CO2Later

Privacy Policy

  1. INTRODUCTION
    This Privacy Policy (hereinafter referred to as the “Policy”) defines the procedure for processing and protecting personal data within SOFTCO2 S.R.L., a limited liability company organized and operating in accordance with the provisions of Romanian law, headquartered in Romania, Intr. Gheorghe Simionescu, no. 19, apt. B26, Bucharest, Sector 1, registered at the Bucharest Trade Register under no. J40/571/2024, with Fiscal Code 49678244 (hereinafter “SOFTCO2 S.R.L.” or the “Controller”), and establishes procedures aimed at preventing and documenting any breaches of the applicable law regarding personal data.
    This Policy has been drafted in accordance with the legislation of Romania and the European Union, in particular with the following documents:
  • The General Data Protection Regulation (GDPR), adopted by the European Parliament and the Council on April 27, 2016;
  • Any other local law on personal data protection applicable in Romania.
  1. PURPOSE OF THE DATA PROTECTION POLICY
    The purpose of this Policy is to explain which personal data we process, why we process it, and what we do with it. Considering that personal information belongs to each user, we do our best to store it securely and process it carefully. We do not provide information to third parties without first fulfilling our obligation to inform.

  2. SCOPE AND AMENDMENT OF THE DATA PROTECTION POLICY
    This data protection policy applies to SOFTCO2 S.R.L. and the company’s employees. The data protection policy extends to all processing of personal data.

The most recent version of the data protection policy can be accessed along with the information on data confidentiality on the www.co2later.com website.

  1. BASIC DEFINITIONS
    For the purposes of this Policy, the following definitions are used:

“Data Protection Officer (DPO)” means the person responsible for monitoring the application of the GDPR and other applicable laws regarding the protection of data subjects whose personal data is processed, and who performs the functions assigned to them by this Policy and other applicable legislation, providing advice to the management of SOFTCO2 SRL regarding personal data protection.

“Personal data” means any information regarding an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, especially by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more specific elements, characteristic of that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

“Processing” means any operation or set of operations performed upon personal data or upon sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Restriction of processing” means the marking of stored personal data with the aim of limiting their future processing.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects of a natural person, particularly to analyze or predict aspects regarding performance at work, economic situation, health, personal preferences, interests, reliability, behavior, the physical location of that natural person, or their movements.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, establishes the purposes and means of the processing of personal data. For the purposes of this Policy, “Controller” means SOFTCO2 SRL.

“Processor” means the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller.

“Recipient” means the natural or legal person, public authority, agency, or other body to which personal data is disclosed, whether or not it is a third party.

“Third party” means a natural or legal person, public authority, agency, or body other than the data subject, the Controller, the Processor, and the persons who, under the direct authority of the Controller or the Processor, are authorized to process personal data.

“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they agree, by a statement or by a clear affirmative action, that the personal data relating to them may be processed.

“Personal data breach” means a security breach that accidentally or unlawfully leads to the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data that are transmitted, stored, or otherwise processed.

“Health data” means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which disclose information about that person’s health status.

“Cross-border processing” means either the processing of personal data which takes place in the context of the activities of offices in more than one Member State of a controller or a processor in the territory of the Union, if the controller or processor has offices in at least two Member States; or the processing of personal data which takes place in the context of the activities of a single office of a controller or processor on the territory of the Union, but which significantly affects or is likely to significantly affect data subjects in at least two Member States.

  1. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

a. Fairness and Legality
SOFTCO2 S.R.L. protects the individual rights of natural persons (“Data Subject”) during the processing of personal data, with personal data being collected and processed legally and fairly.
“Legality” – involves identifying the legal basis before processing personal data. These are often referred to as “conditions for processing,” for example, consent.
“Fairness” – for the processing of data to be fair, the data controller must make certain information available to the Data Subjects. This applies regardless of whether the personal data was obtained directly from the data subjects or from other sources.

b. Restrictions to a Specific Purpose (“purpose limitation”)
Personal data is processed only for the purpose defined before data collection begins. Subsequent changes to the purpose are possible only by way of exception, to a limited extent, and require a justification.

c. Transparency
The data subject is informed about how their data is processed. In general, personal data is collected directly from the person concerned. When data is collected, the data subject must be aware or be informed of:

  • The identity of the Data Controller,
  • The purpose of the data processing,
  • Third parties or categories of third parties to which the data might be disclosed.

