1. CLASS ENTERPRISE INVEST SRL guarantees the security and confidentiality of the data hosted and transmitted through its IT system. This information may be used by CLASS ENTERPRISE INVEST SRL to send the user order confirmations, various special offers, promotions, etc., only based on the consent of the data subject. The provision of personal data to CLASS ENTERPRISE INVEST SRL does not imply an obligation on the part of the users, and they may refuse to provide this data under any circumstances and may request the free deletion of this data from the database. CLASS ENTERPRISE INVEST SRL, the owner of the online platform, does not intervene directly or indirectly in the databases where client information is stored.

To enable billing, shipping, and delivery of orders placed, the user must agree that CLASS ENTERPRISE INVEST SRL collects and processes the entered data according to the requirements of Law no. 679/2016 (GDPR). According to the requirements of Law no. 679/2016 (GDPR) for the protection of individuals regarding the processing of personal data and privacy protection in the electronic communications sector, CLASS ENTERPRISE INVEST SRL has the obligation to manage personal data provided in a secure manner and only for the specified purposes.

In this regard, CLASS ENTERPRISE INVEST SRL has developed a series of technical and organizational measures to prevent risks that may arise in the processing of personal data. The processing of personal data within the organization is conditioned by a series of technical and organizational measures to ensure its security. These measures are designed to protect information within the organization against security incidents.

The following security measures have been taken at the organization level to reduce risks:

Technical measures:

    • SSL Certificate – serves to secure the exchange of information over the Internet. It encrypts information before it circulates over the Internet. The encrypted information can only be decrypted by the server it is addressed to. This ensures that information sent to a website/online platform will not be stolen, intercepted, or processed. Information about bank cards, passwords, and any other data intended to remain private is secured by this certificate.

    • SSL Certificate of the online platform CLASS ENTERPRISE INVEST SRL is also used to secure email correspondence, ensuring that clients’ personal data circulates in a secure and regulated environment with a series of security measures to ensure confidentiality.
     
    • Automatic backup – scheduled at a set time interval to safeguard information, so that all clients can be sure that their information and preferences will not be lost or destroyed in the event of a server error.
     
    • Anti-spam and antivirus filters that prevent the infiltration of malicious content or viruses that could process the data without authorization or transmit it to other entities or individuals who have not obtained the consent of the data subject.
     
    • Protection of the client profile content by introducing a rule for generating a more complex password. When creating the account, the client is required to choose a password that meets higher complexity criteria (alphanumeric + special characters);
     
    • Securing modules and scripts that communicate within the platform. The functionality of the elements involved in client-server, server-client interaction is constantly checked.
     
    • Verification and optimization of modules to keep them up-to-date to prevent vulnerabilities. This measure guards against vulnerabilities in globally used platforms, such as zero-day vulnerabilities, being used to intercept data exchange and thus personal data during the client’s interactions with the platform or the process manager’s interactions with the client and the platform.
     
    • Classification of access types by the process manager – administration groups, possibility to add or remove rights on a user with full access – personalizing access based on necessity.
     
    • Password protection of the device from which the process manager performs data processing, to prevent unauthorized intervention.
     
    • Firewall – software program and hardware component installed at the server location of the company offering hosting for the online platform, designed to protect the server and network equipment from cyberattacks, unauthorized intrusion attempts, and installation of malicious software that could endanger users’ personal data. The firewall blocks unauthorized access to information stored on the equipment connected to the Internet.
     
    • Access to data processing systems where personal data is processed is only possible after the authorized person has been identified and authenticated successfully (e.g., using a username and password or chip card/PIN), using the most advanced security measures. In case of unauthorized access, access is denied.
     
    • All access attempts, both successful and rejected, are recorded (user ID, computer, IP address used) and archived in a format compliant with audit rules for 3 months. To detect misuse, the server performs repeated random checks;
     
    • Access is blocked after repeated incorrect authentication attempts.
     
    • Constant verification of platform vulnerabilities that could allow the extraction of information and personal data. Hosting has security measures and solutions that recurrently scan processed files and data flows circulating within the platform;
     
    • Combating the risks of security breaches by taking technical and organizational precautions by securing the platform and constantly updating it with stable versions.
     
    • Password protection of equipment that has direct access to the order table and client delivery/billing data to prevent unauthorized access and thus unauthorized processing by unqualified persons.

