Ensuring your right to personal data protection is a fundamental eMAG commitment, therefore we will dedicate all necessary resources and efforts to process your data in full compliance with Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), as well as any other applicable legislation in Romania. As one of the key principles of this legal framework is transparency, we have prepared this document informing you about how we collect, use, transfer and protect your personal data when you interact with us in relation to our products and services, including through our website or mobile apps.
Who we are and how to contact us
eMAG is the trading name of DANTE INTERNAȚIONAL S.A., a legal entity of Romanian nationality, having its registered office in Bucharest, Șoseaua Virtuții no. 148, sector 6, with number J40/372/23.01.2002 in the Trade Register, unique tax registration code RO14399840 (hereinafter “eMAG” or “we” or “us”). For the purposes of data protection legislation, we are a data controller (the entity that determines the purposes and means of processing personal data) when we process your data in your capacity as a data subject (identified or identifiable natural person to whom the data relates).
What qualifies as personal data and what categories of personal data we process
Personal data is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In general, we collect your personal data directly from you, so you have control over the type of information you provide to us. By way of example, we receive information from you as follows:
When you want to join our projects, you provide us with: email address, first and last name, phone number;
When you communicate with us by phone, e-mail or otherwise.
We may also collect and further process certain information about your behaviour while visiting our website in order to personalise your online experience and provide you with offers tailored to your profile. You are invited to learn more about this by consulting the section on processing purposes below.
We do not collect or otherwise process sensitive data, which is included by the General Data Protection Regulation in special categories of personal data. We also do not seek to collect or process data from minors who have not reached the age of 16.
What are the purposes and grounds for processing
We will use your personal data for the following purposes:
- For the provision of eMAG services for your benefit
- To improve our services
We always strive to provide you with the best online experience. To do this, we may collect and use certain information about your user behaviour, invite you to complete satisfaction surveys, directly or with the help of partners, market research and studies.
We base these activities on our legitimate interest, always taking care that your fundamental rights and freedoms are not affected.
- For marketing
We want to keep you up to date with the latest sustainability initiatives. To this end, we may send you any type of message (such as: e-mail/SMS/telephone etc.) containing general and thematic information, information on sustainability. We always make sure that these processing operations are carried out with respect for your rights and freedoms and that decisions taken on the basis of these operations do not have legal effects on you and do not affect you in a similar way to a significant extent.
– Contact eMAG using the contact details described above.
In certain situations, we may base our marketing activities on our legitimate interest in promoting our sustainability. In any situation where we use information about you for a legitimate interest of ours, we take care and take all necessary measures to ensure that your fundamental rights and freedoms are not affected. However, you can always ask us, by the means described above, to stop processing your personal data for marketing purposes and we will comply with your request.
- To protect our legitimate interests
There may be situations where we will use or transmit information to protect our rights and business. These may include:
– Measures to protect the website and Users from cyber attacks;
– Measures to prevent and detect fraud attempts, including the transmission of information to the relevant public authorities;
– Measures to manage various other risks.
For how long can we keep your personal dataeMAG will process and store your personal data only for the period of time necessary to achieve the processing purposes set out above.
You may request us to delete certain information at any time and we will comply with such requests, subject to the retention of certain information, where required by law or by our legitimate interests.
With whom do we share your personal data
Where appropriate, we may transmit or provide access to certain details of your personal data to the following categories of recipients:
– to companies within the same group of companies as eMAG;
– IT service providers;
– other companies with whom we may develop joint programs.
When legally required to do so or if necessary to protect a legitimate interest, we may also disclose certain personal data to public authorities.
We ensure that access to your data by third parties who are private legal entities is carried out in accordance with the legal provisions on data protection and confidentiality of information, on the basis of contracts concluded with them.
To which countries we transfer your personal data?
We currently store and process your personal data in Romania.
However, we may transfer some of your personal data to entities located in the European Union or outside the European Union, including to countries that are not recognised by the European Commission as having an adequate level of personal data protection.
We will always take steps to ensure that any international transfer of personal data is carefully managed in order to protect your rights and interests. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, other safeguards such as standard contractual clauses issued by the European Commission or certification schemes.
You can contact us at any time, using the contact details set out above, to find out more information about the countries to which we transfer your data and the safeguards we have put in place for such transfers.
How we protect the security of your personal data
We are committed to ensuring the security of personal data by implementing appropriate technical and organisational measures in accordance with industry standards.
We transmit your personal data using state-of-the-art encryption algorithms and store it on secure servers while ensuring data redundancy.
Despite the measures taken to protect your personal data, please be aware that transmission of information over the Internet in general, or via other public networks, is not completely secure and there is a risk that data may be seen and used by unauthorised third parties. We cannot be responsible for such vulnerabilities of systems not under our control.
