PRIVACY POLICY
MARISTAR COM S.R.L. - "MRS RESIDENCE"

CHAPTER 1.
INTRODUCTION

1.1. MARISTAR COM SRL, hereinafter referred to as "the Company," processes the personal data of Data Subjects exclusively for the purpose for which it is collected and stored in accordance with the relevant legal obligations.

1.2. This Policy sets out how the Company complies with its personal data protection obligations and seeks to protect the personal data of Data Subjects.

1.3. This Policy does not cover information collected by third-party websites, including partner websites or those that have purchased advertising space on www.mrsresidence.ro. The website www.mrsresidence.ro also contains links to other websites. If you click on a link to another website, the Company is not responsible for their security and data protection settings. We recommend that you read their privacy policy when accessing information from them.

1.4. The Company reserves the right to review and update this Policy from time to time, annually or whenever necessary in accordance with its own responsibilities, activities, and, where applicable, its obligations regarding the protection of personal data, as established by EU regulations. The Company will ensure that the updated Policy is published on the www.mrsresidenceploiesti.ro Platform each time. The Company draws attention to the importance of checking this Policy each time you use the site so that you are always informed about it. Where possible, the Company will notify Data Subjects by email of any significant changes.

CHAPTER 2. SCOPE AND FIELD OF APPLICATION

2.1. This Policy applies to individuals who access and/or use in any way the Platform owned by the Company ("Data Subjects").

2.2. Data Subjects are not obligated to provide the Company with the personal data mentioned in this Policy. However, if the data mentioned in this Policy is not provided, it will not be possible for the Company to provide the services requested by the Data Subjects.

2.3. The policy regulates the measures to be taken by the Company in its efforts to comply with legislative requirements regarding the protection of personal data.

2.4. This Policy sets out the principles on which the Company processes the personal data of Data Subjects and indicates the responsibilities relating to the processing of personal data.

2.5. The main objective of this Policy is to ensure the protection of personal data collected and processed within the Company from the loss or destruction of such data, whether intentional or unintentional. It also aims to prevent harm to Data Subjects whose data is collected and processed within the Company.

2.6. This Policy explains how the Company handles any personal data it collects from Data Subjects or obtains from a third party and the purposes for which it processes personal data. It also indicates the rights that Data Subjects have regarding the processing of personal data in accordance with Regulation 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("Regulation").

2.7. This Policy is intended to assist Data Subjects in making informed decisions when using the website, accessing the Company's services, participating in the Company's activities, or applying to work at or with the Company.

CHAPTER 3.
CONCEPTS

3.1. The specific terms used throughout this Policy have the following meanings:

Company - Maristar COM S.R.L., with headquarters in Aleea Terra, no. 8, building C7, Titu – Dâmbovița County, with correspondence address in Bucharest, Sector 1, Sos.Nordului, no.62 D, et.2, sector 1 – Bucharest, registered with the Trade Register under no. J15/1330/2007, unique registration code RO22579117;

Policy - This Privacy Policy;

GDPR or Regulation - General Data Protection Regulation or Regulation No. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Personal data - Any information relating to an identified or identifiable natural person; an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

Data Subjects - persons who access and/or use in any way the Platform owned by the Company;
Website – the website www.mrsresidence.ro;

Controller - The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data: where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 
Processor - The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller;

Consent - Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 
Personal data breach - A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Cross-border processing means (a) either the processing of personal data that takes place in the context of the activities of establishments in more than one Member State of a controller or of a processor in the Union, if the controller or processor has establishments in at least two Member States; or (b) the processing of personal data which takes place in the context of the activities of a single establishment of a controller or a processor in the Union, but which substantially affects or is likely to substantially affect data subjects in at least two Member States;

Supervisory authority - An independent public authority established by a Member State pursuant to Article 51 of the GDPR;

Group of companies - A company that exercises control and the companies controlled by it;

Sensitive data - Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, biometric data for the unique identification of a natural person, data concerning a natural person's sex life or sexual orientation, or other data whose loss/leakage could cause serious harm to the data subjects.

3.2. Any reference in this Policy to the singular shall include the plural and vice versa, unless expressly stated otherwise.

CHAPTER 4.
REFERENCE DOCUMENTS

4.1. This Policy is drafted in accordance with the following legislative acts in force in Romania:

Regulation No. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Law No. 190 of July 18, 2018 on measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Law No. 102 of May 3, 2005, on the establishment, organization, and functioning of the National Supervisory Authority for Personal Data Processing, as amended and supplemented;

The ANSPDCP Organization and Functioning Regulation of November 11, 2005, with subsequent amendments and additions;

Law No. 682 of November 28, 2001, ratifying the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on January 28, 1981.

