Processing of Personal Data


1. Who are we?

For CRIS-TIM FAMILY HOLDING S.R.L. (further refered to as „Cristim”, The Controller” or „The Data Controller”), the confidentiality of your personal data is of utmost importance. In order to accomplish this purpose, we have developed this commitment by which we undertake to respect the confidentiality of your personal data and through which we explain what categories of personal data the Controller collects, how those data are used, and the purpose for which they are subject to processing operations.

This Policy refers only to your personal data that we process through our website We want to assure you that we have taken all the necessary measures to ensure the confidentiality of your data, these being processed only by the staff of the Controller, trained in the processing of personal data and authorized for this purpose.

In order to “know” us virtually, we provide you with our identification data.

The Controller that processes your personal data when you browse the online platform is CRIS-TIM FAMILY HOLDING S.R.L., based in Filipeştii de Pădure village, Filipeştii de Pădure commune, 661 Gării Street, Prahova County, having the Unique Registration Code 13533870, registered at the Trade Register under no. J29/991/2000.

For any questions/concerns regarding the protection of personal data, you are invited to send a request to the address indicated above or to the e-mail address, having written on the envelope, respectively in the subject of the e-mail mentions of “Personal data protection” or “GDPR”.

2. Definitions

  • Personal data” means, within the meaning of applicable national and international law, any information relating to an identified or identifiable natural person. An identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

! For the purposes of this policy, the personal data that will be processed may refer to: name, surname, telephone number, e-mail address, as well as any other information that you provide to us by filling in the available forms. on the website.

  • Processing of personal data” means any operation or set of operations performed on personal data, by automatic or non-automatic means, such as collecting, recording, organizing, storing, adapting or modifying, extracting, consulting, using, disclosure to third parties by transmission, dissemination or otherwise, joining or combining, blocking, deleting or destroying.

! For the purposes of this policy, data processing refers to those processing performed at the time of your browsing on the website, filling in the forms available on the site or subscribing to our newsletter.

  • Controller” means the person who, alone or together with others, establishes the purposes and means of processing personal data. For the sake of clarity, for the purposes of this Privacy Policy, the Controller is represented by Cristim.
  • Data subject” represents the person whose personal data are processed. In the context of this Policy, the data subject is the user/ visitor of the site
  • Consent” of the data subject means any manifestation of free will, specific, informed and unambiguous of the data subject by which he accepts, by a statement or by an unequivocal action, that the personal data concerning him to be processed.

! Regarding the consent, as a legal basis based on which Cristim may process personal data belonging to the data subject who browses its website, it will be granted, respectively requested in the context of the user’s subscription to the newsletter, following that the data processing that exceeds the subscriptions to be made on the basis of the grounds specified below.

  • Third party” means the natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process personal data.
  • Processor” means the person who processes personal data on behalf of the controller.
  • Recipient” means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities to which personal data may be communicated in the course of a particular investigation in accordance with Union or national law shall not be considered as recipients. The processing of such data by the respective public authorities shall comply with the applicable rules on data protection, in accordance with the purposes of the processing.

3. What types of personal data do we process?

Your browsing on the website and the interaction with it involves the processing of two categories of personal data, namely:

  1. personal data that you disclose to the Controller voluntarily (eg. through the contact form, the recruitment form, the complaints form or by subscribing to the newsletter), these being collected individually;
  2. data that you provide unintentionally, by simply browsing our website.

The Controller may collect, based on the voluntary provision of the data subject, the following personal data: name and surname (for identification), telephone number (for communication), e-mail address (for communication), data contained in the CV for recruitment) and any other personal and special data that the user may make available to Cristim through the forms available on the website.

  • Through the contact form on the site, the Controller will process the following personal data: name and surname, telephone number, e-mail address, county, as well as any other information that you provide by filling in the “Message” box.
  • Completing the complaint and notification form involves processing the following categories of data: name and surname, e-mail address, telephone number, as well as any other data that you provide to the Controller by filling in the “Message” field or by uploading video / image files.
  • Through the recruitment form, the Collector can process the following categories of personal data: name and surname, e-mail address, telephone number, county, as well as the data contained in the CV uploaded by the candidate who wishes to fill a position within Cristim, but also the data provided by completing the “Message” section.
  • Last but not least, by subscribing to the user’s newsletter, Cristim will be able to process a series of personal data such as: name and surname, e-mail address. The subscription to the newsletter is made only on the basis of obtaining the prior consent of the data subject for the processing of data for this purpose.

The user is properly informed about the processing of his personal data when he makes his data available to the Controller through the forms on the website, respectively in the context of subscribing to the newsletter, thus the latter fulfilling its legal obligation to inform data subjects about the processing of data.

The Controller also processes marketing and communication data, based on user consent, but also technical data and related to browsing actions through cookies and similar technologies. For more information about the cookies used on our website, you can access our cookie policy here.

