In order to receive information about your Personal Data, the purposes and the parties the Data is shared with, contact the Owner.
Owner and Data Controller
SC Extrome SRL., Iasi, Romania
Owner contact email: firstname.lastname@example.org
Types of Data collected
The owner does not provide a list of Personal Data types collected.
Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using this Application.
Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.
Users are responsible for any third-party Personal Data obtained, published or shared through this Application and confirm that they have the third party’s consent to provide the Data to the Owner.
Mode and place of processing the Data
Methods of processing
The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of this Application (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Owner at any time.
Legal basis of processing
The Owner may process Personal Data relating to Users if one of the following applies:
- Users have given their consent for one or more specific purposes. Note: Under some legislations the Owner may be allowed to process Personal Data until the User objects to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply, whenever the processing of Personal Data is subject to European data protection law;
- provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
- processing is necessary for compliance with a legal obligation to which the Owner is subject;
- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner;
- processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party.
In any case, the Owner will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
The Data is processed at the Owner’s operating offices and in any other places where the parties involved in the processing are located.
Depending on the User’s location, data transfers may involve transferring the User’s Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.
Users are also entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.
If any such transfer takes place, Users can find out more by checking the relevant sections of this document or inquire with the Owner using the information provided in the contact section.
Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.
- Personal Data collected for purposes related to the performance of a contract between the Owner and the User shall be retained until such contract has been fully performed.
- Personal Data collected for the purposes of the Owner’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding the legitimate interests pursued by the Owner within the relevant sections of this document or by contacting the Owner.
The Owner may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, the Owner may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
The rights of Users
Users may exercise certain rights regarding their Data processed by the Owner.
In particular, Users have the right to do the following:
- Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
- Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
- Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
- Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
- Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
- Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
- Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.
- Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.
Details about the right to object to processing
Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know, however, that should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.
Additional information about Data collection and processing
The User’s Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this Application or the related Services.
The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.
Additional information about User’s Personal Data
System logs and maintenance
For operation and maintenance purposes, this Application and any third-party services may collect files that record interaction with this Application (System logs) or use other Personal Data (such as the IP Address) for this purpose.
Information not contained in this policy
More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.
How “Do Not Track” requests are handled
This Application does not support “Do Not Track” requests.
To determine whether any of the third-party services it uses honor the “Do Not Track” requests, please read their privacy policies.
Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required.
Definitions and legal references
Personal Data (or Data)
Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.
Information collected automatically through this Application (or third-party services employed in this Application), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User’s IT environment.
The individual using this Application who, unless otherwise specified, coincides with the Data Subject.
The natural person to whom the Personal Data refers.
Data Processor (or Data Supervisor)
Data Controller (or Owner)
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.
The means by which the Personal Data of the User is collected and processed.
The service provided by this Application as described in the relative terms (if available) and on this site/application.
European Union (or EU)
Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.
This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).
Legal Requirements Overview
General Legal Requirements
In general, users need to be informed of:
- Website/app owner details
- Your notification process for policy changes
- What data is being collected
- Third-party access to their data (who the third-parties are and what data they’re collecting)
- Their rights in regards to their data.
You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.
Consent here refers to the informed voluntary agreement of an individual to engage in a particular event or process.
Broadly speaking, users need to be able to decline, withdraw or give (depending on the regional law) consent. Consent may be acquired using any method that would require the user to take a direct and verifiable affirmative action; these can include checkboxes, text fields, toggle buttons, sending an email in confirmation, etc.
Determining your law of reference
Generally, the laws of a particular region apply if:
- You base your operations there; or
- You use processing services or servers based in the region; or
- Your service targets users from that region
This effectively means that regional regulations may apply to your business whether it’s located in the region or not. For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which laws apply to you here.