CHAPTER 5. CATEGORIES OF PERSONAL DATA PROCESSED

5.1. In general, the following personal data may be processed when using the Platform:

Identification data, namely: surname, first name, gender, date of birth/age;
Contact details, namely: mailing address, telephone number, fax number, email address; 
Technical information regarding the visitor's device (its location, IP address, type of hardware, information regarding the time interval and the date on which the site was used).

5.2. The Company does not collect or otherwise process sensitive data, which is included in the Regulation in special categories of personal data. Furthermore, the Company does not wish to collect or process data of minors under the age of 16.

5.3. For the purpose of advertising, marketing, and publicity, promoting the services provided by the Company, conducting promotional campaigns, sending newsletters and bulletins, tracking and monitoring requests for offers and the behavior of the Company's customers, the following personal data may be processed: first and last name, date and place of birth, telephone/fax, e-mail, address (domicile/residence), habits, preferences, commercial behavior.

Also, if applicable, in promotional campaigns, in order to identify the winners, the Company processes personal data consisting of the personal identification number and the series and number of the identity document. In the case of direct contracting, the personal data necessary for the conclusion of the contract is processed, including name, surname, personal identification number, date and place of birth, domicile, identity document series and number, bank account, and any other data necessary for the conclusion of reservation, promise, sale, etc. contracts.

5.4. For the purpose of customer relations and informing customers about the evaluation of the services offered by the Company, as well as for activities carried out with a view to improving the quality of the services offered and provided, the following personal data may be processed: first and last name, date and place of birth, telephone/fax, email, address (domicile/residence), preferences, behavior, as well as other data that may result from the customer's evaluation of the services offered.

5.5. The Company also processes personal data in connection with the activities described above for archiving purposes (to maintain records related to the activities carried out, in accordance with legal requirements), for evidentiary purposes (to protect rights in court and exercise other rights in accordance with legal provisions), as well as for the administration and monitoring of contracts concluded with its customers.

5.6. Personal data subject to special protection, namely the personal identification number, the series and number of the identity document, will be collected and processed only in accordance with the legal provisions and only under restrictive conditions.

5.7. The Company's website also uses cookies and similar technologies, which you can read about in detail in the Cookie Policy.

CHAPTER 6. HOW WE GET PERSONAL DATA

6.1. Data subjects are the main source from which the Company collects personal data.

6.2. Personal data processed through the Company's Platform is collected:

Directly from the Data Subjects (e.g. when you subscribe to newsletters/offers, when you contact us via a form provided on the website or through other channels such as social networks or via the contact details we provide you with – this category also includes correspondence with you, such as notifications, requests, questions, etc.);

Observed by the Company when you browse the website - when you access the Website, the Company processes a series of personal data automatically transmitted by your browser, such as: IP (internet protocol) addresses; browser type and version; device type and operating system; date and time of access to the Platform; user location (based on IP address).

6.3. The Company uses this information to help it design the Site to best meet the needs of its users. The Company may also use your IP address to help diagnose problems with its server and administer the Site, analyze trends, track visitor movement, and gather broad demographic information to help determine visitor preferences.

6.4. The Company constantly strives to keep the Data Subjects' data as accurate and up-to-date as possible. To this end, the Company continuously conducts campaigns to update the Data Subjects' data.

CHAPTER 7. PURPOSES AND GROUNDS FOR PROCESSING PERSONAL DATA

7.1. The Company will use the personal data of Data Subjects for the following purposes:

7.1.1. Communicate

The company may use personal data to send communications to Data Subjects by email, text message, or telephone. If you have subscribed to any of our newsletters/offers/forms, we will send you these communications to the email address you have provided. The legal basis for processing is your consent.

The company always ensures that such processing is carried out in compliance with the rights and freedoms of the Data Subjects.

Data Subjects may request at any time, by the means described herein, that the Company stop processing personal data for information purposes, and the Company will comply with this request as soon as possible. The withdrawal of consent by Data Subjects will make it impossible to provide information on the status of the services provided, but will have no effect on the legality of the processing carried out previously.

7.1.2. Provision of services and payment

In order to provide services and make payments under the relevant contracts, we may process your personal data, such as identification data, contact details, and bank details. This processing is based on the performance of a contract to which the data subjects are party or on a legal obligation imposed on us.

