Notification regarding the
protection of personal data

1. General Information

• Introduction

  On the 25th of May, 2018, the European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data (the “Regulation”) becomes applicable.

  Its main purpose is to increase the level of protection of personal data and to create a climate of trust that allows each person control over their own data.

  Thus, we consider it a good time to inform you on how we protect your personal data and how we appropriate the provisions of the Regulation.

  The following notification on data protection is designed to inform you about the processing of your personal data and about your rights.

  Regarding this processing in accordance with the General Data Protection Regulation (“GDPR”) and the local legislation in force.

• Operator

  We, the Company Grapefruit SRL with headquarters in Iași Municipality, str. Vasile Pogor nr. 6, mansardă, Iași County, are the Operator, according to the GDPR and, thus, are responsible for the processing of the data described below. For questions or requests regarding data processing, please contact our data protection officer, whose contact details can be found below.

  The collection of this data is done only with your consent.

  Your refusal determines the impossibility of the operator (Grapefruit SRL) to conclude the contract for services / sale of products, to send information or ordered products, because the company lacks one of the essential conditions, respectively the identity of the parties.

• Personal data

  Grapefruit SRL processes the following personal data:

  • Surname and forename, home address and e-mail address;

  • Data from the identity card, Personal Identification Number, telephone number, the company you represent.

  • Profile from online social media;

  • The information you provide about your preferences;

  • Information about your use of our website;

  • The communications you carry with us or that you direct towards us through letters, emails, SMS, chat services, calls and social networks;

  • Information about your computer and the visits and use of this website, including your IP address, geographic location, browser type, reference source, duration of the visit and the number of page views, if you opened emails from us, if you accessed links from our emails;

  • Details about why you decided to sign up on the website/ answer the questionnaire;

  • Details about topics / areas of interest to you, answers to our questionnaires;

  • Information about the services you use to communicate with others or any communication preferences you have provided to us.

2. Information on processing

• Types of data processing

  “Processing” means any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, transmission by transmission, dissemination or making available in any other way, alignment or combination, restriction, deletion or destruction.

• Principles of personal data processing

  Grapefruit SRL undertakes to respect the principles of personal data protection (hereinafter referred to as “the Principles”) provided by the GDPR, to ensure that all data is:

  1. Processed in a fair, legal and transparent manner;

  2. Collected for specified, explicit and legitimate purposes;

  3. Appropriate, relevant and limited in relation to the purposes for which they are processed;

  4. Correct and updated;

  5. Stored in a form that does not allow the identification of the data subjects for a longer time than is necessary in relation to the purpose of the processing;

  6. Processed in accordance with the rights of the data subject, in a manner that ensures adequate security of processing, so that the data is complete, confidential and available.

• Purpose and ground for the processing of data

  1. Registration of users. We will process the personal data collected through the registration form on the website www.grapefruit.ro through which you create an account or subscribe to a newsletter, for better and easier administration. This processing is based on Art. 6 paragraph thesis 1 letter b) of the GDPR.

  2. User interaction, analysis and profiling.

     1. You give us your prior consent to use your personal data in order to:

        • receive a newsletter through which we offer you news, future campaigns, invitations to various events, information, marketing messages or articles that may also contain commercial offers;

        • communications to you: we use your data to manage our relationship with you as a user and to improve our services and your experience with us;

        • improve the experience of the clients on our web site and to identify the preferences and\or your behaviour, inclusively through automatic processes, that do not suppose human intervention. We will always take account of your options.

        You can unsubscribe from such types of information. You have the right not to consent or to oppose regarding the commercial or direct marketing activities, including the creation of a profile for the purpose of such activities. Your personal data will be deleted when you unsubscribe from the Newsletter section. You can unsubscribe at any time by means of the link attached to the received communications or by a written request addressed to dpo@grapefruit.ro.

        We can provide you with our information by email. This processing is legitimately based on Art. 6 par. 1 thesis 1 letter a) GDPR.

