to fulfill the rights and obligations of the company in the field of labor law, provided that adequate protection measures are taken and this is not prohibited by national law.
b) Prior to the commencement of such collection, processing or use, the company informs its Data Protection Officer accordingly and documents this action. When assessing admissibility, particular attention should be paid to the nature, scope, purpose, necessity and legal basis of the use of the data.
2.7 Data minimization, data avoidance, anonymization and aliasing
a) Personal data must be appropriate, relevant and not excessive in relation to the use of the data for a specific purpose (data minimization). Data should only be processed within a given application when necessary (data processing).
b) Where possible and economically reasonable, procedures must be used to delete the identifying elements of the data subjects (anonymization) or to replace the identifying elements with other characteristics (aliasing).
3. Transfer of personal data
3.1 Nature and purpose of the transfer of personal data
a) Personal data may only be transferred if the receiving party assumes responsibility for the data received (transmission) or if the recipient uses the data only in accordance with the instructions and requirements of the transferring party (data processing contract in charge).
b) Personal data will be transferred only for the purposes permitted pursuant to (3.2) of these Binding Corporate Privacy Regulations in the context of corporate activities or legal obligations, or with the prior consent of the interested parties.
3.2 Data transmission
a) If a company transmits data to bodies located in a third country or which transfer data across national borders, steps must be taken to ensure that such data is transmitted correctly. Appropriate requirements regarding confidentiality and data security must be agreed with the recipient before data is transmitted. Furthermore, personal data, in particular data collected in the EU or the EEA, will only be transmitted to controllers outside the European Union if the appropriate level of data confidentiality has been ensured using these Binding Corporate Rules Privacy or other appropriate measures, such as EU standard contractual clauses or individual contractual agreements that meet the relevant requirements of European and national law.
b) On the basis of the Company's requirements and generally recognized technical and organizational standards, adequate technical and organizational measures must be adopted to guarantee the security of personal data, including during their transmission to third parties.
3.3 Data processing commissioned
a) When a company (client) engages a third party (contractor) to provide services on its behalf according to its instructions, then, in addition to a service contract including the work to be performed, the contract must also refer to the contractor's obligations as subject in charge of data processing. These obligations establish the customer's instructions regarding the type and methods of processing personal data, the purposes of the processing and the technical and organizational measures necessary for data protection.
b) The contractor will not use the personal data (entrusted to him for the execution of the order) for its own or third party processing purposes without the prior consent of the customer. The contractor will inform the client in advance of any plans to subcontract work to other third parties in order to fulfill its contractual obligations. The customer has the right to object to such use of subcontractors. Where subcontractors are used as permitted, the contractor obliges them to comply with the requirements of the agreements concluded between the contractor and the client.
c) Subcontractors will be selected on the basis of their ability to meet the above requirements.
4. Data quality and security
4.1 Data quality
a) Personal data must be correct and, if necessary, updated (data quality).
b) In light of the purpose for which the data are used, appropriate measures are taken to ensure that incorrect or incomplete information is deleted, blocked or, if necessary, corrected.
4.2 Data security - Technical and organizational measures
The company adopts appropriate technical and organizational measures for business processes, IT systems and platforms used to collect, process or use data in order to protect this data.
These measures include:
a) Prevent the access of unauthorized persons to the data processing systems on which the personal data are processed or used (admission control);
b) Ensure that data processing systems cannot be used by unauthorized persons (control denial of use);
c) Ensure that persons authorized to use a data processing system can only access data to which they have authorized access and that personal data cannot, during processing or use or after registration, be read, copied, altered or removed by unauthorized persons (data access control);
d) Ensure that, in the course of electronic transmission or during its transport or recording on IT support, personal data cannot be read, copied, altered or removed by unauthorized persons, and that it is possible to control and identify the data processors to which data is to be transmitted by data transmission equipment (data transmission control);
e) Ensure that it is possible to review and establish retroactively whether and by whom personal data has been entered into data processing systems, altered or removed (data entry control);
f) Ensure that outsourced personal data can only be processed in accordance with the customer's instructions (contractor control);
g) Ensure that personal data are protected against accidental destruction or loss (availability check);
h) Ensure that data collected for different purposes can be treated separately (separation rule).
