PRIVACY POLICY

The Objective of the Privacy Policy

Rompetrol Downstream SRL processes personal data in accordance with the provisions of the General Data Protection Regulation no. 679/2016 (“GDPR”) as well as with the applicable legislation on the protection of personal data. In this sense the present policy was drafted with the purpose and role to serve as a mean of information with regard to:

(i)        the activities of processing your personal data, thus performed by the Downstream SRL, as Personal Data Controller, in carrying out its activities;  

(ii)        the security of the data and the confidentiality of the processing of your personal data;

(iii)       your rights regarding personal data and how to exercise these rights.

The privacy policy may be modified from time to time, and Rompetrol will publish the updated version on this website each time. By frequently consulting this website you can make sure that you are permanently informed about the personal data processing activities undertaken by Rompetrol.

2.         Personal Data Operator:

The company Rompetrol Downstream SRL, which is part of the KMG International Group (hereinafter referred to as the "Company" or the "Controller") is a Personal Data Controller who is also the owner of this website, having the headquarter in Presei Libere Square, no. 3-5, City Gate Northen Tower, 2nd floor, District no. 1, Bucharest registered at the Trade Register Office under no. J40/1716/2000, UIC RO12751583.

Contact details of the companies part of the Rompetrol Downstream SRL can be found here.

3.       What categories of personal data we process, the purposes, the legal basis and the period for which your personal data are processed

Depending on the quality you have in relation to our company, Rompetrol as a Personal Data Operator processes certain personal data of yours for different purposes and legal basis, and keeps them for a certain period of time, as follows:

3.1.     Visitor of the website

We collect information from you as a visitor of our website by using cookies. This information includes: your IP address (anonymized), browser type, language settings, operating system, device type, domain name, domain host, date and time.

Please access the cookies policy here.  

3.2.     Gas stations’ clients/visitors  

3.2.1 Purposes of personal data processing

1. in relation to your purchase of LPG products, fuels and other specific products, ,as applicable, contracting and managing contracts concluded with you as client and/or user of “Fill & Go Personal” repectivly “Rompetrol Go+” card, in accordance with art. 6, para. 1, let. b) from GDPR, namely in order to conclude and execute a contract with the data subject.
2. for issuing invoices and managing their related collections, according to art. 6 para. 1, let. b) from the General Regulation on data protection;
3. in order to verify the creditworthiness and to approve the credit limit for Fill & Go Credit repectivly “Rompetrol Go+”  clients, according to art. 6, para. 1), let. f) and let. b) of the GDPR, respectively the legitimate interest of the Controller  to apply credit risk analysis measures and respectively in order to conclude and execute a contract with the data subject;
4. in order to fulfill a legal obligation by the Controller and its legitimate interest, respectively in order to ensure security, by video surveillance and analysis of security incidents (Law no. 333/2003 and GD No. 301/2012, as well as the legislation regarding transport of dangerous goods - GD No. 1175/2007 for the approval of the Implementing Norms of the activity of road transport of dangerous goods in Romania, Order of the Ministry of Transport, Construction and Tourism No. 1214/2015, Order No. 1044/2003) , according to art. 6, para. 1, let. c) and f) of the GDPR;
5. in order to carry out measures to prevent money laundering crimes in order to fulfill a legal obligation (Law no. 129/11.07.2019 for the prevention and combating of money laundering and the financing of terrorism, as well as for the modification and completion of some normative acts), according to art. 6, para. 1, let. c) from the General Regulation on data protection;
6. in order to resolve requests/complaints received at Rompetrol gas stations, either by telephone via Infoline or by mail/email, according to art. 6 para. 1), let. c) and f) of the GDPR, in order to fulfill a legal obligation (Ordinance no. 21/1992 on consumer protection), respectively for fulfilling a legitimate interest of the Controller which consists in analyzing and solving the notified incidents;
7. for contacting you in order to obtain your opinion regarding the quality of the services and products of the Controller and of the KMG International NV Group purchased by you, by telephone, e-mail, SMS, website, social media channels and mobile applications in accordance with art. 6, para. 1), let. f) from GDPR, respectively in the legitimate interest of the Operator to improve its services and products offered to its customers;
8. for internal/intra-group business reports, as well as for internal/external audits, according to art. 6, para. 1), lit. f) from GDPR, in the legitimate interest of the Controller to organize and controll its customer service activities, for ensuring a high level of quality of services and products offered;
9. for the recovery of receivables or other amounts due as dameges to the Controller, amicably / through enforcement, including for resolving various disputes, according to the concluded contracts and the legitimate interest of the Controller to recover the receivables related to the existing contractual relationship with you, according to art. 6, para. 1), let. b) and f) of the GDPR;
10. for solving the various requests addressed to the Controller, analysis of partnership / investment proposals, as well as the provision of information requested by you in writing (including those transmitted on social media channels), according to art. 6, para. 1, let. c) and f) of the GDPR, namely on the basis of a legal obligation of the Controller to respond within a limited period of 30 days, respectively of its legitimate interest in appropriate and timely settlement of these requests addressed to the Controller;
11. for your profiling, respectively in order to be able to provide you with information on standard or customized products and services from the portfolio of entities in the KMG International NV Group, by analyzing the services purchased, the transactions performed and other similar information, in accordance with art. 6, para. 1), lit. a) from GDPR, respectively based on your consent;
12. for marketing purposes, by using the means of communication, namely e-mail, sms, fax, phone call, notifications through mobile applications, such as for receiving newsletters and other commercial communications to promote the products and services of the KMG group International NV of which the Controller is a part, in accordance with art. 6 para. 1), let. a) from the General Regulation on data protection, based on your consent;
13. for marketing purposes, by using the means of communication, respectively e-mail, sms, fax, telephone call, notifications through mobile applications, such as for receiving newsletters and other commercial communications to promote the products and services of the KMG International NV Group, of which the Controller is a part, the organization of internal and external events, respectively your invitation to these events, in accordance with art. 6 para. 1), lit. a) from GDPR, based on your consent;
14. for participating in sweepstakes and other promotions based on a certain consumption behavior, in accordance with art. 6, para. 1) let. a) from GDPR, based on your consent;
15. for providing the services, benefits, as well as information regarding the modifications of the Loyalty Programs (e.g. Rompetrol Go), including contacting you regarding the situation of the loyalty points (e.g. their validity), according to art. 6, para. 1, lit. b) from GDPR in order to conclude and execute a contract with you;