The Controller manages, besides the online platform, the Facebook page @ Cris-Tim, associated with the site, but also the Instagram page

Through the social media pages mentioned above, the Controller can process a series of personal data such as: name/ nickname – the name of the social media user profile, if it is not public, data transmitted through messenger/ message functions, such as and any other information made public voluntarily by the persons concerned through these networks, by the transmission of text, image, audio, video files etc.

In the context of processing this data, the Controller is strictly limited to the expectations of the users of these media channels and does not use the data thus collected for purposes other than statistics or maintaining contact with users (profile/ page views, likes, follow, story views/ messages etc.).

Apart from the data collected through the forms available on the site, the Controller may also process other data of the data subjects in his legitimate interest, within the telephone calls made by Cristim staff, including but not limited to the address of residence/ domicile (for example for delivery of the prizes won after participating in the campaigns organized by the Controller) etc., but also in the context in which it is necessary to make available to the Controller other documents/ files, which can be sent via e-mail / by mail. In general, such processing is performed outside the online platform, which is why specific processing rules will be applied to them, which will not be detailed in this Policy.

Regarding the site, the categories of data processed through it are limited to those listed above. In the event that you send us other data that is not necessary to solve and honor your requests, we reserve the right to remove them from our databases.

The controller may inadvertently collect other personal data that belong to you, namely: IP address, browser version, time zone and location setting, operating system, devices used to access our sites etc. This information will not be used to identify individuals and will not be made public otherwise than under the terms of the Privacy Policy, supplemented by the Cookies Policy.

The controller reserves the right to request additional information, accompanied by supporting documents, by e-mail, printed or in any other way deemed appropriate for it, if applicable.

Your personal data may be communicated by Cristim, for processing, to data controllers or processors, including service providers, business partners, institutions, authorities, competent bodies and institutions or courts, at their request, but also to entities in Controller group.

Cristim may store your personal data even after the registration of a request to delete this data, if the storage is done for one of the following purposes, provided by art. 13 of the GDPR:

  1. fulfillment of a legal obligation that provides for processing under European Union law or domestic law applicable to the controller;
  2. exercising the right to free expression and information;
  3. protecting the vital interests of the data subjects;
  4. fulfilling a task that serves the public interest;
  5. archiving in the public interest, scientific or historical research or for statistical purposes;
  6. the protection of the legitimate interests of the Controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject prevail, which require the protection of personal data, especially when the data subject is a child;
  7. for stating, exercising or defending a right in court.

4. For what purpose do we process personal data?

The controller processes your personal data for the following purposes and having the following legal grounds:

  1. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 paragraph (1) letter b) of Regulation (EU) no. 679/2016 of the European Parliament and of the Council of April 27, 2016, specifically, for the purpose of recruiting staff for a position within Cristim and for concluding an individual employment contract between the data subject and the Controller, as employer;
  2. the data subject has given consent to the processing of his or her personal data (Article 6 paragraph (1) letter a) of Regulation (EU) no. 679/2016 of the European Parliament and of the Council of April 27, 2016, in case of transmission of marketing communications;
  3. Processing is necessary for the purposes of the legitimate interest pursued by the Controller (Article 6 paragraph (1) letter f) of Regulation (EU) no. 679/2016 of the European Parliament and of the Council of April 27, 2016, for solving problems of any kind regarding the content of the site and for the actions that involve the interaction with the online platform, but also in order to solve the requests and complaints of the users related to Cristim products and services.

Your personal data will be processed by the Controller for the following purposes:

  1. solving the notifications and complaints submitted to the Controller;
  2. providing answers and additional information regarding Cristim offers and products;
  3. delivery/ replacement of products for which customers have expressed dissatisfaction;
  4. registration of the application for employment within the Controller;
  5. registration in promotions/ contests/ campaigns;
  6. designating and informing the winning participants within the campaigns and contests organized by Cristim;
  7. improving the services provided on the platform;
  8. the transmission of the prizes won as a result of participating in the Controller’s campaigns and the organization of the payment of the taxes related to them, if applicable;
  9. making statistical reports, in legitimate interest;
  10. transmission of marketing communications (newsletters regarding the Controller’s offers and products) based on free, specific, informed, unequivocal and explicit consent given by the user;
  11. the transmission of requested information, at the request of the competent authorities, in order to fulfill the legal obligations incumbent on the controllers;
  12. archiving information in order to demonstrate the processing of data exclusively for the above-mentioned purposes;
  13. protection of the controller’s rights.

5. Duration of personal data processing

The personal data processed at the level of the Controller through the website are retained for a reasonable period of time in relation to the purpose of data processing so as not to exceed the period necessary for their processing, depending on the type of data thus processed.

The usual data processing for which there is no retention period imposed by law will be related to the general limitation period of 3 years as the maximum duration of storage in the databases belonging to the Controller.

