Privacy Policy and Personal Data Protection
1. Who We Are
The www.sepsimetro.ro Platform is administered by the Intercommunity Development Association SEPSI METROPOLITAN AREA (hereinafter referred to as the “Operator”), with its registered office in the municipality of Sfântu Gheorghe, 1 Decembrie 1918 Street, no. 2, Covasna County, Romania. The Operator acts in the public interest, coordinating sustainable development projects within the metropolitan area of Sfântu Gheorghe.
In the context of personal data processing, the Operator acts as a data controller, determining the purposes and means by which data are collected and used within the Platform. The Operator is responsible for the protection of personal data and ensures compliance with applicable legislation regarding their confidentiality and security.
To facilitate communication and the exercise of data subjects’ rights, the Operator’s contact details are as follows:
Email: zmsepsi@gmail.com
2. Purpose of the Privacy Policy
This Privacy Policy explains how the Operator collects, processes, uses, and protects the personal data of Users of the www.sepsimetro.ro Platform. The purpose is to ensure transparency, security, and compliance with the rights of data subjects, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national legislation.
This Policy applies to all persons who interact with the Platform, regardless of their role, and in all situations where data are collected through the Platform, including contact forms, online requests, or other means made available by the Operator.
The Operator may update this Policy to include new categories of personal data, new processing methods, or new Platform functionalities, ensuring at all times compliance with applicable legislation and respect for data subjects’ rights.
Data subjects have the right to request access to, rectification, erasure, or restriction of processing of their personal data, as well as other rights provided under the GDPR, by contacting the Operator using the contact details available on the Platform.
This Policy should be read together with the Terms and Conditions and the Cookie Policy, as well as any other relevant data protection documents available on the Platform.
3. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings set out below:
Operator – the Intercommunity Development Association SEPSI METROPOLITAN AREA, the entity that administers and manages the www.sepsimetro.ro Platform, responsible for the collection and processing of personal data in its capacity as data controller (“data controller”), determining the purposes and means of processing.
Platform – the website available at www.sepsimetro.ro, including all its subpages and online services, as well as any tools or applications made available to Users.
User – any natural or legal person who accesses or uses the Platform, regardless of their role or purpose of interaction with it.
Content – all information and materials published on the Platform, including texts, images, graphics, multimedia materials, official documents, databases, and any other elements available for consultation.
Personal data – any information relating to an identified or identifiable natural person, directly or indirectly, in accordance with applicable legislation (GDPR).
Data subject – the natural person whose personal data are collected and processed by the Operator.
Authorized person – an employee, collaborator, or any other person who has legitimate access to personal data within the Operator’s organization, in accordance with assigned responsibilities and roles.
Processing – any operation or set of operations performed on personal data, including collection, recording, storage, modification, access, transfer, anonymization, deletion, or any other handling of such data.
Contact form / private messages – tools made available to Users through which they may submit requests, questions, or other information to the Operator.
Cookies / cookie files – small data files stored on the User’s device, used to facilitate navigation on the Platform, analyze traffic, personalize the experience, and improve services (as detailed in the Cookie Policy).
GDPR – Regulation (EU) 2016/679 adopted by the European Parliament and the Council of the European Union on 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Automatically collected data – information collected automatically through the use of the Platform, without direct intervention by the User, including but not limited to: IP address, browser type and version, operating system, pages visited, session duration, and other technical data that enable monitoring and optimization of Platform performance, traffic analysis, and improvement of user experience.
Online services / Platform functionalities – any applications, modules, tools, or mechanisms available on the Platform that enable User interaction with content and the transmission of data to the Operator.
Privacy Policy – the document that explains how the Operator processes Users’ personal data and their rights.
Cookie Policy – the document providing details regarding the use of cookies on the Platform, the types of data collected, and the purposes for which they are used.
Terms and Conditions – the document establishing the rules for using the Platform, Users’ responsibilities and obligations, as well as the Operator’s rights.
Applicable legislation – all legal acts in force in Romania.
Purpose of processing – the explicit and specific reason for which the Operator collects and processes personal data, including but not limited to: communication with Users, provision of Platform services and functionalities, statistical analysis and reporting of traffic and interactions, personalization of user experience, improvement of services, and compliance with legal obligations.
Consent – any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which the data subject agrees, by a clear affirmative statement or by a clear affirmative action (e.g. completing a form, ticking a consent box), to the collection, storage, and processing of personal data concerning them by the Operator for the specified purposes. Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to its withdrawal.
Storage period – the period of time for which personal data are retained by the Operator, determined based on the purpose of processing, administrative needs, legal obligations, and the rights of the data subject. Upon expiry of this period, the data shall be securely deleted or anonymized, in accordance with internal data protection procedures.
4. Categories of Processed Data
On the www.sepsimetro.ro Platform, the Operator collects and processes different types of personal data, depending on how Users interact with the available content and services.
