Privacy policy

PERSONAL DATA PROCESSING SECURITY POLICY

  1. PURPOSE:

The purpose of this policy is to establish the necessary measures and responsibilities of employees of my Geisha, for fulfilling the obligations relating to the guarantee and protection of the fundamental rights and freedoms of natural persons, in particular the right to privacy, family and private life, with regard to the processing of personal data.

  2. SCOPE:

This policy applies to all employees of my Geisha with duties of processing personal data and/or, as the case may be, to the empowered persons.

  3. TERMS AND DEFINITIONS:

NSAPDP - The National Supervisory Authority for Personal Data Processing;

Personal information - any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Anonymous Data - data which, by reason of their specific origin or method of processing, cannot be associated with an identified or identifiable person;

Operator - any natural or legal person, private law or public law, including public authorities, institutions and their territorial structures, which establishes the purpose and means of processing personal data; if the purpose and means of processing personal data are determined by a normative act or on the basis of a normative act, the controller is the natural or legal person, public law or private law, which is designated as the controller by that normative act or on the basis of that normative act;

Person responsible for the personal data security policy - the person responsible for the proper functioning of the complex information protection system containing personal data, as well as for the elaboration, implementation and monitoring of the observance of the provisions of the security policy of the personal data holder;

Personal data processing - any operation or set of operations which is performed on personal data by automatic or non-automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure to third parties by transmission, dissemination or in any other way, alignment or combination, blocking, erasure or destruction;

Storage - keeping the collected personal data on any kind of medium;

User - any person acting under the authority of the controller, the processor or the representative, with a recognized right of access to personal databases.

  4. REFERENCE DOCUMENTS:
  • 4.1. Law no. 677/2001 for the protection of individuals with regard to the processing of the personal data and the free movement of such data, as subsequently amended and supplemented;
  • 4.2. Order of the People's Advocate no. 52 of 18/04/2002 on the approval of the minimum requirements for the security of personal data processing
  • 4.3. NSAPDP decision no. 90 of 18/07/2006 on establishing the cases in which the notification of the processing of personal data is not necessary
  • 4.4. NSAPDP decision no. 100 of 23/11/2007 on establishing the cases in which the notification of the processing of personal data is not necessary
  • 4.5. NSAPDP decision no. 132 of 20/12/2011 on the conditions for processing the personal identification number and other personal data having an identification function of general applicability
  5. CLARIFICATIONS:

5.1. GENERAL RULES
my Geisha has adopted appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access. In this respect, my Geisha has designated persons responsible for complying with the provisions of Law no. 677/2001.
my Geisha has taken measures to securely store information on personal data, so as to ensure an adequate level of protection and security, within the meaning of Law 677/2001.
In order to meet the related legal provisions and to meet the requirements of data and information safekeeping, the institution has developed and implemented organizational and technical measures oriented towards certain action directions:

  1. User identification and authentication
  2. Access Type
  3. Collection of data
  4. Computers and Access Terminals
  5. Access files
  6. Personnel training

5.2. SPECIFIC PROCEDURES

5.2.1. User identification and authentication
In order to gain access to personal data, users must log into the computer systems of my Geisha. Authentication within the computer systems of my Geisha is done by entering unique and non-transferable authentication credentials acquired as a result of the electronic identity enrollment and management process, governed by the security policies in force.
Each user has his own identification code (username). The same identification code is never assigned to more than one user and cannot be shared by more than one person. Identification codes (or user accounts) not used for a long period are disabled and destroyed after a prior check. The period after which the codes must be deactivated and destroyed is determined by the policy of my Geisha.
Every user account is accompanied by an authentication method, which consists of entering an authentication key such as a password. Passwords are not displayed in clear text on the monitor while they are being entered. Passwords are changed periodically according to my Geisha's security policies. The information system automatically blocks the access of a user after a fixed number of wrong entries of the authentication key.
Every user who receives an identification code and a means of authentication is obliged by the job description to keep them confidential and to be accountable in this respect to the operator.
A separate administration and management procedure for user accounts is established. Certain users are authorized to revoke or suspend an identification and authentication code, if their user has resigned or has been fired, has terminated the contract, has been transferred to another service and the new tasks do not require access to personal data, has abused the codes received or will be absent for a long period established by the entity.