d. Data Minimization (“minimizing data”)
Before processing personal data, it must be determined whether and to what extent the processing of personal data is necessary to achieve the purpose for which it is performed. Where feasible and when the associated costs are proportionate to the intended purpose, anonymized or statistical data is used. Personal data is not collected in advance and stored for potential future purposes, unless required or allowed by applicable law.

e. Erasure
Personal data that is no longer needed after the expiration of periods related to legal or business processes is erased. If there are indications of interests requiring protection or of the historical importance of this data in individual cases, it is possible for SOFTCO2 SRL to retain the data until such interests requiring protection are legally clarified or the corporate archive has evaluated the data to determine whether it must be retained for historical/archival purposes. If erasing the data may impact SOFTCO2’s IT systems, the data will be irreversibly anonymized so that no information can lead to the identification of the data subject.

f. Factual Accuracy; Updating Data (“accuracy”)
Personal data must be correct, complete, and, if necessary, up to date. SOFTCO2 SRL takes appropriate measures to ensure that incorrect or incomplete data is deleted, corrected, supplemented, or updated.

g. Data Confidentiality and Security (“integrity and confidentiality”)
Personal data is subject to legal obligations to maintain data secrecy. Each SOFTCO2 SRL employee must treat it as confidential, and appropriate organizational and technical measures are provided to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, alteration, or destruction.

h. Accountability Principle under the GDPR
The GDPR includes provisions that promote accountability and governance. They complement the GDPR’s transparency requirements. The accountability principle in Article 5(2) of the GDPR requires the controller to demonstrate compliance with the principles and explicitly states that this is the controller’s responsibility.
SOFTCO2 will prove compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct, implementing technical and organizational measures, as well as adopting techniques such as data protection by design, DPIAs, a procedure for notification of breaches, and incident response plans.

  1. LEGAL BASES FOR PROCESSING
    The collection, processing, and use of personal data are permitted only under the following bases:

a. Data about customers and partners

a.1. Processing data to fulfill a contract
Personal data of contact persons and representatives of customers, suppliers, and partners can be processed to establish, execute, and terminate a contract. Prior to concluding the contract—during the contract preparation phase—personal data may be processed to prepare offers or purchase orders or to fulfill other requirements relating to the conclusion of the contract. Contact persons may be reached during the contract preparation process, using only the contact information they have provided. Any restrictions requested by the respective contact persons must be respected.

a.2. Consent as the basis for data processing
Where the consent of data subjects is required, data may be processed after receiving the consent of the data subject. Consent must be obtained in writing or in electronic format for documentation purposes. In certain circumstances, such as phone calls, consent may be given verbally. It is mandatory to document the granting of consent.

a.3. Processing data under a legal obligation
Processing personal data is also allowed where applicable law so requires, imposes, or permits it. The type and scope of data processing must be necessary for the legally mandated data processing activity and must comply with the relevant legal provisions.

a.4. Processing data under legitimate interests
Personal data may also be processed if it is necessary for a legitimate interest of SOFTCO2 S.R.L. Legitimate interests are generally legal in nature (for example, collecting outstanding debts) or commercial (for example, preventing contractual violations). Personal data cannot be processed for the purpose of a legitimate interest if, in individual cases, there is evidence that the data subject’s interests requiring protection take precedence. Before processing the data, it is necessary to determine whether there are interests requiring protection.

a.5. Processing sensitive data
SOFTCO2 SRL does not process any information pertaining to race, nationality, political opinions, religious or philosophical beliefs, intimacy, or private life.

If personal data is collected, processed, and used on websites or in applications, data subjects must be informed through a privacy statement and, if applicable, provided with cookie information. The privacy statement and any cookie information must be integrated so that they are easily identifiable, directly accessible, and consistently available to data subjects.

b. Employee/future employee data

b.1. Processing data for the employment relationship
In employment relationships, personal data may be processed if necessary for initiating, executing, or terminating the employment contract. At the start of an employment relationship, the applicant’s personal data will be processed. If the candidate is rejected, their data must be deleted in accordance with the required retention period, unless the applicant has agreed to remain on record for a future selection process for 12 months from the application date. Consent is also required for the use of data for additional application processes or prior to sharing the application with other companies in the group.

In an existing employment relationship, data processing must always be related to the purpose of the employment contract if none of the other circumstances for permitted data processing applies.

If, during the application procedure, it is necessary to collect information about an applicant from a third party, the relevant requirements of national laws must be respected. In case of doubt, the agreement of the data subject must be obtained.

