GDPR Policy

1. COMMITMENT

Protecting the security and privacy of personal data (DCP) is important to us. Therefore, all activities conducted comply with applicable data protection laws (Regulation (EU) 2016/679 – GDPR, and national legislation).

This policy clearly and transparently explains what type of data we collect, how and why we process it, how we protect it, and how we respect the rights of data subjects.

2. WHO DOES THIS POLICY APPLY TO?

This GDPR policy (hereinafter referred to as the "Policy") applies to the following categories of individuals:

• Employees and collaborators of ASOCIAȚIA CAIAC FAN;
• Job applicants and persons involved in recruitment processes;
• Representatives of clients and partners with whom we have contracts;
• Representatives of suppliers of products and services;
• Individuals participating in events, courses, webinars, and sports competitions organized by CAIAC FEST;
• Participants in training programs or other activities carried out by the Organizer.

Processing personal data (PDCP) includes any operation performed on such data, including: collection, recording, organization, storage, consultation, use, disclosure, deletion, or destruction.

3. CATEGORIES OF PERSONAL DATA PROCESSED

The personal data we collect depends on the category of the data subject, as follows:

✅ For employees and collaborators:

• Name, surname, address, personal identification number, phone, email;
• ID card details, professional qualifications;
• Banking information for salary payments;
• Health status information (medical aptitude certificate);
• Biometric data (video recordings if applicable).

✅ For job applicants:

• Name, surname, contact details, professional qualifications, CV.

✅ For event participants:

• Name, surname, phone number, email, signature;
• Photos/videos recorded during events.

✅ For representatives of clients/suppliers:

• Name, surname, job title, contact details, signature.

4. PURPOSE OF DATA PROCESSING

Personal data is processed solely for the purposes for which it was collected, in compliance with GDPR regulations. It may be used for:

• Fulfilling contractual obligations (e.g., managing event registrations, invoicing, technical support);
• Recruitment and selection of personnel;
• Managing relationships with partners and suppliers;
• Meeting legal and fiscal obligations;
• Promoting CAIAC FEST activities (e.g., using event photos/videos for promotional purposes, with participant consent);
• Ensuring security (e.g., video surveillance in event venues).

5. WHO RECEIVES PERSONAL DATA?

The collected data is shared only with entities necessary for conducting CAIAC FEST activities, in compliance with GDPR regulations:

• Public authorities (e.g., tax authorities, labor offices) as required by law;
• Banks and financial institutions for processing payments;
• Contractual partners (e.g., service providers, collaborators, subcontractors);
• Online payment processors, for handling online transactions.

‼️ Personal data will NOT be sold, transferred, or used for commercial purposes without the explicit consent of the data subject!

6. PERSONAL DATA SECURITY

To protect collected data, CAIAC FEST implements technical and organizational security measures, including:

? Physical protection – restricted access to documents and archives;
? IT security – encryption, firewall protection, secure authentication;
? Internal confidentiality policies – employees and collaborators are trained to protect data.

Data transfers to third parties are carried out only under secure conditions, in compliance with applicable regulations.

7. DATA RETENTION PERIOD

Personal data is retained only for the period necessary to fulfill the purposes for which it was collected, in accordance with applicable legal requirements.

‼️ If data retention is no longer necessary, the data will be deleted or anonymized!

8. RIGHTS OF DATA SUBJECTS

Under GDPR, data subjects have the following rights:

✅ Right to access – request information about your stored personal data;
✅ Right to rectification – request correction of incorrect or incomplete data;
✅ Right to erasure ("right to be forgotten") – request deletion of your personal data under certain conditions;
✅ Right to object – object to your data being used for marketing purposes;
✅ Right to data portability – receive your data in a structured, commonly used format;
✅ Right to file a complaint with the National Data Protection Authority.

To exercise these rights, you can contact us at info@caiacfest.ro.

9. FINAL PROVISIONS

? Authorized personnel responsible for processing personal data are designated through internal decisions and are trained to maintain confidentiality.
? Data processing is carried out only with the explicit consent of the data subject, in compliance with GDPR regulations.
? We commit to making all necessary efforts to ensure the protection and confidentiality of collected personal data, both in physical and electronic format.

‼️ This GDPR Policy is supplemented, where applicable, by our Privacy Policy.