According to the requirements of the Law no. 129 of 15 June 2018 for the modification and completion of the Law no. 102/2005 on the establishment, organization and functioning of the National Authority for the Supervision of Personal Data Processing, as well as for the repeal of the Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data, SC Romleas SRL is obliged to manage the personal data you provide to us safely and only for the specified purposes.
The purpose of data collection is: to provide services and products according to the current offer, as well as to register web domains on behalf of and according to customers’ orders.
These data are necessary to identify the recipient of the services or products provided, or to register domains on your behalf (as a customer).
Your refusal makes it impossible to provide the service or product, or to register the domains ordered. The registered information is intended for use by the operator and, where applicable, is communicated only to the following recipients: national/European/global web domain registration/administration authorities or their partners (ROTLD, EURid, Directi).
Any person has the right to object, free of charge and without any justification, to the processing of his/her personal data for direct marketing purposes.
According to Law no. 677/2001, you have the right of access, the right to intervene on data, the right not to be subject to an individual decision and the right to take legal action. You also have the right to object to the processing of your personal data and to request the deletion of your data. To exercise these rights, you can send a request to info@funnyhost.ro.
You also have the right to take legal action.
GDPR rules
On 25 May 2018, the European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data became applicable.
Its main purpose is to increase the level of protection of personal data and to create a climate of trust that allows each person to control their own data.
Through this document, the Policy on the Protection of Personal Data, we inform you how we protect your personal data and how we comply with the provisions of the Regulation.
Who is Romleas SRL?
Romleas SRL is a Romanian legal entity, established and operating under Romanian law. Romleas SRL has its registered office and place of activity at B-dul Stefan cel Mare 126 B, Oradea, Bihor, Romania, is registered at the National Office of the Trade Register under number J05/766/1994, and has unique registration number 5277445 and fiscal attribute RO.
How can you contact us?
For any complaint regarding the personal data processed by Romleas SRL you can contact us in writing, at the address of the registered office, by phone at +4 0756 439 365, by email at info@funnyhost.ro or through the ticketing system accessible from the customer account.
What are personal data and what personal data does Romleas SRL process?
Personal data is information relating to a natural person who can be identified, directly or indirectly.
Romleas SRL processes the following categories of data:
– Identification data: name, surname, CNP, mailing address, e-mail, telephone (landline, mobile, fax), online identifier (IP address);
– Bank information: bank and branch, IBAN code.
The principle on the basis of which we collect and process this data is that we will only request the minimum personal data necessary to provide the contract and fulfil legal obligations.
What does it mean that Romleas SRL processes personal data?
Processing means operations such as: collecting, recording, organizing, storing, modifying, retrieving, consulting, using, transmitting, combining, blocking, restricting, deleting, destroying, archiving personal data.
Who owns the personal data that Romleas SRL processes?
Romleas SRL processes personal data relating to customers.
In the case of corporate clients, Romleas SRL processes the personal data of the client’s contact persons.
The natural persons whose personal data are processed are called “Data Subjects”.
Where does Romleas SRL obtain personal data?
In the case of individual clients, the data is obtained directly from the client.
In the case of corporate clients, the data are obtained from the client’s representatives.
Romleas SRL does not obtain/collect personal data from third parties.
For what purposes does Romleas SRL process personal data?
The purposes for which Romleas SRL processes personal data are:
– providing hosting and related services
– registration and administration of internet domains
– registration of SSL certificates
– contacting the customer/other data subject via communication means for the purpose of solving technical support requests
– invoicing of services provided
– customer account management
On what grounds does Romleas SRL process personal data?
Romleas SRL processes your personal data for the purposes mentioned above on the following grounds:
– for the performance of the contract to which the customer/data subject is a party. The contract can be in written form as well as online, signed by the client by accepting the Terms and Conditions of service provision.
– consent
– legitimate interest
To whom do we transmit your personal data?
For the vast majority of services provided by Romleas SRL, personal data are not transmitted to third parties.
In the case of Internet domain registration and maintenance services, we transmit personal data to authorized domain registrars.
