Via Transilvanica - Privacy policy Via Transilvanica - Privacy policy

Privacy policy

1. Introduction

The ASSOCIATION TĂȘULEASA SOCIAL, as a personal data controller, assures you that it treats the protection of your data with the utmost seriousness. We do not provide information to third parties without informing you and without having a legal basis for doing so. We do not make exclusively automated decisions with a significant impact on you. This document forms the basis of the information about the data processing we do, and if you would like more specific information please contact us.

2. Third party services

This Privacy Policy does not cover other third party applications and websites that you may reach by accessing links on our website or other data processing activities that are not under our direct control.

3. Who are we?

TĂȘULEASA SOCIAL ASSOCIATION, Village Piatra Fântânele, Str. Obcioara nr.97, Comuna Tiha Bârgăului, 427363, jud. Bistrița-Năsăud, Romania, Fiscal Code: RO13681966, email [email protected] is responsible for processing your personal data that we collect directly from you or from other sources and is a personal data controller.

4. Who are you?

According to the law, you are the natural person receiving our services or the person in any kind of relationship with our company, hereinafter referred to as "data subject", i.e. an identified or identifiable natural person. In order to be fully transparent about data processing and to allow you to easily exercise your rights at any time, we have implemented measures to facilitate communication between us, the data controller and the data subject.

5. Data processing principles

We are committed to complying with European and national legislation on the protection of personal data, in particular Regulation (EU) 679/2016, also known as GDPR and the following principles:

Lawfulness, fairness and transparency

We process your data lawfully and fairly. We are always transparent about the information we use and you are properly informed.

Collecting data for specified, explicit and legitimate purposes

We use data only for the purposes described at the time of collection or for new purposes compatible with the original purpose. In all cases, our purposes are compatible with the law. We take reasonable steps to ensure that personal data is accurate, complete and up to date.

Data minimisation

We process only the data we need and do not collect excessive data.

Accuracy and updating of data

We give you control to correct personal data so that it is always up to date.

Storage limitations

We only process personal data for as long as necessary to fulfil the purposes for which it was originally collected. Thereafter personal data is destroyed or de-personalised completely.


We have implemented reasonable security and encryption measures to protect your personal information to the best of our ability. However, please note that no website, no application and no internet connection is completely secure.

6. Changes

We may change this Privacy Policy at any time. All updates and changes to this Policy are effective immediately upon notice, which we will provide by posting on our website.

7. Questions and Requests

If you have any questions or concerns about the processing of your data or wish to exercise your legal rights in relation to the data we hold, or if you have any concerns about the way we handle any privacy issue, you can write to us at: [email protected]

8. What is data processing

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

8.1. What information we collect about you

THE SOCIAL TUSCAN ASSOCIATION processes the data of employees, volunteers, collaborators and business partners and website visitors under its own control.

Therefore, when you send us a request by e-mail or contact us for any other purpose and on any other communication channel, you may communicate the following personal data, which we collect directly from you or from other sources, such as:

  • Name and surname
  • Your e-mail address
  • Telephone number

The basis for processing is our legitimate interest in being able to respond to your requests or queries.

In addition to the information indicated above, we may also collect the following information, depending on the circumstances:

  • How you interact with our advertisements (for example, information about how and when you access our site or what device you use to access the site);
  • Information provided when you complete forms or questionnaires;
  • The content of messages sent through messaging systems and email;
  • Interactions between you and us on social media (e.g. likes, shares, comments);
  • Information we collect about you from other group companies or third parties who have obtained your consent or have another legal right to share this information with us (including publishing or advertising partners/platforms and data aggregators who have obtained that right).
  • IP address
  • Internet browser
  • Location
  • Web pages you access on our website
  • Information from the use of cookies

TThe basis of processing is the legitimate interest in ensuring the activities of our association.

If you are an employee (former, current or future), certain information relating to the performance of your employment contract will be collected. This may include, for example

  • Name and surname
  • Contact details (address, telephone number, email address)
  • Financial data (bank account)
  • Various documents in original or copy (seniority certificates, leave certificates, salary statements, medical certificates, dependants, family situation, work card, appraisal sheets, CVs, various applications, delegations, time sheets, briefing notes and minutes, internal documents, employment documents), employee code number
  • Holographic and digital signature.

The basis of the processing is the contractual relationship and the legal obligations related to it.

When you enter into a contractual relationship with us (whether you are a business partner or a volunteer acting in various projects coordinated by us) we will process the following data (by way of example):

  • Contact data (name, address, phone, email, position, company);
  • Electronic and printed correspondence with you;
  • History of joint activity;
  • Payment data (invoices, receipts), legal obligations (contracts, powers of attorney, agreements);
  • Other data from documents with legal requirements (holographic or digital signature, various notices, notifications);
  • Pictures from the various events you attend as a result of working with us;
  • EVarious items contained in products or services you offer as a result of working with us that may directly or indirectly identify you;

The basis of the processing is the performance of the contractual relationship and the legal obligations related thereto.

