Table of Contents
I. The Controller and contact information
II. Structure of this Note
III. General aspects regarding the security of personal data
IV. Non-collection through the website of personal data of minors/children
V. Personal data processing hypothesis, as the case may be
1. If you are a visitor of www.forvismazars.com/ro website, and/or interact with a social media account of the Controller
2. If you are a candidate for a position within the Controller
3. If you are a natural person client/potential client of the Controller
4. If you interact with the Controller as an associate/shareholder, member, founder, representative, employee, co-worker, etc. of a client/potential client legal person, of the controller or, if you do not interact, but you are the person related to that legal person/its shareholders or associates members, etc.
5. If you are the person who interacts in another context with the Controller, mainly for the purpose of communicating with the Controller on various aspects, such as by filling in one of the forms on its website, other such situations
6. If you interact with the Controller as an associate/shareholder, representative, employee, co-worker, member, founding member, beneficiary, etc. of a supplier (including a company under the same brand as the one of the Controller), co-worker, subcontractor, non-profit entity, professional association, auditor of the Controller, etc.
7. If you are the representative, manager, or person designated according to law from an investigating authority, responding, and communicating as per the law with the Controller
8. If you are a practicing student or graduate practitioner and interact with the Controller for a convention and internship
9. If you are a direct user or appointee on behalf of your employer, etc., of an application/software product of Forvis Mazars in Romania
10. If you are a former employee who wishes to maintain contact with Forvis Mazars in Romania, according to your options, and thus you will appear in our alumni database
VI. The means of processing personal data by the Controller
VII. Possible recipients of personal data
VIII. Rights of the Data Subject and how they can be exercised towards the Controller
IX. Changes to this Informing Note
X. Applicability
I. The Controller and contact information
a. For the purposes of this information, each of us (generally referred to herein as "Controller"), Forvis Mazars Romania SRL, Forvis Mazars Consulting SRL, Forvis Mazars Tax Consulting SRL, Forvis Mazars Global Services SRL, Forvis Mazars Management SRL, headquartered at 4B and 2-4 Ing. George Constantinescu Street, 5th floor, 2nd District, Bucharest, phone +40 31 229 2600, fax +40 31 229 2601, provides this Informing Note together with the others, although each Romanian Forvis Mazars company mentioned above generally acts individually, as an independent Controller. Therefore, please read and interpret this note with respect to the Controller with which you are connected. If you wish to communicate with the Data Protection Officer ("DPO"), you can use the email addresses GDPR.Compliance.ro@forvismazars.com or dpo.ro@forvismazars.com, or the postal address mentioned above [if you write to the DPO by post/courier, please mention on the envelope "To the attention of the Data Protection Officer" and specify which of the above Forvis Mazars (Romania) entities you intend to address].
[However, exceptionally, for those processing operations for which the Forvis Mazars companies (Romania) jointly decide the purposes and means of processing, it is also possible that two, several, or if applicable all of the companies mentioned above, could act as joint controllers. For such cases, we will usually specify the role in processing.]
b. We specify that, by way of exception, the above-mentioned Romanian Forvis Mazars companies also process personal data, where applicable, as Joint Controllers, for common projects or joint management: (i) data and information regarding the use of the www.forvismazars.com/ro website, (ii) when applicable, the data of participants in joint events in the joint list, (iii) when applicable, the collection on the above common email address of requests to exercise rights of Data Subjects, to be sent afterward to the appropriate Controller for response, (iv) possible data and information from the joint social media accounts mentioned below, (v) given the use of a single internal capture and management system, the images captured by surveillance cameras at reception and access routes from their premises located at the above-mentioned address, (vi) possible information generated by cookies, (vii) possible information generated by your access to the links in the newsletters or by your downloading, as the case may be, of the informative materials or those accompanying the newsletters from the above-mentioned Forvis Mazars controller companies, in order for us to know whether or not there is interest in each of our informative materials, (viii) filling in the list and then managing the Forvis Mazars alumni database by the above-mentioned controller companies, and management of the agreements expressed by alumni as Data Subjects. For the processing of data as joint controllers in such a context, the Data Subject may usually exercise his/her rights by addressing any of the Controllers, using the contact details for requests to exercise rights mentioned herein.
II. Structure of this Note
This Note, which does not exclude the exceptions mentioned in letter b. of Chapter I above, usually concerns the processing of personal data by each Controller as an (independent) Controller and is structured as follows:
1. Controller and contact information
2. Structure of this Note
3. General aspects of personal data security
4. Non-collection/non-processing as Controller(s) of data of minors
5. Processing hypotheses detailing on each mentioned situation the categories of data, respectively of the data subjects, the purposes, the legal grounds for processing, the source/sources of the data, the obligation or not to communicate the data, the duration of data processing:
- If you are a visitor of the www.forvismazars.com/ro website, and/or interact with a social media account of the Controller;
- If you are a candidate for a position within the Controller company;
- If you are a client / potential client, natural person, of the Controller;
- If you interact with the Controller as an associate/shareholder, representative, employee, co-worker, etc. of a client / potential client, a legal entity of the Controller or you do not interact but you are the person related to that legal person, e.g. in the application of Law no. 129/2019, other similar;
- If you are the natural person interacting with the Controller, by filling in one of the forms on its website, other such situations;
- If you interact with the Controller as an associate/shareholder, representative, employee, co-worker, member, founding member, beneficiary, etc. of a supplier (including the case of a company acting under the same brand), co-worker, subcontractor, non-profit entity, professional association, auditor, (contracted by the Controller), etc.
- If you are the representative, manager according to the law of an investigating authority, responding, communicating according to law with the Controller;
- If you are a practicing student or graduate practitioner for an internship convention /an internship within the Controller;
- If you are a direct user or designated person on behalf of your employer, etc. of an application/software product under the Forvis Mazars brand.
- If you are a former employee who wishes to maintain contact with Forvis Mazars in Romania, according to your options, and thus you will appear in our alumni database.
6. Means of data processing used by the Controller;
7. Possible recipients of personal data;
8. The rights and freedoms of the Data Subject and how to exercise them;
9. Subsequent amendments to this Informing Note;
10. Applicability.
III. General aspects regarding the security of personal data
For Forvis Mazars (Romania) the security, integrity and confidentiality of your personal data are very important. Forvis Mazars (Romania) ensures that it takes all organizational and technical measures deemed appropriate in this regard, for the protection of personal data.
IV. Non-collection through the website of personal data of minors/children
The Controller understands the importance of protecting children's privacy, especially in an online environment, but not only. As a rule, we do not knowingly collect or maintain information about anyone under the age of 18 (“minor” or “children”) as Controller for the working assumptions mentioned in this Note. If you are a minor child, please ask your parents, and legal guardians, to read this Note before communicating with us.
