Rompetrol processes personal data in accordance with the provisions of the General Data Protection Regulation no. 679/2016 (“GDPR”) as well as with the applicable legislation on the protection of personal data. In this sense the present policy was drafted with the purpose and role to serve as a mean of information with regard to:
(i) the activities of processing your personal data, thus performed by the companies part of KMG International Group, as Personal Data Operator, in carrying out its activities;
(ii) the security of the data and the confidentiality of the processing of your personal data;
(iii) your rights regarding personal data and how to exercise these rights.
2. Personal Data Operator:
The company KMG Rompetrol is a Personal Data Operator for www.kmginternational.com website, who is also the owner of the site, having the headquarter in Bucharest, 3-5 Piata Presei Libere, City Gate Northern Tower, 5 floor, registered at the Trade Register Office under no J40/9817/2010.
The companies, part of KMG International NV Group with the headquarter in European Union are Personal Data Operators for data processing, carried out by these companies.
Contact details of the companies part of the KMG International NV Group can be found here.
References to "Rompetrol" or "Operator" in this policy mean companies within the KMG International NV Group, including subsidiaries, affiliates, branches, offices of these companies.
3. What categories of personal data we process, the purposes, the legal basis and the period for which your personal data are processed
Depending on the quality you have in relation to our company, Rompetrol as a Personal Data Operator processes certain personal data of yours for different purposes and legal basis, and keeps them for a certain period of time, as follows:
3.1. Visitor of the website
We collect information from you as a visitor of our website by using cookies. This information includes: your IP address (anonymized), browser type, language settings, operating system, device type, domain name, domain host, date and time.
Please access the cookies policy here.
3.2. Gas stations’ clients
3.2.1 Purposes of personal data processing
- in relation to your purchase of LPG products, fuels and other specific products, issuing of financial warranties on amount retained as warranties, as applicable, contracting and managing contracts concluded with you as client and/or user of Fill & Go Personal card, in accordance with art. 6, para. 1, lit. b) from GDPR, namely in order to conclude and execute a contract with you;
- for making payments, respectively for invoicing the service offered, according to art. 6 para. 1, lit. b) from GDPR, namnely in order to conclude and execute a contract with you;
- in order to verify the creditworthiness and to approve the credit limit for Fill & Go Credit clients, according to art. 6, para. 1), lit. f) of the GDPR, respectively the legitimate interest of the Operator to apply credit risk analysis measures;
- in order to fulfill a legal obligation by the Operator and its legitimate interest, respectively in order to ensure security, by video monitoring and analysis of security incidents (Law no. 333/2003 on the protection of objectives, assets, values and protection of persons and GD No. 301/2012 for the approval of the Methodological Norms for the application of Law No. 333/2003 on the protection of objectives, goods, values and protection of persons), transport of goods (transport of dangerous goods - GD No. 1175/2007 for the approval of the Implementing Norms of the activity of road transport of dangerous goods in Romania, Order of the Ministry of Transport, Construction and Tourism No. 1214/2015, Order No. 1044/2003 on the approval of the Regulation for the designation, professional training and examination of safety advisers for road, rail or road transport inland waterways of dangerous goods), implementation of prevention measures of money laundering offenses (Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for amending and supplementing some normative acts), according to art. 6, para. 1, lit. c) and f) of the GDPR
- in order to resolve complaints received at Rompetrol gas stations, either by telephone, by Infoline or by mail, according to art. 6 para. 1), lit. c) and f) of the GDPR, in order to fulfill a legal obligation (Ordinance no. 21/1992 on consumer protection), respectively for fulfilling a legitimate interest of the Operator which consists in analyzing and solving the notified incidents;
- for contacting you in order to obtain your opinion regarding the quality of the services and products of the Operator and of the KMG International NV Group purchased by you, by telephone, e-mail, SMS, website, social media channels and mobile applications in accordance with art. 6, para. 1), lit. f) from GDPR, respectively in the legitimate interest of the Operator to improve its services and products offered to its customers;
- for intra-group reporting, respectively for performing customer service through the entities of the KMG International NV Group, according to art. 6, para. 1), lit. f) from GDPR, in the legitimate interest of the Operator to organize its customer service activities in the most efficient way, thus ensuring a high level of quality of services and products offered;