    If the Company decides to process your personal data for other purposes, especially based on art. 6, para. 1, let. a) from the EU General Regulation on data protection, respectively based on your consent, you will be sent a separate information note, to allow you to express your consent freely.

3.2.2 Personal Data Processed

a)        The data processed for the clients holding a debit or credit  Fill & Go respectively Rompetrol Go+ card are the following: name and surname, data indicated on the copy of the identity document, address (domicile / residence), telephone, indicated e-mail, citizenship, IBAN and bank account, data regarding services and products purchased (such as: quantity, value, date and place of purchase of fuel), Fill & Go a card code, data on income,  Fill & Go card transaction history, car type, contact details, data included in the Fill & Go contract.

b)        The data processed for the clients enrolled in the Rompetrol GO Loyalty Program are the following: name, surname, e-mail address, telephone number, gender, date of birth, data regarding date and location of enrollment, points collected, preferences and amount of consumption, frequency and value of purchase, data on services and products purchased (such as: quantity, value, date and place of purchase), data from Rompetrol Go customers who have a card Fill & Go Personal (address, customer code, transactions made).

c)         Other data processed for customers/visitors are the following: your image captured by surveillance cameras, in the case of your visits to the Controller's fuel stations; name surname or any other data are necessary for the resolution of your complaints and notifications, including your voice if the complaints and notifications were made by means of telephone calls through the Infoline/call center service; Name and surname, address, CI series in case you want to issue an invoice for the purchased products.

3.2.3 Data processing period   

(a)       the data processed for the enrollment and contracting of the various programs, for example Rompetrol GO, Rompetrol GO +, is done during the contract/program, with the exception of documents (e.g. contracts, invoices, etc.) that contain personal data of a financial and accounting nature, these being additionally stored according to the applicable legal requirements (eg Accounting Law no. 82/1991, Fiscal Code, etc.);

(b)    the income statement is kept at most until the termination of the contractual relationship, but not less than 3 years from the date of granting the credit limit, and if the credit limit is not granted, then this document is deleted/destroyed immediately;

(c)      the personal data of potential customers not enrolled in Rompetrol programs will be deleted/destroyed no later than three months after receiving them;

(d)   the data collected to resolve requests/complaints, including the recordings of telephone conversations related to requests/complaints addressed to the Controller, will be kept for 4 months from the date of collection, with the exception of the complaints, where the data will be kept for 3 years from the date of their settlement.