The www.forvismazars.com/ro website concerns the professional, business activities of each of Forvis Mazars companies mentioned, being intended for professionals, and clients, if you are a candidate for your first interaction with us as a potential employer, respectively for informing purposes in general. Forvis Mazars does not intend to interact with children or collect data and/or information about any minor children visitor, which is why we ask these persons, third parties who want to communicate/use data of minor children not to communicate such data, information, not to use this website, the forms contained therein with/for such data.
V. Personal data processing hypothesis, as the case may be
1. If you are a visitor of www.forvismazars.com/ro website, and/or interact with a social media account of the Controller;
Information in this subchapter 1.V. applies to interactions with our website https://www.forvismazars.com/ro/ as well as to any other situation described here.
Detailed information on each other hypothesis of data processing by the Controller, for interactions with it that go beyond visiting only the website www.forvismazars.com/ro please find in the dedicated chapter, as listed above in the description of Chapter II Structure of this Note.
In addition, we remind you that the legal terms of interaction with the www.forvismazars.com/ro website are also available on its opening page, at https://www.forvismazars.com/ro/en/legals/data-and-privacy/legal-information .
A. With regard to the general interaction with the www.forvismazars.com/ro website, this may lead for Forvis Mazars in Romania, to the collection of statistical, anonymous information, respectively to the collection of information that may also lead to personal data, as the case may be.
a. The software on which the operation of the website is based may lead to the collection of information that may also constitute personal data, directly or in association with other information from that interaction, [IP addresses and/or domain names of computers and terminal equipment used by the visitor, URI/URL addresses, information regarding the time of the visit, the browser used to transmit a data request to the server, a response code regarding the response status (success/error) and other parameters related to the user's operating system and device environment] as part of the operation of the website, respectively the inherent feature of Internet communication protocols.
b. On the other hand, Forvis Mazars in Romania also uses Google Analytics to collect aggregated/statistical information for visitors to its website, segmented on the following criteria: country, city, gender (male or female), domain(s) of interest, by age groups (starting from 18 years old), language, platform used, type of device and operating systems, type of browsers used. This information is processed statistically, and anonymously.
B. The information in the above categories is useful to Forvis Mazars in Romania regarding the use and availability of its website and, when / if applicable, for processing for statistical purposes, for analysis purposes, for optimizing the functionalities of the Forvis Mazars website in Romania, for ensuring an adequate level of security of the website and its operation, respectively so that Forvis Mazars in Romania can make its activity known, to ensure an environment of interaction with potential clients, candidates, etc.
The storage period by Forvis Mazars of the aforementioned information is 12 months from the time of collection, after which it will be deleted.
C. Regarding interactions with the Controller's social media accounts: LinkedIn, Instagram, respectively Facebook, please read the Terms and Conditions available within each one.
Any information, which may also constitute personal data, from the interaction (replies, comments, discussions, etc.) with the Controller's social media account, is collected and used by the Controller as made available to it by the person interacting with that account, mainly for the Controller's interaction with that person and for legal grounds, such as the Controller's legitimate interest in communicating/interacting with third parties, promoting its own activity and/or the interests of third parties such as promoting the activity/events, etc. of companies that operate under the same brand as the Controller.
D. For information collected through cookies or other similar means regarding individuals who only visit our website, as covered in this subchapter 1, please see the Cookies Policy, which you as a visitor can read here: Cookies - Forvis Mazars - Romania
And, as for third-party applications, you have here the centralized information on their listing: Third party APIs - Forvis Mazars - Romania
E. Regarding the use of contact forms available on the website and/or interaction with the Controller (and) in a capacity other than only that of the website visitor, such forms have the following purposes:
o as service offer request form to the Controller;
o as subscription form to the Controller's newsletters;
o as registration form for participation in the Controller’s events;
o as contact information communication form and for uploading a CV for recruitment purposes, if you visit the Controller's website as a candidate who wants an employment relationship within the Controller;
o as reporting forms, on reporting and notification procedures such as whistleblowing.
The Controller collects the personal data (usually contact data) in these forms directly from you (if you use at least one of such forms), and processes them initially automatically/electronically, then also humanly. The mentioned data are necessary to be able to respond to your request; failure to communicate them may put us in the situation of not being able to follow up on the matters in the respective form, as the case may be. We keep the completed forms for the time necessary to follow up on the subject matter of the form, and subsequently, as a rule, for a storage/archiving period according to the law.
Note: The Controller can only assume that the respective form is filled in with correct data and by the person authorized to use that data according to the law. If you are not the person authorized to use such data, please do not use it; we warn you that you also have the obligation to comply with the law regarding its authorized use.
F. Information on your rights as Data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below. We underline that, by way of exception, it is possible for the above-mentioned Romanian Forvis Mazars companies to process personal data as described above in this subchapter 1 of Chapter V also as Joint Controllers. For the processing of data as Joint Controllers in such a context, the Data Subject may exercise his/her rights by addressing any of the Controllers, using the contact details for requests to exercise rights mentioned herein.
2. If you are a candidate for a position within the Controller
A. Personal data we process: To carry out the recruitment process, we collect the following personal data regarding a potential candidate for a position within the Controller:
- General identification data (full name, gender, age);
- Contact details (e.g. telephone number, address, e-mail);
- CV/professional summary data (including education, work experience, hobbies);
- Data on assessment information (if applicable);
- The image, if it appears in the above if you interact directly with Forvis Mazars (Romania), signature if you express your consent to the storage of your CV and for further recruitment of the Controller;
- Insofar as relevant and within the limits permitted by Romanian law, references to the activity performed and the duration of employment from former employers.
B. How does the Controller collect personal data: The Controller collects personal data that you voluntarily provide to it when you apply for a position within the Controller or announce, e.g. on a social media account or recruitment platform, your availability for a career change, and then, if applicable, at the time of the interview and/or assessment.
The Controller also collects personal data within recruitment platforms, from social media accounts, etc. as/if they are accessible according to the normative acts, from recruitment companies when it uses their services.
The Data subject is free to decide whether or not to provide the Controller with personal data. However, carrying out the recruitment process, in the absence of certain data necessary for this process, may not be possible.
C. The Controller processes visual, auditory, computerized and manual/mixed personal data, as appropriate. Personal data can be processed in our systems, but we can also use specialized platforms for which we ask the supplier for assurances that, both in design and implementation, the supplier meets the legal requirements regarding the processing and protection of personal data.
D. Purposes and legal grounds of processing. The processing of personal data is, as a rule, limited to what is necessary for the purposes envisaged by the Controller in its recruitment process, such purposes consisting in general of:
- Activities related to the recruitment process such as checking general experience and compatibility within the Controller and for the respective job.
- Contact, scheduling, access within the Controller to the interview if applicable, as well as
- Any other related activities, if compatible with those mentioned.
The legal grounds for processing are usually, as the case may be, (i) the legitimate interest of the Controller mainly in carrying out its recruitment process to fill the positions necessary for its activity and conduct of its activity, in defending its own rights, other likewise, (ii) fulfilling the legal obligations incumbent on the Controller to carry out such a process, those regarding the processing of personal data, those regarding the response to possible requests to exercise rights if the Controller receives such requests, (iii) the consent of the Data subject if it is the case of storing his/her personal data / CV / professional summary after the end of the recruitment process and not offering / not hiring that data subject.