5. Rights of interested parties
5.1 Right to information
1. The interested party has the right at any time to contact any company that uses his data and to request the following information:
a) personal data concerning them, including origin and recipient(s);
b) the purpose of use;
c) the subjects and managers to whom the data are regularly communicated, in particular if the data are transmitted abroad;
d) the provisions of these Binding Corporate Privacy Regulations.
2. Relevant information must be made available to the applicant in an understandable form within a reasonable period of time. This is generally done in writing or electronically. Providing a hard copy of these Binding Corporate Privacy Rules is sufficient as a means of communicating information about their requirements.
Where permitted by relevant national law, a company may charge a fee for providing the relevant information.
5.2 Right to protest, right to cancel or block data and right to correction
1. The interested party may object to the use of their data at any time if such data are used for non-legally binding purposes.
2. This right of protest also applies if the interested party has previously consented to the processing of their data.
3. Legitimate requests for deletion or blocking of data are promptly met. Such requests are legitimate in particular when the legal basis for the use of the data is no longer valid. If a data subject has the right to have the data deleted, but the deletion of the data is not possible or unreasonable, the data is protected against unauthorized use by blocking. The statutory retention periods must be observed.
4. The interested party may at any time request the company to correct the personal data in his possession if such data are incomplete and / or incorrect.
5. For business models in which withdrawal or cancellation determines a non-fulfillment of the obligations coThe interested party is informed.
5.3 Right to clarifications, comments and remedies
1. If an interested party claims that their rights have been violated by the unlawful use of their data, in particular by providing evidence of a verifiable violation of these Binding Corporate Privacy Regulations, the responsible companies will clarify the facts without intentional delay. For data transferred or transmitted to companies outside the European Union, in particular, the company based in the European Union must clarify the facts and provide proof that the receiving party has not violated the requirements of these Binding Corporate Privacy Regulations or is liable for any damage caused. The companies will work closely together to clarify the facts and give each other access to all the information they need to do so.
2. The interested party may at any time lodge a complaint with Edotta shpk if he suspects that Edotta shpk is not processing his personal data in accordance with the legal requirements or with the provisions of these binding corporate privacy regulations. The reasoned complaint must be dealt with within an appropriate period and the interested party informed accordingly.
3. If the complaint concerns several companies, the Data Protection Officer of the company most aware of the subject shall coordinate all relevant correspondence with the data subject.
4. Appropriate channels must be in place to report data privacy incidents (such as a special purpose email account provided by Data Privacy, Legal Affairs and Compliance or a direct contact that can be contacted online).
5. The Data Protection Officer of the company concerned shall inform without delay of the data protection incident using the relevant reporting processes.
6. Data subjects may file a complaint under these Binding Corporate Privacy Regulations if their rights have been violated or if they have suffered a loss.
5.4 Right of application and complaint
Each data subject has the right at any time to contact the Data Protection Officer of the company using his personal data with questions and complaints relating to the application of these Binding Corporate Privacy Rules. The company that is most familiar with the object or the company that collected the data of the data subject ensures that the rights of the data subject are correctly respected by the other responsible companies.
5.5 Exercise of data subjects' rights
Data subjects must not be at a disadvantage because they have made use of these rights. The form of communication with the data subject - for example by telephone, electronically or in writing - should comply with the data subject's request, where appropriate.
5.6 Hard copy of the Binding Corporate Privacy Regulations
A hard copy of these Binding Corporate Privacy Rules will be provided to anyone upon request only.
6. Data Protection Organization
6.1 Responsibility for data processing
6.2 Data Protection Officer
1. The company appoints a Data Privacy Officer, whose task is to ensure that the individual organizational units of this company are informed about the statutory and internal requirements of the company/group regarding data confidentiality and, in particular, about these Binding Corporate Regulations Privacy. The Data Protection Officer takes appropriate measures, in particular random inspections, to monitor compliance with data protection legislation.
2. The company ensures that the Data Protection Officer possesses the necessary skills to assess the legal, technical and organizational aspects of the data protection measures.
3. The company makes available to the Data Protection Officer the financial and personnel resources necessary for the performance of his/her duties.
4. The Data Protection Officer has the right to report directly to the company management, and is organizationally connected to the company management.
5. The data protection officer of each company is responsible for implementing the requirements of Edotta shpk's data protection strategy.
