I. Who is responsible for data processing? 

The data controller is Petrom Marketing S.R.L. for both its websites www.omv.ro and also www.petrom.ro (generally referred to herein as OMV Petrom).

If you have any questions regarding the processing of your data with respect to OMV Petrom Marketing SRL, please contact:  

Data Protection Officer Mrs. Olguta Dana Totolici
Petrom City
22 Coralilor Street, District 1
013329 Bucharest, Romania
Phone:  +40 (372) 4 83540
Email: privacy@petrom.com

 

II. What kind of personal data do we process?

We process among others the following data:
• IP-address
• Browser type and version
• Information that the user is providing while filling in a contact form

Moreover, we also process master data (e.g. name, address, contact information), billing information (e.g. billing details, bank data), documentation data (e.g. notifications and emails), and data needed in order to comply with legal requirements.

We process personal data that we receive from you (or your employer) in the context of a business relationship or the initiation of a business relationship or record in the context of legitimate interests. In addition, we process data that we legitimately obtain from publicly available sources (e.g. commercial register, land register, media).

 

III. For what purposes and on what legal basis will your data be processed?

 1. Use of website 

While operating this website, we collect certain data ("personal data") that may refer to identified natural persons or identifiable natural persons, which are directly provided by the users of this website by filling in forms (e.g. name, first name, postal address, e-mail address, telephone number) or indirectly by visiting the website (e.g. IP-address).

 a. Embedded third party services and content 

Social Media

In order to inform a broad audience on OMV Petrom´s activities, we are using social media sharing buttons of different social media operators, mentioned below. The responsibility for an operation of these services in a manner that is compliant with data protection laws lies with the respective operator. OMV Petrom is only responsible for data collection and transfer to the plugin operator.

A sharing-button is an automated integration of buttons, which contain a link and click event related to the respective service. 

The integration of these sharing buttons takes place for Facebook, WhatsApp, Twitter and LinkedIn by using a so-called two-click solution. This ensures a higher standard of data protection, because no data is transferred to the social media operators until the respective button is clicked and the user either provides login data to share the post or is already logged in when clicking the button.

Moreover, OMV Petrom is operating profiles and fan pages on social media as for example, Facebook, Instagram, Twitter, YouTube, LinkedIn.

For more information on the purpose and scope of processing of personal data by the social media operator, as well as on your rights and possibilities to change settings regarding privacy, please consult the privacy policies of the respective social media operator.

Please be aware that personal data processing also takes place if you click on the links below.

Facebook https://www.facebook.com/privacy/explanation
Instagram https://www.facebook.com/help/instagram/155833707900388
Twitter https://twitter.com/en/privacy
YouTube https://policies.google.com/privacy?hl=en
WhatsApp https://www.whatsapp.com/legal/?lang=en
LinkedIn https://www.linkedin.com/legal/privacy-policy?src=or-search&veh=www.google.com%7Cor-search

Facebook

Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (“Facebook“) is operating its social media button on our website.

With regards to the fanpage, Facebook is providing statistics on visitors and is transferring them to the operator of the fanpage in an anonymized way. Facebook collects the following data by setting Cookies on the computer or other internet-connected device that accesses the fanpage, regardless of whether or not you have a Facebook profile: age, gender, location, language, point in time of access, and liking of an account and post.

OMV Petrom can access information on who has interacted when with which post on the OMV Petrom fanpage or posted something on his/her own.

OMV Petrom is using Facebook Pixel on its website for the purpose of analyzing, optimization and economical running of our online presence.

The Facebook pixel enables Facebook to determine visitors of OMV Petrom´s online presence as target group for advertisements, so called “Facebook-Ads”. In order to show Facebook-Ads only to those Facebook users who are interested in our online presence or who show certain characteristics, e.g. interest in certain topics or products, which are determined by the websites visited, OMV Petrom is transmitting these characteristics to Facebook (so called “Custom Audiences”). By using the Facebook-Pixel, OMV Petrom assures that Facebook-Ads are in line with the potential interest of a user and are not irritating. The Facebook-Pixel enables OMV Petrom to analyse Facebook-Ads for statistical purposes and for the performance of market research. This happens e.g. by analyzing whether a user has been redirected to an OMV Petrom website after the click on a Facebook-Ad.

