Notification regarding the protection of personal data

Notification regarding the protection of personal data

1. General Information

a) Introduction

On the 25th of May, 2018, the European Regulation 2016/679 on the
protection of individuals with regard to the processing of personal data
and the free movement of such data (the “Regulation”) becomes

Its main purpose is to increase the level of protection of personal data
and to create a climate of trust that allows each person control over
their own data.

Thus, we consider it a good time to inform you on how we protect your
personal data and how we appropriate the provisions of the

The following notification on data protection is designed to inform you
about the processing of your personal data and about your rights.

Regarding this processing in accordance with the General Data
Protection Regulation (“GDPR”) and the local legislation in force.

b) Operator

We, the Company Grapefruit SRL with headquarters in Iași
Municipality, str. Vasile Pogor nr. 6, mansardă, Iași County, are the
Operator, according to the GDPR and, thus, are responsible for the
processing of the data described below. For questions or requests
regarding data processing, please contact our data protection officer,
whose contact details can be found below.

The collection of this data is done only with your consent

Your refusal determines the impossibility of the operator (Grapefruit
SRL) to conclude the contract for services / sale of products, to send
information or ordered products, because the company lacks one of
the essential conditions, respectively the identity of the parties.

c) Personal data

Grapefruit SRL processes the following personal data:

  •  Surname and forename, home address and e-mail address;
  •  Data from the identity card, Personal Identification Number,
    telephone number;
  • Profile from online social media;
  • The information you provide about your preferences;
  • Information about your use of our website;
  • The communications you carry with us or that you direct towards us through letters, emails, SMS, chat services, calls and social networks;
  • Information about your computer and the visits and use of this website, including your IP address, geographic location, browser type, reference source, duration of the visit and the number of page views, if you opened emails from us, if you accessed links from our emails;
  • Details about why you decided to sign up on the website/ answer the questionnaire;
  • Details about topics / areas of interest to you, answers to our questionnaires; 
  • Information about the services you use to communicate with others or any communication preferences you have provided to us.

2. Information on processing

a) Types of data processing

“Processing” means any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, transmission by transmission, dissemination or making available in any other way, alignment or combination, restriction, deletion or destruction.

 b) Principles of personal data processing

Grapefruit SRL undertakes to respect the principles of personal data
protection (hereinafter referred to as "the Principles") provided by the
GDPR, to ensure that all data is:

1. Processed in a fair, legal and transparent manner;
2. Collected for specified, explicit and legitimate purposes;
3. Appropriate, relevant and limited in relation to the purposes for
which they are processed;
4. Correct and updated;
5. Stored in a form that does not allow the identification of the data
subjects for a longer time than is necessary in relation to the
purpose of the processing;
6. Processed in accordance with the rights of the data subject, in a
manner that ensures adequate security of processing, so that the
data is complete, confidential and available.

 c) Purpose and ground for the processing of data

Registration of users.  We will process the personal data collected
through the registration form on the website www.grapefruit.ro
through which you create an account or subscribe to a newsletter, for
better and easier administration. This processing is based on Art. 6
paragraph thesis 1 letter b) of the GDPR.

Marketing, client analysis and profiling.

1. Personalized marketing. You give us your prior consent to use
your personal data in order to:

– receive a newsletter through which we offer you news, future
campaigns, invitations to various events, information, marketing
messages or articles that may also contain commercial offers;

– communications to you: we use your data to manage our
relationship with you as a user and to improve our services and your
experience with us;

We can provide you with our information via email. This processing is
legitimately based on Art. 6 paragraph 1 thesis 1 letter a) GDPR.

You can unsubscribe from such type of information. You have the right
not to consent or to oppose regarding the commercial or direct
marketing activities, including the creation of a profile for the purpose
of such activities. Your personal data will be deleted when you
unsubscribe from the Newsletter section. You can unsubscribe at any
time by means of the link attached to the received communications or
by a written request addressed to dpo@grapefruit.ro.

2. For the purpose of the relationships with the users, in order to
improve the experience of the clients on our web site and to identify
the preferencies and\or your behaviour, inclusively through automatic
processes, that do not suppose human intervention. We will always
take account of your options. This processing is based legitimately on
Art. 6 par. 1 letter. a) from GDPR.

