1. The objective of the Privacy Policy

Rominserv SRL (“Personal Data Controller” or “Controller”) processes personal data in accordance with the provisions of the General Regulation on data protection no. 679/2016 (“GDPR”), as well as with the applicable legislation on the protection of personal data. Thus, this Privacy Policy has been developed, with the purpose and role of informing you, given your quality as a "data subject", within the meaning of GDPR, regarding:

  1. the activities of processing your personal data, thus performed by Rominserv SRL as a Personal Data Controller, in carrying out its activities;
  2. the security of your data and the confidentiality of your personal data processing;
  3. your rights regarding personal data and how to exercise these rights.

The privacy policy may be modified from time to time, and Rominserv SRL will publish the updated version on the website each time. By frequently consulting this website you can make sure that you are permanently informed about the processing activities undertaken by Rominserv SRL;

This Privacy Policy represents the information according to the provisions of GDPR, following which, depending on the specific purposes of personal data processing, specific information will be transmitted in a timply manner.

Prezenta Politica de Confidentialitate reprezinta informarea conform prevederilor GDPR urmand ca in functie de scoprile specifice de prelucrare a datelor cu caracter personal sa se transmita punctual informari specifice.

  1. Personal Data Controller:

The company Rominserv SRL, is a Personal Data Controller, with its headquarter in Bucharest, P-ta Presei Libere, no. 3-5, City Gate Nothern Tower, Floor 3, sector 1, postal code 013702, registered at the Trade Register Office under no. J40 / 8331/2001, UIC RO 14208851.

Rominserv SRL is part of the KMG International NV Group based in the European Union. 

  1. What categories of personal data we process, the purposes, the legal basis and the period for which they are processed

Depending on the quality you have in relation to our company, Rominserv as a Personal Data Controller within the meaning of GDPR processes certain yours personal data for different purposes, and keeps them for a certain period of time, as follows:

    1. Visitor of the Rominserv website

This website uses cookies. Thus, we collect information from you as a visitor of our website by using cookies. This information includes: your IP address (anonymized), browser type, language settings, operating system, device type, domain name, domain host, date and time.

For additional details please access the Cookies Policy here.

    1. Legal representative, shareholder, employee, contact person of Rominserv's business partners

3.2.1.   Purposes of personal data processing

  1. To carry out the formalities and activities related to the contracting and development of the contracts concluded with the business partners, as clients and / or suppliers of goods, services, works, or in any other quality thereof, according to art. 6 paragraph 1, letter b) of the GDPR;
  2. In order to carry out the procedures regarding the offers selection, organized  directly by Controller or through its proxies, for contracting goods / services / works, etc., for the legitimate interest of the Controller, according to art. 6 paragraph 1, letter f) of the GDPR on data protection;
  3. To perform the process of business partners evaluation (Know Your Counterparty) ,for carrying it out the business activity in full compliance with the applicable legal provisions, in order to strengthen the security of contracts, to avoid conflicts of interest and protect Rominserv's reputation, also, to manage contracts and perform checks and reports  for fulfilling the legal obligations (such as preventing and sanctioning money laundering, establishing measures for preventing and combating the financing of terrorism), according to art. 6 paragraph 1, letter c) of the GDPR, as well as for the protection of the legitimate interest of Rominserv according to art. 6 paragraph 1, letter f) of the GDPR;
  4. To ensure the occupational safety and security of the business partners’ employees, who carry out their activity at the industrial platforms, where Rominserv carries out its actitties as a contractor or at the premises of KMG International NV Group companies, for the fulfillment of the legal obligations related to occupational safety and security, according to art. 6 paragraph 1, letter c) of GDPR, as well as for for the protection of the legitimate interest of the Controller, as per art. 6 paragraph 1, letter c) of GDPR;
  5. For carrying out second-party audits in order to fulfill the legitimate interest (according to art. 6 paragraph 1, letter f) of GDPR) of Rominserv to ensure that the services / products offered by the business partner meet the necessary quality standards;
  6. To contact you in order to obtain the opinion of the company you represent regarding the quality of Rominserv services and products, by phone, e-mail in accordance with art. 6 paragraph 1) letter f) of the GDPR on data protection, respectively in the legitimate interest of the operator.
  7. To contact clients by e-mail directly by the financial audit company that audits the financial statements of Rominserv in order to carry out the annual audit process in accordance with art. 6 paragraph 1) letter f) of the GDPR regarding data protection, respectively in the legitimate interest of Rominserv.
  8. For commercial purposes, by using the means of communication, respectively e-mail, sms, fax, telephone call, newsletter/s and any other commercial communications for the promotion of Rominserv services, etc., in accordance with art. 6 paragraph 1) letter f) of the GDPR, respectively based on the legitimate interest to collaborate with the company you represent.