The objection to the collection and usage of your data for the purpose of displaying Facebook-Ads is possible any time.

In order to set which ads are displayed to you while using Facebook, you may change the settings regarding ads based on usage (https://www.facebook.com/help/568137493302217). These settings will apply to all your devices.

The processing of data by Facebook follows Facebook´s Privacy Policy (https://www.facebook.com/privacy/explanation).

General information on Facebook-Ads can be found here: https://www.facebook.com/policies/ads/

Special information on the Facebook-Pixel can be found here: https://en-gb.facebook.com/business/help/742478679120153?id=1205376682832142

Instagram

Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA, a subsidiary of Facebook Inc., (“Instagram”) is providing statistics on the activity, content and target group visitors and is transferring them to the operator of the profile. Thereby, interactions, such as profile visits, website-clicks and conversation are visible. 

Moreover, it can be assessed how many visitors watch our content (posts, stories and promotions) and where they found us. Additionally, data on subscribers and the target group is collected as well as on the growth rate of subscribers. Instagram is administering the mailbox by using the messaging tool; it sorts queries according to relevance of customers and date of receipt.

Instagram is setting Cookies on the computer or other internet-connected device that is accessing the OMV Petrom profile, whether or not you have a profile on Instagram.

Twitter

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is operating its social media button of the micro-blogging service “Twitter” on our website.

Additionally, we are using a Twitter Feed plugin to display social media content on our website. This is why our website is sending requests to Twitter´s servers in order to display images and videos. These requests may make your IP-address visible to Twitter as well, which may in turn use it for its own purposes as described in its privacy policy.

Each Tweet in the Twitter Feed on our website may directly be replied to, shared or liked. If you choose to interact with these functions, you will connect to Twitter.com, who may collect your IP-address, web browser user agent, set Cookies on your browser and monitor how you interact with the widget. In case you are logged in to Twitter, it will correlate your action within the widget (e.g. liking) with your Twitter account.

Twitter is providing statistics on how often each Tweet has been seen, related to, retweeted or favored by Twitter users, highlights the most powerful tweets and makes the influencers in the network of the owner of the Twitter account visible. Moreover, the growth rate, interests and demographic data, e.g. language, gender, location, education, civil status, consumer habits, lifestyle and usage of mobile devices of OMV followers are collected and transmitted to the Twitter account owner.

Twitter is setting Cookies on the computer or other internet-connected device that is accessing the OMV Petrom profile, whether or not you have a Twitter account.

LinkedIn

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, (“LinkedIn”), is operating its social media button on our website.

With regards to the LinkedIn profile, OMV Petrom is provided with statistics on visitors via aggregated data on their location, skills, the influencers they are following and the content which they deal with the most on LinkedIn.

 
LinkedIn is setting Cookies on the computer or other internet-connected device that is accessing the OMV profile, whether or not you have a LinkedIn profile.

Furthermore, OMV Petrom uses a LinkedIn-Tag. This is a small JavaScript code snippet, which enables the tracking of applicants coming to the OMV job board via LinkedIn. This is used in order to place job advertisements more efficiently for both, OMV Petrom and potential applicants on LinkedIn. Data collected via this LinkedIn-Tag comprise URL, referrer-URL, IP-address, device and browser settings (user agent) as well as a time stamp. Direct identifiers are shortened or hashed if used across devices. According to LinkedIn, direct identifiers of members are deleted within seven days for pseudonymization. Pseudonymized data are deleted within 180 days. Further information may be found here: https://www.linkedin.com/help/lms/answer/81849/linkedin-insight-tag-haufig-gestellte-fragen?lang=en

WhatsApp

The Messaging service provider WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (“WhatsApp”) is operating its social media button on our website.