What rights do you have?
The General Data Protection Regulation gives you a number of rights in relation to your personal data. You can request access to your data, correct any mistakes in our files and/or object to the processing of your personal data. You may also exercise your right to complain to the competent supervisory authority or to take legal action. Where applicable, you may also benefit from the right to request the erasure of your personal data, the right to restrict the processing of your data and the right to data portability.
More information on each of these rights can be obtained by consulting the table below.
To exercise your rights, you can contact us using the contact details set out below. Please note the following if you wish to exercise these rights:
Identity. We take the confidentiality of all records containing personal data seriously. Therefore, please send us your requests regarding such records using the e-mail address used at the time of the submission of the personal data. Otherwise, we reserve the right to verify your identity by requesting additional information to confirm your identity. Please note that without these elements, we will not be able to proceed with your request, which will be closed after 7 days from the date of the information request. After this period, you are always welcome to send another request and we will be happy to help you.
Fees. We will not charge a fee to exercise any right in relation to your personal data, unless your request for access to information is unfounded, i.e. repetitive or excessive, in which case we will charge a reasonable amount in such circumstances. We will inform you of any fees charged before we process your request.
Response time. We aim to respond to any valid requests within a maximum of one month, unless this is particularly complicated or if you have made multiple requests, in which case we will respond within a maximum of two months. We will let you know if we need more than one month. We may ask you if you can tell us exactly what you would like to receive or what you are concerned about. This will help us to act more quickly and shorten the response time to your request.
Third party rights. We do not have to comply with a request if it adversely affects the rights and freedoms of other data subjects.
You can ask us:
– To confirm whether we are processing your personal data;
– to provide you with a copy of such data;
– provide you with other information about your personal data, such as what data we hold, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it, what rights you have, how you can make a complaint, where we obtained your data, to the extent that the information has not already been provided to you through this notice.
You can ask us to rectify or complete your inaccurate or incomplete personal data.
We may attempt to verify the accuracy of the data before rectifying it.
Deletion of data
You can ask us to delete your personal data, but only if:
– it is no longer necessary for the purposes for which it was collected; or if
– you have withdrawn your consent (where the processing was based on consent); or if
– you exercise a legal right to object; or if
– it has been unlawfully processed; or if
– we have a legal obligation to do so.
We are not obliged to comply with your request to delete your personal data if the processing of your personal data is necessary:
– to comply with a legal obligation; or
– for the establishment, exercise or defence of legal claims.
There are certain other circumstances in which we are not obliged to comply with your request for erasure of data, although these are the two most likely circumstances in which we may refuse your request.
Restriction of data processing
You can ask us to restrict the processing of personal data, but only if:
– their accuracy is disputed (see rectification section), to allow us to verify their accuracy; or if
– the processing is unlawful but you do not want the data to be deleted; or if
– they are no longer necessary for the purposes for which they were collected, but you need them to establish, exercise or defend a legal claim; or if
– you have exercised your right to object, and verification of whether our rights prevail is ongoing.
We may continue to use your personal data following a restriction request if:
– we have your consent; or if
– to establish, exercise or defend a right in court; or if
– to protect the rights of eMAG or another natural or legal person.
You can ask us to provide your personal data in a structured, commonly used and machine-readable format, or you can request that it be “ported” directly to another data controller, but in each case only if:
– the processing is based on your consent or the conclusion or performance of a contract with you; and if
– the processing is carried out by automatic means.
You may object at any time, on grounds relating to your particular situation, to the processing of your personal data on the basis of our legitimate interest, if you consider that your fundamental rights and freedoms are overridden by that interest.
You may also object at any time to the processing of your data for direct marketing purposes (including profiling), without giving any reason, in which case we will stop such processing as soon as possible.
You may request not to be subject to a decision based solely on automated processing, but only when that decision:
– produces legal effects concerning you; or
– affects you in another similar way and to a significant extent.
This right does not apply if the decision reached as a result of automated decision making:
– is necessary for us to enter into or perform a contract with you;
– is authorised by law and there are adequate safeguards for your rights and freedoms; or
– is based on your explicit consent.
You have the right to lodge a complaint with the supervisory authority about the processing of your personal data. In Romania, the contact details of the data protection supervisory authority are as follows:
National Supervisory Authority for Personal Data Processing
B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, postal code 010336, Bucharest, Romania
Telephone: +40.318.059.211 or +40.318.059.212;
Without prejudice to your right to contact the supervisory authority at any time, please contact us in advance, and we promise to make every effort to resolve any issues amicably.
We remind you that you can contact us at any time by sending your request by e-mail to: email@example.com. Please only use this communication channel in relation to personal data protection issues.