1. Identity and contact details of the data controller

Personal data are processed by EUROEXPO FAIRS SRL, headquartered in BUCHAREST, Sector 1, Bvd. Expoziției no. 7, Trade Registry no. J40/8828/2014, VAT no. 33423058, email: info@euroexpo.ro, phone: +40 21 321 6030, in accordance with EU Regulation no. 679/2016 on the protection of personal data (GDPR) and Law no. 190/18.07.2018 regarding the measures for implementing the GDPR in Romania.

2. Contact details of the Data Protection Officer (DPO)

Although the legislation governing data processing does not require the appointment of a Data Protection Officer for the types of data and the processing methods we use, we have designated a person to fulfil this responsibility in order to ensure the right to privacy of all natural persons who benefit, have benefited, or will benefit from our services. Thus, the processing of personal data is carried out under the coordination of a Data Protection Officer. Any request regarding your rights related to the processing of personal data may be addressed using the contact details listed under point 1, or directly to the DPO at data.protection@euroexpo.ro.

3. Categories of data subjects and types of data processed

The processing of personal data by EUROEXPO FAIRS SRL concerns the following categories of persons:

• EUROEXPO FAIRS SRL’s natural-person customers (current, former, or potential), visitors to events organized by us, the general public, and their legal or conventional representatives/agents;
• Business contacts/representatives/agents (business/contractual partners, exhibitors, co-exhibitors, organizers, co-organizers, suppliers, service providers, tenants, etc. — current, former or potential) as well as representatives of public institutions/authorities;
• Natural persons (including those under 16 years of age) who intend to participate, are participating, or have participated in activities or programs organized by EUROEXPO FAIRS SRL, as well as their parents and/or guardians.

Personal data of the above categories may be obtained directly from them, from messages (sent by phone, fax, or email) through which requests regarding our products and services are addressed to us. Such data may also be obtained during direct meetings between EUROEXPO FAIRS SRL representatives and potential beneficiaries of our activities, or from contact information made manifestly public by persons falling into any of the categories mentioned above. Subsequently, contact details may be supplemented with other identity-related information, such as home or residence addresses, workplace address, nationally used identification numbers, health data, as well as other special categories of data, depending on requirements imposed by commercial and financial law or by regulations governing activities carried out for the benefit of the individuals whose data we process.

Another method of obtaining data, specific to our activities, is the audio-video recording or photographing of certain moments during events organized by us or with our participation. Such processing is always visibly signalled so that persons who do not wish their personal data to be processed in this way may avoid the areas where such data are captured. Furthermore, for any additional processing of personal data obtained in this way, when they have not been made manifestly public by the data subjects (for example, by voluntarily participating in audio-photo-video recorded events), we will request the consent of the persons whose identity may be revealed through the photographs or audio-video recordings made.

Additionally, personal data that are anonymous (i.e., do not directly identify the natural persons concerned) may be automatically collected from users who access EUROEXPO FAIRS SRL’s websites or online services. Such data are used to optimize and tailor the content of online services according to the requirements and interests of those who access them.

Depending on legitimate interests or legal obligations arising from partnership relationships concluded with the data subjects, the types of personal data we process include:

• Anonymous web-traffic data: IP address, geolocation data, device type (desktop, tablet, smartphone), browser type, cookies;
• Identification data: first and last name, telephone or fax numbers, email address, home address, residence address, or delivery address for products or services;
• National identification numbers: Personal Numeric Code (CNP), ID series and number, driver’s license number, passport number, health insurance number;
• Special categories of data that allow the individualization of a natural person: biometric data enabling unique identification (photo, audio) or—strictly in connection with employment relationships—health data or criminal record data.

4. Purpose, duration, and legal basis of processing

With respect to persons who are not commercial partners or legal (contractual) beneficiaries of EUROEXPO FAIRS SRL’s activities, we process only contact data for the purpose of pursuing legitimate interests connected to these activities. Such interests may include processing for statistical purposes or direct marketing. The duration of such processing will match the period during which EUROEXPO FAIRS SRL maintains the same legal status as at the time the data were collected, or until the data subject exercises a right requiring the suspension of processing or the deletion of such data.