In the US, there is no single comprehensive national body of data regulations; there are, however, various laws on a state level as well as industry guidelines and specific federal laws in place. Since online site/app activity is rarely limited to just one state, it’s always best to adhere to the strictest applicable regulations. With this in mind, the most robust data law framework is implemented by the state of California. The California Online Privacy Protection Act (CalOPPA), implemented in 2004, was the first state law to make privacy policies mandatory, and it applies to any person or company whose website/app processes the personal data of California residents.
In addition to the generally required disclosures above, CalOPPA also requires that you:
- Notify affected users in the occurrence of security breaches that impact their data
In regards to consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.
Special Care Regarding Children
If your service is knowingly collecting, using, or disclosing personal information from children under 13, then special regulations apply to those data processing activities.
Children’s Online Privacy Protection Act (COPPA) is a US federal law implemented to better protect the personal data and rights of children under 13 years of age. Under this law, if you operate a website or online service which is directed to children under 13, or you have actual knowledge that you’re collecting personal information from children under 13, you must give notice to parents and get their verifiable consent before collecting, using, or disclosing the information, and must keep the information collected secure. “Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. checking a form of government-issued ID against an applicable database).
What is meant by the “personal information” of children
“Personal information” within this context refers to the child’s:
- Name or ID information (e.g. social security number)
- Location info including physical address, geolocation data or IP address
- Any contact information including phone numbers and email addresses
- Device identifiers
- Media containing the child’s image or voice, including photos, videos or audio files
In the EU the General Data Protection Regulation (GDPR) was introduced in an effort to centralize data protection for people in the EU and becomes enforceable in May 2018. At its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general).
In general the GDPR requires that you:
Have a lawful basis. The GDPR requires that you have at least one lawful basis for processing user data. There are 6 lawful bases outlined under the GDPR.
Acquire verifiable consent. Under the GDPR, consent is one of several “lawful bases” for processing user data and as such, it must be “freely given, specific, informed and explicit”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).
The GDPR also gives users a specific right to withdraw consent and, therefore, it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you document and keep clear records related to the consent.
Records of consent should at least contain the following information:
- The identity of the user giving consent;
- When they consented;
- What disclosures were made (what they were told) at the time they consented;
- Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
- Whether they have withdrawn consent or not
Consent is not the ONLY reason that an organization can process user data; it is only one of the “Lawful Bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. With that said, there will always be data processing activities where consent is the only or best option.
Inform users in regards to data processing and honor their rights. Under the GDPR users have mandated rights that must be honored. These include:
- The right to be informed: In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy-to-understand and easily accessible throughout your website/ app.
- The right of access: Users have the right to access to their personal data and information about how their personal data is being processed.
- The right to rectification: Users have the right to have their personal data rectified if it is inaccurate or incomplete.
- The right to object: Under the GDPR, users have the right to object to certain activities in relation to their personal data.
- The right to data portability: Users have the right to obtain (in a machine readable format) and use their personal data for their own purposes.
- The right to erasure: When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
- The right to restrict processing: Users have the right to restrict the processing of their personal data in specific cases.
- Rights related to automated decision making and profiling: Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.
Meet specific requirements if transferring data outside of the EEA. The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions.
Implement privacy by design and default. Under the GDPR, data protection should be included from the onset of design and development of the business processes and infrastructure.
Disclose security breaches. Under the GDPR, you are required to inform the supervisory authority of security breaches involving user data within 72 hours of becoming aware of them. In most cases you’re also required to inform affected users (with a few exceptions).
Appoint a DPO (where certain conditions are met). Under the GDPR you may be required to appoint a Data Protection Officer in several specific cases, including situations where large-scale, systematic processing of user data occurs and where special categories of data are being processed.
Maintain records of processing activities (where certain conditions are met). The GDPR may require that you keep and maintain up-to-date records of the particular data processing activities you’re carrying out in several specific cases. These cases include situations where the processing can result in a risk to the rights and freedoms of individuals and where special categories of data are being processed.
Carry out a DPIA (where certain conditions are met). In cases where the data processing activity is likely to result in a high risk to users, the GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out.