E. Personal Data retention
Personal data from a recruitment process will be stored by the Controller in its systems and/or in its own accounts, for a limited period, usually for the duration of the recruitment process. To determine the retention period, the moment of completion of the recruitment process is also taken into account, as well as whether or not the consent of the data subject has been expressed for the retention of data for future recruitment by the Controller. The CV/professional summary of a Data subject not employed in that process will subsequently be retained for the duration of his/her consent, if consent was expressed by the data subject in this respect. As a rule, we do not request retention for a period longer than 18 months, but of course the applied retention period will be limited to the duration consented to by the candidate if he/she chooses to consent to the storage of his/her professional summary. Concerning the consent (and therefore also the data contained therein), it will usually be kept for another 3 (three) years from the deletion of the CV for the purpose of further recruitment, so that the Controller is able to prove the existence of consent for further storage, in case of investigation, other similar ones.
F. Information on your rights as Data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below.
3. If you are a natural person client/potential client of the Controller
A. The categories of personal data we (the Controller) process in this case are usually
- Your general identification data (full name) and those in the identity document, including its copy;
- Your contact details (phone number, email, your social media account, and other addresses indicated by you);
- Data on residence/domicile, tax residence, activities carried out or intended to be carried out;
- Financial and fiscal data such as the bank account from which you make the payment of services to the Controller;
- Other data and information such as those required by know-your-customer legislation, on preventing and combating terrorist financing, other similar;
- Your signature;
- For persons who interact (also) physically with the Controller at our headquarters, the implicit image processing of the surveillance camera system at the entrance to the Controller's headquarters, as detailed in the dedicated Information Note at the Controller's headquarters.
- Personal data under a more restrictive legal regime of processing:
- CNP (personal numeric code), series and no. of the identity card, copy of the identity card,
- Respectively, if applicable, data on possible tax penalties incurred, and other similar.
B. The categories of Data subjects usually consist of
- Potential client / individual client, of the Controller, but also
- Persons related to him/to her, to the extent that the relationship is relevant to the Controller such as, for example, for the fulfilment of the Controller's legal obligations under the Law no. 129/2019 (e.g. those regarding customer identification),
- People with whom you, as a customer, interact in carrying out the activities for which you have contracted the Controller's services.
C. How do we (the Controller) collect personal data: We collect the personal data that you provide to us voluntarily, at the time of requesting the opening of the contractual relationship, then those communicated by filling in forms such as know-your-customer at the request of the Controller in application of the Romanian Law no. 219/2019, and, when the contract with you is concluded, those from/for the performance of services, those communicated by you during the performance of the contract, and implicitly by/for the fulfilment of the contractual obligations of the Controller, respectively of the legal, statutory-professional ones, etc. incumbent on the latter.
We inform you that you are free to decide whether or not to provide us with personal data, but in the absence of such data, the Controller, as a service provider, will most likely not be able to respond to your request for an offer, afterwards to contract and provide services to you. Your personal data is mainly collected directly from you, through written forms, contracts, and other similar documents, by telephone and/or e-mail.
For certain identification and screening purposes required by law, the Controller may collect and process identificatory information or other data including data relating to public exposure obtained from credible and independent sources, such as public or private databases, to ensure that know-your-customer, anti-money laundering, anti-fraud and/or against tax evasion provisions are properly applied [in the public interest (as mentioned by the law)] and to meet Controller's legal obligations in this respect.
The Controller also monitors the existence or not of reporting criteria to fulfil its reporting duties to the national authorities in Romania, such as the National Office for the Prevention and Combating of Money Laundering.
D. Purposes and legal bases of processing
The processing of your personal data is usually done by the Controller for purposes such as:
- To communicate with you, to identify you and for “know-your-customer” according to the law, to respond to / send an offer for your request for services from the Controller, and, if the case, to negotiate the service contract with you;
- To conclude/sign and execute the service contract with you, if such an agreement has been reached for the requested services, other similar;
- For other activities and actions derived from the conclusion and performance of the contract for which personal data are required;
- To fulfil the Controller's legal obligations concerning you;
- When/if applicable, to exercise and defend the legitimate rights and interests of the Controller;
- Other purposes compatible with the above, such as, for example, responding to your notifications, taking over, solving and responding to possible requests to exercise rights, and others like these.
Processing of your personal data is usually based on one of the following legal grounds:
- Steps/negotiation of the contract with you and then the performance of the contract with you as a Data subject;
- Fulfillment of legal obligations incumbent on the Controller, such as those regulated by the Romanian Law no. 129/2019, Law no. 82/1991, etc.;
- Legitimate interests of the Controller such as those related to the performance of its economic activity, to improving its relationship with customers, if necessary to defend and/or exercise its own rights and legitimate interests, in some cases legitimate interests of companies operating under the same brand such as the efficient management of the infrastructure used, streamlining the technical management of the customer relationship, managing joint events attended by mutual customers/clients of several companies, other like these;
- Where applicable and where we have it, your consent as Data subject to any processing that is performed based on your consent for that processing, such as for direct marketing communications, other similar.
E. Personal Data retention
Your personal data will be stored as a rule for a limited period, which is determined on a case-by-case basis, taking into account criteria such as the duration of the contract with you, legal obligations incumbent on the Controller (e.g. for compliance with the requirements of Romanian Accounting Law no. 82/1991, tax law, Romanian Law no. 129/2019 on preventing and combating money laundering and terrorist financing, legal obligations to archive contractual documents, respectively supporting documents for the activities performed), the duration of your consent for processing based on consent, limitation periods, other like these. Upon request, we can provide practical information on the retention of your personal data.
F. Information on your rights as data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below.
4. If you interact with the Controller as an associate/shareholder, member, founder, representative, employee, co-worker, etc. of a client/potential client legal person, of the controller or, if you do not interact, but you are the person related to that legal person/its shareholders or associates members, etc.
A. The categories of personal data that the Controller processes, usually in such a working hypothesis, consist mainly of:
- General identification data that are communicated to the Controller by persons from the potential client/client legal person, persons with whom the Controller interacts directly or indirectly, [full name, implicitly gender and marital status from the address formula (Mr., Mrs.)];
- Contact details of the Data subjects, usually professional (for example phone number, e-mail, social media account if indicated by the Data subject/employer or, legal person client of the Controller, other similar);
- The role/position of the Data subject within the legal entity potential client/client, if applicable the mandate of the Data Subject, information from the business card/signature of the professional e-mail, other similar;
- Unique identification data at the national level such as CNP, identity document series and number, copy of identity document including image from it, citizenship/residence, identification data of related persons, regarding as the case may be shareholders or associates, members, founders, etc. of the legal entity client, according to the “know-your-customer” identification and screening imposed by Law no. 129/2019;
- Handwritten signature and/or identification elements regarding/from the electronic signature, for legal or conventional representatives of the legal person client;
- Implicit image processing by the surveillance camera system at the entrance to the Controller's headquarters, as detailed in the dedicated Information Note at the Controller's headquarters, for persons related to the legal entity customer and who interact (also) physically with the Controller at its headquarters.