7.1.3. Contests/raffles/etc.

In connection with the participation of Data Subjects in various competitions organized, the Company may collect and process personal data for the purpose of selecting winners, allocating prizes/vouchers, and compiling statistical reports on consumers, as well as communicating with Data Subjects and other persons in connection with the above.

This processing is based on the Company's legitimate interest or on the performance of a contract to which the Data Subjects are party (for example, when you participate or fill out a registration form for such a contest) or on consent, in the case of sensitive data. Participation in any of the contests or sweepstakes organized by the Company constitutes your consent to the collection and processing of the data submitted.

Under the same conditions as above, depending on the nature of a particular contest, we may also publish photos, video recordings, audio recordings, or audiovisual recordings featuring you.

7.1.4. Improving the Company's services

This general purpose may include, as appropriate, the following: identifying potential problems with the Company's existing services in order to improve them (including by conducting audits); testing improvements made to the Company's services or new services.

The Company constantly strives to provide the best experience through its website and in its business activities. To this end, the Company may collect and use certain information related to customer behavior, invite Data Subjects to complete satisfaction surveys, or conduct market studies and research, either directly or with the help of partners.

The Company bases these activities on its legitimate interest in conducting business, always taking care to ensure that the fundamental rights and freedoms of Data Subjects are not affected.

7.1.5. Defending the Company's legitimate interests

There may be situations in which the Company will use or disclose information to protect its rights and business. These may include: (i) measures to protect the Company's website and users of the website from cyber attacks; (ii) measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities; (iii) measures to manage various other risks.

The general basis for these types of processing is the Company's legitimate interest in protecting its commercial activity, it being understood that the Company ensures that all measures it takes guarantee a balance between the Company's interests and the fundamental rights and freedoms of the Data Subjects.

7.1.6. Management of the Company's communications and IT (information technology) systems

This general purpose may include, as appropriate, the following: (i) managing and developing communications systems; (ii) managing IT security; (iii) performing security audits on IT networks; (iv) issuing reports to the competent institutions in the field of IT security or repairing system errors, (v) managing and maintaining this website, which involves storing cookies as described in the section below, based on Art. 6 para. (1) letters a) and f) of the GDPR.

When you use our website, we may ask you to provide certain personal data that can be used to contact or identify you. This personal data may include, but is not limited to, your first and last name, email address, and information that your browser sends whenever you access our website ("Log Data"). Log data may include information such as your computer's Internet Protocol ("IP") address, browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages, and other statistics.

7.1.7. Financial management

This general purpose may include, as appropriate, the following: (i) issuing invoices (ii) receiving payments (iii) recovering debts or refunding money; (iv) sending notifications and/or formulating and supporting legal actions; (v) preparing financial/operational reports, activity reports, and issuing financial statements/contract-related statements.

7.1.8. Dispute resolution

This general purpose may include, as appropriate, the following: resolving complaints and requests;  formulating requests and defenses before public authorities and other entities that resolve disputes/litigations.

7.1.9.  Staff recruitment operations pursuant to Article 6(1)(a) of the GDPR. Through this website, we may collect personal data from candidates, such as their first and last names and the information included in their CVs.

7.1.10. Conducting marketing and advertising activities, including subscribing to our newsletters based on Art. 6 para. (1) lit. a) of the GDPR. For this purpose, we will process personal data such as your first and last name and, if applicable, your image. You can opt out of receiving any or all newsletters, marketing or promotional materials, and other information from us that may be of interest to you by following the unsubscribe link or instructions provided in any email we send.

Our newsletters and event-related emails are sent via MailChimp, an email delivery platform owned by the American company Rocket Science Group, LLC, 675 Ponce de Leon Ave NE # 5000, Atlanta, GA 30308, USA. The email addresses of our recipients are stored on MailChimp's servers in the USA. MailChimp uses this information to send and evaluate emails on our behalf. MailChimp is certified under the US-EU Privacy Shield data protection agreement and is committed to complying with EU data protection regulations.

7.1.11. Security of persons, premises, and/or Company property by CCTV cameras pursuant to Article 6(1)(f) of the GDPR. For this purpose, we may process personal data such as image, first and last name (if identifiable), and car registration number, if applicable.

7.1.12.   Employment relationships, which involve the processing of data for the performance of employment contracts, the fulfillment of the company's legal obligations in connection with these contracts, and/or the pursuit of the legitimate interests of the MARISTAR COM S.R.L. group, namely MRS RESIDENCE, which derive from employment relationships based on Art. 6(1)(b), (c), and (f) of the GDPR. (1) letters b), c) and f) of the GDPR.