6. All departments of each company are obliged to inform the Data Protection Officer of their company of any developments in the IT infrastructure, network infrastructure, business models, products, the processing of personnel data and related strategic plans. The data protection officer must be informed promptly of new developments in order to ensure that any data protection issue can be considered and evaluated.
6.3 Employee commitment and training
1. Companies oblige their employees to keep data and telecommunications secrecy at the latest at the beginning of the employment relationship. Employees must receive sufficient data privacy training as part of this commitment. The company must initiate appropriate processes and provide resources for this purpose.
2. Employees must receive data privacy training regularly, or at least every two years. Companies have the right to develop and manage dedicated training courses for their employees. The data protection officer of each company documents the provision of these training courses and reports on an annual basis.
3. Edotta shpk's data protection officer may centrally make available resources and processes to oblige and train Edotta shpk employees.
6.4 Collaboration with the Supervisory Authorities
1. The companies undertake to collaborate, on a fiduciary basis, with the supervisory authority entrusted to them or with the company transmitting the data, in particular, to answer questions and follow recommendations.
2. In the event of a change in the legislation applicable to a company that may have substantial prejudicial effects on the guarantees provided for by this Binding Corporate Privacy Regulation, the company concerned communicates the change to the competent supervisory authority.
6.5 Contacts responsible for requests
Edotta shpk's data protection officer can be contacted at:
E-Mail: firstname.lastname@example.org during normal business hours (Central European Time).
7.1 Scope of the Liability Regulations
1. The Binding Corporate Rules apply exclusively to the processing of personal data collected in the Albanian Law no. 9887, of 10.03.2008 on the Protection of Personal Data and EU/EEA, which falls within the scope of the EU Directive on Data Protection 95/46/EC.
2. Within the EU/EEA, the legal liability provisions of the country in which a company is established apply. For data that is not subject to Section (1), Paragraph 8.1, of the BCRP, the provisions on the legal liability of the country in which the respective company that collected the data has its registered office apply, or, if there are no existing legal provisions, the terms and conditions of the company that collected the data apply.
3. Compensation for exemplary damage, where a company has to make payments to an interested party in excess of the damage itself, is explicitly excluded pursuant to Albanian law no. 9887, of 10.03.2008 on the protection of personal data.
1. Anyone who has suffered damage as a result of the violation of one or more of the obligations provided for by the Binding Corporate Privacy Regulations by Edotta shpk or data recipients to whom Edotta shpk has transferred or transmitted data, has the right to request the compensation for damages corresponding to Edotta shpk.
2. The interested party also has the right to compensation for damage from the company Edotta shpk.
3. The interested party must initially request compensation for damages from the company that transferred or transmitted the data. If the transferring company is not responsible in law or in fact, the interested party has the right to seek compensation from the receiving company. The beneficiary company will not be able to withdraw from liability by appealing to the liability of a contractor in the event of a breach.
4. The interested party has the right to lodge a complaint at any time with the competent supervisory authority or the competent supervisory authority for Edotta shpk.
7.3 Third Party Benefits for Data Subjects
If the interested party has no direct rights, he/she will have the right, as a third party beneficiary, to assert claims against companies that have violated their contractual duties, on the basis of the provisions of these Binding Corporate Privacy Regulations.
At the discretion of the individual, the place of jurisdiction to enforce liability claims may be:
a) The Albanian courts.
8. Final provisions
8.1 Review and amendment of these Binding Corporate Rules Privacy
2. Any significant changes to these Binding Corporate Privacy Regulations that become necessary, for example, following adjustments made to adapt them to legal requirements, must be agreed with the supervisory authority. These changes will apply directly to all companies that have signed the Binding Corporate Rules Privacy after an appropriate transition period.
3. The Privacy Manager informs all companies that have introduced the Binding Corporate Privacy Rules of the modified content.
8.2 Procedural law / Severability clause
These Binding Corporate Rules Privacy are subject to the procedural law of the Republic of Albania in the event of disputes. If individual provisions of these Binding Corporate Privacy Rules are or become null and void, they will be deemed to have been superseded by provisions that come closest to the original intentions of these Binding Corporate Privacy Rules and the void provisions. In case of doubt, in these cases or in the absence of relevant provisions, the applicable data protection regulations of the European Union apply.
The company makes information on the rights of data subjects and the third party utility clause available to the public in an appropriate format, such as in the data protection notes on the Internet. This information will be published as soon as these Binding Corporate Privacy Rules become binding on a company.