When a legally valid partnership arises between EUROEXPO FAIRS SRL and the data subjects, identification data required by the laws governing the contractual relationship will be added to the contact data. These data are processed for a period equal to the limitation period of the legal obligations assumed (as a rule, 3 years) or for the period imposed by law for certain categories of documents (for example, personnel files must be kept for 75 years).

5. Obligation to provide data

When you contact us directly (by email or phone) to obtain information, providing your data is not a legal or contractual obligation nor a requirement necessary for entering into a contract. However, please note that without these data we will be unable to send you information about EUROEXPO FAIRS SRL activities you have shown interest in at any point.

When a legally regulated partnership is established between you and EUROEXPO FAIRS SRL, it will be necessary to provide, in addition to contact data, the information required by the legal norms governing the activities we will carry out for your benefit; without such data we cannot supply the requested services or products.

6. Legitimate interests

The data you provide are processed in order to achieve EUROEXPO FAIRS SRL’s objectives regarding the activities it is authorized to carry out. These interests may include—but are not limited to—contacting partners to promote our services or products, transferring personal data to companies with which we have partnership relations when their activity requires access to such data, preventing fraud and the abusive use of our services and products, monitoring premises to ensure their physical security, protecting our IT systems, processing for historical, scientific and statistical purposes, and processing for research purposes (including marketing studies).

7. Security of processed personal data

EUROEXPO FAIRS SRL undertakes to apply all technical and organizational measures to ensure the protection of personal data processed through IT and communications systems and other electronic systems, as well as data processed in any other form, against threats and any actions that may affect the confidentiality, integrity, availability, and authenticity of the data and the non-repudiation of processing operations, as well as the functioning of IT systems—whether such incidents occur accidentally or intentionally.

8. Data disclosed to third parties

Personal data processed in activities involving natural persons will not be disclosed to any third party for use in purposes other than those for which they were collected.

Strictly with regard to the purposes for which personal data were collected, the personal data processed by EUROEXPO FAIRS SRL may be made available to intermediaries specialized in providing services connected or complementary to our activities (such as electronic payment services, courier services, accounting services, etc.). In addition, any disclosure of personal data to a third party will be made only on the basis of a legal commitment under which the legal entity empowered by EUROEXPO FAIRS SRL to process personal data undertakes to comply with the GDPR and the applicable domestic legal norms.

9. Transfer of data to a third country or an international organization outside the European Union

We do not transfer data to entities outside the EU unless the respective states are on the EU list of countries considered to ensure an adequate level of personal data protection, or only under the conditions described in Chapter V of the GDPR regarding transfers of personal data to third countries or international organizations. Thus, any transfer of personal data outside the EU will be carried out only after obtaining your consent, at which time we will inform you of the risks such transfers may involve due to the lack of an adequacy decision and of appropriate safeguards.

10. Rights of data subjects

For natural persons whose personal data are processed, EUROEXPO FAIRS SRL ensures the exercise of all rights provided under Articles 13–22 of the GDPR, as follows:

• Right to be informed and right of access. When personal data are collected—or within a maximum of 30 days if obtained indirectly—the data subject is informed about the identity and contact details of EUROEXPO FAIRS SRL, the DPO’s contact details (if applicable), the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, any intention to transfer the data to a third country or international organization (if applicable), the period for which the data will be stored or the criteria used to determine that period, the existence of automated decision-making including profiling, and, at least in such cases, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
• Right of access. Data subjects have the right to obtain from EUROEXPO FAIRS SRL confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to those data and to the information listed above.
• Right to rectification and erasure. Data subjects have the right to obtain from EUROEXPO FAIRS SRL without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, data subjects have the right to have incomplete personal data completed, including by means of providing a supplementary statement. They also have the right to obtain the erasure of personal data without undue delay where the grounds set out in Article 17(1) GDPR apply.
• Right to restriction of processing. Data subjects have the right to obtain the restriction of processing in the cases described in Article 18 GDPR.
• Right to object. Data subjects have the right to object, on grounds relating to their particular situation, to processing for marketing purposes, to profiling, or to being subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them.

With regard to the processing of anonymous data automatically collected when accessing our online services, you may object at any time to this type of processing by activating the privacy settings of your browser or by choosing applications that provide anonymous web-browsing features.