WhatsApp is setting Cookies on the computer or other internet-connected device that is trying to share the information of OMV Petrom´s website via WhatsApp, whether or not you have a WhatsApp account.

YouTube

„YouTube“ a subsidiary of Google Inc. with a seat at Google Ireland Limited in Gordon House, Barrow Street, Dublin 4, Ireland, is operating a video platform from which OMV is integrating videos on its own website.

YouTube is providing statistics on visitors via aggregated demographic data on their location, age, gender, and which videos are viewed for how long and from which device. While doing so, it also collects from which website with embedded YouTube videos visitors have been forwarded to YouTube, or whether they searched directly on YouTube, etc. This data is transmitted to the YouTube profile owner.

YouTube is setting Cookies on the computer or other internet-connected device that is accessing the OMV channel, whether or not you have a Google account.

Web Analysis 

Google

OMV Petrom is using a wide range of services provided by Google Ireland Limited, Barrow Street, Dublin 4, Ireland, which is also processing data on behalf of OMV according to Art. 28 GDPR. The purpose and scope are described in detail in the following.

For the purpose and scope of processing of personal data by Google, and for your rights and possibilities to change settings regarding privacy, please consult the privacy policy of Google: https://policies.google.com/privacy?hl=en-US

In Google´s privacy policy as well as in ours, you can find more information on the cookies mentioned below.

The data collected by Google are assessed on OMV Petrom´s behalf in order to analyse how our website is used. According to Google, the (anonymized) IP-address transmitted by your browser is not merged with other Google data. A merger can only happen in case the IP-address is not transmitted in an anonymous way and you are logged into your Google account.

Google Analytics is used on the OMV Petrom website to evaluate the use of our website as well as to optimize our online presence. For this purpose, Google is using Cookies. The information generated by the cookie about the use of the website such as browser type/version, operating system, the previously visited page, IP-address, time of the server request are usually transferred to a Google server and stored there. 

OMV Petrom uses Google Ads to collect data about your activities that does not personally or directly identify you when you visit our website or other websites and online services where we display advertisements. This information may include the content you view, the date and time when viewing this content, the products you purchase, or your location information associated with your IP address. We collect information about where you saw the ads we serve you and what ads you clicked on. We use the information we collect to serve you more relevant advertisements (referred to as "Retargeting").

OMV Petrom uses Google Tag Manager as a tool to administer website tags on a dashboard. Tags are used for tracking in online marketing. The Tag Manager itself is a cookie-less domain and does not process any personal data, as it is only used to manage other Google Marketing services in our online offering. The Tag Manager ensures the triggering of other tags, which may collect data. However, the Tag Manager is not accessing these data. In case there has been a deactivation on domain or cookie level, the deactivation remains for all tracking tags, which are implemented via the Tag Manager.

OMV Petrom is using Google reCAPTCHA to assess, for the sake of the security of our website, whether you are a human rather than a robot or other spam software. Google evaluates this on the basis of the following data: IP-address of the terminal device, the website visited by you on which the reCAPTCHA is integrated, date and duration of visit, browser, operating system, language settings, JavaScript objects, your Google account in case you hold such an account and are logged in at the same time as you visit our website, and movement of the mouse over the reCAPTCHA field.

OMV Petrom uses Google Doubleclick for the purpose of analyzing, optimizing and economically operating our online offering by displaying advertisements to you across multiple websites. This is done by using a pseudonymous identification number (pID), which is assigned to your browser. This pID enables the service to recognize which ads have already been displayed on your device and which ads have been viewed. The cookies, which are used for this purpose, do not contain any personal data.

You can find more information on the Cookies used on our website in our Cookie Policy embedded in our Cookie banner.