There must be a legal basis for processing personal data that is related to the employment relationship but was not initially part of performing the employment contract. These may include legal requirements, collective regulations with employee representatives, the employee’s consent, or the legitimate interest of the company.

b.2. Processing data under a legal obligation
Processing personal data of employees is also allowed if the applicable national legislation so provides and imposes it. The type and scope of data processing must be necessary for the legally mandated data processing activity and must comply with the relevant legal provisions. If there is a certain degree of legal flexibility, the interests of the employee that require protection must be taken into account.

b.3. Consent to data processing
Where necessary, employee data may be processed after obtaining the consent of the individual in question. Consent statements must be provided voluntarily. Involuntary consent is invalid. The consent statement must be obtained in writing or in electronic form and will be kept by the controller. In certain circumstances, consent may be given verbally, in which case it must be subsequently documented. If the relevant party voluntarily and knowingly provides data, it can be assumed that consent exists, provided that national law does not require explicit consent.
By “consent,” it is understood that the data subject has agreed to the processing of personal data concerning their own person. The data subject may withdraw their consent at any time by sending an email to privacy@co2later.com.

b.4. Processing data on the basis of a legitimate interest
Personal data may also be processed if it is necessary to uphold a legitimate interest of SOFTCO2 S.R.L. Legitimate interests are generally legal (e.g., filing, exercising, or defending against legal actions) or financial (e.g., company evaluations).

Personal data may not be processed for a legitimate interest if, in individual cases, there is evidence that the employee’s interests that require protection prevail. Before processing the data, it must be established whether there are any interests that require protection.

Control measures that require the processing of employee data can be taken only if there is a legal obligation in this regard or if there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The legitimate interests of SOFTCO2 SRL (for example, compliance with legal provisions and internal company regulations) must be balanced against the employee’s interests that require protection and might be affected by the control measure to be adopted. The legitimate interest of the company and any interests of the employee that require protection must be identified and documented before taking any measures. In addition, any additional requirements under national law must be considered (e.g., co-decision rights for employee representatives and the data subjects’ right to be informed).

b.5. Processing sensitive personal data
Sensitive personal data may only be processed under certain conditions. Sensitive personal data relates to health and underage persons in the care of company employees. In accordance with national legislation, other categories of data may be considered sensitive, or the content of these data categories may be supplemented differently. Furthermore, data that refers to an offense can only be processed in accordance with specific requirements of national legislation.

Processing must be explicitly allowed or mandated by national law. Additionally, processing may be allowed if it is necessary for the responsible authority to fulfill its rights and obligations under labor law. The employee may also explicitly consent to the processing.

b.6. Telecommunications and Internet
Phone equipment, email addresses, the intranet, and internet, together with internal social networks, are provided by the company primarily for work-related tasks. They are a company tool and resource. They may be used in accordance with the applicable legal regulations and the company’s internal policies. In the event of authorized personal use, the laws on telecommunications secrecy and national telecommunications laws must be observed, if applicable.

To ensure the confidentiality, integrity, and availability of data, SOFTCO2 may implement automated protection measures, including traffic analysis, to detect or anticipate attack vectors or patterns and prevent them, as well as when responding to cybersecurity incidents.

To ensure a high degree of cybersecurity and in order to resolve cybersecurity incidents, the use of phone equipment, email addresses, intranet/internet networks, and internal social networks may be recorded for a limited period.
Evaluations of this data and the identification/profiling of a particular person may be carried out only in a specific and justified situation of suspected violations of the law or of SOFTCO2 SRL policies. Evaluations may be carried out only by investigation departments, while ensuring compliance with the principle of proportionality.

SOFTCO2 will not process personal data in the absence of one of the above reasons. The same rule also applies in the event that the purpose of collecting, processing, and using personal data must be changed from the original purpose.

  1. TRANSMISSION OF PERSONAL DATA
    Transmission of personal data can be done, based on the law, only to authorized state institutions (Labor Inspectorate, Ministry of Labor, Pension House, National Health Insurance House, NAFA, etc.) and will be stored only as long as necessary.