5.2.2. Type of access
Users must only access personal data necessary for the performance of their job duties. For this purpose, the types of access must be established by functionality (administration, introduction, processing, saving, etc.) and by actions applied on personal data (writing, reading, deletion), as well as the procedures regarding these types of access.
The department that provides technical support may have access to personal data for solving incidents and problems occurring in the use of computer systems.

5.2.3. Data collection
my Geisha designates authorized users for the collection and entry of personal data in information systems.
Any modification of personal data must be made only by designated authorized users.
my Geisha will take measures so that the information systems record who made the modification of personal data, the date and time of the modification. For better administration, measures will be implemented for the information systems to keep the data deleted or modified.

5.2.4. Computers and access terminals
Computers and other personal data access terminals located in the headquarters of my Geisha will be installed in rooms with restricted access.
Where these conditions cannot be ensured, the computers will be installed in lockable rooms. If personal data displayed on the screen is not acted upon for a given period, as determined by my Geisha, the working session will close automatically. The length of this period is determined according to the operations to be performed.
The servers hosting personal data can be accessed only in a controlled manner, based on access rights.
It is not allowed to remove from the institution mobile storage media (CD/DVD, USB stick, portable HDD) containing personal data, except with the prior approval of the company's management.

5.2.5. Access files
my Geisha makes sure that any access to the personal database is recorded.
For automated processing, this information is stored in a general access file or in separate files for each user. Any attempt of unauthorized access will also be recorded.
my Geisha keeps the access files for at least 2 years, to be used as evidence in case of investigations. If the investigations are extended, these files will be kept for as long as it is deemed necessary.
The access files make it possible for my Geisha or the authorized person to identify the persons who have accessed personal data without a specific reason, to apply sanctions or to notify the competent authorities.

5.2.6. Personnel training
my Geisha staff is informed about the provisions of Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, about the minimum security requirements for the processing of personal data, as well as about the risks involved in the processing of personal data.
Users who have access to personal data will be trained on their confidentiality and will be warned by messages that will appear on the monitors during their activity.
Users are obliged to close their working session when they leave the workplace.

5.2.7. Using computers
In order to maintain the security of the processing of personal data (in particular against computer viruses), measures must be taken regarding:

  1. prohibiting the use by users of software programs that come from unverified sources;
  2. informing users of the danger of computer viruses;
  3. implementation of automatic anti-virus and malware protection systems and information systems security;
  4. disabling the possibility of copying or printing the personal data displayed on the screen outside the normal business flows.

5.2.8. Data printing
Printing of personal data will be done only by users authorized by my Geisha for this operation.

5.2.9. Manual processing of personal data
Documents containing personal data shall be kept in lockers or cabinets with another security mechanism. Documents containing personal data used for carrying out certain operations shall be handed over to authorized persons or shall be closed immediately after their completion.

5.3. The PROCESSING OF PERSONAL DATA WITH A FUNCTION OF IDENTIFICATION OF GENERAL APPLICABILITY, including its disclosure to third parties, is made only under the following conditions:

  1. the data subject has expressly given his or her consent; or
  2. the processing is expressly provided for by law; or
  3. in other cases, with the notice of the National Supervisory Authority for Personal Data Processing and only on condition that adequate safeguards are established to respect the rights of the data subjects.

my Geisha respects the principle of adequacy, relevance and non-excessiveness, as well as confidentiality and security measures for processing. In the case referred to in point 3 above, the following points shall be taken into account:

  1. the purpose of the processing is determined, explicitly and legitimately;
  2. the establishment and implementation of measures to ensure the exercise of the rights of data subjects;
  3. the duration of the data storage is for the period strictly necessary for the fulfilment of the purpose, after which the data will be deleted or destroyed, as the case may be;
  4. establishing the modalities of access to the filing systems in order to collect the data, according to which appropriate technical and organizational measures will be established and observed for the protection of the data;
  5. use of the data only within the scope of the intended purpose.