4.1. Data Provided Directly by Users
When a User completes a form, submits a request, or subscribes to the newsletter, the Platform may process information such as first and last name, email address, telephone number, or the content of the messages and requests submitted. These data allow us to respond promptly and efficiently to Users’ questions and requests, provide personalized services, transmit relevant information, and maintain clear and transparent communication. The information provided also helps us better understand users’ preferences and adapt the Platform experience to their needs. Data are retained only for as long as necessary to respond to requests and provide the requested services, after which they are properly archived or deleted.
4.2. Automatically Collected Data
During the use of the Platform, certain information is collected automatically. This includes, among others, the device IP address, browser and device type, pages visited, or time spent on the Platform. These data are used to ensure the proper functioning and security of the Platform, to prevent unauthorized access, and to analyse how Users interact with the services provided. This allows us to identify areas requiring improvement and to optimize the browsing experience, offering more relevant recommendations and content. Automatically collected information is stored temporarily or in aggregated form and is handled with care to protect users’ privacy.
4.3. Location Data
If a User uses functionalities involving location, such as interactive maps or displaying events in their area, the Platform may collect information about the device’s geographical location, with the User’s explicit consent. These data allow us to provide information and recommendations relevant to each user’s geographical area and to adapt the services offered to the local context. Location data are stored only for the period necessary to provide the respective services and are used, where possible, in anonymized form for analysis and optimization.
4.4. Other Relevant Data
In certain situations, the Platform may also collect other types of information that contribute to improving services, such as notification preferences, newsletter subscriptions, survey responses, or user feedback. This information helps us adapt and refine content, build a more personalized interaction, and better understand the needs of the community using the Platform.
5. Purposes of Data Processing
The personal data collected through the www.sepsimetro.ro Platform are used exclusively for legitimate, transparent, and proportionate purposes, in line with the activities carried out by the Operator, taking into account its public and informational nature.
One of the main purposes of processing is managing communication with Users. When Users submit requests, questions, or messages through the Platform, the provided data are used to correctly identify the requester and to provide clear, complete, and situation-adapted responses. This interaction contributes to maintaining an open and transparent relationship between the Operator and the community.
At the same time, data may be used to provide relevant information regarding the activities, projects, and initiatives carried out by the Operator. This includes the transmission of informational communications, updates, or other materials of public interest, contributing to the correct information of citizens and to increased institutional transparency.
Another important purpose is the continuous improvement of the Platform and its functionalities. By analysing how Users interact with the website, the Operator can identify potential technical issues, optimise structure and content, and adapt the services provided to better meet users’ needs. In this context, technologies such as cookies may also be used, in accordance with the dedicated policy.
Furthermore, data processing is necessary for compliance with the legal obligations incumbent upon the Operator, particularly in the field of public administration transparency and the management of official documents and requests. These obligations may involve the retention of certain information or its disclosure to competent authorities, under the conditions provided by law.
Last but not least, data are used to ensure the security of the Platform and to prevent its abusive or unauthorized use. This involves monitoring system operation, detecting potential security incidents, and protecting both Users’ data and the technical infrastructure.
In all these situations, the Operator ensures that data are processed in a responsible manner, limited to what is necessary, and in full compliance with the rights of data subjects.
Within the activities, events, and programmes organised by the Operator, photo and/or video materials may be created which may capture the image of participants.
These materials are used exclusively for the documentation, promotion, and communication of the Operator’s activities, including publication on the Platform and on its official communication channels.
Participation in such programmes implies acceptance of this processing, under the conditions of compliance with applicable personal data protection legislation.
6. Method of Data Collection
The Operator collects Users’ personal data through several methods, depending on how they interact with the Platform.
Data may be collected directly from Users by completing forms available on the Platform, by sending messages or requests, as well as through the use of other interactive functionalities made available.
In addition, certain information is collected automatically when accessing the Platform, through standard technologies commonly used in the online environment, such as cookies or other analytical tools. These data are used to ensure the correct and secure functioning of the Platform, to analyse traffic, and to continuously improve the Users’ experience.
In certain situations, data may be collected indirectly through third-party services or applications integrated into the Platform, such as interactive maps or modules originating from social networks, in accordance with the privacy policies of these providers.
The Operator ensures that all data are collected in a lawful, transparent, and proportionate manner, being strictly limited to what is necessary for the purposes defined in this Privacy Policy.
7. Legal Basis for Data Processing
The Operator processes Users’ personal data in accordance with the provisions of Regulation (EU) 2016/679 (GDPR), on the basis of one or more of the legal grounds set out in Article 6(1) of the Regulation.
Processing may be based, as applicable, on the data subject’s consent, where the User expresses their agreement freely, specifically, informedly, and unambiguously for one or more specific purposes, such as sending communications, using certain Platform functionalities, or subscribing to updates.
Data may also be processed where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Operator, taking into account the public nature of its activity and its role in implementing and coordinating local development projects.
In certain situations, processing is necessary for compliance with a legal obligation to which the Operator is subject, in accordance with applicable national and European legislation.
Furthermore, processing may be based on the legitimate interest of the Operator, in particular to ensure the functioning and security of the Platform, to prevent abusive or fraudulent use, as well as to improve the services provided, while respecting the fundamental rights and freedoms of Users.
Where processing is based on consent, it may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to its withdrawal.