For these purposes, we will process our employees' personal data, such as their first and last names, ID card details, contact details, and bank details.

7.1.13. The Company also processes data to fulfill its legal obligations, such as those related to anti-money laundering, taxation, archiving, and reporting certain information to public authorities. At the request of the authorities, we may report transactions made by customers.

7.1.14. Withdrawal of consent shall not affect the lawfulness of any processing that took place before the withdrawal. We may also process your personal data, such as identification data, contact details, and residential address, for the purpose of exercising our rights or claims against you in the future. This processing is based on our legitimate interest, as it is necessary for us to exercise our rights in the event of any disputes.

CHAPTER 8. RECIPIENTS OF PERSONAL DATA

8.1. The Company will disclose the personal data of Data Subjects only for the purposes and to the persons described below. The Company will take appropriate measures to ensure that the data is processed, secured, and transferred in accordance with applicable law:

Transfer of data to entities affiliated with the Company - Personal data may be distributed to any other company that is a member of the group to which the Company belongs, if we consider that this is in our legitimate interest, for internal administrative purposes (e.g. data management in internal IT systems, dispute resolution, etc.) or for auditing and monitoring our internal processes. Access to information is limited to personnel who need to know the personal information.

Disclosure of data to other third parties - We may also disclose your personal data to third parties who provide us with certain services that require the processing of your personal data:

(a) companies that provide us with products and services (authorized persons), such as: (i) media or marketing agencies, such as those that organize promotional campaigns, administer the Website, administer the email newsletter, other types of marketing and sales, or customer support; (ii) website services: analytics, advertising; (iii) information technology and support providers, including email archiving, backup and disaster recovery services, and cybersecurity. (iv) real estate agents, service providers, couriers, etc. 
(b) external professional consultants (e.g., accountants, auditors, lawyers, etc.) when their work requires knowledge of the data or when the law requires us to disclose it; 
(c) other entities, such as public authorities and institutions, banks, financial institutions, insurance companies.

8.2. We may also disclose your personal data to other third parties: (i) if you request or consent to this; (ii) to persons who can demonstrate that they have the legal authority to act on your behalf; (iii) if it is in our legitimate interest to do so in order to manage, expand, or develop our business; (iv) if we are required to disclose your personal data in order to comply with a legal obligation or a request from the authorities;

8.3. The third parties to whom we choose to distribute your personal information as described above are limited (by law and contract) in their ability to use personal data strictly for the specific purposes identified by us. We will always ensure that any third parties with whom we choose to share personal data are subject to data protection obligations. However, for the avoidance of doubt, this may not apply where the disclosure is not our decision (for example, if we are required to provide personal data as a result of a mandatory request from a public authority).

8.4. The Company takes legal measures to ensure that third parties' access to the personal data of Data Subjects is carried out in accordance with the legal provisions on data protection and confidentiality of information, based on contracts concluded with them. When the Company uses a natural or legal person as an authorized representative for the processing of the personal data of the Data Subjects, the Company will ensure that they have entered into a written agreement with the Company whereby they undertake, among other obligations provided for by personal data protection legislation, the obligations (i) to process personal data only in accordance with the Company's written instructions and (ii) to effectively implement measures to protect the confidentiality and ensure the security of personal data. The Company shall also ensure that the written agreement between the Company and the authorized person provides for at least all other obligations required by applicable legislation on the protection of personal data.

8.5. Our website may contain links to other websites belonging to third parties. We do not control the privacy policies of these websites.

CHAPTER 9. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR AN INTERNATIONAL ORGANIZATION

9.1. In general, the Company processes the personal data of Data Subjects within the EEA and does not transfer or disclose personal data to third parties outside the EEA.

9.2. However, from time to time, in limited circumstances, we may transfer certain personal data about you to entities located outside Romania. These entities may be located in the European Union or outside the Union, including in countries that the European Commission has not recognized as having an adequate level of personal data protection.

9.3. If it is necessary to transfer data to any of the above destinations, the Company will inform the Data Subjects in advance of both the destination of the transfer and the grounds for it and, where appropriate, will obtain the consent of the Data Subjects in this regard.

9.4. The Company will always take steps to ensure that any international transfer of personal data is carefully managed in order to protect the rights and interests of Data Subjects. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, other safeguards, such as the safeguard represented by the adequacy decision issued by the European Commission or the conclusion of standard contractual agreements approved by the European Commission.