3. Data analysis and client profiling. These include market
research, clients opinion surveys, clients analysis, clients
segmentation and client profile realizing, in order to define the
behaviour of the browsing and client activity. It is possible to ask you
for a feedback regarding our information of Newsletter type and to
communicate it to specific members of our staff in order to improve the
services. We can also use notes from the conversations that we have
with you online, by phone or face to face, in order to customize the
information and services that we offer you. For these puropses we will
contact you by e-mail, SMS or by phone. For the purposes mentioned
above, your data will be stored in our data basis and will be enriched
with data that we collect from public sources. It is necessary to follow
our legitimate interests in order to improve our services and client
relationship, that represent a key factor for our success in bussiness.
The collected and stored data helps us to find out more about your
interests and needs. This allows us to take them into consideration
and to act in consequence, that means through customized
communication. This process is based on the Art. 6, paragraph thesis
1 letter f) from GDPR.

4. Improvement and development of services: The analysis on
how you use our services helps us to understand you better and
shows us what we can improve. For instance: we analyse your
purchase history data to provide you with information or tips on how to
best use our services, we analyse the results of our marketing
activities to measure their effectiveness and the relevance of our
campaigns. This processing is legitimately based on Art. 6 par. 1,
letter a) of the GDPR.

5.  Fulfillment of legal obligations. Personal data may be processed
for the purpose of fulfilling some legal obligations. We use your
payment information for accounting, billing and auditing purposes and
to detect and / or prevent any fraudulent activity. This processing is
legitimately based on Art. 6, par. 1, letter c) from the GDPR.

6. In order to recruit people interested in vacancies. On the
website www.grapefruit.ro we periodically display the available
vacancies. Interested persons are asked to send a CV to the email
address shown for recruitment. The candidate’s data will be
processed both within the recruitment process, for the accessed
position, as well as for future vacant positions. If the CV is selected for
the next stage, the candidate will be asked to sign a confidentiality
agreement before the examination. References from the previous
employers of the candidates can become relevant during the
recruitment process. If we need these, we will contact the candidate to
request his/her agreement to obtain them on his/her behalf. If the
candidate does not express his/her consent in this regard, he/she will
need to obtain these references himself, if he wishes to continue the

recruitment process. The candidate has the option to request the
deletion of personal data. In the event that Grapefruit SRL will receive
CVs or requests for employment on channels other than the website
indicated above, it will keep this data until it is requested to delete the
data. This processing is based on Art. 6, paragraph thesis 1, letter b)
of the GDPR.

d) Beneficiaries of the data

To achieve the goals mentioned above in points 2 letter c) we use
service providers, respectively empowered according to art. 28 of the
GDPR, for example our hosting, platform and maintenance service
providers, for sending emails and SMS, telephone contact or printing
of personalized advertising materials, external consultants, all of them
being in Romania or outside it or the European Union / European
Economic Area.

We ensure, for instance, by contractual regulations, that these service
providers process personal data in accordance with the European
data protection law, in order to guarantee a high level of data
protection, (for example, standard contractual clauses, the existence
of compulsory corporate rules, etc.) even if the personal data is
transferred to a country where another level of data protection is
commonly used and for which there is no decision of adequacy
adopted by the EU Commission.

No other transfers of personal data to other recipients are made,
unless we have this obligation by law. For more information on the proper protection of international data transfer or their copy, please contact our data protection officer by e-mail at: dpo@grapefruit.ro.

e) Mandatory / Voluntary Provision of Data and Duration of

1. The provision of the following data is necessary in order to conclude
the contract with you / registration or to contact you for the purposes
shown above:

Surname and forename, residence address and email address

If you do not formulate some of the requested data we will not be able
to conclude a contract with you, you will not be able to open an
account on the website and you will not be able to purchase the
products from the Grapefruit SRL website.

2. In the case of the recruitment process it is necessary to provide the
following data:

Surname and forename, residence address, data from your
identity card, Personal Identification Number, phone number and
email address.

3. The provision of the other data is optional and this data is not a
legal or contractual requirement or a necessary requirement to
conclude a contract. If you do not provide us with this personal data,
this will have no other consequences for you.

We collect personal data:

1. Directly from you when you register on the site or place an order.

2. When provided indirectly: Your information may be distributed to
us by services that already have access to your data (for instance Facebook). Certain data may be made available, including to partner websites.