OMV Petrom is using Google Fonts because they are web optimized and save data volume. This leads to a shorter loading time of the website and a consistent look on all terminal devices and common browsers. When using Google Fonts, your IP-address, language settings, screen resolution and type of browser is transmitted to Google. It is not entirely transparent whether these data are also stored. Apart from this uncertainty, Google is able to rate the popularity of fonts due to the collected usage data. The results are published on Google´s internal analytics pages, e.g. Google Analytics.

More information on Google Fonts can be found here: https://developers.google.com/fonts/faq

Cookies

We collect information from you as a user of our website through the use of cookies in order to make our website more user-friendly, effective and secure. This includes your IP-address (anonymized), browser type, language settings, operating system, type of device, domain name, domain host, date and time. The legal basis for this is your consent, which you express by the appropriate settings of your browser or device to allow cookies or by choosing the respective settings in our Cookie banner. This consent can be revoked anytime. The setting of Cookies is according to Art. 6 para 1 lit. f GDPR also based on our legitimate interest insofar as it is technically absolutely necessary in order to use offered services accessed by you.

You can find more information about the use of cookies on this website and their purposes, as well as your options to control or block the cookies, in our Cookie banner. Currently, we are using the following cookies:


Required

Technically necessary cookies are used to enable the technical operation of a website and make it functional for you. The use is based on our legitimate interest to provide a technically flawless website. However, you can generally disable the use of cookies in your browser.

| Cookie name | Purpose | Developer | Retention period | Domain |
|---|---|---|---|---|
| (ID)_FORMAT_LONG | Ensures the functionality and usability of the page and is used to track errors. | | Session | www.omv.ro |
| (ID)_FORMAT_SHORT | Ensures the functionality and usability of the page and is used to track errors. | | Session | www.omv.ro |
| __(ID) | Ensures the functionality and usability of the page and is used to track errors. | | 1 hour | www.omv.ro |
| __ZEHIC | Ensures the functionality and usability of the page and is used to track errors. | | 20 minutes | www.omv.ro |
| cmpprogramCode | Ensures the functionality and usability of the page and is used to track errors. | | Session | www.omv.ro |
| cmprewardCatalogDisplayMode | Save settings and preferences of the user such as the current language setting. | | Session | www.omv.ro |
| cmptoken | Ensures the functionality and usability of the page and is used to track errors. | | Session | www.omv.ro |
| cookieconsent_mode | Contains the information to what extent the user has confirmed the use of cookies. | DataReporter GmbH | 12 months | apps-omv.com |
| cookieconsent_status | Contains the information to what extent the user has confirmed the use of cookies. | DataReporter GmbH | 12 months | apps-omv.com |
| source_session | Counts the number of sessions and assigns an anonymous identifier to each visitor. | | 1 day | www.omv.ro |
| source_user | Save settings and preferences of the user such as the current language setting. | | 1 month | www.omv.ro |
| TS(ID) | Counts the number of sessions and assigns an anonymous identifier to each visitor. | | Session | www.omv.ro |

Statistics

Statistics cookies collect information about how websites are used to improve their attractiveness, content and functionality. A use takes place only with your consent and only as long as you have not deactivated the respective cookie.

| Cookie name | Purpose | Developer | Retention period | Domain |
|---|---|---|---|---|
| _clsk | Contains information to help distinguish users from the page. Gathers data about user visits, such as which pages are relevant. | Microsoft | Session | apps-omv.com |
| _ga | Contains information to help distinguish users from the page. Gathers data about user visits, such as which pages are relevant. | Google | 1 year | apps-omv.com |
| _ga_(GA4-ID) | Contains information to help distinguish users from the page. Gathers data about user visits, such as which pages are relevant. | Google | 1 year | apps-omv.com |
| FPID | Contains information to help distinguish users from the page. Gathers data about user visits, such as which pages are relevant. | Google | 1 year | omv.ro |
| FPLC | Contains information to help distinguish users from the page. Gathers data about user visits, such as which pages are relevant. | Google | 20 hours | omv.ro |