For payment services we will transmit the necessary personal data to authorized payment processors.
Reseller services:
We ensure the protection of personal data submitted by our resellers in order to provide domain registration services, web hosting, SSL certificates, payment intermediation, etc. according to this document.
In the case of SSL certificate issuance services, we will transmit personal data to providers authorized to issue these types of services.
How long does Romleas SRL process personal data?
In order to achieve the above-mentioned purposes, personal data will be processed by Romleas SRL throughout the contractual relationship and after its completion in order to comply with the applicable legal obligations in the field, including, but not limited to, the provisions on archiving.
What are your rights and how can they be exercised?
The data subject has the following rights:
– Right to information – the right to receive detailed information on the processing activities carried out by Romleas SRL, as provided for in this document;
– Right of access – may request and obtain confirmation as to whether or not his/her personal data are processed by Romleas SRL, and if so, may request access to them, as well as certain information. Upon request, Romleas SRL will issue a copy of the personal data processed free of charge;
– The right to rectification – the right to have inaccurate personal data rectified and incomplete data completed;
– Right to erasure of data (“right to be forgotten”) – in situations expressly regulated by law (in particular in case of withdrawal of consent or if it is found that the processing of personal data was not lawful), you can obtain the erasure of such data. Following such a request, Romleas SRL will proceed to erase the data, except in cases provided for by law.
– Right to restriction of processing – in situations expressly regulated by law (in particular if the data are contested as inaccurate, for the time necessary to determine this inaccuracy, or if the processing is unlawful and erasure of the data is not desired, only restriction), the restriction of processing may be obtained;
– The right to object – may object at any time, for reasons related to the particular situation in which he/she finds him/herself, to processing based on the legitimate interest of Romleas SRL.
– Right to data portability – may receive personal data in a structured, machine-readable format or request that such data be transmitted to another controller.
– The right to lodge a complaint – may lodge a complaint against the processing of personal data by Romleas SRL to the National Supervisory Authority for Personal Data Processing;
– Right to withdraw consent – in cases where the processing is based on consent, consent may be withdrawn at any time.
– Additional rights related to automated decisions used in the process of providing Romleas SRL services
– Where Romleas SRL makes automated decisions in relation to personal data, the data subject may: (a) request and obtain human intervention in relation to the processing; (b) express his or her point of view on the processing; (c) challenge the decision.
The client may exercise these rights, either individually or cumulatively, by sending a written request, dated and signed, to the Romleas SRL headquarters, B-dul Stefan cel Mare 126 B, Oradea, Bihor, Romania or by E-mail: info@funnyhost.ro.
Automated decision-making processes
Romleas SRL does NOT use automated decision-making processes and does NOT create profiles exclusively by automated means that would result in decisions being made about the customer.
How do we apply GDPR to minors?
Romleas SRL does not provide services to minors under the age of 16 and does not collect personal data on minors.
Recording of telephone calls
With the consent of the Client/data subject expressed before each telephone call, Romleas SRL may record and store telephone calls to/from the Romleas SRL call center. Romleas SRL will use this information exclusively for the purpose of investigating certain situations, to prove certain operations/instructions/agreements given by the Client/other data subject, to use it as evidence in court in case of a dispute, as well as to improve its services.
Video monitoring
In order to ensure a high level of security appropriate to the data centre activity, the server room operated by Romleas SRL is video monitored. In this location there are appropriate markings with specific video recording symbols, followed by the message “Video monitored area”.
How do we protect personal data?
For the security of personal data, Romleas SRL has implemented a series of security measures that are in line with industry standards.
Information security and privacy statement of Romleas SRL
1. General note
Romleas SRL is committed to protecting the security and privacy of all customer and employee data.
Our information security and protection program is based on the ISO 27001 standard on information security and ISO 29100 and follows a risk-based approach encompassing people, processes and technologies. The Information Security (IS) team within Romleas SRL is dedicated to data protection and reports directly to the management.
2. Information security measures for the protection of personal data
Information Security Policies – set of rules for information security, approved by the company management, published and communicated to employees and relevant external parties.