(e)       documents, which contain personal data and are processed for the purpose of recovering debts or other amounts due as dameges to the Controller will be kept until the completion of the recovery procedures or, as the case may be, until the final settlement of any disputes;

(f)        personal data collected based on your consent for marketing purposes will be kept until your consent is withdrawn or until the termination of the contractual relationship or until the deadlines established by the competition regulations, whichever comes first;

(g)       the duration of the storage of video recordings captured by surveillance video cameras is at least 20 calendar days, but not more than 30 calendar days from the date of their making;   

3.3.     Legal representatives, shareholders, guarantors, employees, contact persons of the companies acting as business partners of KMG International NV Group

3.3.1.  The purposes of processing the personal data

a)        in order to contract and carry out the service contracts concluded with the business partners, as clients and / or subcontractors, according to art. 6 paragraph 1, letter f) of the GDPR;

b)        for fulfilling the legitimate interest of the Operator, in order to carry out the procedures regarding the selection of offers, organized by him for contracting of goods / services / works, etc. according to art. 6 paragraph 1, letter f) of the GDPR;

c)         to perform the know your counterparty analysis of the business partner in order to carry out the business activity in full compliance with the applicable legal provisions, in order to strengthen the security of contracts, avoid conflicts of interest and protect the Operator's reputation, in order to manage contracts and perform veirifcation and reporting in accordance with applicable law, as well as for the fulfillment of a legal obligation such as the prevention and sanctioning of money laundering, the establishment of measures to prevent and combat the financing of terrorism. according to art. 6 paragraph 1, letter c) of the GDPR, as well as for the protection of the legitimate interest of the Operator according to art. 6 paragraph 1, letter f) of the GDPR;

d)        for ensuring the safety and security at work of the employees of the partners carrying out activities on the industrial platforms where the Operator is the main contractor, on the industrial platforms of the Operator, or at the KMG International NV Group companies premises, in order to fulfill the legal obligations contained in the health and safety legislation. at work, in accordance with art. 6 paragraph 1, letter c) of the GDPR, as well as for the protection of the legitimate interest of the Operator according to art. 6 paragraph 1, letter f) of the GDPR;

e)          for carrying out second party audits in order to fulfill the legitimate interest, (according to art. 6 paragraph 1, letter f) of the GDPR) of the Operator to ensure that the services / products offered by the business partner meet the necessary quality standards;

f)         for contacting you in order to obtain the opinion of the company you represent regarding the quality of the Operator's services and products purchased, by telephone, e-mail, in accordance with art. 6 paragraph 1) letter f) of the GDPR on data protection, respectively in the legitimate interest of the Operator.

g)        for contacting the clients by e-mail directly by the financial audit company that audits the financial statements of the Operator in order to carry out the annual audit process in accordance with art. 6 paragraph 1) letter f) of the GDPR, respectively in the legitimate interest of the Operator.

h)        for commercial purposes, by using the means of communication, respectively e-mail, sms, fax, telephone call, newsletter / s and other commercial communications for the promotion of the Operator's services, in accordance with art. 6 paragraph 1) letter f) of the GDPR, respectively on the basis of the legitimate interest to collaborate with the company you i)

i)          for the recovery of receivables or other amounts due as dameges to the Controller, including by executing the contractual guarantees for non-compliance with the contractual conditions according to the legitimate interest of the operator art. 6 paragraph 1) letter f) of the GDPR;

j)          in order to resolve possible disputes amicably or in court according to the legitimate interest of the operator, art. 6 paragraph 1) letter f) of the GDPR;

k)       for carrying out internal/external audits as well as for carrying out internal reports in order to fulfill the legitimate interest of the Controller, (according to art. 6 paragraph 1, letter f) of the GDPR);

3.3.2.  Processed Personal Data  

For the purposes indicated in point 3.3.1. above, following data of employees / affiliate/ legal representatives of business partners may be processed: name, surname, position, signature, telephone, email, serial and ID card number, ID copy as well as documents attesting certain qualifications / attestations / certifications ( ex: diplomas, authorizations, attestations, permits etc.).

3.3.3.  Data processing period

The storage period of the collected personal data will be determined as follows:

(a)       the data processed for contracting, knowing the partners and carrying out the service contracts will be kept for a maximum of 5 years from their termination. In case of disputes, these will be kept until the end of the dispute in question.

(b)       the financial-accounting data including the contracts concluded depending on their nature will be kept in accordance with the provisions established by the Fiscal Code and the related legislation.

(c)       the data to be processed in order to carry out the tender selection procedures will be kept for 3 years from the completion of the procedures.