- for the recovery of receivables that you owe to the Operator, amicably / through enforcement, including for resolving various disputes, according to the concluded contracts and the legitimate interest of the Operator to recover the receivables related to the existing contractual relationship with you, according to art. 6, para. 1), lit. b) and f) of the GDPR;
- for solving the various requests addressed to the Operator, analysis of partnership / investment proposals, as well as the provision of information requested by you in writing (including those transmitted on social media channels), according to art. 6, para. 1, lit. c) and f) of the GDPR, namely on the basis of a legal obligation of the Operator to respond within a limited period of 30 days, respectively of its legitimate interest in appropriate and timely settlement of these requests addressed to the Operator;
- for your profiling, respectively in order to be able to provide you with information on standard or customized products and services from the portfolio of entities in the KMG International NV Group, by analyzing the services purchased, the transactions performed and other similar information, in accordance with art. 6, para. 1), lit. a) from GDPR, respectively based on your consent;
- for marketing purposes, by using the means of communication, respectively e-mail, sms, fax, telephone call, notifications through mobile applications, such as for receiving newsletters and other commercial communications to promote the products and services of the KMG International NV Group, of which the Operator is a part, the organization of internal and external events, respectively your invitation to these events, in accordance with art. 6 para. 1), lit. a) from GDPR, based on your consent;
- for participating in raffles and other promotions based on a certain consumption behavior, in accordance with art. 6, para. 1) lit. a) from GDPR, based on your consent;
- for the provision of the services and facilities of the Rompetrol Go Loyalty Program, in accordance with art. 6, para. 1, lit. b) of the GDPR, respectively on the basis of concluding and executing a contract with you;
- for the provision of services, facilities, as well as information regarding the modifications of the Rompetrol Go Loyalty Program, including contacting you in order to inform you regarding the situation of the loyalty points (eg their validity), according to art. 6, para. 1, lit. b) from GDPR in order to conclude and execute a contract with you;
- for recovering the equivalent value from the insurer of a damage caused by you to the Operator, according to art. 6 paragraph 1) letter c) and f) of the GDPR, in order to fulfill a legal obligation (Law no. 132/2017 on the compulsory motor third party liability insurance), respectively to fulfill a legitimate interest of the Operator which consists in recovering the damage;
- for granting the winnings resulting from your purchase of the lottery products, according to art. 6, para. 1), lit. f) of the RGPD, respectively in the legitimate interest of the Operator to prove the correctness of this process;
- for the photo-copying of the registration certificate or of the identity card of the motor vehicle in case the toll or the bridge tax is collected, according to art. 6, para. 1), lit. f) of the GDPR, respectively in the legitimate interest of the Operator to prove the correctness of this process.
3.2.2 Personal Data Processed
a) The data processed for the clients holding a Fill & Go card are the following: name and surname, date and place of birth, other data from the identity document, address (domicile / residence), telephone, indicated e-mail, personal numerical code, series and number of the identity card, gender, marital status, number of children, citizenship, IBAN and bank account, data regarding services and products purchased (such as: quantity, value, date and place of purchase of fuel), Fill & Go and Loyalty card code, data on income, your image, your voice (in case of phone calls through Infoline / call center), Fill & Go card transaction history, car type, studies, hobbies, contact details (name, surname, phone,), ID card copies, data included in the Fill & Go contract, inclusion form in the loyalty program.
b) The data processed for the clients enrolled in the Rompetrol GO Loyalty Program (clients who may or may not have a Fill & Go card) are the following: name, surname, e-mail address, telephone number, gender, date of birth, data regarding date and location of enrollment, points collected, preferences and amount of consumption, frequency and value of purchase, data on services and products purchased (such as: quantity, value, date and place of purchase), data from Rompetrol Go customers who have a card Fill & Go Personal (address, customer code, transactions made).
c) The data processed for customers who do not have a Fill & Go card are the following: your image, your voice, in case of telephone calls through Infoline / call center, photo-copy of identity documents.