Marketing

Marketing cookies come from external advertising companies and are used to collect information about the websites visited by the user. A use takes place only with your consent and only as long as you have not deactivated the respective cookie.

| Cookie name | Purpose | Developer | Retention period | Domain |
|---|---|---|---|---|
| _clck | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | Microsoft | Session | apps-omv.com |
| _fbc | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | Facebook | Session | www.omv.ro |
| _fbp | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | Facebook | 3 months | apps-omv.com |
| _gcl_au | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | Google | 3 months | apps-omv.com |
| _gcl_aw | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | Google | Session | www.omv.ro |
| _gcl_gs | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | Google | Session | www.omv.ro |
| bcookie | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | LinkedIn | 12 months | linkedin.com |
| FPGSID | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | | 30 minutes | omv.ro |
| G_ENABLED_IDPS | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | | Session | www.omv.ro |
| IDE | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | Google | 1 year | doubleclick.net |
| li_gc | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | LinkedIn | 6 months | linkedin.com |
| lidc | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | LinkedIn | 1 day | linkedin.com |
| NID | Registers a unique ID that identifies and recognizes the user. Used for targeted advertising. | Google | | www.google.com |

 b. Hosting

While hosting our website, all data related to operating our website are stored. This is necessary in order to make the operation of the website possible. Thus, all data are processed on the basis of our legitimate interests according to Art. 6 para 1 lit. f GDPR to optimize our website.

 c. Server log files

For technical reasons, in particular in order to guarantee a functioning and secure web presence, we are processing technically necessary data on accesses to our website in so-called server log files. Your browser is transmitting those automatically to us.

The following data are collected:

• Website visited
• Browser type and version
• Operating system
• Websites you visited before ours
• Hostname of the accessing computers
• Time of server request
• Amount of data sent

These data are not connected to a natural person and are only used for evaluation and improvement of our website. These data are only transmitted to our Website provider. A connection or aggregation of these data with other data sources does not take place. In case our website is used in an illegal way, we reserve the right to examine the data subsequently. The processing of data is based on our legitimate interest according to Art. 6 para 1 lit. f GDPR to provide for a technically flawless presentation and optimization of our website.

Data are deleted after fulfilling the purpose, normally within a few days, in case there is no need to store data as evidence. In this case, data will be stored until the issue is finally resolved.  

 2. Answering your Inquiries, Requests or Complaints

We will process your personal data, such as name and surname, email address, telephone number and any other information or details you may provide us with in the correspondence, in order to address and answer your queries, complaints or requests, depending on the communication channel you are contacting us. The processing is based on our legitimate interest, allowing us to provide answers to your queries, complaints or requests. However, if you do not provide your personal data, we are unable to answer your inquiries, requests or complaints.

 3. Promotional Games, campaigns / contests

We will process personal data collected from you by filling in participation forms on our website or similar forms to organize promotional campaigns and/or contests or to award prizes to the winners of promotional campaigns, as well as to analyse the effectiveness of our promotional campaigns. Your participation to such promotional campaigns and/or contests is voluntary. Therefore, it is your choice to decide whether to offer us personal data, by filling in participation forms on our website or similar forms as provided by the rules of the respective promotional campaigns or contests. 

This processing is based on various legal grounds applicable depending on the context of the respective game/promotional campaign, these being legitimate interest and also executing the agreement with you, as well as in some cases, consent is also applied as a base of processing. However, if you do not provide us with your personal data, it is not possible to participate in promotional games and raffles. 

More details on personal data processing of the respective promotional game/campaign/ contest are stated in the respective terms and conditions.