When you purchase products through our online shop ( we process the following data (by way of example):

  • Contact data (name, address, telephone, email);
  • Electronic and printed correspondence with you;
  • Purchase history and preferences;

The basis of the processing is the contractual relationship and related legal obligations.

When you pay an invoice, we will process your data (name, surname, address, bank account or card number) for the purpose of preparing accounting documents (invoices and receipts).

The basis for the processing is the contractual relationship and related legal obligations.

When we are defending our rights in court for the recovery of sums due or when we are protecting our interests against claims/claims, we will process your data necessary for the formulation of court actions, other specific requests and documents.

It is possible in some situations that we may transfer your data to third parties in a contractual relationship with us for the recovery of amounts.

In these situations we will use as a basis for processing our legitimate interest in recovering amounts owed to us.

Where we are obliged by law to do so, we will provide the competent authorities and institutions with the data we hold that have been lawfully and justifiably requested.

We will use the legal obligation as a basis for processing.

For marketing services (sending offers, filling in satisfaction forms), tracking your behaviour to provide better services will be collected on a consent basis:

  • Contact data (name, email, phone), behavioural data or preferences;

For the services of monitoring behavior within the website through various monitoring scripts or cookies we will use your consent taken on each individual item.

If you choose to create a user account within the online shop, this is done on the basis of your consent.

Consent can be withdrawn at any time.

We may also receive your data from partner companies, in which case the basis for processing is the fulfilment of a contractual relationship.

8.2. Why do we collect this information?

We collect personal information for the following purposes:

  • For the purpose of entering into or performing a contract between you and us;
  • To respond to your queries and requests and to provide you with customer service;
  • For marketing purposes, but only where we have your prior consent or where there is a legal exception to obtaining consent;
  • To provide and improve the services and products we offer;
  • To diagnose or fix technical problems;
  • To defend against cyber attacks;
  • To create and/or maintain accounts;
  • To comply with legislation, such as compliance with tax law which requires us to keep accounting records for 10 years, or records law which requires us to keep employee records for 50 years;
  • To establish or claim a right in court;
  • For analytical and research purposes;
  • To prevent crime, deception, or fraud;

8.3. What is the legal basis for processing?

We may use the following legal grounds, depending on the specific case:

The processing is necessary for the conclusion or performance of a contract between you and us

The processing is necessary for our or another party's legitimate interests, unless your interests, rights or freedoms prevail

Where we use legitimate interest, we perform a legitimate interest analysis (balancing test) whereby we can balance our interest against your interests Where our interests prevail, we will use legitimate interest. If your interests prevail, we will not use the legitimate interest, and to the extent that we are unable to identify another correct legal basis, we will not carry out the processing activity.

The processing is necessary for the fulfilment of legal obligations (such as compliance with tax legislation which requires us to keep accounting records for a period of 10 years or to provide certain information to the relevant public bodies and institutions).

In some situations, processing may be necessary to protect the vital interests of you or another natural person.

Please note that obtaining consent is not mandatory and we will only proceed to obtain consent from you in situations where we fail to use another legal basis.

Consent to the processing of personal data

However, please note that where you are a collaborator of ours, we may send promotional messages (direct marketing) about similar goods and services without the need for your consent, pursuant to Article 12 para. (3) of Law no. 506/20014 in certain specific situations regulated by law.

However, in all cases, you may object to direct marketing and/or withdraw your consent at any time by following the unsubscribe instructions ("un-subscribe") in each email or by sending a written request to [email protected].

8.4. Where do we get the data from?

We collect most information directly from you (e.g. by filling in a form on the website or on arrival at our premises). Most of the information is as described above, but there may be situations where we collect data from third parties (i.e. partners, advertising platforms), such as information on purchases and interests.

THE SOCIAL TUSCAN ASSOCIATION also processes personal data arising from contracts with employees, as well as those arising from contracts with partners and other service providers.

SOCIAL TEA ASSOCIATION will not collect or process personal data when providing the company's information services directly to children under the age of 18 - or under a younger age - unless with parental consent, in accordance with applicable local law. If we become aware of the accidental collection of a child's personal data, we will delete that data immediately.

8.5. How long do we store data?

We store your personal data only for as long as necessary to fulfil our purposes, but no longer than 10 years after the termination of the contract or the last interaction with us.

Data processed through cookies is stored for a maximum period of 2 years.

After the end of the period, personal data will be destroyed or deleted from computer systems or anonymised for use for scientific, historical or statistical research purposes.