B. Categories of Data subjects:
Regarding legal entity clients, in general, the Controller processes the data (as the case may be) of shareholders or associates, of members, of founding members, etc. natural persons, those of the legal representative, respectively of a conventional representative if applicable, of the respective legal entity, as well as professional contact details, position/role in the Controller, (the implicit image and the image within interactions/meetings such as those online) of employees, co-workers, of contact persons generally indicated to the Controller by the client legal entity or who contact the Controller on behalf of its client.
C. How does the Controller collect such personal data: In general, personal data are collected that are provided directly, voluntarily, to the Controller, primarily at the time of requesting the contracting offer, those at the request of the Controller from its forms filled in by the client for “know your customer” assessment and risk assessment following the requirements of the Law no. 129/2019 and with the statutory-professional requirements of the Controller, and afterward, if applicable, personal data that is communicated by the legal entity customer during the negotiation of the contract with the Controller and, finally (implicitly collected in general) if the contract is concluded, the necessary/implicit data during the performance of the contract, and if the case also after termination of the contract if it is still required (e.g. in case of litigation).
Each person is free to decide whether and what information to provide to the Controller. However, in the absence of some data, such as those to be communicated according to Law no. 129/2019 or those necessary for contact, the negotiation and conclusion of the contract, the conduct of contractual relations with the legal entity client, or other such operations may not be possible.
For “know-your-customer” verifications as per the Law no. 129/2019, and for those ensuring compliance also with statutory-professional requirements, we consult and implicitly process, when appropriate, personal data available from public databases such as trade registers, registers of associates and/or foundations, other centralized public records of non-profit entities, (e.g. public records of tax authorities, databases created from public information but managed by providers specialized in know-your-customer services, identification of the final beneficiary and assessment of exposure risks within the scope of Law no. 129/2019), etc., as per the law. The Controller does not use these forms/data processed for such purposes for commercial purposes, or other similar purposes.
D. Purposes and legal grounds for processing
The processing of personal data by the Controller is limited to what is necessary for the intended purposes, mainly consisting of:
i. Activities related to contracting and performing services:
- conclusion and execution of the contract for the provision of services as a provider, by the Controller;
- other activities and/or actions for/derived from the conclusion and execution of such a contract (negotiation, signing the contract, communicating with the contact persons for its realization, other similar);
- keeping supporting records following the legal requirements in this regard.
ii. “Know-your-customer” identification and screening, preventing and combating money laundering and terrorism financing, fulfilling other legal obligations incumbent on the Controller in this regard (keeping records in this regard, deleting such personal data at the end of the retention period as required by the Romanian Law no. 129/2019, other similar).
iii. Organizing and inviting to events for scientific and/or professional purposes, to promote the activity of the Controller, of events of the Controller together with other entities related to it and/or acting under the same brand, as the case may be, other similar.
iv. Customer relationship administration/management, by the Controller;
v. Defending and/or exercising its own rights and/or legitimate interests by the Controller, keeping its internal records, responding to requests for exercising rights of data subjects addressed to it in this regard, managing its internal infrastructure to support its activity, internal/external reporting according to the law, according to statutory-professional requirements, other similar.
The legal grounds for processing the personal data by the Controller usually consist of:
i. The legitimate interest of the Controller (i.e. carrying out economic activities such as those regarding the contracted services, improving its relationship with clients, etc.), if there are interests in promoting the common brand, also legitimate interests of other companies related to the Controller / operating under the same brand, the legitimate interests of third parties, such as those providing event organization services for the Controller's events or events shared with it, support infrastructure management services, etc.
ii. Fulfilment of legal obligations incumbent on the Controller (i.e. those related to the application of statutory-professional rules, those on preventing and combating money laundering and to “know the client” assessment), those of keeping financial and fiscal records, those of archiving documents, the legal obligation to respond to requests to exercise rights of Data subjects, other similar;
iii. Consent to the transmission of the newsletter and/or invitations to events organized by Forvis Mazars (Romania), for the processing of the identification and contact information for these purposes, and other such processing for which the Controller announces this legal base and requests consent.
E. Personal Data retention
The personal data of the Data subjects will usually be stored implicitly together with the documents/records regarding the relationship with the legal person client, but usually for a limited period, which is determined taking into account criteria such as legal obligations incumbent on the Controller to keep records regarding compliance with the requirements of Law no. 129/2019, duration of the services agreement, legal obligations to archive contractual documents, respectively of having evidence of the activities performed, prescription periods, other similar. Upon request, we can provide information on the applied retention periods concerning personal data.
F. Information on your rights as Data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below.
5. If you are the person who interacts in another context with the Controller, mainly for the purpose of communicating with the Controller on various aspects, such as by filling in one of the forms on its website, other such situations;
A. Personal data processed by the Controller
- General identification data [full name, gender, marital status from the form of address (Mrs., Mr.)] and contact data that are communicated to the Controller by you as a natural person contacting us or by the person for you /on behalf of a legal entity (the Controller assuming that the person/entity addressing to it is authorized to communicate such data);
- Online identifiers such as the IP address, if you interact (also) with www.forvismazars.com/ro website;
- Information collected by cookies if you interact with www.forvismazars.com/ro website, respectively those generated by the opening of the newsletters of Forvis Mazars in Romania, if you have subscribed to them, information generated by your access to the links in those newsletters, by your downloading, as the case may be, of the informative materials or those accompanying the Forvis Mazars newsletters in Romania;
- Usually professional contact details (for example phone number, email, social media account if applicable, and other similar);
- Role/position in your professional environment / such information from the signature from the professional e-mail, other similar;
- Data on the residence, activities carried out, those of aspects subject matter of your interest from your communications, if the case implicitly for certain events of the Controller if you register for those, other similar;
- For persons who interact (also) physically with the Controller at our headquarters / during the Controller's events, the implicit image processing by the surveillance camera system at the entrance to the Controller's headquarters, as detailed in the dedicated Information Note at its headquarters;
- Images, testimonials, signature on the participation form/attendance form/billing data if applicable, for/from the event of the Controller in which you decided to participate / to register yourself as an attendee, etc.;
- Other pieces of information such as certain contexts of interaction with the Controller, and with its employees, if you choose to address for compliance purposes and to fill in a notification form within the Reporting and Notification Procedures such as whistleblowing.
B. How do we collect personal data: We collect personal data that you voluntarily provide to us, usually implicitly, if/when you address our Controller but also later, if applicable, such as during afterward communication/interaction with us, those generated by the interaction with our newsletters.