 4. Direct Marketing / Newsletters

We will process personal data to inform you about our products and services, promotional offers and for newsletter subscription. As a general rule, such personal data will be processed for direct marketing purposes only based on your prior expressed consent to receive such communication and by using the communication channels (e.g. email, sms, etc) you agreed with upon providing your consent. However, insofar as you have provided us with your email address on the occasion of purchasing a product or service from us, we may use the email address, in compliance with the legal provisions in force allowing us to present you our commercial communications regarding similar products or services, based on our legitimate interest in this respect; in such a case, upon obtaining the email address from you and subsequently, for each marketing message we may send you, we will provide you with the option to object to such use of the email address (unsubscribe). However, if you do not provide us with your personal data, it is not possible to receive information about our products and services. The revocation of your consent to receive the newsletter is possible any time by using the opt-out option, which can be found in the newsletter/communication, or via privacy@petrom.com.

 5. Market / Customer Satisfaction Studies

We will process your personal data when you decide to participate to our surveys or market studies, customer satisfaction inquiries or when you provide feedback on our products and services. Such personal data will be processed for the above purpose based on your consent and also having in view our legitimate interest to help us understand the customers’ needs and expectations about our products and services. 

Your participation to such surveys or market studies is voluntary. Therefore, it is your choice to decide whether to offer us personal data (such as name and surname, information regarding your preferences and shopping habits or other personal data that you may offer to provide), by filling in participation forms on our website or similar forms as provided by the respective surveys or studies.

However, if you do not provide us with your personal data (when required), it is not possible to participate in such surveys or studies.

 6. Contract conclusion and execution

We will process your personal data, such as name and surname, position in the company, email address, telephone number, experience, qualifications, signature, etc. provided in order to conclude and execute the contract with you or with the company whose representative / contact person you are. At the same time, during the contractual relationship we communicate with you to ensure the smooth running of the business relationship.

 7. Third party check (KYC and AML)

We will process personal data collected from you by filling in the evaluation of third parties forms (mostly legal entities: potential contractors, business partners, big clients and sponsorships beneficiaries) such as general identification data (name and surname), labor related data (job / position data; organization (company/division/department)), profession / education data (professional background), contact data (telephone number/fax number), personal features related data (image/photo), disciplinary/administrative/contravention data (contraventions, criminal record), litigation data (litigation/execution file data), to determine the compliance risks that could emerge from a possible business relationship with you. Based on this analysis prevention, mitigation and treatment measures could be recommended. The checks are based on available public information.

This processing is based on our legitimate interest that ensures the identification of potential compliance risks that could emerge from a possible relationship with these third parties.

IV. Who receives your data?

We only transfer your data restrictively.

1. Categories of Recipients

For reaching the purposes described above, OMV Petrom uses the services of various contractors.

Some of them are controllers on their own, other contractors have the quality of processors in connection with your personal data.

Other contractors are third parties who are not intended to process the data but may have access to it upon fulfilling their tasks or interacting with OMV Petrom, such as technical maintenance companies, financial or legal auditors.

Thus, the personal data indicated above may also be made available or submitted to third parties in the following situations: 

(i) public authorities, auditors or institutions competent to exercise inspections on OMV Petrom’s business or assets, which ask OMV Petrom to provide information, by virtue of the latter’s legal obligations to comply with a legal requirement or to protect the rights and assets of our company or other entities or people, such as courts of law;

(ii) third-party acquirers, insofar as the business of the company would be (totally or partially) transferred and the data subjects’ data would be part of the assets representing the object of the transaction.

Further on, for the processing purposes set out above, we may share your personal data with the companies from the OMV /Petrom group, companies which will be under OMV Petrom’s instructions in what concerns the processing of your personal data.