  2. PROCESSING OF DATA RELATING TO CONTRACTS
    Processing data on behalf of SOFTCO2 SRL means that a provider is engaged to process personal data, without assuming responsibility for the associated business process. In these cases, a data processing agreement must be concluded between external providers and SOFTCO2 SRL. The client remains fully responsible for the correct performance of data processing. The provider can only process personal data in accordance with the client’s instructions. When issuing the order, the department placing the order must ensure that the following requirements are met:
    a) The provider must be chosen based on the ability to cover the required technical and organizational protection measures.
    b) The order must be issued in writing. The instructions regarding data processing and the responsibilities of the client and the provider must be documented.
    c) The contractual standards on data protection provided by the data protection officer must be taken into consideration.
    d) Before starting data processing, the client must be confident that the provider will comply with its obligations. A provider can demonstrate compliance with data security requirements, especially by presenting appropriate certification. Depending on the risk of data processing, checks should be repeated regularly during the contract period.
    e) In the case of cross-border data processing in contracts, the relevant national requirements for disclosing personal data abroad must be met. In particular, personal data from the European Economic Area can be processed in a third country only if the provider can prove that it has a level of data protection equivalent to this data protection policy. Appropriate instruments may be:
    i. Concluding the EU Standard Contractual Clauses for contract data processing in third countries with the provider and any subcontractors.
    ii. The provider’s participation in an EU-accredited certification system to ensure an adequate level of data protection.
    iii. Recognition of the provider’s binding corporate rules to establish an adequate level of data protection, by the supervisory authorities responsible for data protection.

  3. RIGHTS OF THE DATA SUBJECT
    In certain circumstances, you have specific rights regarding your personal data, under the legal provisions. To exercise them, please contact us at the dedicated email address.

Access to data
You may ask us:

  • to confirm whether we are processing your personal data;
  • to provide you with a copy of that data;
  • to give you other information about the personal data, such as what data we have, for what purpose we use it, to whom we disclose it, whether we transfer it abroad and how we protect it, how long we keep it, what rights you have, how you can make a complaint, and where we obtained your data from, if these details have not already been provided in this information notice.

Rectification
You may request us to supplement/modify your personal data so that it is consistent with reality.

Erasure of data (“right to be forgotten”)
You may ask us to delete your personal data, but only if:

  • it is no longer necessary for the purposes for which it was collected; or
  • you have withdrawn your consent (if data processing is based on consent); or
  • you exercise a legal right to object; or
  • the data was processed illegally; or
  • we have a legal obligation in this regard.

We are not obliged to comply with this request if the processing of your personal data is necessary for:

  • compliance with a legal obligation; or
  • the establishment, exercise, or defense of a legal claim,

or in other circumstances; these are the most likely ones.

Restriction of data processing
You may ask us to restrict the processing of your personal data in the following cases:

  • you dispute the accuracy of your personal data, for a period that allows us to verify the accuracy of the data;
  • processing is unlawful and you do not agree to the erasure of your personal data, but request instead the restriction of its processing;
  • we no longer need your personal data, but you request it to establish, exercise, or defend a legal claim;
  • you object to the processing of personal data, when the purpose of processing personal data is direct marketing, for the period in which it is checked whether our legitimate rights prevail over yours.

Data portability
You may request us to transmit the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format, and you have the right to transfer such data to another controller, in the following cases:

  • the processing is based on consent;
  • the processing is carried out by automated means.

Objection
You have the right to object to processing when: (a) the processing is necessary for the fulfillment of a task serving a public interest, (b) the processing is necessary for the legitimate interests pursued by us or by a third party, including profiling based on these provisions. In this situation, we will no longer process your personal data, except where we demonstrate that we have legitimate and compelling reasons justifying the processing and which prevail over the interests, rights, and freedoms of the data subject, or that the purpose is the establishment, exercise, or defense of a legal claim.

Automated decision-making
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or that similarly significantly affects you.
This right has certain limitations, specifically:

  • the automated decision is necessary for the conclusion or execution of a contract between you and us;
  • the decision is authorized under legal regulations;
  • we have your explicit consent in this regard.

In such a case, you may send us a request so that your personal data is subject to a manual processing procedure.

  1. CONFIDENTIALITY OF PROCESSING
    Personal data is considered confidential information and will be treated as such. Any unauthorized collection, processing, or use of this data by employees is prohibited. The processing of personal data is confidential. It will be carried out only by persons acting under the authority of SOFTCO2 SRL and only based on its instructions.

Any data processing carried out by an employee that has not been authorized as part of their legitimate duties is considered unauthorized. The “need to know” principle applies. Employees may access personal data as appropriate to the data types and the defined purpose. This is based on a careful breakdown and separation of tasks for SOFTCO2 employees and implies the implementation of roles and responsibilities for each employee.

Employees are prohibited from using personal data for private or commercial purposes, disclosing it to unauthorized persons, or making it available in any other way. Supervisors inform employees at the start of their employment relationship about the obligation to protect the confidentiality of data.