(d)       data processed for the purpose of the second part audit shall be retained for 3 years from the audit complition date.

(e)       the processing of data in order to ensure safety and health at work will be done throughout the performance of the service contract.

(f)        the processing of data in order to obtain the opinion on the quality of services will be done during the existence of the business relationship.

(g)       the processing of data for the purpose of carrying out the internal/external audit process, internal reporting  will be done for a maximum of 3 years from the termination of the business relationship.

(h)       the data whose processing is strictly related to the provision of the contracted services will be kept for the duration of the contract.

(i)       documents that contain personal data and are processed for the purpose of recovering debts or other amounts due as dameges to the Controller as well as for defending a right in court of the Controller will be kept until the completion of the recovery procedures or, as the case may be, until the final resolution of any disputes.  

3.4.     Processing of personal data of former employees of the companies from KMG International NV Group

3.4.1.  The purposes of processing thepersonal data of former employees of the companies from KMG International NV Group

The personal data of the former employees are processed based on the legal obligations of the former employer in accordance with art. 6 paragraph 1, letter c), and art. 9 letter b) of the GDPR, respectively the obligations to keep these data and to issue certificates at the request of the former employee or to transmit information to the state authorities, as well as based on Operator’s legitimate interest to perform internal audits and verifications or to responds to the requests of external auditors, but also to protect Operator’s interests in court., in accordance with art. 6 paragraph 1, letter f) of the GDPR.

3.4.2.  Processed Personal Data  

For the purposes indicated in point 3.4.1. above, the following data of the former employees will be processed: the content of the personnel file, without being limited to: name, surname, position held, unique ID, identity data and photo-copies of them, employment contracts, retirement data, data on education and professional experience (CV, copies of diplomas), etc., the payroll and elements contained therein, including the documents that formed the basis for its preparation (not limited to: name, surname, ID data, uniques ID, position, job, salary data, bank account, medical certificates, salary statements, seizures, timesheets, dependents, benefits, etc.).

3.4.3.  Data processing period

The data will be kept according to the legal provisions as follows: 75 years the data regarding the personnel file and 50 years the data regarding the salary statement, periods that run from the termination of the employment relationship.

3.5.    Candidates who have applied for a vacant position in order to be employed or to complete an internship

3.5.1.  Purposes of personal data processing 

In order to participate in the recruitment and selection program related to the occupation of one of the existing or future vacancies / positions  or to carry out a current or future internship or internship program, where you are a Candidate, your personal data are processed by Operator for purposes related to activities related to the field of human resources. The processing of your personal data in the mentioned context is done in accordance with Article 6 paragraph 1), letter a) of the GDPR, respectively your agreement to participate in the recruitment and selection process.

3.5.2.  Processed Personal Data   

(b)   Checks in the vew of your selection: references / request for references, interview notes, records / test / test results including technical tests and psychometric tests (measures your abilities, skills, behaviors or personality traits).

3.5.3.  Data processing period  

Your personal data as indicated in point 3.5.2. above are kept 6 months from your agreement or 6 months from the last login in your account created on the career website of the KMG International NV Group in case you applied through it.

3.6.     Visitors of our headquarters

3.6.1.  Purposes of personal data processing  

The personal data of the visitors are processed in order to ensure the security and safety of persons, guarding the assets and goods in accordance with art. 6 lit. f) of the GDPR, namely the legitimate interest of Operator, as well as of the affiliated companies within the KMG International NV Group.

3.6.2.  Personal data of visitors   

In order to achieve the objectives indicated at point 3.6.1. above, the following personal data of visitors are processed: name, surname, entry time, exit time, visitor's image, the name of your employer or the company you work with (if the visit is for business purposes) and the name of the person visited.

3.6.3.  Data processing period 

The storage of personal data will be done for the purposes presented above for a maximum period of 2 years, except for the image of the visitor captured by the cameras, this being kept for a maximum period of 30 calendar days.

4.       Who receives your data?

4.1      Recipients of your personal data

In order to achieve the purposes described above, Rompetrol uses the services of various contractors or other companies within the KMG International NV Group. According to GDPR, they are divided into several categories, which in relation to the operation of processing your personal data, are classified as follows: operators, processors or associated operators.

Therefore, we specify that, in order to achieve the purposes mentioned in section 3 above, your data can be shared, without being limited to, with the following types of recipients:

1. companies ensuring operating of Rompetrol gas stations, in the name and on behalf of Rompetrol;
2. IT and telecommunications service providers, security and protection, courier, advertising agencies, other contractual partners (eg lawyers, debt collection companies, auditors bound by the obligation of confidentiality regarding the data transmitted, etc.);
3. state authorities such as ANAF, ANPC, etc. based on their competencies provided by the applicable law.