     2. Data analysis and user profiling. These include market research, users opinion surveys, user analysis, user segmentation and user profile realizing, in order to define the behaviour of the browsing and user activity. It is possible to ask you for feedback regarding our information of Newsletter type and to communicate it to specific members of our staff in order to improve the services. We can also use notes from the conversations that we have with you online, by phone or face to face, in order to customize the information and services that we offer you. For these purposes we will contact you by e-mail, SMS or by phone. For the purposes mentioned above, your data will be stored in our data basis and will be enriched with data that we collect from public sources. It is necessary to follow our legitimate interests in order to improve our services and user relationships, which represent a key factor for our success in business. The collected and stored data helps us to find out more about your interests and needs. This allows us to take them into consideration and to act in consequence, that means through customized communication. This process is based on the Art. 6, paragraph thesis 1 letter f) from GDPR.

     3. Improvement and development of services: The analysis on how you use our services helps us to understand you better and shows us what we can improve. For instance: we analyze your purchase history data to provide you with information or tips on how to best use our services, we analyze the results of our marketing activities to measure their effectiveness and the relevance of our campaigns. This processing is legitimately based on Art. 6 par. 1, letter a) of the GDPR.

     4. Fulfillment of legal obligations. Personal data may be processed for the purpose of fulfilling some legal obligations. We use your payment information for accounting, billing and auditing purposes and to detect and / or prevent any fraudulent activity, if it’s the case. This processing is legitimately based on Art. 6, par. 1, letter c) from the GDPR.

     5. In order to recruit people interested in vacancies. On the website www.grapefruit.ro we periodically display the available vacancies. Interested persons are asked to send a CV to the email address shown for recruitment. The candidate’s data will be processed both within the recruitment process, for the accessed position, as well as for future vacant positions. If the CV is selected for the next stage, the candidate will be asked to sign a confidentiality agreement before the examination. References from the previous employers of the candidates can become relevant during the recruitment process. If we need these, we will contact the candidate to request his/her agreement to obtain them on his/her behalf. If the candidate does not express his/her consent in this regard, he/she will need to obtain these references himself, if he wishes to continue the recruitment process. The candidate has the option to request the deletion of personal data. In the event that Grapefruit SRL will receive CVs or requests for employment on channels other than the website indicated above, it will keep this data until it is requested to delete the data. This processing is based on Art. 6, paragraph thesis 1, letter b) of the GDPR.

• Beneficiaries of the data

  To achieve the goals mentioned above in points 2 letter c) we use service providers, respectively empowered according to art. 28 of the GDPR, for example, our hosting, platform, and maintenance service providers, for sending emails and SMS, telephone contact or printing of personalized advertising materials, external consultants, all of them being in Romania or outside it or the European Union / European Economic Area.

  We ensure, for instance, by contractual regulations, that these service providers process personal data in accordance with the European data protection law, in order to guarantee a high level of data protection, (for example, standard contractual clauses, the existence of compulsory corporate rules, etc.) even if the personal data is transferred to a country where another level of data protection is commonly used and for which there is no decision of adequacy adopted by the EU Commission.

  No other transfers of personal data to other recipients are made unless we have this obligation by law. For more information on the proper protection of international data transfer or their copy, please contact our data protection officer by e-mail at dpo@grapefruit.ro.

• Mandatory / Voluntary Provision of Data and Duration of Preservation

  1. The provision of the following data is necessary in order to conclude the contract with you / registration or to contact you for the purposes shown above:

     • Surname and forename, residence address and email address

     If you do not formulate some of the requested data we will not be able to conclude a contract with you, you will not be able to open an account on the website and you will not be able to purchase the products from the Grapefruit SRL website.

  2. In the case of the recruitment process it is necessary to provide the following data:

     • Surname and forename, residence address, data from your identity card, Personal Identification Number, phone number, email address and the company you are working/worked at.

  3. The provision of the other data is optional and this data is not a legal or contractual requirement or a necessary requirement to conclude a contract. If you do not provide us with this personal data, this will have no other consequences for you.

  4. We collect personal data:

     1. Directly from you when you register on the site or place an order.

     2. When provided indirectly: Your information may be distributed to us by services that already have access to your data (for instance Facebook). Certain data may be made available, including to partner websites.