Until the possibility of verifying the respective data, we receive the data as communicated to us and we can only assume that the sender is authorized to use that data, that the respective data is real, correct, accurate, etc.
The decision to communicate personal data belongs exclusively to the person contacting the Controller. However, we specify that in the absence of some of them, we may not be able to respond to the message, we may not be able to take the necessary measures, etc., which is why, for example, the forms on the website mark the field of the necessary information in the opinion of the Controller.
C. Purposes and legal bases of processing
The request for your personal data from the Controller (through contact forms, through cookies on the website, through images captured during events, etc.) is usually limited to what is necessary for the purposes envisaged by the Controller, purposes such as:
- Communicating with you /to respond to your message or your request;
- The possibility to respond to your interest in participating in certain Controller’s events;
- The possibility to communicate newsletters on the topic of interest you have chosen;
- Taking over and then managing your consent if you have opted to express it concerning processing your personal data based on this legal basis mentioned by the Controller with which you interacted;
- Other activities and actions as required by law regarding your message;
- Fulfilment of legal obligations incumbent on the Controller such as proving the legal basis of processing, responding to the exercise rights request of the Data Subject, taking over the unsubscribe/withdrawal of the expressed consent, and other similar;
- When/if applicable, exercising and defending the Controller's own legitimate rights and interests;
- Other purposes compatible with the above, such as responding to your notifications, to know whether or not you are interested in each of our informative materials, others like these.
Processing of your personal data for the working hypothesis from this chapter is based on one of the following legal bases:
- Legitimate interests of the Controller such as those related to the promotion and marketing actions of its own economic, professional activity, etc., those of efficient administration of communications with third parties, of using its website in this regard, those of interaction with potential customers in the future, those of managing the infrastructure used, those to guide the marketing activity and/or Forvis Mazars newsletters in Romania, in relation to your interest, those of managing Controller’s events or legitimate interests (and) of other companies, usually acting under the same brand, such as managing of a common event, managing of a common local website if necessary, other similar;
- Consent to be provided with newsletters and/or invitations to our events organized by the Controller, for the transmission of unrequested commercial communications, and other such purposes for which the Controller announces processing based on consent;
- Fulfillment of legal obligations incumbent on the Controller, including those regulated by the EU Regulation 2016/679 (general) on data protection, by the Romanian Law no. 506/2004 on the processing of personal data and protection of privacy in the electronic communications sector, etc.;
- Exceptionally, during events with physical presence, for example, data may also be processed for reasons of public interest or protection of the vital interests of the Data subject.
D. Personal Data retention
Personal data processed in this processing hypothesis will usually be stored for a limited period, which is determined taking into account criteria such as legal obligations incumbent on us to keep some records/evidence on compliance with applicable legal requirements, duration of consent for the processing based on consent, prescription periods, other similar.
Upon request, we can provide information on the retention periods applied to personal data.
E. Information on your rights as Data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below. We underline that, by way of exception, the above-mentioned Romanian Forvis Mazars companies may process personal data as described above in this subchapter 5 also as Joint Controllers. For the processing of data as Joint Controllers in such a context, the Data Subject may exercise his/her rights by addressing any of the Controllers, using the contact details for requests to exercise rights mentioned herein.
6. If you interact with the Controller as an associate/shareholder, representative, employee, co-worker, member, founding member, beneficiary, etc. of a supplier (including a company under the same brand as the one of the Controller), co-worker, subcontractor, non-profit entity, professional association, auditor of the Controller, etc.
The Controller provides you below with information on the processing of personal data provided by you / your company/organization/association, etc. that you represent, etc., (in your capacity as a representative of the company, respectively as an authorized owner / natural person, owner of the individual enterprise, designated person, non-profit beneficiary - natural person, member/representative, etc. of the association / non-profit organization, foundation, etc., as the case may be, respectively of real final beneficiary of the Controller’s payment, respectively if you are representing any other non-business contracting partner of the Controller ) from the perspective of the Controller on the occasion of concluding and/or carrying out services/contract/relationship of the Controller (as Controller) with you/your company/organization/association etc.
A. The categories of Data subjects whose data the Controller processes in these hypotheses consist mainly of, as the case may be:
- Authorized natural person;
- Legal/conventional representatives of each such legal entity;
- Employees, co-workers, representatives, consultants;
- Contact persons;
- Third parties related to any of the above categories who, according to the law / as indicated by you, interact or are relevant under the law in that relationship with the Controller;
B. Personal data the Controller processes
The Controller processes in these activities’ hypothesis, in general, the following categories of personal data, as the case may be, and limited to what is needed:
- Name, surname;
- Contact details: correspondence address, landline/mobile phone, fax, e-mail;
- For Authorized Individuals (in Romanian “PFA-persoane fizice autorizate”) possible number of the bank account (IBAN account) and banking unit, tax identification data;
- Signature;
- Professional function/quality/role;
- Other data and information appearing on the representation mandate if it is appropriate to be presented to us;
- Image if applicable to online meetings / physical presence at the Controller's headquarters;
- Access card / viewing identity card at the Controller's reception for identification for authorized access permission purposes for personnel entering the Controller's headquarters and access records;
- If Law no. 129/2019 is applicable, identification data of the ultimate beneficiary/owner, according to the requirements of Law no. 129/2019, other similar.
Exceptionally, for the humanitarian/charitable/voluntary acts of the Controller, data such as bank account, special data regarding the health status of the beneficiary person, and other similar may be implicitly processed.
C. Source of personal data
Personal data is obtained as the case may be: directly from you, from the company/entity you represent, from the signatory of the contract with the Controller, from other legal or conventional representatives, from your website / of the entity you represent, any other allowed source according to the law such as available public information, including those from official registers.
D. Purposes and legal grounds for processing
a. consent if expressed, for purposes such as the transmission of commercial communications, communication of newsletter(s), information/invitations regarding certain events of the Controller, and other similar;
b. negotiating, respectively closing, performing the contract with you as a Data Subject if you are an authorized natural person / natural person beneficiary and interact in this capacity with the Controller;
c. fulfilment of a legal obligation incumbent on the Controller, for purposes such as keeping its own accounts, according to the Accounting Law no. 82/1991, identification of final beneficiaries/owners, fulfillment of other legal requirements in case of application of the Romanian Law no. 129/2019, to respond to possible requests for exercising rights received according to Regulation and/or Law no. 506/2004, for compliance with financial and fiscal rules, etc.;
d. legitimate interests of the Controller and/or of a related third party such as other companies operating under the same brand as the Controller, for purposes such as (if you represent or are a third party related to the contracting party legal person / non-profit entity, etc.) as the case may be: negotiation, conclusion / respectively execution of the contract with the respective legal entity, preservation of the Controller's right of defense, implementation of contractual changes of the Controller, management of operational risks by the Controller, promotion of the economic interests of the Controller, other similar.