3.2.3 Data processing period
(a) the documents containing personal data of a financial-accounting nature shall be stored 10 years from the date of the end of the financial year during which they were prepared, according to the Accounting Law no. 82/1991;
(b) the records of the telephone conversations related to the requirements / requests addressed to the Operator, will be kept for 4 months from the date of making the call, except for the records regarding the complaints which will be kept for 3 years from the date of their settlement;
(c) documents, which contain personal data and are processed for the purpose of recovering debts which you owe to the Operator shall be kept until the completion of the recovery procedures or, as the case may be, until the final settlement of any disputes;
(d) personal data for marketing purposes will be kept until your consent is withdrawn or until the termination of the contractual relationship, whichever comes first;
(e) the duration of the storage of video recordings captured by surveillance video cameras is at least 20 calendar days, but not more than 30 calendar days from the date of their making;
(f) the personal data processed in order to solve the various requirements, requests addressed to the Company, analyzes, partnership / investment proposals, as well as the provision of information requested by you in writing will be kept until their resolution;
(g) the data processed under the loyalty program will be kept for the entire period of your enrollment, as well as for the duration of the existence of a legal obligation for their storage.
3.3. Legal representatives, shareholders, employees, contact persons of the companies acting as business partners of KMG International NV Group
3.3.1. The purposes of processing the personal data
a) in order to contract and carry out the service contracts concluded with the business partners, as clients and / or subcontractors, according to art. 6 paragraph 1, letter b) of the GDPR;
b) for fulfilling the legitimate interest of the Operator, in order to carry out the procedures regarding the selection of offers, organized by him for contracting of goods / services / works, etc. according to art. 6 paragraph 1, letter f) of the GDPR;
c) to perform the know your counterparty analysis of the business partner in order to carry out the business activity in full compliance with the applicable legal provisions, in order to strengthen the security of contracts, avoid conflicts of interest and protect the Operator's reputation, in order to manage contracts and perform veirifcation and reporting in accordance with applicable law, as well as for the fulfillment of a legal obligation such as the prevention and sanctioning of money laundering, the establishment of measures to prevent and combat the financing of terrorism. according to art. 6 paragraph 1, letter c) of the GDPR, as well as for the protection of the legitimate interest of the Operator according to art. 6 paragraph 1, letter f) of the GDPR;
d) for ensuring the safety and security at work of the employees of the partners carrying out activities on the industrial platforms where the Operator is the main contractor, on the industrial platforms of the Operator, or at the KMG International NV Group companies premises, in order to fulfill the legal obligations contained in the health and safety legislation. at work, in accordance with art. 6 paragraph 1, letter c) of the GDPR, as well as for the protection of the legitimate interest of the Operator according to art. 6 paragraph 1, letter f) of the GDPR;
e) for carrying out second party audits in order to fulfill the legitimate interest, (according to art. 6 paragraph 1, letter f) of the GDPR) of the Operator to ensure that the services / products offered by the business partner meet the necessary quality standards;
d) for contacting you in order to obtain the opinion of the company you represent regarding the quality of the Operator's services and products purchased, by telephone, e-mail, in accordance with art. 6 paragraph 1) letter f) of the GDPR on data protection, respectively in the legitimate interest of the Operator.
e) for contacting the clients by e-mail directly by the financial audit company that audits the financial statements of the Operator in order to carry out the annual audit process in accordance with art. 6 paragraph 1) letter f) of the GDPR, respectively in the legitimate interest of the Operator.
f) for commercial purposes, by using the means of communication, respectively e-mail, sms, fax, telephone call, newsletter / s and other commercial communications for the promotion of the Operator's services, in accordance with art. 6 paragraph 1) letter f) of the GDPR, respectively on the basis of the legitimate interest to collaborate with the company you represent;
3.3.2. Processed Personal Data
For the purposes indicated in point 3.3.1. above, following data of employees / affiliate/ legal representatives of business partners will be processed: name, surname, position, signature, telephone, email, serial and ID card number, as well as documents attesting certain qualifications / attestations / certifications, ( ex: diplomas, certificates, attestations, authorizations, attestations, permits, etc.).
3.3.3. Data processing period
The storage period of the collected personal data will be determined as follows:
(a) the data processed for contracting, knowing the partners and carrying out the service contracts will be kept for a maximum of 5 years from their conclusion. In case of disputes, these will be kept until the end of the dispute in question.
(b) the financial-accounting data including the contracts concluded depending on their nature will be kept in accordance with the provisions established by the Fiscal Code and the related legislation.