Please note that in certain expressly regulated situations, we store data for the period required by law.

8.6. How do we share your information with others?

We may disclose your data, subject to applicable law, to business partners or other third parties. We make reasonable efforts at all times to ensure that these third parties have appropriate safeguards and security measures in place. We have contractual clauses with these third parties so that your data is protected. In these situations, we will ensure that any transfer is legitimate, based on your consent or other legal basis.

For example, we may provide your data to other companies, such as IT or telecommunications service providers, accountants, legal services, transport and courier service providers and other third parties with whom we have a contractual relationship (marketing service providers, security experts, etc.). These third parties are selected with great care so that your data is processed only for the purposes we indicate.

We may also share your data with business partners as part of a joint effort to provide a product or service.

We also share your data with authorized institutions or other partners in order to obtain approvals, opinions, submit technical supporting documentation in accordance with applicable regulations.

Although unlikely, we may in the future sell the business or part of the business, which will include the transfer of your data.

We may also transfer data to other parties with your consent or as instructed by you, for example, if you exercise a portability request.

We may also provide your personal information to prosecutors, police, courts and other authorised state bodies, based on and within the limits of legal provisions and following specific requests.

The collected data transferred electronically to the recipients use online solutions from the European Economic Area, subject to additional security measures (data encryption in REST and TRANSIT).

8.7. Processing of data of persons under 18 years of age

THE SOCIAL TUSCAN ASSOCIATION does not provide services/sell products to persons under the age of 18.

9. Marketing

To the extent that we have obtained your prior consent we may use direct marketing and targeted advertising technologies, using information collected about you regarding interests, preferences, purchases, age, location, etc. For example, we may send you emails, display advertisements within our website or on social media, or place advertisements on third-party websites, in apps or on other internet-connected devices.

9.1. What kind of data do we collect for marketing?

In order to conduct direct marketing or targeted advertising activities, we may use the following information:

  • Information collected through cookies and other similar technologies (location, device, browser, age, etc);
  • How you have interacted with our services and feedback received from you;
  • Other information obtained from our third party marketing partners, information they have obtained with your consent

9.2. Marketing partners

Our marketing partners, such as Facebook, Google and/or other agencies help us to deliver marketing to you based on information they have collected directly from you and with your consent In some cases, we even share information we have collected from you ourselves We ensure, in all cases, that these transfers are legal as explained in 8.6.

Our partners may place advertisements about our services and products based on data previously collected from you (interests, preferences) on other sites and/or services. Our marketing partners may also use the information collected about you to improve our services and/or algorithms (including algorithms based on artificial intelligence). This privacy policy does not include information on how our partners process your data, but we encourage you to read our marketing partners' privacy policy for more information.

9.3. How can you opt out of direct marketing?

You can object to direct marketing and/or withdraw your consent at any time by following the unsubscribe instructions in each email ("unsubscribe" or "unsubscribe") or by sending a request to [email protected].

To disable interest-based advertising, please refer to our Cookie Policy.

10. What are your rights?

Your rights under the GDPR Regulation are as follows:

  • Right to withdraw consent

    You may withdraw your consent to the processing of your data at any time by sending a request to this effect to [email protected]. Please note, however, that to the extent that we have identified another lawful basis for processing your data, we will continue to process your data on the basis of that lawful basis. We have the legal possibility to use one or more of the following grounds for processing your data

  • The right to be informed about the processing of your data
  • Right of access to your data

    You have the right to obtain confirmation from us as to whether or not personal data relating to you are being processed and, if so, access to that data and to the information referred to in Article 15(1)(b). (1) of the GDPR.

  • Right to rectify inaccurate or incomplete data

    You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you.

  • Right to erasure ("right to be forgotten")

    In the situations set out in Article 17 of the GDPR, you have the right to request and obtain the erasure of personal data.

  • Right to restrict processing

    In the cases set out in Article 18 of the GDPR, you have the right to request and obtain restriction of processing.

  • The right to transfer the data we hold about you to another controller ("right to portability")

    In the cases set out in Article 20 of the GDPR, you have the right to request and obtain data portability.

  • The right to object to data processing

    In the cases set out in Article 21 of the GDPR, you have the right to object to the processing of your data.

  • The right not to be subject to a decision based solely on automated processing, profiling with legal effects or with similar significant effects on you
  • The right to take legal action to defend your rights and interests
  • The right to lodge a complaint with a Supervisory Authority, online, via the website or the email address [email protected]

Please note that:

  • You can withdraw your consent to direct marketing at any time by following the unsubscribe instructions in each email/sms or other electronic message.
  • If you wish to exercise your rights, you may do so by sending a written, signed and dated request to [email protected].
  • The rights listed above are not absolute. There are exceptions, so each request received will be examined to decide whether it is justified or not. To the extent that your request is justified, we will facilitate the exercise of your rights. If the request is unfounded, we will reject it, but we will inform you of the reasons for the refusal and of your rights to lodge a complaint with the Supervisory Authority and to take legal action.
  • We will try to respond to your request within one month. However, the deadline may be extended depending on various aspects, such as the complexity of the request, the large number of requests received or the impossibility to identify you within a reasonable time.
  • If, despite our best efforts, we are unable to identify you and you do not provide us with additional information to identify you, we are not obliged to respond to your request.