8. Data Recipients and Disclosure to Third Parties
Personal data collected through the Platform may be disclosed or accessed only to the extent necessary for the fulfilment of the purposes defined in this Privacy Policy and in compliance with applicable legal provisions.
The Operator may transfer data to processors or service providers acting on its behalf, on the basis of appropriate contractual agreements, such as IT service providers, hosting services, technical maintenance providers, traffic analysis solutions, or other services necessary for the operation of the Platform. These recipients have limited access to personal data and are obliged to ensure their confidentiality and security.
Data may also be disclosed to public authorities, institutions, or other competent entities where there is a legal obligation to do so, or where such disclosure is necessary for compliance with applicable legislation, for the protection of the Operator’s rights, or for the performance of a task carried out in the public interest.
In all cases, the Operator ensures that data disclosure is carried out in a proportionate manner, limited strictly to what is necessary, and in compliance with the principles of confidentiality and security provided by the GDPR.
9. External Links
The Platform may contain links to other websites or external resources that are not operated or controlled by the Operator.
Access to these links is made voluntarily by Users, and the Operator assumes no responsibility for the content, privacy policy, or practices of such third-party websites.
The Operator recommends that Users review the privacy policies and terms of use of each website they access, in order to understand how personal data are collected and processed by these third parties.
The presence of external links on the Platform does not automatically imply approval or any association between the Operator and the respective entities.
10. Data Retention Period
The Operator retains Users’ personal data only for the period necessary to fulfil the purposes for which they were collected, in accordance with applicable legal provisions and the principles of data minimisation and proportionality.
Data provided through contact forms or other means of communication are retained for a maximum period of 3 years from the last interaction with the User, except where a longer retention period is required for compliance with legal obligations or for the protection of the Operator’s legitimate interests.
Data collected for technical or analytical purposes, including those obtained through cookies, are retained for different periods depending on their type and functionality, as detailed in the Cookie Policy.
Where data processing is necessary for compliance with a legal obligation, such data will be retained for the period required by applicable legislation.
The Operator may periodically review the necessity of retaining data, ensuring that it is not stored for longer than necessary.
Upon expiry of the retention periods, personal data will be securely deleted or anonymised, in accordance with the Operator’s internal procedures and applicable legal requirements.
11. Rights of Data Subjects
In accordance with the provisions of Regulation (EU) 2016/679 (GDPR), data subjects benefit from a number of rights regarding the processing of their personal data.
Thus, Users have the right to request access to the personal data concerning them, as well as information regarding how such data are processed.
Data subjects also have the right to request the rectification of inaccurate data or the completion of incomplete data.
Under certain conditions, Users may request the erasure of personal data (“right to be forgotten”) or the restriction of processing.
Data subjects also have the right to object to the processing of their data, in particular where such processing is based on the legitimate interest of the Operator.
Where processing is based on consent or on the performance of a contract and is carried out by automated means, Users have the right to data portability, namely the right to receive the data concerning them in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller.
Data subjects also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Where processing is based on consent, it may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to its withdrawal.
To exercise these rights, Users may submit a request to the Operator using the contact details available on the Platform.
Data subjects also have the right to lodge a complaint with the competent supervisory authority, namely the National Supervisory Authority for Personal Data Processing (ANSPDCP).
The Operator undertakes to respond to all requests within the time limits provided by applicable law and to facilitate the exercise of data subjects’ rights in a transparent and efficient manner.
12. Data Security
The Operator implements appropriate technical and organisational measures to ensure the security of personal data and to prevent unauthorised access, misuse, disclosure, alteration, or destruction of such data.
These measures include, but are not limited to, the use of secure IT systems, access control to data, protection against unauthorised access, and continuous monitoring of the technical infrastructure used to operate the Platform.
The Operator ensures that authorised persons who have access to personal data comply with confidentiality obligations and use the data exclusively for the purposes for which they were collected.
Furthermore, the Operator makes all reasonable efforts to ensure that service providers involved in the operation of the Platform implement appropriate security measures, in accordance with applicable legal requirements.
In the event of a security incident affecting personal data, the Operator shall act without undue delay to mitigate its effects and, where applicable, notify the competent authorities and data subjects, in accordance with applicable legal provisions.
13. Changes to the Privacy Policy
The Operator reserves the right to modify or update this Privacy Policy at any time, in order to reflect any legislative changes, modifications to the Platform’s functionalities, or changes in the way personal data are processed.
Any modification will be published on the Platform, and the updated version will enter into force from the date of its publication.
The Operator recommends that Users regularly review this Privacy Policy in order to stay informed about how their personal data are processed and protected.
In the event that the changes made are significant, the Operator may take additional measures to inform Users, where this is necessary or required by applicable law.
14. Contact
For any questions, requests, or clarifications regarding this Privacy Policy or the way in which personal data are processed, Users may contact the Operator using the contact details available on the Platform.
Data subjects may also submit requests to exercise their rights provided under applicable data protection legislation via the following email address: zmsepsi@gmail.com
The Operator will make all necessary efforts to respond to requests within the time limits set by applicable law and to provide clear and comprehensive information.