(c) the data to be processed in order to carry out the tender selection procedures will be kept for 3 years from the completion of the procedures.
(d) data processed for the purpose of the second part audit shall be retained for 3 years from the audit complition date.
(e) the processing of data in order to ensure safety and health at work will be done throughout the performance of the service contract.
(f) the processing of data in order to obtain the opinion on the quality of services will be done during the existence of the business relationship.
(g) the processing of data for the purpose of carrying out the financial audit process will be done for a maximum of 1 year from the completion of the business relationship.
3.4.1. The purposes of processing the personal data of former employees of the companies from KMG International NV Group
The personal data of the former employees are processed based on the legal obligations of the former employer in accordance with art. 6 paragraph 1, letter c), and art. 9 letter b) of the GDPR, respectively the obligations to keep these data and to issue certificates at the request of the former employee or to transmit information to the state authorities, as well as based on Operator’s legitimate interest to perform internal audits and verifications or to responds to the requests of external auditors, but also to protect Operator’s interests in court., in accordance with art. 6 paragraph 1, letter f) of the GDPR.
3.4.2. Processed Personal Data
For the purposes indicated in point 3.4.1. above, the following data of the former employees will be processed: the content of the personnel file, without being limited to: name, surname, position held, unique ID, identity data and photo-copies of them, employment contracts, retirement data, data on education and professional experience (CV, copies of diplomas), etc., the payroll and elements contained therein, including the documents that formed the basis for its preparation (not limited to: name, surname, ID data, uniques ID, position, job, salary data, bank account, medical certificates, salary statements, seizures, timesheets, dependents, benefits, etc.).
3.4.3. Data processing period
The data will be kept according to the legal provisions as follows: 75 years the data regarding the personnel file and 50 years the data regarding the salary statement, periods that run from the termination of the employment relationship.
3.5. Candidates who have applied for a vacant position in order to be employed or to complete an internship
3.5.1. Purposes of personal data processing
In order to participate in the recruitment and selection program related to the occupation of one of the existing or future vacancies / positions or to carry out a current or future internship or internship program, where you are a Candidate, your personal data are processed by Operator for purposes related to activities related to the field of human resources. The processing of your personal data in the mentioned context is done in accordance with Article 6 paragraph 1), letter a) of the GDPR, respectively your agreement to participate in the recruitment and selection process.
3.5.2. Processed Personal Data
(b) Checks in the vew of your selection: references / request for references, interview notes, records / test / test results including technical tests and psychometric tests (measures your abilities, skills, behaviors or personality traits).
3.5.3. Data processing period
Your personal data as indicated in point 3.5.2. above are kept 6 months from your agreement or 6 months from the last login in your account created on the career website of the KMG International NV Group in case you applied through it.
3.6. Visitors of our headquarters
3.6.1. Purposes of personal data processing
The personal data of the visitors are processed in order to ensure the security and safety of persons, guarding the assets and goods in accordance with art. 6 lit. f) of the GDPR, namely the legitimate interest of Operator, as well as of the affiliated companies within the KMG International NV Group.
3.6.2. Personal data of visitors
In order to achieve the objectives indicated at point 3.6.1. above, the following personal data of visitors are processed: name, surname, entry time, exit time, visitor's image, the name of your employer or the company you work with (if the visit is for business purposes) and the name of the person visited.
3.6.3. Data processing period
The storage of personal data will be done for the purposes presented above for a maximum period of 2 years, except for the image of the visitor captured by the cameras, this being kept for a maximum period of 30 calendar days.
4. Who receives your data?
4.1 Recipients of your personal data
In order to achieve the purposes described above, Rompetrol uses the services of various contractors or other companies within the KMG International NV Group. According to GDPR, they are divided into several categories, which in relation to the operation of processing your personal data, are classified as follows: operators, processors or associated operators.
Therefore, we specify that, in order to achieve the purposes mentioned in section 3 above, your data can be shared, without being limited to, with the following types of recipients:
- companies ensuring operating of Rompetrol gas stations, in the name and on behalf of Rompetrol;
- IT and telecommunications service providers, security and protection, courier, advertising agencies, other contractual partners (eg lawyers, debt collection companies, auditors bound by the obligation of confidentiality regarding the data transmitted, etc.);
- state authorities such as ANAF, ANPC, etc. based on their competencies provided by the applicable law.