In case of unauthorized use of personal data, employees may be subject to sanctions in accordance with applicable legislation and the regulations in force within SOFTCO2 SRL.

The obligation to maintain the confidentiality of personal data remains in force even after the end of the employment period; the sanctions applicable in case of a breach of the confidentiality obligation are those provided by the legislation in force.

  1. SECURITY OF PROCESSING
    Personal data is protected against unauthorized access and against unlawful processing or disclosure, as well as accidental loss, alteration, or destruction. This applies regardless of whether the data is processed electronically, on paper, or by other means. Before introducing new methods of data processing, especially new IT systems, the technical and organizational measures for the protection of personal data are defined and implemented. These measures must be based on the current state of technology, on the risks related to processing, and on the need to protect the data (determined through the information classification process).

In particular, the responsible organizational structure may consult with the data protection officer. Technical and organizational measures for the protection of personal data are part of the company’s information security management and are continuously adapted to technological developments and organizational changes.

Access to personal data is granted only to those SOFTCO2 SRL employees who need such personal data to carry out their tasks related to any of the aforementioned processing purposes (including the human resources department, Legal department, Financial, IT, Administrative). Any access to personal data by other employees who do not have access rights in accordance with this Policy is prohibited.

SOFTCO2 SRL employees who have access to personal data may only process the data necessary to fulfill their specific work responsibilities related to any of the aforementioned processing purposes.

Documents containing personal data are stored in the structural departments of SOFTCO2 SRL whose employees have access to the personal data needed to carry out their official duties, being responsible for handling the relevant data of the data subject.

A person who processes personal data on behalf of SOFTCO2 SRL must comply with the principles and rules for processing personal data established by this Policy.

If SOFTCO2 SRL authorizes another person to process personal data, SOFTCO2 SRL is responsible to the data subject for the acts or omissions of that person in processing the personal data. The person processing personal data on behalf of SOFTCO2 SRL is responsible to SOFTCO2 SRL.

All personal data must be handled with the highest level of security and must be kept:

  • in a locked room with controlled access; and/or
  • in a locked drawer or cabinet; and/or
  • if computerized, protected by a password in accordance with the requirements of the access control policy; and/or
  • stored on (removable) computer media which are encrypted in accordance with standards in the field.
  1. DATA PROTECTION INCIDENTS
    All employees are required to immediately inform their supervisor or the Data Protection Officer about any cases of breach of this data protection policy or other regulations regarding personal data (data protection incidents), whether it is a breach of confidentiality, data integrity, or availability. The head of the organizational structure is required to immediately inform the Data Protection Officer about the data protection incidents.

In the following situations:

  • improper transmission of personal data to third parties,
  • inappropriate access to personal data, or
  • loss, destruction, or alteration of personal data,

the head of the relevant organizational structure will urgently draft incident reports, in accordance with the rules set for the Management of Information Security Incidents, so that urgent measures can be taken to limit the harm to the owners of personal data and to comply with the obligations to report and notify incidents to the supervisory authority.

  1. RESPONSIBILITIES AND SANCTIONS
    The management of SOFTCO2 S.R.L., as well as its employees and agents, are responsible for the processing of data in their area of responsibility. Therefore, they are obliged to ensure that the legal requirements for data protection and the requirements contained in the data protection policy (e.g., national reporting obligations) are met. The management bodies are responsible for ensuring that there are organizational, human, and technical measures in place so that any data processing is carried out in accordance with data protection rules. Compliance with these requirements is the responsibility of the heads of organizational structures.

The Data Protection Officer at SOFTCO2 SRL is informed without delay of the audits performed by the supervisory authorities regarding data protection.

Improper processing of personal data or other violations of data protection laws may lead to claims for damages. Violations for which individual employees are responsible may lead to sanctions under labor law.

  1. THE RIGHT TO FILE A COMPLAINT
    If you have a complaint regarding the use of your information, we would prefer that you contact us first at privacy@co2later.com so that we can resolve the request amicably. However, you may also contact the National Supervisory Authority for Personal Data Processing for information via the website: www.dataprotection.ro or write to them at the address: 28-30 G-ral. Gheorghe Magheru Blvd, District 1, postal code 010336, Bucharest, Romania.

  2. EFFECTIVE DATE
    This Policy comes into effect on 03.06.2024.
    SOFTCO2 SRL may change or modify this policy periodically. This may happen, for example, due to legislative changes or if SOFTCO2 SRL modifies its business or practices.


2025 © CO2Later | All rights reserved.