E. Personal Data retention
Your personal data will be stored for a limited period, which is determined taking into account several criteria such as legal obligations incumbent on us as Controller to keep evidence of our contracts, the regulated duration for keeping records regarding compliance with applicable legal requirements, the duration of your consent for processing based on consent, prescription periods, other like these.
Upon request, we can provide detailed information on the retention periods applied to your personal data.
F. Information on your rights as Data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below.
7. If you are the representative, manager, or person designated according to law from an investigating authority, responding, and communicating as per the law with the Controller;
A. The categories of personal data that the Controller processes in the above context usually consist of:
- Personal identification data: name, surname, position, department/service of carrying out the activity, regulatory unit/authority, professional e-mail address, authority telephone / professional mobile phone number, fax number of the authority, signature, series, and number of the service card, number and date of power of attorney, Identity document (for viewing and comparison with the identification data from the control card/power of attorney/inspection mandate), image if it is the case of control at the Controller's headquarters;
- Personal data from documents, documents issued or concluded by authorities: name, surname, position, unit of activity, signature, authority telephone / professional mobile phone number, fax number of the authority, service card number / number and date of power of attorney for the control personnel, as appropriate.
B. The categories of Data subjects are representatives of authorities, the management personnel, control staff, employees of regulatory, of control, and/or of monitoring bodies, of the authorities that perform controls, respond to requests, perform checks and requests, provide clarifications to the Controller, issue order measures, perform investigations/controls on the premises and/or regarding the activity of the Controller, within the performance of their duties under the law.
C. The purposes of the processing of personal data by the Controller consist mainly of (i) fulfilling the legal obligations of the Controller as per the law with the regulatory and/or control authorities/bodies, those of reporting incumbent on the Controller according to the legislation in force applicable to it; (ii) the possibility of the Controller responding to the authorities; (iii) the performance by the Controller of correspondence and communications according to the law with the authorities and authorized bodies; (iv) the exercise by the Controller of its rights according to the law; (v) the possibility of exercising or defending the rights of the Controller, according to the normative acts in force; (vi) the keeping by the Controller of its internal records in carrying out the above.
The Controller specifies that it does not process in the list, in any records of persons, data of the categories of persons mentioned in this chapter, does not process them in any database as such, respectively does not extract from documents, images, communications, the Unique Control Register, from minutes, etc. any personal data to process it in the list, in databases, other such. The processing for which the Controller makes this chapter of this Information Note is usually implicit, by the communication itself / by the means of communication decided/imposed by the authority, by storing the documents concluded/communicated by the authorities, of the control minutes, those noted by them in the Unique Control Register, etc.
D. The legal grounds for processing consist mainly in the fulfilment of legal obligations, alternatively in the legitimate interest of the Controller in carrying out its activity, respectively in exercising and/or defending its rights according to the law.
E. Personal Data retention
The personal data will be stored in general for a limited period, which is determined taking into account criteria such as legal obligations incumbent on the Controller to store records regarding compliance with applicable legal requirements, prescription periods, duration of a dispute if applicable, and other similar.
Upon request, we can provide detailed information on the retention periods.
F. Information on your rights as Data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below.
8. If you are a practicing student or graduate practitioner and interact with the Controller for a convention and internship
A. The categories of personal data that are processed by the Controller regarding its relationship or interaction with students practicing or wishing to carry out internships within the Controller, respectively with those of you who have expressed the consent to receive newsletters from the Controller, usually consist of:
- General identification elements (full name) and, for practitioners contracted by the Controller / with an internship within the Controller, also detailed information from the identity document, the copy of ID, the implicit image from it, the signature from the practice agreement, and its related documents;
- Information on studies, and professional information, if applicable;
- Contact e-mail address, personal contact phone;
- Details on the education;
- When applicable, IP address/other identifiers concerning the Controller, if applicable.
B. Categories of Data subjects: We process the personal data necessary for the Controller about students, practitioners (possible and/or effective), who address directly to the Controller, including during profile events, students/graduates nominated by the higher education unit for possible practice within the Controller, designated co-workers, etc.
C. How we collect the personal data mentioned above: We usually collect the personal data you provide to us as a potential practitioner when we interact directly with you, and/or indirectly, from your university when it makes such data available to us.
D. Purposes of processing personal data mentioned above: The processing of your personal data by the Controller is generally done for purposes such as:
i. Evaluation of potential practice within the Controller,
ii. Where appropriate, for the conclusion and subsequent conduct of the practice agreement;
iii. Granting, respectively withdrawing at the end of your practice, access to the Controller's facilities to the extent that they have been made available by it as necessary for the practice;
iv. Communicating with you and/or your university;
v. Communication with the Controller's support infrastructure / other legal entities in collaboration with the Controller in this regard, third-party co-workers when / if applicable (IT companies, lawyers, etc.);
vi. Storage, access, if applicable, of internal communications with you in limits needed for practice activity;
vii. Compliance by the Controller with its legal obligations, respectively legitimate interests;
viii. If you have expressed consent to newsletters from the Controller, communication of newsletters, respectively management of the consent you have expressed, to know the interest or not for each of those newsletters, respectively for elements contained therein such as links, etc.;
ix. Other purposes related to/compatible with the above, as appropriate.
E. The legal bases of processing consist mainly of:
a. The legitimate interest of the Controller to interact with possible practitioners, students having higher education, mainly to promote and develop the potential of the Controller's activity and human resources, the similar legitimate interest of another entity under the same brand, usually from those mentioned herein, if applicable;
b. if you are a potential practitioner for the Controller/practitioner within the Controller, another legal basis may be, as the case may be, the conclusion of the confidentiality and the practice agreements with you;
c. meeting the legal requirements applicable to the Controller's activity about practitioners, [concerning the Controller];
d. if applicable and you have opted in this respect, your consent as a Data subject for specific purposes of processing personal data based on consent, such as newsletters and/or commercial communications.
F. Personal Data retention: If your personal data is collected, processed generally, in one or more of the situations mentioned above, your personal data will be processed and stored by the Controller, generally for a limited period, which may differ considering criteria such as legal requirements for storing the convention of practice, of the confidentiality agreement, professional requirements, applicable to the Controller, other like these. Upon request, we can provide details of the storage periods applied.
G. Information on your rights as Data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below.
9. If you are a direct user or appointee on behalf of your employer, etc., of an application/software product of Forvis Mazars in Romania;
A. First of all, to use the respective software product of the Controller (application, user account, etc.) the user must be authorized to do so, which means that you directly if applicable, respectively the entity for which you use the software product of the Controller, must comply with the terms and conditions of access and use of that product.
Then, the use of the software product contracted with the Controller may also make necessary the processing of certain personal data, such as those regarding the authorized user, those of contacting him/her in certain situations, and other like these.