3. When you visit our website: we use cookies to identify you when
you visit our site and to allow us to personalize your online
experience (for example, your login details, information you are
interested in, etc.). www.grapefruit.ro does not send spam
messages. We send emails only to those who have registered to
the list of subscribers and we respect the decision of those who
want to unsubscribe.

4. From other sources when you become our customer or when you
use our products and services.

Only children at least 16 years of age can give their consent. For
children under this age, the consent of the parents or legal guardians
of the children is required.

f) Period of the data storage

Grapefruit SRL stores your personal data for as long as processing is
required and until you ask us to delete them. We will respond to these
requests, subject to the preservation of certain information including

after closing the account, in situations where applicable law or our
legitimate interests require it.

When we no longer need your personal data, we will securely delete
or destroy it. We will also consider whether and how we can minimize
the amount of personal data we use over time and whether we can
ensure the anonymity of your Personal data so that they will no longer
be associated with you or identify you, in which case we may use that
information without further notice.

3. Your rights
You can contact the company for exercising the rights provided by
Regulation no. 2016/679 at the following contact details:

Grapefruit SRL with headquarters in Iași Municipality, str. Vasile Pogor
nr. 6, mansardă, Iași County. E-Mail: dpo@grapefruit.ro

In order to obtain official interpretations related to the exercise of the
rights deriving from the legislation regarding the protection of personal
data or to express your dissatisfaction with the way in which Grapefruit
SRL ensures the processing of personal data, you can contact the
National Supervisory Authority for Personal Data Processing at the
following contact details: (i) by post or courier at the address in
Bucharest, Bulevard General Gheorghe Magheru no. 28-30, sector 1,
postal code 010336, (ii) by electronic mail to:
anspdcp@dataprotection.ro, (iii) by fax to no. 0318.059.602 or (iv) at
phone number 0318.059.211.

According to the GDPR these rights are the following:

1. The right to receive information on the data processing and a
copy of the processed data (the right of access, Article 15

2. The right to request the rectification of inaccurate data or the
completion of incomplete data (right of access, art. 16 GDPR).

3. The right to request the deletion of personal data (the right to
be "forgotten") and, if the personal data has been made public,
to transmit the information regarding the request for deletion to
other operators (the right to deletion, article 17 GDPR).

4. The right to request the restriction of data processing (right
to restriction of processing, article 18 GDPR) – you can request
the restriction of processing if you dispute the accuracy of the
data, as well as in other cases provided by law.

5. The right to receive personal data regarding the data subject
in a structured, commonly used and readable in a mechanical
manner format and to request the transmission of this data to
another operator (right to data portability, article 20 GDPR).

6. The right to oppose data processing with the intention of
ceasing the processing – you can oppose, in particular, to the
data processing based on our legitimate interest, (right to object,
article 21 GDPR).

7. The right to withdraw at any time a given consent in order to
stop a processing of the data that is based on your consent. The withdrawal will not affect the legality of the processing based on the consent granted before the withdrawal (the right of withdrawal of the consent, article 7 GDPR).

8. The right to file a complaint with a supervisory authority if
you consider that data processing is a violation of the GDPR (the
right to file a complaint with a supervisory authority, Article 77

9. Additional rights related to automatic decisions: you can
request and get human intervention on the respective
processing, you can express your own point of view on it and
you can challenge the decision.

In addition, we have appointed a Data Protection Officer who can be
contacted if there are any questions regarding any aspect of personal
data protection, by sending a request to the aforementioned contact

4. Security of processing
Grapefruit SRL has adopted technical and organizational data
processing measures, updated in accordance with the GDPR
requirements, in order to protect your personal data against any
unauthorized access action, misuse or transmission, unauthorized
modification, destruction or accidental loss. All our employees and
collaborators, as well as any third parties acting on behalf and in the
name of Grapefruit SRL, are obliged to respect the confidentiality of
your information and the requirements of the GDPR, in accordance
with the provisions of this Policy.

We make sure that we impose to our contractual partners who have
access to the personal data we process the contractual obligations in
accordance with the legal provisions and that we verify their
compliance with the obligations they have undertook. They will
process the personal data on our behalf and for us, only in
accordance with the instructions received from it and only in
compliance with the security and confidentiality requirements within
the limits imposed.