Review of information security rules – to ensure effectiveness and continued appropriateness, we review our information security rules at planned intervals or when significant changes occur.
Information security roles and responsibilities – we establish and assign specific information security responsibilities to all employees and external collaborators.
Segregation of duties – we separate areas of responsibility to reduce the chances of unauthorised or unintended disclosure, modification or use of organisational assets.
Information security in project management – we address information security in project management, regardless of the type of project.
Mobile device rules – we use rules and security measures to address risks related to the use of mobile devices. We use security rules and measures to protect information accessed, processed or stored on mobile devices.
Security management during employment – we conduct checks on all applicants for available jobs in accordance with relevant laws, regulations and ethics commensurate with business requirements, classification of information to be accessed and perceived risks. The contractual agreement between us and our employees specifies responsibilities of both parties regarding information security. Information security responsibilities and duties that remain valid after termination of employment or change of employment within the organization are defined, communicated to the employee or external contractor and are enforceable.
Management responsibilities – the management of the company requires that all employees and contractors comply with information security in accordance with the rules and procedures established by the organisation.
Information security awareness, education and training – all employees of the organisation are continuously made aware of organisational rules and procedures relevant to their job function.
Management and disposal of removable media – we use procedures that implement the management of removable media devices. When no longer required, removable media devices are destroyed, ensuring that data can no longer be read.
Transfer of physical materials – materials containing information are protected against unauthorised access, misuse or unauthorised use and corruption during transport.
Access control and management – we use an access control policy that is reviewed based on business and information security requirements. Users are only given access to the networks/network services they have been authorised to use.
Management and use of user authentication passwords – we use a process to control the allocation of authentication information. Users follow best practices in the use of secret authentication information. We use the password management system to ensure quality passwords.
Information access restriction – access to application information and functions is restricted in accordance with access control rules.
Secure login – access to systems and applications is controlled through a secure authentication process.
Physical location and protection of equipment – IT&C equipment is located and protected to reduce risks from environmental threats and hazards and the possibility of unauthorised access.
Utilities and cable security – equipment is protected from power failures and other interruptions caused by utility support failures. Power and telecommunications cables carrying data are protected from interception, interference or damage.
Equipment maintenance – equipment is continuously and properly maintained to ensure its availability and integrity.
Secure verification and reuse of equipment – multiple data overwrites and low level formatting of storage media are provided to ensure that sensitive information and licensed software is securely removed or overwritten prior to disposal or reuse of equipment.
Clear desk / clear screen – we have adopted clear rules for documents and removable storage media and a clear screen rule for information processing facilities.
Documented operating procedures – we have defined operating procedures and made them available to all users who need them.
Separation of development, testing and operational environments – we use separate environments for development, testing and operation to reduce the risk of unauthorized access or changes to the operational environment.
Controls against malware – we implement detection, prevention and recovery controls to ensure protection against malware and combine these controls with appropriate user awareness.
Backups – we regularly back up information and systems. The number of backups is correlated to the potential risks of the information and systems backed up.
Event logging and log file protection – we regularly produce, store and review event logs that record user activities, exceptions, faults and information security events. Log files are protected.
Installation of software on operating systems – we have established rules governing the installation of software on operating systems, in particular installation by users.
Vulnerability management – technical vulnerabilities are managed by mitigating them in a timely manner, assessing the organisation’s exposure and taking appropriate measures that address the associated risk.
Restrictions on changes to software packages – we use rules on software modification, limiting this action to necessary changes.
Addressing security in supplier agreements – we review, document and agree information security requirements with our suppliers to reduce the risks associated with supplier access to the organisation’s assets.
Reporting information security events and incidents – when information security events are noted, they are reported through the appropriate management channels in a timely manner. Employees and contractors note and report any observed or suspected weaknesses in systems or services.
We assess and classify information security events we encounter accordingly. We respond in a timely manner and in accordance with our internal procedures to information security incidents. We use the knowledge we gain when analysing and resolving information security incidents to reduce the likelihood or impact of future incidents. We have a process for identifying, collecting, acquiring and retaining information that can serve as evidence.