Regarding cookies, you may also use your browser’s settings to view, delete, or block the storage of such modules on your device. Please note, however, that many websites use cookies to optimize website content according to the preferences and settings you made upon your first visit. Thus, on subsequent visits, restoring those settings will no longer be necessary. By deleting or blocking cookies, each time you revisit a website you may be asked again to set certain display preferences. More details about cookies are provided in point 11.

• Right to data portability. Where personal data have been provided by a data subject in a structured, commonly used and machine-readable format for processing by EUROEXPO FAIRS SRL, the data subject has the right, in the cases provided by Article 20 GDPR, to transmit those data to another controller without hindrance from EUROEXPO FAIRS SRL.
• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to lodge a complaint with the National Supervisory Authority for the Processing of Personal Data (ANSPDCP) if you consider that your rights have been infringed by EUROEXPO FAIRS SRL. ANSPDCP can be contacted at +40 318 059 211, anspdcp@dataprotection.ro or via www.dataprotection.ro.
• If providing personal data constitutes a legal or contractual obligation or a requirement necessary for entering into a contract, data subjects have the right to be informed of the possible consequences of failure to provide such data.

You can exercise any of the rights listed above by sending a request using the contact details provided under point 1, or using the contact information available on the website http://www.euroexpo.ro/.

11. Cookies

What are cookies?
Cookies are small files saved on a user’s computer. They are designed to store a small amount of data specific to a particular visitor and the website accessed, and are accessible both to the person who owns the device where the cookies were automatically stored and to the website that transmitted the file. This type of processing allows the server to deliver a web page tailored to a particular user or even to transmit information from one visit to another to a similar site owned by the same party.

Are cookies enabled in my browser?
To check whether your browser is set to allow cookies, look in the browser’s settings under the section dedicated to privacy and security. There you will also find information on enabling or disabling cookies and deleting them. You can also view the content of these files.

What data are contained in a cookie?
Each cookie file is essentially a small table containing pairs of values (key, data)—for example (name, John) (surname, Smith). Once the cookie has been read by code on the server or client computer, the data can be retrieved and used to appropriately personalize the web page.

When are cookies created?
Writing data to a cookie usually occurs when information is transmitted to the website—for example, after clicking a “submit” button, the data-handling page might store values in a cookie. If the user has disabled cookies, the write operation will fail and subsequent visits that could retrieve information from cookies will either behave as for new visitors or will require the user to re-enter information that would otherwise have been stored in a cookie.

Why are cookies used?
Cookies provide a convenient way to associate information about the use of a site without requiring the storage of massive amounts of data for each visitor within the site itself. Moreover, storing data on the server without using cookies would require recognizing each user solely via authentication (username and password). Not least, using cookies reduces the amount of personal data processed within the operator’s own systems, since a cookie is stored on the device owned by the data subject.

What is the lifespan of a cookie?
A cookie’s expiry can be set when the cookie is created. By default, the cookie is “destroyed” when the browser window is closed, but it can be designed to persist for a period after the site has been accessed.

Who can access cookies?
When a cookie is created, its visibility can be controlled by setting the main domain of the site that uses it. The cookie will then be accessible to any site belonging to that domain. For example, the domain could be set to “maindomain.ro”, and the cookie would be available to sites at “maindomain.ro”, “xyz.maindomain.ro”, etc. This can be used to allow related pages to “communicate” with each other.

How secure are cookies?
There are many concerns regarding privacy and security on the internet. Cookies themselves do not pose a threat to privacy, as they can only be used to store information that the user has voluntarily provided or that the web server already has. Although it is possible for this information to be made available to certain third-party sites, this does not create risks beyond those specific to storing data in a central database. If you are concerned that information you provide to a web server will not be treated as confidential, you should consider whether you truly need to provide that information—or provide none at all.

What are tracking cookies?
Some commercial websites include embedded advertising served by a third-party site, and such ads may store a cookie for that third party. The cookie may store information such as the site name, certain products viewed, pages visited, etc. When the user later visits another site that contains a similar embedded ad from the same third party, the advertiser can read the cookie and use it to determine certain information about the user’s browsing history. This allows publishers to deliver targeted ads that are, in theory, more relevant to the user. However, many people consider such “tracking cookies” an invasion of privacy because they allow an advertiser to build user profiles without their consent or knowledge.