B. The categories of personal data concerned that are processed by the Controller regarding the use by its client of a software product made available by the Controller, usually consist of:
1. General identifiers (full name);
2. Usually professional contact details (e.g. phone number, email address, photo image if associated);
3. Professional activity/position within the Controller/employment relationship and/or education;
4. IP address;
5. The user name for the software in case one is assigned/associated.
C. Categories of Data subjects:
According to the expressed options, the Controller’s client natural person, respectively employees designated by the legal entity client, its legal and/or contractual representatives, of the designated co-workers, etc., to use and/or have access to the respective software product of the Controller, on behalf of its legal entity client.
D. How we collect the personal data mentioned above: We collect the personal data you provide to us as a natural person client, respectively as an employee / as a representative of our legal entity client or/and when the legal entity client communicates them, updates them, modifies them, as appropriate. The respective data is not mandatory, but in the absence of some, it is possible that access to the software product cannot be used in an authorized manner.
E. The purposes of processing personal data mentioned above consist mainly of:
- Verification, granting, respectively withdrawing access to the respective software product;
- Providing technical-operational support in managing the use of the respective software and/or the results of its use;
- Communicating with you / your Controller, with other legal entities (such as those providing specific technical support, maintenance, the like) regarding the use of the respective software/communication with the software support infrastructure;
- Compliance by the Controller with its legal obligations, such as proving authorized access to the respective software product, keeping records for options contracted with customers, the number of users, updating access, etc.;
- Managing the consent you have expressed regarding certain technical options/facilities that can be used based on consent, if applicable;
- Other purposes related to / compatible with the above.
F. Processing of your personal data for the above purposes is based on legal grounds such as (as the case may be):
1. If you are a natural person customer, the performance of the contract with you;
2. Regarding the relationship of the Controller with the legal entity customer, the legitimate interest of the Controller, and, if applicable, that of third-party providers / other entities under the same brand as the Controller, for their possibility to provide the infrastructure/services necessary for the respective software;
3. Legal provisions applicable to the Controller's activity;
4. Consent, for certain processing for specific purposes such as marketing, and newsletters, options for that product, other similar.
G. Personal Data retention:
Your personal data will be processed and stored by the Controller, in general, for a limited period and the duration is established on criteria such as the duration of use of the respective software product, the duration of consent if it is processing based on consent and it has been expressed, the legal terms for keeping records of access/use, limitation periods, other like these. Upon request, we can provide detailed information on the retention applied to your personal data.
H. Information on your rights as data subject and their exercise, possible recipients of the personal data, possible personal data transfer, and the means of personal data processing used by the Controller can be found in chapters VI-VIII below.
10. If you are a former employee who wishes to maintain contact with Forvis Mazars in Romania, according to your options, and thus to appear in our alumni database
A. Personal data processed in this relationship with you are initially processed by the Romanian Forvis Mazars company, your former employer, as Controller for the creation of a list of former employees for the purpose of maintaining a common database, then by the Romanian Forvis Mazars companies mentioned above as Joint Controllers, to keep in touch with former employees and communicate with each of them.
The categories of personal data processed in this activity are usually:
- General identification data [full name, gender, marital status in the address form (ma'am, sir)] and contact details, including when/if applicable your social media account or accounts (LinkedIn, Meta, etc.);
- Online identifiers, such as IP address, when/if you (also) interact with the www.forvismazars.com/ro website and/or fill in the electronic database form with former employees;
- Information collected by cookies when/if you interact with www.forvismazars.com/ro website;
- Your current professional details if you decide to communicate them to us (role/position in your current professional environment/employer company / form of exercise of your activity, as you choose to communicate them to us or not);
- Your choices through forms, checkmarks and/or answers or interactions with us, if any;
- For persons who interact (also) physically with the Controllers during their events in which former employees also participate (if you choose to participate), the default processing of images by the surveillance camera system at the entrance to the Controllers' premises, if the events are at the Controllers' headquarters, as detailed in the dedicated Informing Note at their headquarters;
- Images, testimonials, other information, such as certain contexts of interaction with the Controllers and their employees.
B. How we process personal data: Initially each former employer company collects your contact data (name, surname, contact data) internally, from the information stored to contact former employees, then these are processed electronically in the common list by Forvis Mazars companies, as Joint Controllers, in order to contact them and keep in touch with them if they wish.
If you subsequently choose to fill in the option form as a former employee, we receive the data as communicated to us by you. (We can only assume that it is you, that you are authorized to use that data, and that the data is real, correct, accurate, current, etc.)
Thus, the decision to then communicate your personal data through the dedicated form and to send us your option(s) for the purposes of a database to keep you in touch with us, the Joint Controllers, to receive communications from us, as Joint Controllers, belongs exclusively to you and as you consider.
We specify that:
- you are not obliged to participate in or opt-in to such a database and/or to consent to receive communications from us, respectively
- you will be able to change your choice at any time, or that you will be able to withdraw your consent (if you have given such consent) at any time; and
- in the absence of your mentioned contact details, personal data and your affirmative choice that your data be included in the above-mentioned alumni database, your personal data will not be processed within that alumni database.
C. Purposes and legal bases of the processing
Processing of your personal data will be usually limited to what is necessary for purposes such as:
- Communicating with you / knowing your option for such a database and the reinitiation/maintenance of your communication with Forvis Mazars in Romania companies;
- The possibility of responding to your interest, as well, in receiving communications, invitations to events, to keep in touch with your former employer and with us, as Joint Controllers companies;
- Collecting and then managing your consent, if you have chosen to express it, regarding the processing of your personal data based on this legal basis;
- Other activities and actions according to the law, regarding the management of such contact database;
- Fulfilling the legal obligations incumbent on the Joint Controllers/each Controller, as the case may be, such as proving the legal basis for the processing, responding to the Data Subject's request to exercise his/her rights, taking over the withdrawal of the expressed consent/taking over the "opt-out" message and other like these;
- When/if applicable, the exercise and defense of the Controller(s)'/Joint Controllers' own legitimate interests and rights;
- Other purposes that are compatible with the above.
The processing of your personal data for the working hypothesis in this chapter is based on the following legal bases:
- The legitimate interests of the Controller, your former employer, in interacting with the former employee in order to maintain contact within the limits permitted by law and those agreed by you as a former employee;
- The legitimate interests of the Joint Controllers are to develop a common database, under the same management rules, of alumni and to maintain communication and links with them;
- Your consent to Joint Controllers for you to be in their alumni database, for activities such as communications, invitations to events, etc. for which the Controllers announce processing based on consent;
- Observance of the legal obligations incumbent on the Controller/ Joint Controller(s), including those regulated by EU Regulation 2016/679 (general) on data protection;
- Exceptionally, during events with physical presence, for example, data may also be processed for reasons of public interest or protection of the vital interests of the data subject.
D. Retention of personal data
The personal data processed in this case of processing will usually be stored for a limited period as a contact list for the creation of alumni databases and then if you have opted to be in the alumni database for the duration of the consent for the processing based on consent.
With regard to the consent expressed (including the form in this regard, populated with data by you), respectively its withdrawal and/or the opt-out proof, they will be each, if expressed, as a rule kept for a further period of 4 years from the date of the last processing act (which falls under this chapter of the Informing Note), i.e. for the duration of the prescription period of time in our assessment.