Intellectual property rights – we implement appropriate procedures to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
Technical compliance review – IT systems are regularly reviewed to comply with the organisation’s security rules and standards.
3. Confidentiality measures to protect personal data
Purpose identification and documentation – we identify and document the specific purposes for which personal data are processed.
Identify the legal basis – we determine, document and comply with the legal basis for processing personal data for the identified purposes.
Determining when and how consent is obtained – we determine and document a process for demonstrating when and how consent is obtained from data subjects.
Obtaining and recording consent – we obtain and record the consent of data subjects according to documented requirements.
Records relating to the processing of personal data – we determine and maintain the records necessary to demonstrate compliance with our obligations relating to the processing of personal data.
Rights of the owners of personal data – we ensure that the rights of data subjects in relation to the processing of personal data are respected and provide the necessary means for them to exercise their rights.
Provision of information to individuals – we provide data subjects with clear and easily accessible information relating to the personal data processed.
Providing a mechanism to change or withdraw consent – we provide mechanisms for data subjects to change or withdraw their consent.
Provide a mechanism to object to processing – we provide a mechanism for data subjects to object to the processing of their personal data.
Awareness of the rights exercised by the owners of personal data – we take steps to inform third parties to whom we have disclosed personal data of any modification, withdrawal or objection resulting from the exercise of data subjects’ rights.
Correction or erasure – we implement a mechanism to facilitate the exercise of data subjects’ rights of access, correction and erasure of personal data.
Provision of copy of personal data processed – we are able to provide a copy of the personal data that are processed, in accordance with the retention and erasure rules, upon request of the data subject.
Management of requests – we have the means to deal with legitimate requests from data subjects.
Automated decision making – we identify and resolve any obligations, including legal obligations, to data subjects resulting from decisions based solely on automated processing of personal data.
Limiting collection and processing – we limit the collection of personal data to the minimum that is relevant, proportionate and necessary for the identified purposes. We limit the processing of personal data to what is appropriate, relevant and necessary for the purposes identified.
Compliance with the objectives of minimisation and anonymisation of personal data – we identify and document the mechanism by which personal data are processed in a timely manner so that the extent to which personal data can identify or be associated with data subjects meets the objectives of minimisation and anonymisation of personal data.
Deactivation and erasure of personal data – we either erase personal data or transform it into a form that does not allow identification of data subjects, as soon as the original personal data are no longer necessary for the identified purpose.
Temporary files – we ensure that temporary files and documents created as a result of processing personal data are deleted.
Retention – we do not keep personal data longer than necessary for the purpose for which the data is processed.
Collection procedures – we ensure that personal data is accurate, complete and up to date as necessary for the purposes for which it is to be processed, throughout the life cycle of the personal data.
Identify the basis for the transfer of personal data – we identify and document the relevant basis for the transfer of personal data.
Countries and organisations to which personal data may be transferred – we specify and document the countries and international organisations to which personal data may be transferred.
Records of personal data transfers – we record transfers of personal data to or from third parties and ensure cooperation with those parties to support the exercise of future access rights to data subjects.
Records of disclosures of personal data to third parties – we record disclosures of personal data to third parties, including what personal data has been disclosed, to whom and when.
Electronic communications
Romleas will process personal data for the purpose of informing its customers and partners of changes or notifications necessary to carry out contracted services.
These emails will not fall under the concept of Email Marketing because they are absolutely necessary for a smooth running of the contract.
The client may ask Romleas not to send these emails, accepting the consequences arising from this.
Email Marketing
Romleas offers its customers the possibility to choose both at the account registration and later, in the customer account, if they agree to receive informative emails about Romleas products and services.
We will not use or provide our customers’ personal data to any other provider or other entity except with the consent of each individual customer and for specific purposes or to the bodies authorized to request such data by law.
We will not use personal data to send advertising emails for another company. We will strictly limit ourselves to the products and services in the Romleas portfolio.
Romleas will not provide personal data to any entity outside the EU unless that entity is a Romleas partner, supplier or subcontractor. Romleas will ensure that the partner complies with at least one of the GDPR rules in this regard.