3.2.2.   Processed Personal Data

For the purposes indicated at point 3.2.1. above, will be processed the data of employees / collaborators / legal representatives of business partners that is as follows: name, surname, position, signature, telephone, email, serial and ID card number / passport / residence permit, individual OSH training file (which can includes compared to the data already described above: domicile address / date of birth), as well as documents attesting certain qualifications / attestations / certifications (ex: diplomas, certificates, attestations, authorizations, attestations, permits, etc.).

3.2.3.   Data processing period 

The storage period of the collected personal data will be determined as follows:

  1. The data processed for contracting, knowing the partners and carrying out the service contracts will be kept for a maximum of 5 years from their termination. In case of disputes, they will be retained at the end of the dispute in question.
  2. The financial-accounting data including the contracts concluded depending on their nature will be kept in accordance with the provisions established by the Fiscal Code, the Fiscal Procedure Code and the related legislation.
  3. The data processed in order to carry out the tender selection procedures will be kept for 3 years after the completion of these procedures.
  4. The data processed for the purpose of the second-party audits will be kept for 3 years from the date of completion of the audit.
  5. Data processing in order to ensure safety and health at work will be carried out throughout the performance of the services contract.
  6. The processing of data in order to obtain the opinion on the quality of the Controller services will be done during the existence of the business relation.
  7. Data processing in order to carry out the financial audit process will be done maximum 1 year from the end of the business relationsh.
    1. Former Rominserv employee

3.3.1.   The purposes of processing the personal data of former employees

The personal data of the former employees are processed based on the legal obligations of the former employer in accordance with art. 6 paragraph 1, letter c), letter f) and art. 9 letter b) of the GDPR, respectively the obligations to keep these data and to issue certificates at the request of the former employee or to transmit information to the state authorities, as well as based on Rominserv's legitimate interest to perform internal audits and verifications or to responds to the requests of external auditors, but also to protect Rominserv's interests in court law.

3.3.2.   Processed Personal Data

For the purposes indicated in point 3.3.1. above, the following data of the former employees will be processed: the content of the personnel file, without being limited to: name, surname, position held, brand, identity data and photo-copies of them, employment contracts, retirement data, data on education and professional experience (CV, copies of diplomas), etc., the payroll and elements contained therein, including the documents that formed the basis for its preparation (not limited to: name, surname, ID data, brand, position, job, salary data, bank account, medical certificates, salary statements, seizures, timesheets, dependents, benefits, etc.).

3.3.3.   Data processing period

The data will be kept according to the legal provisions as follows: 75 years the data regarding the personnel file and 50 years the data regarding the salary statement, periods that run from the termination of the employment relationship.

    1. Candidate who has applied for employment or for an internship

3.4.1.   Purposes of personal data processing 

In order for you to participate as cadidate in the recruitment and selection process related to the occupation of one of the existing or future vacancies positions or to carry out a current or future internship programs, your personal data are processed by Rominserv for purposes related to activities related to the field of human resources. The processing of your personal data in the mentioned context is done in accordance with Article 6 paragraph 1), letter a) of the GDPR, respectively the agreement to participate in the recruitment and selection process.

3.4.2.   Processed Personal Data 

  1. General information when registering the CV in our database: Name, surname, date of birth, marital status, telephone number and email address, nationality, citizenship, gender and details regarding any disabilities or work restrictions, photography you, any other information that is found in your CV;
  2. Checks made for selection: references / request for references, interview notes, records / test / test results including technical tests and psychometric tests (measures your abilities, skills, behaviors or personality traits).

3.4.3.   Data processing period

Your personal data as indicated in point 3.4.2. above are kept 6 months from your consent or 6 months from the last login in your account created on the career website of the KMG International NV Group in case you applied through it.

    1. Visitors at Rominserv headquarters  

3.5.1.   Purposes of personal data processing

The personal data of the visitors are processed in order to ensure the security and safety of persons, guarding the objectives and goods in accordance with art. 6 lit. f) of the GDPR, namely the legitimate interest of Rominserv, as well as of the affiliated companies within the KMG International NV Group.

3.5.2.   Personal data of visitors 

In order to achieve the objectives indicated at point 3.5.1. above, the following personal data of visitors are processed: name, surname, entry time, exit time, visitor's image, the name of your employer or the company you work with (if the visit is for business purposes) and the name of the person visited.

3.5.3.   Data processing period 

The preservation of personal data will be done for the purposes presented above for a maximum of 2 years, except for the image of the visitor captured by the cameras, which will be kept for a maximum of 30 calendar days..

  1. Who receives your data?

4.1       Recipients of your personal data

In order to achieve the purposes described above, Rominserv uses the services of various contractors or other companies within the KMG International NV Group. According to GDPR, they are divided into several categories, which in relation to the operation of processing your personal data, are classified as follows: Controllers, Processors or Joint Controller.