Regarding the processing based on consent, the data will be retained until the moment of withdrawal of consent, but their duration of retention will not exceed the general limitation period indicated above.

6. Transfer of personal data

Your data is processed throughout the European Union, through secure internal servers.

Cristim undertakes that the data collected by it will be processed only in accordance with the stated purposes and not to make it public, to sell, rent, license, transfer etc. unauthorized database containing information regarding the data of the persons concerned to any third party not involved in the fulfillment of the declared purposes, except for the situation in which the transfer/ access/ view etc.  is requested by the competent bodies, in the cases provided by the regulations in force at the date of the event.

It is possible that your data may be disclosed to the entities in the Controller group, together with which Cristim processes the data as an joint controller, to the service providers of the joint Controllers (marketing, courier, payment/ banking services, telemarketing or other services), including entities that assist the Controller in data processing as proxies, insurers, public authorities (lawyers, Prosecutor’s Office, Police, courts and other competent state bodies), based on and within the limits of legal provisions and as a result of express requests formulated in this sense. This data will be transferred only on the basis of a confidentiality commitment from the above-mentioned recipients, by which they guarantee that the data is kept secure and that the provision of this personal information is made in accordance with the legislation in force.

These entities are carefully selected to ensure that they meet the specific requirements for the protection of personal data. They have a limited ability to use your information for other purposes than providing us with services.

In addition to the disclosures described in this Privacy Policy, we may disclose information to third parties to whom you consent or request that such disclosures be made.

7. Special provisions for minors

Cristim pays special attention to the data of minors that may be provided by them in the context of interaction with the website, to ensure that any processing of personal data of minors is done only in accordance with legal requirements and in strictly determined cases.

Thus, the Controller does not carry out promotional and marketing activities directly against minors. However, if a minor contacts the Controller through the means provided by him (by phone, via e-mail, through the website etc.), it will be considered that the minor has done so with the consent of his legal representative.

Minors who have not reached the age of 14 are not allowed to request services or participate in contests or campaigns organized by the Controller, unless these operations are performed on behalf of the minor by the legal representative or guardian, according to law.

In this sense, any person who provides Cristim with personal data through the site or other applications or devices covered by this Policy guarantees that he is of age, respectively that he has full capacity to exercise.

Any processing of personal data belonging to minors will be carried out only in accordance with the law and taking into account the above provisions.

8. Links, hyperlinks, third party websites

The site may contain links to third party sites that may collect, in turn, your personal data, including through cookies or other similar technologies. In case of connection to a third party website, the Controller’s privacy policy will not be applicable in case of your browsing on that site.

9. What are your rights as a data subject?

Any natural person who browses our site, as a data subject, has the following rights in relation to Cristim, as a Personal Data Controller:

  • Right of access means the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the respective data and to information regarding the way in which the data are processed.
  • Right to rectification refers to the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her, having the right to have incomplete personal data completed. These can be modified by sending an e-mail to:
  • Right to erasure (‘right to be forgotten’) of data from the database means he right of the data subject to request that his / her personal data be deleted, without undue delay, if one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing,  the data subject objects to the processing and there are no overriding legitimate grounds for the processing, the personal data have been unlawfully processed, the personal data have to be erased for compliance with a legal obligation, the personal data have been collected in relation to the offer of information society services.
  • Right to restriction of processing may be exercised if the data subject requests the limitation of the processing of his / her personal data, in which case they will be used strictly for the exercise of the other legal rights of the data subject, including to respond to any requests / complaints from him / her.
  • Right to data portability refers to the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract. The processing is carried out by automated means, if this is technically feasible.
  • Right to object concerns the right of the data subject to oppose the processing of personal data when the processing is necessary for the performance of a task that serves a public interest or when it has in view a legitimate interest of Cristim.
  • Right to object to automated individual decision-making, including profiling refers to the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. However, the exercise of this right shall not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, if the decision is authorized by the law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests or if the decision is based on the data subject’s explicit consent obtained in compliance with the legislation in force.
  • The right to address the National Authority for the Supervision of Personal Data Processing. If the data subject considers that the rights provided above have been violated, he / she has the possibility to address ANSPDCP by filing a complaint.

The contact details of ANSPDCP are the following: Bucharest, B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336; Phone: + 40.318.059.211 / + 40.318.059.212; Fax: +40.318.059.602; E-mail:; Website:

In order to exercise the rights provided above, the data subject will address the Controller by sending a request to the postal address: Sat Filipeştii de Pădure, Comuna Filipeştii de Pădure, Str. GĂRII, Nr. 661, Județ Prahova or via e-mail:

10. Final provisions

If the Controller considers that a change in the privacy rules is necessary, it will publish those changes in order to inform the data subjects about the information they collect and how they use it.

The provisions of the Privacy Policy are supplemented by the provisions of the Cookies Policy, available on the website