     3. When you visit our website: we use cookies to identify you when you visit our site and to allow us to personalize your online experience (for example, your login details, information you are interested in, etc.). www.grapefruit.rodoes not send spam messages. We send emails only to those who have registered to the list of subscribers and we respect the decision of those who want to unsubscribe.

     4. From other sources when you become our customer or when you use our products and services.

     Only children at least 16 years of age can give their consent. For children under this age, the consent of the parents or legal guardians of the children is required.

  5. Period of the data storage

     Grapefruit SRL stores your personal data for as long as processing is required and until you ask us to delete them. We will respond to these requests, subject to the preservation of certain information including after closing the account, in situations where applicable law or our legitimate interests require it.

     When we no longer need your personal data, we will securely delete or destroy it. We will also consider whether and how we can minimize the amount of personal data we use over time and whether we can ensure the anonymity of your personal data so that they will no longer be associated with you or identify you, in which case we may use that information without further notice.

3. Your rights

You can contact the company for exercising the rights provided by Regulation no. 2016/679 at the following contact details:

Grapefruit SRL with headquarters in Iași Municipality, str. Vasile Pogor nr. 6, mansardă, Iași County. E-Mail: dpo@grapefruit.ro

In order to obtain official interpretations related to the exercise of the rights deriving from the legislation regarding the protection of personal data or to express your dissatisfaction with the way in which Grapefruit SRL ensures the processing of personal data, you can contact the National Supervisory Authority for Personal Data Processing at the following contact details: (i) by post or courier at the address in Bucharest, Bulevard General Gheorghe Magheru no. 28-30, sector 1, postal code 010336, (ii) by electronic mail to: anspdcp@dataprotection.ro, (iii) by fax to no. 0318.059.602 or (iv) at phone number 0318.059.211.

According to the GDPR these rights are the following:

1. The right to receive information on the data processing and a copy of the processed data (the right of access, Article 15 GDPR).

2. The right to request the rectification of inaccurate data or the completion of incomplete data (right of access, art. 16 GDPR).

3. The right to request the deletion of personal data (the right to be “forgotten”) and, if the personal data has been made public, to transmit the information regarding the request for deletion to other operators (the right to deletion, article 17 GDPR).

4. The right to request the restriction of data processing (right to restriction of processing, article 18 GDPR) – you can request the restriction of processing if you dispute the accuracy of the data, as well as in other cases provided by law.

5. The right to receive personal data regarding the data subject in a structured, commonly used and readable in a mechanical manner format and to request the transmission of this data to another operator (right to data portability, article 20 GDPR).

6. The right to oppose data processing with the intention of ceasing the processing – you can oppose, in particular, to the data processing based on our legitimate interest, (right to object, article 21 GDPR).

7. The right to withdraw at any time a given consent in order to stop a processing of the data that is based on your consent. The withdrawal will not affect the legality of the processing based on the consent granted before the withdrawal (the right of withdrawal of the consent, article 7 GDPR).

8. The right to file a complaint with a supervisory authority if you consider that data processing is a violation of the GDPR (the right to file a complaint with a supervisory authority, Article 77 GDPR).

9. Additional rights related to automatic decisions: you can request and get human intervention on the respective processing, you can express your own point of view on it and you can challenge the decision.

4. Security of processing

Grapefruit SRL has adopted technical and organizational data processing measures, updated in accordance with the GDPR requirements, in order to protect your personal data against any unauthorized access action, misuse or transmission, unauthorized modification, destruction or accidental loss. All our employees and collaborators, as well as any third parties acting on behalf and in the name of Grapefruit SRL, are obliged to respect the confidentiality of your information and the requirements of the GDPR, in accordance with the provisions of this Policy.

We make sure that we impose on our contractual partners who have access to the personal data we process the contractual obligations in accordance with the legal provisions and that we verify their compliance with the obligations they have undertaken. They will process the personal data on our behalf and for us, only in accordance with the instructions received from it and only in compliance with the security and confidentiality requirements within the limits imposed.

5. Processing of personal data in partnership

Some of the personal data processed through the website www.grapefruit.ro may be transferred to third parties and you express your express consent to do so, as well as in cases where there is a legal obligation for Grapefruit SRL to proceed in this way.

