GDRP Policy

Oben fully committed to upholding the principles of the General Data Protection Regulation (GDPR) and ensuring the protection and confidentiality of all personal data processed within its operations.

Policy Statement

Oben fully committed to upholding the principles of the General Data Protection Regulation (GDPR) and ensuring the protection and confidentiality of all personal data processed within its operations.

Definition of Personal Data

The General Data Protection Regulation (GDPR) has broadened the definition of personal data within the European Union. Personal Data refers to any information relating to an identified or identifiable individual. This includes data that may not directly reveal a person’s name, email address, or phone number, yet still permits identification. Personal Data encompasses information originating from, controlled, or processed within the EU. Under the GDPR, such data can include online identifiers (e.g., cookies, IP addresses) as well as member identification numbers. Examples of Personal Data in the EU context include, but are not limited to: name, address, postal or zip code, date of birth, identity card series and number, personal numeric code (CNP), email, telephone number, bank account details, expressed opinions, preferences, images, voice recordings, IP address, and social media accounts.

Definitions:

Personal Data Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable individual is one who can be recognized, directly or indirectly, by reference to identifiers such as name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Processing Any operation or set of operations performed on personal data, regardless of whether by automated means. Processing activities include:
Collectionn Obtaining personal data by lawful means from any source.
Registration Entering personal data into a manual or automated system, such as a registry or database.
Organization Structuring or systematizing personal data according to legal requirements.
Storage Retaining personal data by any method, including backups.
Adaptation/Modification Updating, correcting, or restoring personal data for accuracy.
Extraction Separating certain categories of personal data for distinct use.
Consultation Reviewing or querying personal data for further processing.
Use Utilizing personal data internally, including duplication or printing.
Disclosure Sharing personal data with third parties via transmission or other methods.
Joining/Combining Merging new or existing personal data sets.
Blocking/Restriction Temporarily limiting processing of personal data.
Deletion/Destruction Removing or irreversibly eliminating personal data post-retention period or after fulfilling its intended purpose.
Transformation Anonymizing personal data or using it solely for statistical analysis.
Profiling Automated processing of personal data to assess certain personal attributes (e.g., work performance, health, behavior, or preferences).
Anonymization/Anonymous Data Modifying personal data so it cannot be linked to a data subject without additional information, provided that such information is separately stored and secured.
Data Record System Structured collection of personal data accessible by specific criteria, centralized or decentralized.
Operator (Controller) The party determining purposes and means of processing personal data, either alone or jointly, or as designated by law.
Processor The entity processing personal data on behalf of the operator.
Recipient Any entity receiving personal data, except public authorities acting pursuant to the law.
Third Party Any entity other than the data subject, operator, processor, or persons under their direct authority.
Consent Freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal data.
Personal Data Breach Security incidents leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data.
Genetic Data Personal data concerning inherited or acquired genetic traits that provide unique information about an individual.
Biometric Data Data derived from specific technical processing related to physical or behavioral characteristics enabling unique identification (e.g., facial images, fingerprints).
Health Data Information regarding an individual’s physical or mental health, including healthcare provision.
Binding Corporate Rules Internal policies governing cross-border transfers of personal data within a corporate group in the EU.
Supervisory Authority/ANSPDCP The National Supervisory Authority for Personal Data Processing.
Personal Numeric Code (CNP) Unique numerical identifier used for verifying civil status and identification in IT systems.
Personal Data with General Identification Function Numbers generally applicable for identifying individuals in records (e.g., CNP, ID/passport number, driver’s license, insurance numbers).
User Any authorized individual processing personal data within OBEN, including staff or agents.
Data Protection Officer (Administrator) Individual responsible for ensuring compliance with GDPR and developing, implementing, and monitoring data protection measures.
Data Any information obtained by OBEN during its operations relating to clients, suppliers, or partners.
Know-how Proprietary industrial, commercial, or scientific knowledge, non-disclosable without authorization, necessary for manufacturing or applying processes.
Business Contact Data Information about employees’ business roles (e.g., name, position, business address, work contact details), considered personal data if containing identifiable elements, requiring consent for commercial use.
Statistical Data Processed data used exclusively for statistical or informational purposes, not permitting identification of individuals.

Sensitive Data

Sensitive data encompasses information regarding an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership status, physical or mental health, sexual life, criminal offences, or related legal procedures. Under the General Data Protection Regulation (GDPR), explicit consent from EU data subjects is mandated for processing Sensitive Personal Data, representing a higher threshold than the general consent requirements. Processing such data in the EU without consent is permissible only if one of the following conditions applies:

Processing is necessary for fulfilling obligations under labor, social security, or social protection law or collective agreements;
It is required to protect the vital interests of a data subject who is physically or legally incapable of giving consent;
The information is processed by a non-profit organisation with political, philosophical, religious, or trade union objectives, provided processing concerns only members, former members, or regular contacts and is not disclosed to third parties without consent;
The data has been explicitly made public by the data subject (note: social media or other online postings do not qualify; consult OpCo AL or the EU DPO for guidance);
It is essential for the establishment, exercise, or defence of legal claims or when courts are acting within their judicial capacity;
Processing is required for reasons of substantial public interest based on Union or Member State law, where appropriate measures safeguard the rights and interests of data subjects;
It is necessary for preventive or occupational medicine, medical diagnosis, assessing employee working capacity, provision or management of health or social care systems, under relevant laws or by a health professional;
The processing serves public health interests, such as protection against cross-border health threats, or ensures high standards of healthcare and medical products or devices.
At our organisation, sensitive data is not routinely collected; however, should collection become necessary due to specific circumstances or legal mandates, associated procedures and documentation must include:
Explicit consent for collection and processing of personal data (typically provided via signed employment or dedicated contracts);
In all other scenarios, consent should be obtained through an explicit statement or question requiring active response, never via pre-selected options.

A Data Protection Impact Assessment must be considered prior to collecting or processing sensitive data (refer to the corresponding section in this document).

Our company is committed to the highest standards in the handling and storage of sensitive data, ensuring robust security protocols are applied at all times. Files containing personal data must be password-protected before any external transmission. Inclusion of personal data in email content should be limited strictly to non-sensitive information and minimised wherever feasible, in line with the principle of 'Data Minimization'.

All records—including performance evaluations, complaints, recruitment documents—should be reviewed carefully to identify any personal data, regardless of format or purpose, with an emphasis on minimisation, secure handling, and timely deletion.

Employee personal data is collected solely for statutory purposes, particularly the regulation of employment contracts. The standard contract form used by OBEN solicits only “business contact” information necessary for identification or communication with the CLIENT/BENEFICIARY.

OBEN acts as both data operator and processor, managing clients’ personal data in accordance with written instructions, including the purpose, duration, nature, type of data, categories of data subjects, and respective rights and obligations (art. 28 GDPR). For sensitive data, explicit consent from CLIENT/BENEFICIARIES is required, and such data is protected in strict accordance with legal requirements (arts. 28–29 GDPR).

Processing

Processing refers to any operation performed on personal data, whether automated or manual, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

Processing Minor's Data

The GDPR introduces enhanced protections for children’s personal data. Children under 16 cannot provide valid consent themselves; consent must be obtained from a person with “parental responsibility,” such as a parent or guardian, and this relationship must be verifiable.

Any reliance on legitimate interests when processing children’s data will be subject to close scrutiny by Data Protection Authorities and requires sign-off by the company’s Data Protection Officer. Reasonable steps must be taken to verify that parental consent is genuine.

Particular caution is warranted when children’s personal information is processed for marketing or profiling purposes. If age cannot be reliably determined, additional precautions should be considered to avoid inappropriate processing of children's data.

Prior to collecting children’s personal data, necessity must be assessed, and excluding children should be considered where possible.

Methods for verifying parental consent may include:

Asking questions children are unlikely to answer unaided to confirm age eligibility;
Employing verifiable parental consent mechanisms such as:
“Print-and-send” forms requiring signature and return by mail, fax, or electronically;
Separate parental confirmation via email after a delay;
Written confirmation from the parent.

Data Minimization

We must continuously assess our practices to limit personal data collection to only what is strictly necessary and retain such data only for durations justified by business needs or legal obligations. Data minimization principles must be integrated into the design and ongoing management of all projects, systems, applications, and file storage solutions throughout the data lifecycle. Clients should be discouraged from sending unnecessary personal data.

Anonymization And Pseudonymization

Wherever possible, data should be stored in an anonymized or aggregated manner, which removes it from the scope of personal data under the GDPR. If complete anonymization is not feasible, appropriate pseudonymization techniques should be applied to minimize re-identification risks, thereby enhancing security against breaches, loss, or theft.

Legal Grounds For Data Processing

The primary lawful bases for data processing are contractual necessity, consent, legitimate interest, or legal requirement. Of these, “legitimate interest” and “consent” require particular attention.

When relying on “legitimate interest,” a documented assessment must demonstrate proper consideration of data subjects’ rights and freedoms.

Examples of legitimate interest include:

Internal administrative transfers of personal data within a corporate group (subject to international transfer rules);
Processing for information security, including prevention of unauthorized access and mitigation of damage to IT systems.

In every case, data subjects’ fundamental rights and expectations must be weighed against those of the company. If the data subject would not reasonably expect further processing, their interests may take precedence. Public authorities cannot invoke “legitimate interest” when performing official functions.

The purpose for processing must be clear, legitimate, and properly substantiated. If alternative means exist to achieve the same objective, a Data Protection Impact Assessment should identify the least intrusive option. A balancing test between the rights of data subjects and the processor is required, considering reasonable expectations, impact, and available safeguards.

If processing is unnecessary for business operations, legitimate interests cannot be invoked, and explicit consent must be sought. Consent must be informed, affirmative (never implied or by default selection), recorded (preferably in writing or electronically), freely given, easily revocable, and regularly reviewed (ideally annually).