You can read more about the GDPR here.
ePrivacy (Cookie Law)
Because using cookies means both processing user data and installing files that could be used for tracking, it is a major point of concern when it comes to user data privacy rights. The ePrivacy Directive (or Cookie Law) was implemented to address this concern.
The banner must:
- Briefly explain the purpose of the installation of cookies that the site uses
- Be sufficiently conspicuous so as to make it noticeable
- Describe in detail the purpose of installation of cookies
Blocking cookies before consent:
In compliance with the general principles of privacy legislation, which prevent the processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.
Consent to cookies can be provided by several actions. Subject to the local authority, these actions may include continued browsing, clicking on links or scrolling the page.
Exemptions to the consent requirement:
- Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.
- Statistical cookies managed directly by your organization (not third-parties), providing that the data is not used for profiling*
- Statistical (anonymized) third-party cookies (e.g. Google Analytics)*
* This exemption may not be applicable for all regions and is therefore subject to specific local regulations.
In future, the ePrivacy Directive will be replaced by the ePrivacy Regulation and as such, will work alongside the GDPR. The upcoming regulation is expected to still uphold the same values as the directive.
You can read more about The Cookie Law here.
Situational Legal Requirements
In addition to the disclosures and requirements outlined above (and subject to your law of reference), if operating an e-commerce website or app, you’re further subject to the applicable consumer rights laws and applicable industry rules.
Under most countries’ laws, when selling to consumers, you need to inform customers of the following:
- Returns/Refund details
- Warranty/ Guarantee information (where applicable)
- Safety information, including instructions for proper use (where applicable)
- Terms of delivery of product/ service
- Seller contact details (e.g. email address)
In the US, there is no one national law in regards to returns/refunds for purchases made online as in most cases, this is implemented on a state-by-state basis, however, under several state-laws, if no refund or return notice was made visible to consumers before purchase, consumers are automatically granted extended return/refund rights. In cases where the item purchased is defective, an implied warranty may apply in lieu of a written warranty. Written warranties should at least adhere to industry standards of fairness.
While e-commerce disclosure requirements remain largely enforceable on a state-by-state basis in the US, it is standard in many cases to include this information via the Terms and Conditions document; returns and refund disclosures, are often also included on dedicated site/ app content areas that are easily accessible from the product description page.
Under EU law, sellers must replace, repair, refund or reduce the price of purchases made on defective items.
Consumers also have an unconditional ‘right to withdraw‘ (“cooling off period”) for up to 14 days. This means that consumers may cancel or withdraw from distance contract (sales occurring online, over the phone, mail order, from a door-to-door salesperson) for any reason for up to 14 days after receiving the product (in the cases involving goods) or after signing and paying (in cases involving services).
It’s worth noting that 14 days is the minimum; in specific countries, national rules may extend this period.
This right to withdraw does not apply in all situations. Some exemptions are:
- Event and travel tickets & car rental reservations
- Sealed media items such as CDs which have been unsealed by the recipient.
- Digital content that has already been downloaded by the consumer
- Made to order or distinctly personalized items (e.g. personalized crafted jewelry box)
- Goods bought from a private individual rather than a company
- Services where contract conclusion coincides with service completion (e.g. hiring a mechanic to do an urgent onsite repair)
Consumers located in the EU are also protected by a default legal 2-year guarantee on items purchased, at no additional cost to the consumer. It’s worth noting that the 2-year guarantee is the minimum; in specific countries, national rules may extend this period. These rules usually apply to any company selling to EU residents but may vary for international sellers on a case-by-case basis. It is worth noting, however, that in recent cases US courts have chosen to uphold the applicable EU law.
EU law also mandatorily requires that sellers inform consumers of the European Online Dispute Resolution (ODR) platform via a direct link. The ODR, or “online dispute resolution”, is a process that allows consumers based in the EU to easily file complaints (in regards to online sales) against companies also established in the EU. This means that ODR requirements can also apply to US companies that have any kind of physical presence in the EU.