The website www.grapefruit.ro may contain, at one point, links to other sites whose data processing policies may differ from those of www.grapefruit.ro.

Please consider and consult the policies regarding the protection of personal data of the other sites, www.grapefruit.ro cannot assume responsibility.

6. Liability disclaimer

The site www.grapefruit.ro may contain links to other sites and/or other websites that are not the property of Grapefruit SRL. Grapefruit SRL assumes no responsibility for the content of these sites and therefore will not be held responsible for the content, advertising, goods, services, software, information or other materials available on or through these websites. Grapefruit SRL will not be responsible for the loss of personal data, for any negative effects on the personal data of the visitors or for other moral and/or patrimonial damages caused by the access to the respective sites.

7. Automatic processing of Cookie data

The website www.grapefruit.ro uses Cookie identifiers. Below is our Cookie Policy and you can exercise your right to disable Cookies: This policy refers to the use of cookies on the website www.grapefruit.ro operated by Grapefruit SRL.

• What are cookies?

  The cookie is a small file, consisting of letters and numbers, which will be stored on the computer, mobile terminal or other equipment of a user accessing the Internet. The cookie is installed by the request issued by a web-server to a browser and is completely “passive” (it does not contain software, viruses or spyware and cannot access the information on the user’s hard drive).

• What are cookies used for?

  These files make it possible to recognize the user’s terminal and present the content in a relevant way, tailored to the user’s preferences. Cookies provide users with a pleasant browsing experience and support our efforts to provide user-friendly services (for instance: online privacy preferences, shopping cart or relevant advertising) or are used in the preparation of aggregate anonymous statistics that help us understand how a user interacts with our web page, allowing us to improve the structure and content, excluding the user’s personal identification.

• What Cookies do we use?

  We use two types of cookies: temporary (limited per session) and persistent.

  Temporary cookies are stored until the site or browser is closed and persistent cookies are files that remain on the user’s terminal for an unlimited period of time until they are manually deleted by the user.

• How are cookies used by www.grapefruit.ro?

  Grapefruit SRL uses cookies for the following purposes:

  • Site performance cookies, load-balancing

  • Cookies for visitor analysis, registration, marketing, geo-targeting

  • Third party cookies of various providers of marketing services or other types

• Security and privacy issues

  Cookies are NOT viruses! They use plain text formats. They are not made up of pieces of code, so they cannot be executed nor can they self-run. Consequently, they cannot be duplicated or replicated on other networks in order to run or replicate again. Because they cannot perform these functions, they cannot be considered viruses.

  However, cookies can be used for negative purposes. Because they store information about users’ browsing preferences and browsing history, both on a particular site and on several other sites, cookies can be used as a form of Spyware. Generally, browsers have integrated privacy settings that provide different levels of cookie acceptance, validity period and automatic deletion after the user has visited a particular site.

• Deletion of cookies

  In general, an application used to access web pages allows the cookies to be saved on the terminal by default. These settings can be changed so that the automatic administration of cookies is blocked by the web browser, or the user is informed whenever Cookies are sent to his/her terminal. Detailed information about the possibilities and ways of managing cookies can be found in the settings area of the application (web browser). Limiting the use of cookies may affect certain functionalities of the web page.

• Details about the cookies used

  The necessary cookies help to make a site usable by enabling basic functions, such as page navigation and access to secure areas on the site. The site cannot function properly without these cookies.

  Statistical cookies help site owners understand how visitors interact with sites by collecting and reporting information anonymously.

  Marketing cookies are used to track users from one site to another. The intention is to display relevant and engaging ads for individual users, thus they are more valuable to advertisers and third parties dealing with advertising.

  Due to possible changes in the legislation, a modification of these data protection notifications may become necessary. In this case, we will inform you about such changes. To the extent that the changes affect a processing that is based on your consent, we will request a new consent from you, if necessary.

  By ticking the acceptance box you express your agreement for the processing of your personal data for the purposes presented above, meaning that we will also use your personal data to provide you with our information by email, SMS, letter, telephone, or fax.