4.2 Transfer of your data to foreign countries
In the context of the operations described above, your personal data may be transferred to countries of the European Union ("EU") or the European Economic Area ("EEA").
We hereby inform you that any transfer made by the Operator to an EU or EEA member state will comply with the legal requirements established by GDPR. As part of the processing of the data described above, the transmission of personal data to recipients from countries outside the European Union may also take place. The transfer in this case will be made to: (i) countries for which the EU Commission has established that they provide an adequate level of data protection, or (ii) countries or operators in relation to which we ensure that there is an adequate level of protection of data (especially by concluding agreements containing standard contractual clauses for data transfer and / or any other measures imposed as the case may be).
6. Security of your personal data
Rompetrol guarantees that it processes your data in conditions of legitimacy and legality, implementing at the same time adequate technical and organizational measures to ensure the integrity and confidentiality of the data according to art. 25 and 32 of the GDPR.
7. Your rights rearding personal data:
As the data subject, you have the following rights provided by GDPR, regarding exclusively your personal data:
(a) The right of access means your right to obtain a response from the Operator whether or not it process personal data concerning you and, if so, you may have access to those data and to the information provided by art. 15 of the GDPR.
(b) The right to data portability refers to the right to receive personal data in a standard, structured, commonly used and automatically readable format and the right to have your data transmitted to another operator without hindrance from Rompetrol, if these data are processed automatically and, the data are processed based on your consent expressed according to art. 6 para. 1) lit. a) or art. 9 para 2) lit. a), respectively on the basis of a contract according to art. 6 para. 1) lit. b) of the GDPR.
(c) The right to object represents the right to oppose, for reasons related to your particular situation, to the processing of personal data concerning you, including the creation of profiles based on those data, when the processing is carried out pursuant to art. 6 paragraph 1) letters e) and f), respectively for the achievement of a legitimate interest of the operator or for the accomplishment of a task that serves a public interest.
(d) The right to rectification refers to the correction, without undue delay, of inaccurate personal data. You have the right to obtain the completion of personal data that are incomplete, including by providing an additional statement, and the rectified data will be communicated to each recipient who received the data, unless this proves impossible or involves disproportionate effort.
(e) The right to delete data ("right to be forgotten") means the right to request the deletion of personal data, without unreasonable delay, if: the data are no longer necessary for the purposes for which they were collected or processed; you withdraw your consent and there is no other legal basis for processing; you object to the processing and there are no legitimate legal reasons prevailing; personal data have been processed illegally; personal data must be deleted in order to comply with a legal obligation; personal data were collected in connection with the provision of information society services. The deletion of the data will be communicated to each recipient who received the data, unless this proves impossible or involves disproportionate efforts.
(f) The right to restriction of data processing refers to the case where you challenge the accuracy of the data, for a period that allows the operator to verify the correctness of the data: if the processing is illegal and the person opposes the deletion of personal data, requesting instead the restriction of their use; if Operator no longer needs the personal data for the purpose of processing, but you request them for the ascertainment, exercise or defense of a right in court; if you objected to the processing for the period of time in which is needed to verify whether the legitimate rights of Operator prevail over those of the respective person.
(g) The right not to be subject to a decision based solely on automatic processing, including the creation of profiles, which produces legal effects that concern or significantly affect you, with the exception of processing for the conclusion or performance of a contract with you, such processing is authorized by the applicable legal provisions or the data processing is performed based on your freely expressed consent.
(h) The right to withdraw your consent. When the processing of personal data is carried out on the basis of your consent, you have the right to withdraw your consent at any time, without affecting the legality of the processing carried out on the basis of consent before its withdrawal.
(i) The right to file a complaint: if you are dissatisfied, you can contact the National Authority for the Supervision of Personal Data or the competent courts at any time.
8. Exercise your rights
All the rights can be exercised through a written request sent to:
(a) Operator’s headquarters, using the contact details mentioned in section 2 of this Policy,
(b) e-mail, for the attention of the Data Protection Officer, at the e-mail address: firstname.lastname@example.org
(c) by calling the following phone numbers: 0800 0800 08 or 0800 0800 12.
Your request will be analysed and you will receive an answer within maximum 30 days.