4.2      Transfer of your data to foreign countries

In the context of the operations described above, your personal data may be transferred to countries of the European Union ("EU") or the European Economic Area ("EEA").

We hereby inform you that any transfer made by the Operator to an EU or EEA member state will comply with the legal requirements established by GDPR. As part of the processing of the data described above, the transmission of personal data to recipients from countries outside the European Union may also take place. The transfer in this case will be made to: (i) countries for which the EU Commission has established that they provide an adequate level of data protection, or (ii) countries or operators in relation to which we ensure that there is an adequate level of protection of data (especially by concluding agreements containing standard contractual clauses for data transfer and / or any other measures imposed as the case may be).

5.       Use of cookies

This website uses cookies. More details on these modules and how they are used can be accessed here.

6.       Security of your personal data  

Rompetrol guarantees that it processes your data in conditions of legitimacy and legality, implementing at the same time adequate technical and organizational measures to ensure the integrity and confidentiality of the data according to art. 25 and 32 of the GDPR.

7.       Your rights rearding personal data:

As the data subject, you have the following rights provided by GDPR, regarding exclusively your personal data:

(a)       The right of access means your right to obtain a response from the Operator whether or not it process personal data concerning you and, if so, you may have access to those data and to the information provided by art. 15 of the GDPR.

(b)       The right to data portability refers to the right to receive personal data in a standard, structured, commonly used and automatically readable format and the right to have your data transmitted to another operator without hindrance from Rompetrol, if these data are processed automatically and, the data are processed based on your consent expressed according to art. 6 para. 1) lit. a) or art. 9 para 2) lit. a), respectively on the basis of a contract according to art. 6 para. 1) lit. b) of the GDPR.

(c)       The right to object represents the right to oppose, for reasons related to your particular situation, to the processing of personal data concerning you, including the creation of profiles based on those data, when the processing is carried out pursuant to art. 6 paragraph 1) letters e) and f), respectively for the achievement of a legitimate interest of the operator or for the accomplishment of a task that serves a public interest. 

(d)       The right to rectification refers to the correction, without undue delay, of inaccurate personal data. You have the right to obtain the completion of personal data that are incomplete, including by providing an additional statement, and the rectified data will be communicated to each recipient who received the data, unless this proves impossible or involves disproportionate effort.

(e)       The right to delete data ("right to be forgotten") means the right to request the deletion of personal data, without unreasonable delay, if: the data are no longer necessary for the purposes for which they were collected or processed; you withdraw your consent and there is no other legal basis for processing; you object to the processing and there are no legitimate legal reasons prevailing; personal data have been processed illegally; personal data must be deleted in order to comply with a legal obligation; personal data were collected in connection with the provision of information society services. The deletion of the data will be communicated to each recipient who received the data, unless this proves impossible or involves disproportionate efforts.

(f)        The right to restriction of data processing refers to the case where you challenge the accuracy of the data, for a period that allows the operator to verify the correctness of the data: if the processing is illegal and the person opposes the deletion of personal data, requesting instead the restriction of their use; if Operator no longer needs the personal data for the purpose of processing, but you request them for the ascertainment, exercise or defense of a right in court; if you objected to the processing for the period of time in which is needed to  verify whether the legitimate rights of Operator prevail over those of the respective person.

(g)       The right not to be subject to a decision based solely on automatic processing, including the creation of profiles, which produces legal effects that concern or significantly affect you, with the exception of processing for the conclusion or performance of a contract with you, such processing is authorized by the applicable legal provisions or the data processing is performed based on your freely expressed consent.

(h)       The right to withdraw your consent. When the processing of personal data is carried out on the basis of your consent, you have the right to withdraw your consent at any time, without affecting the legality of the processing carried out on the basis of consent before its withdrawal.

(i)        The right to file a complaint: if you are dissatisfied, you can contact the National Authority for the Supervision of Personal Data or the competent courts at any time.

8.         Exercise your rights

All the rights can be exercised through a written request sent to:

(a)  Operator’s headquarters, using the contact details mentioned in section 2 of this Policy,

(b)   By e-mail, for the attention of the Data Protection Officer, at the e-mail address: [email protected]

(c)    By calling the following phone numbers: 0800 0800 08 or 0800 0800 12.
 

Your request will be analysed and you will receive an answer within maximum 30 days.