Organizational measures:

    • Destruction of documents that are no longer necessary (notes, incorrect invoices, etc.) using a document shredder provided to the process manager;
     
    • Eliminating the risk posed by the human factor by prohibiting the processing of information outside the secure platform, except for generating transport notes within the courier company’s platform, which is also a secure environment;
     
    • Adopting security measures without distinguishing between client types (new/existing/potential);
     
    • Adopting an internal policy for verifying processes and data processing when the product is being shipped or the information about an order or possible offer is being received;
     
    • Avoiding distinguishing between clients through mechanisms that may positively or negatively profile the data subject. For this reason, we do not request personal data such as sexual orientation, sexual interests, gender, religion, affiliation with movements or groups, etc. Clients are free to order and choose what they wish. Through this measure, we believe we respect the integrity of the individual and avoid any form of profiling based on these criteria.
     
    • Updating the privacy policy and the Terms and Conditions of CLASS ENTERPRISE INVEST SRL
     
    • Informing clients about the delivery, return, and order processing procedures;
     
    • Training the process manager on the risks of processing personal data outside the online platform.
     
    • Training the process manager on the need to notify in the case of a major security incident.
     
    • Training the process manager on managing situations that may arise during data processing within the platform (errors, user errors).
     
    • Training the process manager on the use of the information they process and awareness of the nature of personal information;
     
    • Prohibiting data processing outside the platform by managing orders directly in the platform’s user interface, as there is no need for data processing in other unsecured and vulnerable environments.
     
    • The process manager is periodically trained on:
        • The principles of data protection, including technical and organizational measures;
        • The requirement to maintain data secrecy and confidentiality regarding the organization’s secrets and commercial secrets, including transactions performed;
        • Proper and careful use of data, data environments, and other documents;
        • The confidentiality of telecommunications;
        • Other specific confidentiality obligations, where necessary;

    From a processing perspective, within CLASS ENTERPRISE INVEST SRL, personal data is processed only for the purposes for which the consent of the data subjects has been obtained, including for parallel purposes and for the conclusion of a contract or delivery of a product to the client as requested by them.

     

    Considering that this organization primarily operates online, the personal data of clients is transmitted online through applications and the platform where orders and requests for offers are made. The data collected is minimized and directly related to the purpose for which consent was obtained, and is necessary to contact the client in case of a request for an offer or to deliver and provide the ordered product/service in accordance with the requirements or its return.

     

    CLASS ENTERPRISE INVEST SRL, a legal entity registered with the Trade Registry (no. J03/1598/1993, CUI RO4171267) is the direct operator. The purpose of processing personal data is to provide products and services through the online platform as well as the parallel purposes of these activities: returning products, processing information necessary for delivery, improving the user experience by remembering certain settings or preferences, after obtaining their consent, price changes, product/service characteristics, stock changes, promotions, and billing.

    The categories of data subjects are: current clients, potential clients, or visitors to the website.

     

    Methods in which the data subjects are informed of their rights are:

     

    • Privacy Policy;
    • Terms and conditions of using the platform/online store;
    • On the website in a dedicated section;
    • Via email after registering on the platform, as well as when the client requests additional information or offers;
    • In the contact form on the website (the document will be attached);

     

    The exercise of rights under Law no. 679/2016 (GDPR) is entirely the responsibility of the operator, who has the legal obligation to designate a person responsible for processing personal data within the organization. This person will develop a set of technical and organizational measures to secure the data processing and has the obligation to inform the operator about the nature of the processing operations, the types of information, and how these processes are carried out within the organization. The operator is responsible and obligated to ensure that these measures are implemented, that there is no risk of security breaches or data leaks, and to comply with the applicable legislation regarding data processing and the rights of data subjects.

     

    The following personal data is processed through the online platform:

    • name and surname
    • email
    • phone/fax
    • address

     

    CLASS ENTERPRISE INVEST SRL does not process special categories of personal data.

    CLASS ENTERPRISE INVEST SRL does not transfer data abroad or to third parties.

     

    The processing of personal data is not connected to other record-keeping systems. The actual activity of the company is to process orders initiated by clients through online platforms, store and process them for billing, shipping, and providing the ordered products.

     

    The information entered by the client into the platform is processed and stored strictly in accordance with the purposes for which their consent was given:

    • Billing;
    • Delivery;
    • Withdrawal from a concluded contract (withdrawal can be done according to the law, taking into account the conditions under which this contract was initially concluded and the legal provisions initially agreed upon);

     

    The purpose of collecting data is to bill orders, send correspondence, and fulfill orders. If you refuse to provide the data, it is impossible to place your order on this site, to process it according to the requirements, and to fulfill the purpose.

    According to Law No. 679/2016 (GDPR), the user has the right to access, the right to be forgotten, the right to carry personal information and data, the right to intervene on the data, the right not to be subject to an individual decision, and the right to appeal to justice. Furthermore, they have the right to object to the processing of personal data and can request the deletion of the data. To exercise these rights, the user can send a written, dated, and signed request to the email address marketing@metropolitanresidence.ro. Additionally, if any of the user data is incorrect, we kindly ask you to notify us so we can make the necessary corrections.