Other criteria for determining the duration of the processing are the legal obligations that we have to keep some records/evidence regarding compliance with the applicable legal requirements, the limitation periods, etc.
Upon request, we can provide information about the retention periods applied to personal data in this case of processing.
E. Information about your rights as a Data Subject and the exercise of them, the possible recipients of personal data, the possible transfer of personal data and the means of processing personal data used by the Controllers can be found in Chapters VI-VIII below.
We emphasise that, in this activity, the Romanian Forvis Mazars companies herein may process personal data as described above, also as Joint Controllers. For the processing of data as Joint Controllers in such a context, the Data Subject may exercise his/her rights by contacting any of the Controllers, using the contact details for requests to exercise the rights mentioned in this Note.
VI. The means of processing personal data used by the Controller
Processing of personal data on the grounds and, respectively, for the above-mentioned purposes, consists mainly of the operations and/or set of operations of written registration, electronic registration, organization, list structuring, storage in Forvis Mazars systems / used by Forvis Mazars and/or own, extraction, consultation, use, alignment or combination, disclosure, archiving, erasure or destruction, by automatic, manual and/or mixed means, as the case may be, by persons authorized to do so by the Controller. For the avoidance of doubt, the Controller informs that, at the date of this note, it does not carry out any processing exclusively by automated means for deciding on the Data subject, e.g. from the perspective of the relationship with suppliers, customers, natural persons, candidates, as the case may be.
VII. Possible recipients of personal data
Internally, the employees/representatives of the Controller with responsibilities in that processing, are usually recipients of the data (who must maintain the full confidentiality of personal data and, respectively, to comply with the internal rules and procedures of the Controller in this regard).
In general, the Controller does not transmit personal data outside, to third parties/recipients, except in circumstances where this is necessary, such as for the performance of legitimate professional and commercial tasks, when required by law, or to respond to your requests, to meet its professional standards, other such situations.
As examples of the exceptional situations mentioned in the previous paragraph, the following categories of recipients can be taken into consideration:
a. service provider companies / other such persons, contracted by the Controller for (as the case may be):
- General administration of its contractual relations with clients (e.g. consultants, translators, lawyers, executors, providers of software services/CRM platforms for customer relationship management, etc.);
- Archiving services;
- Managing relations with candidates / potential candidates (recruitment companies, companies that manage online recruitment platforms, other similar);
- Managing relationships with suppliers;
b. other professionals who provide the Controller with various other support services, access to data being an exceptional rule, when they must also have access to personal data to provide support for the Controller to carry out its activity (such as legal services, IT&C services, back-up services, cloud storage, maintenance services for systems/databases, security and protection services, etc.) to fulfil its legal obligations (providers in compliance area), etc.;
c. contractual partners involved in the performance of the contract concluded by the Controller (subcontractors, other companies operating under the same brand, other similar);
d. supervisory and control authorities such as National Office for Preventing and Combating Money Laundering, ITM, those operating in the field of taxation, and other authorities when/to whom data must be transmitted to fulfil an obligation provided by law, by EU regulations or rules;
e. auditors, persons authorized by law to carry out compliance checks with statutory norms, with professional ones, and other similar;
There is also the possibility of sharing certain data, such as, for example, contact details but possibly also other data when necessary, with other Forvis Mazars companies (companies operating under the same brand, in the European Economic Area and/or outside it), generally for administrative purposes, or to manage a joint event in which you are going to participate, or to provide a contracted service that we subcontract to that company operating under the same brand, and/or implicitly for example when/if technical support is received from a company operating under the same brand, in other similar situations, or if you send us a request as a Data Subject but we need to communicate it to that Forvis Mazars other company which is the controller that carries out the processing to which your request relates.
The data to which access will be made possible will be adequate, relevant, and not excessive in relation to the purpose of such processing/communication.
The recipients mentioned above are entities/persons, usually with offices in Romania and/or in other Member States of the European Union.
Regarding transfers of personal data, in general, the Controller does not transfer your personal data outside the European Economic Area.
However, for certain communications, especially for marketing/newsletter purposes, or for the purpose of customer relationship management, we may use platforms with holders from outside the European Economic Area, such as Mailchimp (The Rocket Science Group, LLC), a third-party provider that may process your personal data for the services it makes available to us (see their privacy policy).
Upon request, we may provide details to the Data subject of the actual recipients of his/her personal data.
VIII. Rights of the Data subject and how they can be exercised towards the Controller
The Data subject has the following rights regarding the processing of his or her personal data by the Controller:
- The right to be informed.
- The right of access to his/her personal data.
- The right to obtain rectification or completion of his/her personal data.
- The right to delete his/her personal data ("the right to be forgotten"), specifying that there may be situations according to the law in which the Controller cannot respond to such a request.
- The right to obtain restriction of processing of his/her personal data.
- The right to portability of his/her personal data (if there is the necessary technical infrastructure for this purpose / the requirements of the law for this are met).
- The right to object to the processing of his/her personal data.
- The right to withdraw consent to a processing, if such consent has been previously expressed for that processing, specifying that the withdrawal of consent will produce effects for future processing.
[We emphasize that, on the date of availability of this dedicated information, your personal data is not processed exclusively automatically by the Controller to make a decision based solely on automated processing, including profiling, likely to affect you as a Data subject.]
- Also, the Data subject has the right to complain to the supervisory authority for personal data processing, respectively, to file an action with the competent court, according to the law.
How the Data subject may exercise his/her rights towards the Controller: If you have any questions regarding the processing of your personal data by the Controller, or if you wish to address any request to us, respectively to exercise any of your rights regarding the processing of personal data by the Controller, you can contact Forvis Mazars (Romania) Controller with which you interacted at the address of the headquarters mentioned at the beginning hereof by post/courier or by e-mail using one of the e-mail addresses GDPR.Compliance.ro@forvismazars.com or dpo.ro@forvismazars.com.
Each request will be approached as soon as possible, but, as a rule, no later than one month after receipt. Please note that to be able to respond and approach a request to exercise rights received from you, we need relevant identification data from you, otherwise, it may be impossible to identify you/identify the processing of your data and to respond to you.
If you are dissatisfied with the response of the Controller, you can file a complaint with A.N.S.P.D.C.P./National Supervisory Authority for Personal Data Processing based in Bd. Gheorghe Magheru no. 28-30, Sector 1, Bucharest, postal code 010336, Romania, by letter to its address, or by e-mail to anspdcp@dataprotection.ro. You can also apply to the competent courts.
IX. Changes to this Informing Note
Forvis Mazars in Romania/the Controller may change this without note, based on applicable legal requirements. We encourage you to periodically read this notice to stay informed about how Forvis Mazars in Romania protects your data and to stay up to date with it.
X. Applicability
This Informing Note applies from 1 January 2025.