11. Security of personal data

In particular, we have implemented the following technical and organisational measures to ensure the security of personal data:

  • Dedicated policies.

    Adoptăm și ne revizuim practicile și politicile de prelucrare a datelor clienților noștri și ale altor persoane, inclusiv măsurile fizice și electronice de securitate, pentru a ne proteja sistemele de acces neautorizat și alte posibile amenințări la securitatea acestora. Verificăm constant modul în care aplicăm propriile politici de protecţie a datelor cu caracter personal şi în care respectăm legislaţia protecţiei datelor.

  • Data minimisation.

    We have ensured that the personal data we process is limited to that which is necessary, appropriate and relevant for the purposes stated in this notice.

  • Restricting access to data.

    We strictly restrict access to the personal data we process to employees, collaborators and others who need to access it in order to process it for us. All these companies and individuals are subject to strict confidentiality obligations and we will not hesitate to hold them accountable and terminate our collaboration with them if they do not treat the protection of your and other people's data with the utmost seriousness.

  • Specific technical measures.

    We use technologies within the SOCIAL TUSCAN ASSOCIATION to assure data subjects that the security of their data is protected.

We include in the contracts with those who process for us (processors) or with us (other operators - associated operators) clauses to ensure the protection of the data we process; this protection goes at least to the minimum required by law.

Although we take all reasonable steps to ensure the security of your data, THE SOCIAL TUSCAN ASSOCIATION cannot guarantee the absence of any breach of security or the impossibility of penetrating security systems. In the unfortunate and unlikely event that such a breach occurs, we will follow legal procedures to mitigate the effects and inform the data subjects.

12. Absence of an automated decision-making process

Our respect for your data includes giving it the necessary human attention through our staff. Under the current conditions, as a user of our services, you will not be subject to a decision by us based solely on automated processing of your data (including profiling) that produces legal effects concerning you or similarly affects you to a significant extent.

13. Meaning of terms used

Personal Data Processing Supervisory Authority: an independent public authority which, under the law, has powers relating to the supervision of compliance with personal data protection legislation. In Romania, this supervisory authority for the processing of personal data is the National Supervisory Authority for Personal Data Processing (ANSPDCP).

Special categories of personal data (sensitive personal data/sensitive data): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data for the unique identification of a natural person; data concerning the health, sex life or sexual orientation of a natural person.

Collaborators: natural or legal persons who have entered into a collaboration contract with us and who provide services to our clients.

Personal data: any information relating to an identified or identifiable natural person ("data subject"). A natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier, e.g. name, identification number, location data, online identifier, one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity. Thus, for example, the following are included in the notion of personal data: first and last name; home or residence address; email address; telephone number; personal identification number (CNP); established diagnosis (this is sensitive data); genetic data (this is sensitive data); biometric data (this is sensitive data); geolocation data. The categories of personal data about you that we process are listed above.

Controller: the natural or legal person who decides why (for what purpose) and how (by what means) personal data are processed. According to the law, the primary responsibility for compliance with personal data legislation lies with the controller. In our relationship with you, we are the controller and you are the data subject.

Processor: any natural or legal person who processes personal data on behalf of the controller, other than employees of the controller.

Data Subject: the natural person to whom certain personal data refer (to whom they "belong"). In relation to us (the controller), you are the data subject.

Processing of personal data: any operation/set of operations which is/are performed upon personal data or sets of personal data, whether or not by automatic means; for example: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of such personal data/sets of personal data. These are only examples. Basically, processing means any operation on personal data, whether by automatic or manual means.

Third State: a State outside the European Union and the European Economic Area.

Declaration of conformity

THE SOCIAL TEA ASSOCIATION declares on its own responsibility that it has taken all the measures it considered necessary in order to comply with the instructions of Regulation EU 2016/679 (GDPR) on the collection, use and storage of personal data in the member countries of the European Union.

THE SOCIAL TUSKER ASSOCIATION certifies that it adheres to the notification, opt-in, transfer, data security and integrity, access and enforcement requirements of the instructions of Regulation EU 2016/679 (GDPR) on the collection, use and storage of personal data in the member countries of the European Union.

Date 24.07.2023


Contribute to the maintenance and development of the Via Transilvanica path, through a simple or recurring donation!