Personal data may additionally be processed to:

Ensure services meet client needs;
Deliver requested services;
Develop optimal client solutions;
Provide access to premium services.

Contractual exchanges may involve emails retained for future reference. Business contact details (such as email addresses and names) may be shared with third parties as appropriate, with client consent.

Other instances of personal data usage include billing, service delivery, and online payments. Disclosure of personal data without client consent is permitted only in the context of legal disputes and must comply with applicable legal requirements.

Right of The Data Subject

Right of Access: Data subjects are entitled to confirmation regarding the processing of their personal data, as well as access to all pertinent information concerning such processing.

Right to Rectification: Individuals have the right to request the correction of inaccurate or incomplete data.

Right to Erasure (“Right to be Forgotten”):

This right applies when data is no longer necessary for the purposes for which it was collected, if consent is withdrawn with no alternative legal basis for processing, if an objection to processing prevails over legitimate interests, or if data has been processed unlawfully.
Where personal data has been made public and erasure is required, reasonable, technologically appropriate measures will be taken to inform other controllers regarding the request for removal of related links, copies, or reproductions.

Right to Data Portability: Data subjects may receive their data in a structured, machine-readable format and have the right to transmit that data to another controller, or to request direct transmission when technically feasible.

Right to Object to Direct Marketing and Profiling: Data subjects must be informed of this right at first contact, presented clearly and distinctly from other information.

Right Not to Be Subject to Automated Decisions Producing Legal Effects: The data subject is entitled to human intervention, to express their viewpoint, and to contest any decision made solely on automated processing. Exceptions apply where necessary for contract conclusion or execution, or with explicit consent.

All information pertaining to these rights must be provided promptly, within one month at the latest, free of charge, concise, transparent, intelligible, easily accessible, and in clear language.

OBEN may disclose personal data to third parties when required by law, or in good faith to (a) comply with legal obligations; (b) protect and defend OBEN’s property rights; or (c) respond to emergencies affecting the safety of employees, product/service users, or the public.

Only data strictly necessary for fulfilling the request will be disclosed upon request or permission.

OBEN does not sell, trade, or rent personal data to third parties.

Record of Processing

Under the General Data Protection Regulation (GDPR), all organizations must maintain up-to-date records of data processing activities, including those conducted by Human Resources and Finance departments.

The Personal Data Inventory Process ensures that any further dissemination of personal data, such as inter-company sharing, remains GDPR-compliant and supports obligations regarding data subject rights, including access requests, erasure procedures, and data breach management. The company maintains this record using its inventory register database.

Data Protection Impact Assement

GDPR mandates that organizations assess whether any processing activity presents a high risk to data subject rights, particularly when implementing or updating technologies or methodologies for large-scale personal data processing.

A Data Protection Impact Assessment (DPIA) aids organizations in identifying and minimizing data protection risks associated with new projects or policies. A standardized model is available at the company level.

Accordingly, before collecting new categories of personal data, initiating new projects, modifying project structures, or updating technology or software, a DPIA is conducted to guide the approach and confirm any requisite authorizations. All processing will adhere to principles of transparency, legality, minimization, accuracy, storage limitation, and integrity.

Security Incidents

GDPR requires prompt notification (within 72 hours of awareness) of personal data security breaches to relevant data protection authorities. In cases of high risk, affected individuals must also be notified. All incidents, regardless of notification status, must be documented in a register.

Any individual who suspects or is certain that a personal data security incident has occurred is obligated to follow the Data Security Incident Notification Procedure.

International Transfers

Transfers of EU personal data to recipients outside the European Economic Area (EEA) remain heavily regulated. Under GDPR, “transfers” include instances where personal data is accessed from outside the EEA.

All international transfers must utilize legally approved methods, such as contracts incorporating EU-approved standard clauses, ensuring compliance.

Storage and Erasure

Personal data shall only be retained for as long as necessary for the original purpose of collection. Once data is no longer required, it should be deleted unless retained for duly documented reasons.

Backups will be preserved only as needed to meet legal requirements and will be designed for accessibility and periodic review. Efforts will be made to remove personal data from backups where possible.

Definitive deletion methods will be applied to electronic files, while paper documents will be securely shredded. Destruction of original documents will occur in the presence of an appointed committee or administrator, with minutes recorded accordingly.

Privacy

Terms

Category	Details	Collected
A. Identifiers	Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name	NO
B. Protected classification characteristics under state or federal law	Gender and date of birth	NO
C. Commercial information	Transaction information, purchase history, financial details, and payment information	NO
D. Biometric information	Fingerprints and voiceprints	NO
E. Internet or other similar network activity	Browsing history, search history, online behaviour, interest data, and interactions with our and other websites, applications, systems, and advertisements	NO
F. Geolocation data	Device location	NO
G. Audio, electronic, visual, thermal, olfactory, or similar information	Images and audio, video or call recordings created in connection with our business activities	NO
H. Professional or employment-related information	Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us	YES
I. Education Information	Student records and directory information	NO
J. Inferences drawn from collected personal information	Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics	NO
K. Sensitive personal Information	N/A	NO