GDPR Policy
Last updated: April 2026
1. Introduction
Constsoft Systems ("we", "us", "our") is committed to ensuring compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR") and Romanian Law 190/2018 on measures implementing the GDPR.
This GDPR Policy outlines the principles we follow when processing personal data, the categories of data subjects and data we handle, the technical and organizational measures we take to protect that data, and how individuals can exercise their rights. It applies to all personal data collected through our website at constsoftsystems.com. This policy should be read alongside our Privacy Policy and Cookie Policy.
2. Data controller information
Constsoft Systems
Central Business Plaza, Str. Ploiesti Nr. 9
Cluj-Napoca, Romania
Email: hello@constsoftsystems.com
Constsoft Systems is the data controller for all personal data processed through our website. For any questions regarding data protection, please contact us at the email address above.
3. GDPR principles we follow
We adhere to the core principles of data protection as set out in Article 5 of the GDPR:
Lawfulness, fairness, and transparency
We process personal data lawfully, fairly, and in a transparent manner. We clearly inform data subjects about how their data is used through this policy, our Privacy Policy, and our Cookie Policy.
Purpose limitation
We collect personal data only for specified, explicit, and legitimate purposes (responding to contact form inquiries, recruitment and talent evaluation, and ensuring website functionality) and do not process it further in a manner incompatible with those purposes.
Data minimization
We collect only the data that is adequate, relevant, and limited to what is necessary. Our contact form requests only the information needed to understand and respond to your inquiry.
Accuracy
We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. You may request correction of any inaccurate data at any time.
Storage limitation
We retain personal data only for as long as necessary. Contact form data is retained for a maximum of 12 months after resolution of the inquiry, unless a longer period is required by law. Recruitment/candidate data, including CV files, is retained for a maximum of 12 months from submission and then permanently deleted.
Integrity and confidentiality
We implement appropriate security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Accountability
We take responsibility for compliance with these principles and can demonstrate compliance through our policies, records of processing activities, and technical measures.
4. Categories of data subjects
We process personal data relating to the following categories of individuals:
- Website visitors — Individuals who browse our website. Minimal data is collected (server logs; localStorage preferences stored only on the visitor's device).
- Potential clients — Individuals or representatives of companies who submit inquiries via our contact form, providing name, email, and project details.
- Job candidates / applicants — Individuals who submit applications through our Careers page, providing name, email, area of interest, and a CV/resume.
5. Categories of personal data processed
We process the following categories of personal data:
- Identity data — Name, company name (optional)
- Contact data — Email address
- Inquiry data — Service of interest, message content
- Technical data — IP address, browser type, referring URL, timestamps (collected automatically via server logs)
- Recruitment data — Name, email address, area of interest, and CV/resume contents which may include phone number, LinkedIn profile URL, postal address, education history, and work experience
We do not process special categories of personal data (e.g., health data, biometric data, racial or ethnic origin, political opinions, religious beliefs).
6. Legal basis for processing
We rely on the following legal bases under Article 6(1) GDPR:
| Processing activity | Legal basis | GDPR Article |
|---|---|---|
| Contact form submission | Consent | Art. 6(1)(a) |
| Recruitment / talent evaluation | Consent | Art. 6(1)(a) |
| Cookie/localStorage consent | Consent | Art. 6(1)(a) |
| Website security & server logs | Legitimate interest | Art. 6(1)(f) |
| Legal/regulatory compliance | Legal obligation | Art. 6(1)(c) |
7. Data processors and sub-processors
We engage trusted third-party data processors for website hosting, content delivery, and secure data storage, each bound by data processing agreements compliant with GDPR Article 28. These processors handle data only according to our instructions and are contractually required to implement appropriate technical and organizational security measures.
You may request a complete list of our current data processors by contacting us at hello@constsoftsystems.com.
8. International data transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure compliance with GDPR Chapter V by relying on one or more of the following mechanisms: EU adequacy decisions (Art. 45), Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c)), or binding corporate rules (Art. 47). Currently, international transfers may occur through our hosting provider's content delivery network, which is subject to SCCs.
9. Data subject rights
Under GDPR (Articles 15–22) and Romanian Law 190/2018, every data subject has the following rights:
- Right of access (Art. 15) — Obtain confirmation of whether your data is being processed and request a copy
- Right to rectification (Art. 16) — Have inaccurate or incomplete data corrected without undue delay
- Right to erasure (Art. 17) — Request deletion of your personal data where there is no compelling reason for continued processing
- Right to restriction (Art. 18) — Request limitation of processing in certain circumstances
- Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interests or direct marketing
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting the lawfulness of processing before withdrawal
- Right not to be subject to automated decisions (Art. 22) — Not to be subject to decisions based solely on automated processing. We do not carry out automated decision-making or profiling.
How to exercise your rights
Send your request to hello@constsoftsystems.com. Please include sufficient information for us to verify your identity. We will respond within 30 days of receiving your request. If we need to extend this period (by up to 60 additional days for complex requests), we will inform you within the initial 30-day window.
There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request (Art. 12(5) GDPR).
10. Data breach notification
In the event of a personal data breach, we will:
- Notify the Romanian National Supervisory Authority (ANSPDCP) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects' rights and freedoms (Art. 33 GDPR).
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).
- Document all breaches, including the facts, effects, and remedial actions taken, regardless of whether notification is required.
11. Technical and organizational measures
In accordance with Article 32 GDPR, we implement the following measures to ensure a level of security appropriate to the risk:
- Encryption in transit — All data transmitted between your browser and our website is encrypted via HTTPS/TLS
- Encryption at rest — All stored data is encrypted at rest
- Access controls — Data access is restricted to authorized personnel only
- Infrastructure security — Our service providers maintain industry-standard security certifications and practices
- Data minimization — We collect only the data strictly necessary for our stated purposes
- Regular reviews — We periodically review our security measures and update them as needed
12. Data Protection Impact Assessment (DPIA)
Given the limited scope of personal data we process (basic contact information from voluntary form submissions), our processing activities are not currently considered high-risk under Article 35 GDPR. We do not process special categories of data, conduct large-scale profiling, or carry out systematic monitoring of public areas. Should our processing activities change in a way that could present high risk to data subjects, we will conduct a DPIA before commencing such processing.
13. Records of processing activities
In accordance with Article 30 GDPR, we maintain records of our processing activities. These records include the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a general description of technical and organizational security measures. These records are available to the supervisory authority (ANSPDCP) upon request.
14. Supervisory authority
If you are not satisfied with how we handle your personal data or respond to your request, you have the right to lodge a complaint with the competent supervisory authority:
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1
010336 Bucharest, Romania
15. Changes to this policy
We may update this GDPR Policy to reflect changes in our processing activities, legal requirements, or best practices. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.
16. Contact us
For any questions about this GDPR Policy or to exercise your data protection rights, please contact us:
Constsoft Systems
Central Business Plaza, Str. Ploiesti Nr. 9
Cluj-Napoca, Romania
See also our Privacy Policy, Cookie Policy, and Terms & Conditions.