In detail, in order to achieve the purposes stated above under point III, your data may be shared with the following types of recipients:
• Technical maintenance companies;
• Auditors and inspectors;
• Lawyers;
• Authorities and courts;
• Analysts and search engine operators;
• Call centre service providers;
• Advertising and social media agencies;
• Operator of social media platforms;
• Web analytics services;
• Provider of surveys or market surveys / customer inquiries;
• Acquirer of parts of the business to OMV if your data is part of the acquired assets;
• OMV Group companies;
• Petrol station partners

 2. Transfer of data to foreign countries

As part of the data processing described above, transmission of personal data to recipients in countries outside the European Union (so-called third countries) may take place. We only transfer your data to (i) countries for which the EU Commission has determined that they provide an adequate level of data protection or (ii) if we take measures to ensure that the respective recipient provides an adequate level of data protection (in particular by concluding EU Standard Contractual Clauses).

 3. Data transfer to the USA / discontinuation of the Privacy Shield

We would like to expressly point out that as of July 16, 2020, due to a legal dispute between a private individual and the Irish supervisory authority, the so-called "Privacy Shield", an adequacy decision of the EU Commission pursuant to Art 45 GDPR, which confirmed an adequate level of data protection to the USA under certain circumstances, is no longer valid.
The Privacy Shield is therefore no longer a valid legal basis for the transfer of personal data to the USA!
If a data transfer by us to the USA takes place or if a service provider based in the USA is used, we explicitly refer to this in this privacy policy (see in particular the description of the technologies on our website).
What can the transfer of personal data to the USA mean for you as a user and what are the risks in this context?
Risks for you as a user are in any case the powers of the U.S. intelligence services and the legal situation in the U.S., which currently, according to the ECJ, no longer ensure an adequate level of data protection. Among others, these are the following:
• Section 702 of the Foreign Intelligence Surveillance Act (FISA) provides no restrictions on the surveillance activities of the intelligence services and no safeguards for non-U.S. citizens.
• Presidential Policy Directive 28 (PPD-28) does not give data subjects effective remedies against actions taken by U.S. authorities and does not provide for barriers to ensuring proportionate measures.
• The Ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive branch; he cannot issue binding orders against the intelligence agencies.
Legally compliant transfer of data to the USA based on the standard contractual clauses?
The standard contractual clauses adopted by the Commission in 2021 (2021/914 of 4 June 2021), Art. 46 (2) (c) GDPR, are still valid under the condition that a level of protection for personal data equivalent to that in the European Union is ensured. Thus, not only are the contractual relationships with our service providers decisive, but the possibility of access to the data by authorities in the USA and the legal system there must also be evaluated.
What measures do we take to ensure that data transfers to the USA are legally compliant?
Wherever US providers offer the option, we choose to process data on EU servers. This should technically ensure that the data is located within the European Union and that access by US authorities is not possible.
For the further use of US tools, we take the following measures:
As far as possible and not already provided for by law (for example FATCA), your consent will be requested before using a US tool and you will be informed transparently in advance about how a service works. The risks involved in transferring data to the USA can be found in the corresponding passage in our privacy policy.
With US providers we make every effort to conclude the mentioned EU standard contractual clauses and to demand additional guarantees.

V. How long do we store your personal data?

We process your personal data as long as reasonably necessary to achieve the above mentioned purposes and in addition, in accordance with the legal obligations for storage and documentation, which result, among others, from the relevant laws or for asserting, exercising or defending legal claims. 

Generally, your data will be deleted after you withdraw your consent or successfully claim rights in respect of the processing of your data (such as objection or erasure). For this, the processing of any application procedure must be completed, and the storage of the data must not be necessary to fulfill a legal obligation or to assert, exercise or defend legal claims. Further processing will only take place if you have expressly consented to the further use of your data or if we are permitted to further process the data under applicable laws.

Instead of being deleted, your data may be anonymized. In this case, any personal reference will be irretrievably removed, which is why the deletion obligations under data protection law also cease to apply. Restoring the personal reference is then no longer possible.

Mobile apps

When deleting the accounts on OMV Petrom mobile apps, the request will be sent for each OMV Petrom mobile application through the dedicated "Delete account" option, usually located in the Profile section. In this case, the data will be anonymized, except for the data related to the purchase transactions made through the respective applications, which will be retained for the period corresponding to the statutory retention obligations for financial transactions.