Romleas is obliged to apply the same protection and security measures to the personal data provided by the reseller as it does to the personal data of its direct customers. All personal data received by Romleas will be processed in accordance with the provisions of this document.
Instructions for DATA PROCESSING
Romleas undertakes the following:
– will process personal data in accordance with this document
– will process personal data in good faith, in accordance with applicable regulations and in a transparent manner
– will collect personal data for accurate, legitimate and lawful purposes
– will collect personal data in a non-excessive way, strictly necessary for the provision of services
– will collect personal data as accurately and as up-to-date as possible
– will receive and transmit personal data in an exclusively secure manner
– will take the necessary steps to verify and complete inaccurate or incorrect data
– will take measures against accidental or unlawful use, processing, loss or disclosure of personal data
– will take measures to ensure the protection of personal data by employees by introducing access control through cards, encrypted keys, authentication passwords, etc.
Technical and organisational measures:
– definition of security zones
– restricting access routes
– establishing access procedures for employees and third parties
– access control systems (magnetic cards, encrypted keys, etc.)
– locking doors, electric openers, etc.
– video surveillance of access areas
– securing personal access devices used by employees
Virtual Access:
– user identification, authorisation and authentication procedures
– password security (minimum length, special characters, two-step authentication, etc.)
– automatic access restriction for incorrect authentication data
Access to Personal Data
Romleas is obliged to take the following measures to control and ensure that personal data is used by authorized persons:
– internal access and processing procedures
– differentiated access by departments, persons, levels, etc.
– supervision and verification of access
– issuing access reports
Transmission of Personal Data
Romleas will ensure that personal data sent to authorized partners are transmitted in a secure manner so as to prevent unauthorized, accidental or unlawful disclosure.
Secure storage of Personal Data
Romleas undertakes to take the following measures for the secure storage of personal data:
– ensuring a backup procedure for data
– ensuring the mirroring of hard disks by RAID write system
– ensuring continuous power supply through redundant power supplies and backup power sources (electric generator)
– remote archiving and storage
– firewall and antivirus protection
– reconstruction plans and business continuity plan in case of force majeure and disaster
Separation of processing types
Romleas ensures through its systems architecture a clear separation of personal data managed according to specific usage purposes. Production and testing environments, differentiated staff access and internal regulations are some of the organisational measures implemented by Romleas to separate the processing of personal data.
Staff Training:
Romleas provides regular and compliant training to staff who have access to personal data or who ensure access protection and supervision.
Romleas ensures that staff are instructed on the purposes of data processing and on the separation of data processing, each according to the strict purpose for which the data were requested.
Romleas ensures through regular checks and through confidentiality acts, clauses and agreements that the staff employed is aware of and fully complies with the personal data protection rules as defined and presented in this document.
Server Security
Romleas uses three levels of access control on its servers on which it provides services and stores personal data.
– Access by Linux encrypted key
– Access via Linux secret port
– Access from strictly defined static IPs
Administration-level access on Linux servers is performed only by authorized and trained personnel, in accordance with the requirements of administration of Linux-type information systems.
Servers are protected by responsibly configured antivirus and firewall.
Personal Data Storage Location
Customers’ personal data is securely stored on our servers in Europe. Some specific personal data, such as email, phone, first and last name, will also be stored with international partners when using international domain services (.eu, .com, .net, etc). Personal data specific to .ro domains will also be stored by the official partner ICI Rotld. Access data such as email will also be stored on servers in Europe.
CUSTOMER responsibility
Romleas informs its customers that they are fully responsible for the management of personal data collected from them through their websites.
According to the technical specifications and the software used by Romleas, access between accounts is not possible on the Linux systems running our services.
The software and scripts used by customers for the construction and running of their own sites are the sole responsibility of the customer.
The security of the account, its protection, and the retention and saving of access data are also the responsibility of the customer. The customer is responsible for the maintenance and updating of the scripts used. The configuration of FTP, SSH, email and similar services is a complex action that also involves the responsibilities of the customer who owns the account.