CHAPTER 10. STORAGE PERIOD FOR PERSONAL DATA

10.1. The duration of personal data processing will be determined by the following considerations:

(a) the personal data are no longer necessary for the purposes for which they were collected or processed;
(b) the Data Subject withdraws the consent on which the processing is based and there is no other legal ground for the processing; 
(c) the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing or the Data Subject objects to the processing;
(d) the personal data have been unlawfully processed; 
(e) the personal data must be erased for compliance with a legal obligation to which the controller is subject under Union or Member State law to which the controller is subject;

10.2. The company may store personal data for the period determined by law, for evidentiary and archiving purposes, as well as for statistical activities, market research and studies, and customer account management.

10.3. If you have been involved in pre-contractual activities, we retain your data for 5 years from the time of the event, your last interaction with the account, or our last contact with you.

10.4. The data necessary for issuing invoices and those contained in legal documents and related documents (e.g., correspondence, minutes) on which the invoices are based shall be kept for 10 years.

10.5. The data we use for marketing purposes will be processed until you unsubscribe from the newsletter service or exercise your right to object, and in any case no longer than 5 years after our last contact with you.

10.6. If we do not provide you with an exact period for the processing of your personal data, we rely on the following principles: (i) we process the information only as long as we need it for the activities mentioned in this Policy / until the legitimate interest ceases; (ii) we always comply with the deadlines imposed by legal provisions; (iii) we assess the security risks in the context of the use and storage of your data.

10.7. The Data Subject may request the deletion of certain information at any time, and the Company will comply with such requests, subject to the retention of certain information even after that time, in situations where applicable law or the legitimate interests of the Company so require.

CHAPTER 11. CONFIDENTIALITY AND SECURITY OF PERSONAL DATA

11.1. The Company works to protect the Data Subjects whose data it processes and the Company itself from unauthorized access and unauthorized modification, disclosure, or destruction of the processed data.

11.2. In particular, the Company has implemented the following technical and organizational measures to ensure the security of personal data:

Dedicated policies. The company adopts and reviews its practices and policies for processing customer and other personal data, including physical and electronic security measures, to protect its systems from unauthorized access and other potential security threats. The company constantly reviews how it applies its own personal data protection policies and complies with data protection legislation.

Data minimization. The company ensures that the personal data it processes is limited to that which is necessary, appropriate, and relevant for the purposes stated in this Policy.

Restricting access to data. The Company strictly restricts access to the personal data it processes to employees, collaborators, and other persons who need to access it in order to process it for the Company. All these companies and individuals are subject to strict confidentiality obligations, and the Company will not hesitate to hold them accountable and terminate their collaboration if they do not treat data protection with the utmost seriousness.

Specific technical measures. The company purchases and uses technologies that ensure Data Subjects that their data security is protected. The Company takes special measures to protect its systems against unauthorized or accidental access or modification of Data Subjects' data and against other possible threats to their security. All technical equipment used for data processing is secured and updated to protect it.

Ensuring data accuracy. From time to time, the Company may ask Data Subjects to confirm the accuracy and/or currency of the personal data it processes.

Data anonymization. Where possible and appropriate to the Company's activities, the Company anonymizes/pseudonymizes the personal data it processes so that the persons to whom it refers can no longer be identified.

Control of service providers. The Company includes clauses in its contracts with those who process personal data for the Company (authorized persons) or together with the Company (associated operators) clauses to ensure the protection of the data they process and makes efforts to verify the implementation of these provisions by suppliers.

11.3. Although the Company takes all reasonable measures to ensure data security, the Company cannot guarantee the absence of any security breaches or the impossibility of penetrating security systems. In the unlikely event that such a breach occurs, the Company will follow legal procedures to limit the effects and inform the Data Subjects.

11.4. Despite the measures taken to protect personal data, the Company draws attention to the fact that the transmission of information via the Internet in general, or via other public networks, is not completely secure, and there is a risk that data may be viewed and used by unauthorized third parties. The Company cannot be held responsible for such vulnerabilities in systems that are not under the Company's control.

CHAPTER 12. RIGHTS OF VISITORS

12.1. The Company treats the rights that Data Subjects have in relation to the processing that the Company carries out on their data with the utmost seriousness. The Company will continue to take all reasonable measures to ensure that these are respected.

12.2. Essentially, the rights of Data Subjects are as follows:

Right of access to data. Data subjects have the right to obtain access to their data processed by the Company or copies thereof, as well as the right to obtain from the Company information on how it processes such data, including the purposes and duration of the processing, the recipients or categories of recipients to whom the data are disclosed, and the source of the data that the Company did not collect directly from the Data Subjects. If you require additional copies, we may need to charge a reasonable fee based on administrative costs.