Processing of data of children under the age of 18

All personal data processing presented herein refers exclusively to persons who are at least 18 years old. For children between 14 and 18 years, the use of the systems, as well as of the results of the processing, is conditional on the approval of the parents/tutors, and it is forbidden to children under 14 years except where the consent of their parents/tutors was obtained. If, despite our reasonable efforts to prevent it, such processing occurs, we will cease it upon noticing that the users are under the age mentioned above.

Security of data processing

OMV Petrom hereby informs you that it constantly evaluates and upgrades the security measures implemented so as to ensure secure personal data processing.

 

VI. Your Rights

Within the context of personal data processing, you have the following rights:

a. The right of access to the processed personal data: you have the right to obtain a confirmation whether or not your personal data are being processed, and, if affirmative, to have access to the type of personal data and to the conditions of processing, by addressing a request in this respect to the data controller;

b. The right to request the rectification or erasure of personal data: you have the possibility to request, by sending a request in this respect to the data controller, the rectification of inaccurate personal data, the supplementation of incomplete data or the erasure of your personal data in case (i) the data are no longer needed for their original purpose (and no new lawful purpose exists), (ii) the lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists, (iii) the data subject exercises the right to object and the controller has no overriding grounds for continuing the processing, (iv) the data have been processed unlawfully, (v) erasure is necessary for compliance with EU law or Romanian law, or (vi) the data were collected in connection with information society services offered to children (if applicable), where specific requirements regarding consent are applicable;

c. The right to request the restriction of processing: you have the right to obtain the restriction of processing in cases where: (i) you consider that the processed personal data are inaccurate, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful, however you don’t want us to erase your personal data, but to restrict the use of data; (iii) in case the data controller no longer needs your personal data for the above-mentioned purposes, but you are requiring the data for establishing, exercising or defending a legal claim or (iv) you have objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject;

d. The right to withdraw your consent for processing, when the processing is based on consent and you have previously granted such consent, without affecting the lawfulness of processing undertaken until the withdrawal of consent;

e. The right to object to the data processing on grounds relating to your particular situation, when the processing is based on legitimate interest and to object at any moment to the data processing for direct marketing purposes, including profiling;

f. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects the data subject in a significant manner;

g. The right to data portability, meaning the right to receive your personal data, which you provided to us, in a structured, commonly used and machine-readable format and the right to transfer those data to another data controller, if the processing is based on your consent or the performance of a contract and is undertaken by using automatic means;

h. The right to file a complaint with the Data Protection Authority and the right to address the competent courts of law.

The above rights may be exercised at any time.

If the processing of your personal data is based on our legitimate interest, you have the right to object at any time to the processing of your data for reasons arising out of your particular situation; this applies in particular to the processing of data for the purpose of direct marketing.

If the processing of your data is based on your consent, you have the right to withdraw the consent at any time with future effect. Such withdrawal shall not affect the lawfulness of the data processing up to the date of withdrawal.

In order to exercise the aforementioned rights, please contact us via the contact details stated above in point I. or use the Data Protection Rights Form available on this website in the Data Protection section.

If you believe that our processing of your data is violating applicable data protection laws or if your privacy rights have otherwise been violated, please contact us using the contact details provided in point I above. In this way, we get to know and understand your concerns and can respond accordingly. You also have the right to file a complaint with the national competent data protection authority. In Romania it is the National Supervisory Authority for Personal Data Processing (ANSPDCP) - https://www.dataprotection.ro/

Changes to this Policy

This Privacy Policy may be changed and updated by OMV Petrom from time to time as may become necessary. OMV Petrom will notify you of any material or substantive changes to this Privacy Policy and will ensure that the notification is made in a way which ensures that you acknowledge them, for example by use of the e-mail address that you have provided to us, or any other appropriate means that ensure effective communication.