5. Processing of personal data in partnership
Some of the personal data processed through the website
www.grapefruit.ro may be transferred to third parties and you express
your express consent to do so, as well as in cases where there is a
legal obligation for Grapefruit SRL to proceed in this way.

The website www.grapefruit.ro may contain, at one point, links to
other sites whose data processing policies may differ from those of

Please consider and consult the policies regarding the protection of
personal data of the other sites, www.grapefruit.ro cannot assume

6. Liability disclaimer

The site www.grapefruit.ro may contain links to other sites and / or
other websites that are not the property of Grapefruit SRL. Grapefruit
SRL assumes no responsibility for the content of these sites and

therefore will not be held responsible for the content, advertising,
goods, services, software, information or other materials available on
or through these websites. Grapefruit SRL will not be responsible for
the loss of personal data, for any negative effects on the personal data
of the visitors or for other moral and / or patrimonial damages caused
by the access to the respective sites.

7. Automatic processing of .Cookie data

The website www.grapefruit.ro uses Cookie identifiers. Below is our
Cookie Policy and you can exercise your right to disable Cookies:

This policy refers to the use of cookies on the website
www.grapefruit.ro operated by Grapefruit SRL.

What are the cookies?

The cookie is a small file, consisting of letters and numbers, which will
be stored on the computer, mobile terminal or other equipment of a
user accessing the Internet. The cookie is installed by the request
issued by a web-server to a browser and is completely "passive" (it does not contain software, viruses or spyware and cannot access the
information on the user’s hard drive).

What are cookies used for?

These files make it possible to recognize the user’s terminal and
present the content in a relevant way, tailored to the user’s
preferences. Cookies provide users with a pleasant browsing experience and support our efforts to provide user-friendly services
(for instance: online privacy preferences, shopping cart or relevant
advertising) or are used in the preparation of aggregate anonymous
statistics that help us understand how a user interacts with our web
page, allowing us to improve the structure and content, excluding the
user’s personal identification.

What Cookies do we use?

We use two types of cookies: temporary (limited per session) and persistent.

Temporary cookies are stored until the site or browser is closed and persistent cookies are files that remain on the user’s terminal for an unlimited period of time until they are manually deleted by the user.

How are cookies used by www.grapefruit.ro?

Grapefruit SRL uses cookies for the following purposes:

  • Site performance cookies, load-balancing
  • Cookies for visitor analysis, registration, marketing, geo-targeting
  • Third party cookies of various providers of marketing services or other types

Security and privacy issues

Cookies are NOT viruses! They use plain text formats. They are not made up of pieces of code, so they cannot be executed nor can they self-run. Consequently, they cannot be duplicated or replicated on other networks in order to run or replicate again. Because they cannot perform these functions, they cannot be considered viruses.

However, cookies can be used for negative purposes. Because they store information about users’ browsing preferences and browsing history, both on a particular site and on several other sites, cookies can be used as a form of Spyware. Generally, browsers have integrated privacy settings that provide different levels of cookie acceptance, validity period and automatic deletion after the user has visited a particular site.

Deletion of cookies

In general, an application used to access web pages allows the cookies to be saved on the terminal by default. These settings can be changed so that the automatic administration of cookies is blocked by the web browser, or the user is informed whenever Cookies are sent to his/her terminal. Detailed information about the possibilities and ways of managing cookies can be found in the settings area of the application (web browser). Limiting the use of cookies may affect certain functionalities of the web page.

Details about the cookies used

The necessary cookies help to make a site usable by enabling basic functions, such as page navigation and access to secure areas on the site. The site cannot function properly without these cookies.

Statistical cookies help site owners understand how visitors interact with sites by collecting and reporting information anonymously.

Marketing cookies are used to track users from one site to another. The intention is to display relevant and engaging ads for individual users, thus they are more valuable to advertisers and third parties dealing with advertising.

Due to possible changes in the legislation, a modification of these data protection notifications may become necessary. In this case, we will inform you about such changes. To the extent that the changes affect a processing that is based on your consent, we will request a new consent from you, if necessary.

By ticking the acceptance box you express your agreement for the processing of your personal data for the purposes presented above, meaning that we will also use your personal data to provide you with our information by email, SMS, letter, telephone, or fax.