Right to rectification of data. Data subjects have the right to obtain the rectification of inaccuracies or the completion of their data that the Company processes. If you have the right to rectification and if we have shared your personal data with others, we will inform them of the rectification if possible. If you ask us, where possible and legal to do so, we will also tell you who we have shared your personal data with, so that you can contact them directly.

Right to erasure of data ("right to be forgotten"). Data subjects have the right to have their data deleted if there is no (longer) a basis for processing it, for example if there is no legal obligation or legitimate interest of the Company to retain it. The Company's responses to requests for deletion are always accompanied by explanations regarding the limits of the possibility of exercising this right, depending on the categories of data processed in relation to the Data Subjects. If you have the right to erasure and we have shared your personal data with others, we will inform them of the erasure where possible. If you ask us, where possible and lawful to do so, we will tell you with whom we have shared your personal data so that you can contact them directly.

Right to restrict data processing. Data subjects have the right to restrict data processing for a period specified by them. You can ask us to "block" or stop processing your personal data in certain circumstances, such as when you contest the accuracy of that personal data or have objected to it. If you have the right to restriction and we have shared your personal data with others, we will inform them of the restriction where we are able to do so. If you ask us, where possible and legal to do so, we will also tell you with whom we have shared your personal data so that you can contact them directly.

Right to data portability. Data Subjects have the right to receive directly or obtain the transfer to another controller of their data that they have provided to the Company directly and that is processed by automated means. Please note that this right applies only to automated information, for which you initially gave us consent to use, or where we used the information to enter into a contract with you.

Right to object. Data subjects have the right to object to the processing of data that the Company processes in relation to them on the basis of the Company's legitimate interest.

The right not to be subject to automated individual decision-making, including profiling, without your consent.

Withdrawal of consent. In situations where the Company processes the data of Data Subjects on the basis of their consent, Data Subjects have the right to withdraw their consent at any time, at least as easily as it was initially given; the withdrawal of consent shall not affect the lawfulness of data processing that took place prior to the withdrawal.

Right to lodge a complaint with the supervisory authority. Data subjects have the right to lodge a complaint with the supervisory authority for personal data processing regarding the processing of their data by the Company. In Romania, the contact details of the supervisory authority for data protection are as follows: National Supervisory Authority for Personal Data Processing, B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, postal code 010336, Bucharest, Tel.: +40.318.059.211 or +40.318.059.212; Email: anspdcp@dataprotection.ro.

12.3. To exercise or find out more about any of these rights, Data Subjects may send a request by email to gdpr@maristar.ro or by post/courier to Mun.Bucuresti, Sector 1, Sos. Nordului, nr.62 P, et.2, sector 1, Bucharest, specifying that we may ask you for specific information to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to anyone who is not entitled to receive it. We may also contact you to request additional information regarding your request in order to expedite our response.

12.4. The company aims to respond to any valid requests within a maximum of 20 days, unless this is particularly complicated or you have made multiple requests, in which case it will respond within a maximum of 30 days. We will let you know if we need more than 30 days. We may ask you to tell us exactly what you want to receive or what your concerns are. This will help us act more quickly and shorten the response time to your request.

12.5. In the context of events organized by or in connection with our company, photos/videos may be taken to help us promote our brand and services. It is not our intention to take images that highlight a specific person; our goal is only to make details about our company known to the public. However, if you are identifiable in the photo/video material we distribute, you have the right to object to the processing for reasons related to your particular situation. In any case, in accordance with your right to privacy, we will notify you in advance that images are going to be taken before any photo or video session.

CHAPTER 13. CHANGES TO THE PRIVACY POLICY

13.1. We reserve the right to update or modify our Privacy and Cookie Policy at any time, and you should check this Privacy and Cookie Policy periodically.

13.2. Your continued use of the service after we post any changes to the Privacy and Cookie Policy on this page will constitute your acknowledgment of the changes and your consent to abide and be bound by the revised privacy policy.

13.3. If we make significant changes to this privacy and cookie policy, we will notify you either via the email address you have provided us with or by placing a notice on our website.

CHAPTER 14. SECURITY - DISCLAIMER

The security of your personal data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. Although we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. We constantly strive to provide the most appropriate level of protection for your personal data and, to this end, we have implemented appropriate technical and organizational security measures. We are constantly working to improve our security measures.