Therefore, we specify that, in order to achieve the purposes mentioned in section 3 above, your data can be shared, without being limited to, with the following types of recipients:

  1. companies within the KMG International Group such as, but not limited to, KMG Rompetrol SRL, KMG Rompetrol Services Center SRL, which provide consulting services, human resources, procurement, financial accounting, internal audit, etc. ;
  2. IT, telecommunications, security and protection, courier, advertising agencies service providers and other contractual partners (eg lawyers, debt collection companies, auditors bound by the obligation of confidentiality regarding the data transmitted, etc.);
  3. state authorities such as ANAF, ANPC, etc. based on their competencies provided by the applicable law.

4.2       Transfer of your data to foreign countries

In the context of the operations described above, your personal data may be transferred abroad to countries of the European Union ("EU") or the European Economic Area ("EEA").

We hereby inform you that any transfer made by Rominserv to an EU or EEA member state will comply with the legal requirements established by GDPR. As part of the processing of the data described above, the transmission of personal data to recipients from countries outside the European Union may also take place. The transfer in this case will be made to:

  1. countries for which the EU Commission has established that they provide an adequate level of data protection, or
  2. countries or Controllers in relation to which we ensure that there is an adequate level of protection of data (especially by concluding agreements containing standard contractual clauses for data transfer and / or any other measures imposed as the case may be).


  1. Security of your personal data

Rompetrol guarantees that it processes your data in conditions of legitimacy and legality, implementing at the same time adequate technical and organizational measures to ensure the integrity and confidentiality of the data according to art. 25 and 32 of the GDPR.

  1. Your personal data rights:

As data subject, you have the following rights according with GDPR:

  1. The right of access means your right to  know whether data concerning to you are being processed by the Controller and, if so,  you can have access to the respective data and to the information as per the provisions of Article 15 of the GDPR.
  2. Dreptul la portabilitate a datelor  refers to the right to receive personal data in a standard, structured, commonly used and automatically readable format and the right to have your data transmitted to another Controller without obstacles from the Controller, if such data is processed by automatic means and, the processing is performed based on your consent expressed according to art. 6 para. (1) lit. a) or of article 9 paragraph (2) letter a) or the processing is carried out on the basis of a contract according to art. 6 para. 1) lit. b) of the GDPR.
  3. The right to object represents the right to oppose, for reasons related to your particular situation, the processing of personal data concerning you, including the creation of profiles based on those data, when the processing is carried out pursuant to art. 6 paragraph 1) letters e) and f), respectively for the achievement of a legitimate interest of the operator or for the accomplishment of a task that serves a public interest.
  4. The right to rectification refers to the correction, without unreasonable delay, of inaccurate personal data. You have the right to obtain the supplement of personal data that are incomplete, including by providing an additional statement, and the rectified data will be communicated to each recipient who received the data, unless this proves impossible or involves disproportionate effort.
  5. The right to delete data ("right to be forgotten")  means the right to request the deletion of personal data, without unreasonable delay, when: the data are no longer necessary for the purposes for which they were collected or processed; you withdraw your consent and there is no other legal basis for processing; you object to the processing and there are no legitimate legal reasons prevailing; personal data have been processed illegally; personal data must be deleted in order to comply with a legal obligation; personal data were collected in connection with the provision of information society services. The deletion of the data will be communicated to each recipient who received the data, unless this proves impossible or involves disproportionate efforts.
  6. The right to restrict processing refers to the case where you want to restrict the processing because: you challenge the accuracy of the data, for a period that allows the Controller to verify the correctness of the data; the processing is illegal, and you oppose the deletion of personal data, requesting in return the restriction of their use; The Controller no longer needs personal data for the purpose of processing, but you request them to establish, exercise or defend a right in court; you have objected to the processing, for the period of time in which it is verified whether the legitimate interest of the Controller prevail over yours.
  7. Rights in relation to not be subject of automated decision making and profiling, which produces legal effects concerning you or which significantly affects you, except for processing aimed at concluding or performing a contract with you, such processing is authorized by the applicable legal provisions or the processing of data is carried out on the basis of your freely expressed consent.
  8. The right to withdraw your consent. When the processing of personal data is carried out on the basis of your consent, you have the right to withdraw your consent at any time, without affecting the legality of the processing carried out on the basis of consent before its withdrawal.
  9. The right to file a complaint: if you are dissatisfied, you can contact the National Authority for the Supervision of Personal Data or the competent courts at any time.
  10.  Exercising your rights

 All these rights can be exercised by a written request, sent:

  1. using the contact data mentioned in section 2 of this Policy,
  2. by e-mail to the attention of the data protection officer of Rominserv, at the address:   
  3. by calling the telephone numbers 0800 0800 08 or 0800 0800 12.

Your request will be analyzed, and you will receive an answer within a maximum of 30 days.

Date when this policy was updated: 27th of May 2022