E-commerce disclosure requirements in the EU may fall under one or a combination of national laws, standard contract requirements and EU directives. In regards to the latter, online merchants are required to disclose:
- The technical steps involved in placing an order in a “clear, comprehensible and unambiguous manner”
- The terms and conditions under which the sale process is concluded
While these rules typically do not apply to sales between private individuals, it is strongly advised that you read the relevant regional consumer rights laws.
Emails and Newsletters
Most laws require that you inform users about your data processing activities (typically done via a privacy notice) and – depending on the region – that you obtain user consent and/or provide an easy way for them to withdraw consent.
Generally, these laws apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list as in such a case, you may not know the recipient’s country of residence. For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
As newsletter sign-up forms are data collection tools, under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
You can read more about legal requirements regarding Newsletters and Email lists here.
Under EU GDPR regulations, consent is one of the Lawful Bases for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service.
Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13 must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.
You can learn more about legal requirements regarding children here.
Other Legal Considerations
Setting Terms and protecting your business
The T&C document is essentially a legally binding agreement; therefore not only is it important to have one in place, but it’s also necessary to ensure that it meets legal requirements. Generally, standard contract terms will apply and, under most laws, contracts used by traders must be fair. This means that the document must be up-to-date with all applicable regulations, precise, visible and easily understandable so that users can both easily see it and agree to it. The “agreeing action” should be done in an unambiguous way (e.g. clicking a checkbox with a visible link to the document before being able to create an account or use the service).
While the full content may vary based on the particulars of your business, the Terms and Conditions should at least include the following:
- Identification of the business.
- Description of the service that your site/ app provides.
- Information on risk allocation, liability, and disclaimers.
- Warranty/ Guarantee information (where applicable)
- Safety information, including instructions for proper use (where applicable)
- Terms of delivery of product/ service
- Rights of use (if applicable)
- Conditions of use/ purchase (e.g. age requirements, location-based restrictions)
- Refund policy/ exchange/ termination of service and related info
- Info related to methods of payment
- Any additional applicable terms
You can learn more about Terms and Conditions here.
Another example is that of Amazon. Here’s an excerpt of what they had to say:
We extended the requirement to disclose our affiliate relationship to any means where you may be leveraging Associates’ content.
From time to time third party requirements can change in response to internal or regional regulations. It is, therefore, necessary to ensure that your policies meet the latest requirements in order to avoid potential penalties or interruption of service.
Consequences of non-compliance
The legal ramifications of non-compliance include:
Non-compliance with CalOPPA or COPPA may lead to government officials bringing suit or seeking civil penalties against you. In one example, the owners of the Imbee website were fined US$130,000 for COPPA violations of allowing children under 13 to register without parental consent. Similar fines can apply under other state and federal laws.
Non-compliance with GDPR requirements can carry fines up to EUR 20 million (€20m) or 4% annual worldwide turnover (whichever is greater).
Sanctions & Audits
Potential sanctions may be implemented against organizations found to be in violation of regulations. These sanctions include official reprimands (for first-time violations) and periodic data protection audits. The GDPR gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations. So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of the data that is the subject of the inquiry. This means that if the violation was in regards to email address collection, you risk being barred from using the entire associated email list.
Both the GDPR and CalOPPA give individual users the right to compensation for any damages resulting from an organization’s non-compliance with regulations. This means that violating regulations can leave you open to potential litigation.
Loss of Services
Here is an example from Amazon Web Services Partner Network’s Terms and Conditions in regards to consent:
For any Third-Party Data you provide to AWS, you represent and warrant that you have received all necessary consents for (a) you to share the Third Party Data with AWS and its Affiliates, and (b) AWS and its Affiliates to use the Third-Party Data to contact its subject(s) to market our goods and services and the Program.