5.4. RIGHTS OF PERSONS WHOSE PERSONAL DATA ARE COLLECTED AND/OR PROCESSED

5.4.1. The right to be informed
Where personal data are obtained directly from the data subject, my Geisha is obliged to provide the data subject with at least the following information, unless that person already possesses that information:

  1. the purpose for which the data are processed;
  2. the existence of the rights provided by law for the data subject, in particular the right of access, intervention and opposition, and the conditions under which they may be exercised;
  3. any other information the provision of which is required by the supervisory authority, taking into account the specifics of the processing.

The Privacy Policy is posted on the my Geisha website (www.mygeisha.com);
Before filling in personal data, the consent of the persons concerned is requested for their processing;
The registration number of the notification communicated by the National Supervisory Authority is mentioned in any document through which personal data is collected, stored or disclosed;
Buildings that are monitored by video will have, at the entrance, displayed in a visible place, the information regarding the retrieval and storage of images.

5.4.2. Right of access to data
Any data subject shall have the right to obtain from my Geisha (as controller), upon request and free of charge for one request per year, confirmation that data concerning him or her are or are not processed by the controller.

5.4.3. The right to intervene on data
Any data subject shall have the right to obtain from the controller, on request and free of charge:

  1. where appropriate, the rectification, updating, blocking or erasure of data the processing of which is not in accordance with the law, in particular incomplete or inaccurate data;
  2. where applicable, the conversion into anonymous data of data the processing of which is not in accordance with the law.

5.4.4. Right of opposition
The data subject shall have the right to object at any time, on compelling legitimate grounds relating to his or her particular situation, to data relating to him or her being processed, save as otherwise provided by law. In the event of a justified objection, the processing may no longer cover the data concerned.

5.4.5. The right to address justice

  1. Without prejudice to the possibility of lodging a complaint with the supervisory authority, data subjects shall have the right to apply to the courts for the defense of any rights guaranteed by law which have been infringed.
  2. Any person who has suffered damage as a result of the unlawful processing of personal data may apply to the competent court for compensation.

5.5. COMMUNICATION OF PERSONAL DATA

  1. Personal data may be communicated between my Geisha and its proxies or between my Geisha or its proxies and other public institutions or bodies or entities governed by public or private law in one of the following situations:
    • if the data subject has given his or her express and unequivocal consent to the communication of his or her data;
    • without the consent of the data subject in the cases provided by law.
  2. The communication of personal data may also be made online, in compliance with the provisions of paragraph (1) and ensuring the security of personal data communication systems.
  3. Personal data on which data subjects have exercised and have been granted the right to object cannot be processed.
  4. Requests for communication of personal data addressed to my Geisha must contain the identification data of the applicant, as well as the motivation and purpose of the request, according to the legal provisions.
  5. Applications that do not contain these elements shall be returned for completion, and those that do not fall under the conditions provided by law shall be rejected, stating the reasons why the communication of personal data is not possible.
  6. Before communicating personal data, my Geisha checks that they are accurate and, where appropriate, up to date.
  7. If it is found that incorrect or outdated data have been transmitted, my Geisha has the obligation to inform the recipients of those data on their non-compliance, mentioning the data that have been modified.
  8. When communicating personal data, my Geisha warns the recipients of the prohibition to process the data for purposes other than those specified in the communication request.

FINAL PROVISIONS
For more information, any person can contact SC GEISHA PERFUMES SRL at office@mygeisha.ro.

COMPANY DATA
GEISHA PERFUMES SRL
TIN: 40529923
Trade Register: J23/413/2019
Address: Bragadiru Town, Mărăcineni street, 78A, 1st floor, room 2, Ilfov county
IBAN: RO43INGB0000999908751768
Bank: INGB CENTRAL