
Privacy Policy

The protection of your personal data is very important for Yellow Tree Group. Yellow Tree is a company group legally domiciled at 61 Irish Town, GX11 1AA, Gibraltar (hereinafter "the Operator"). We want you to be properly informed about the ways in which, and the purposes for which, the Operator processes your personal data.

1. Purpose

The purpose of the Personal Data Protection Policy (or GDPR Policy) is to outline the principles of personal data processing of the Operator and to establish appropriate technical and organizational measures and the responsibilities of the Operator’s employees (also referred to as "the Operator") that are tasked with the processing of personal data, and/or, as the case may be, of the persons empowered by the Operator to fulfil the obligations regarding the guarantee and protection of the fundamental rights and freedoms of natural persons, in particular the right to protection of their personal data during processing.

2. The principles of personal data processing

  1. Personal data is processed by the Operator in good faith, fairly, in a transparent manner in relation to the data subject and in accordance with the legal provisions in force.

  2. Personal data is collected by the Operator for well-defined, explicit and legitimate purposes, and further processing will not be incompatible with these purposes.

  3. Personal data is appropriate, relevant and non-excessive in relation to the purpose for which it is collected and subsequently processed.

  4. Personal data is not to be stored by the Operator for a longer period than is necessary to achieve the purposes for which it was collected.

  5. The Operator has taken appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of illegal processing, as well as the erasure or rectification of inaccurate or incomplete data with regard to the purpose for which they are collected and for which they will be further processed.

3. Types of data and the purpose of using personal data

  1. The personal data referred to in this policy includes identification information such as first and last name, surname and forename of legal representatives, gender, date and place of birth, age, nationality, telephone / fax, home address / residence, e-mail address, personal identification number, identity card / passport serial number, job, profession, training - diplomas - studies, banking data and/or data that can serve to identify a natural person.

  2. The Operator will collect, use, process and provide personal data on a lawful basis for purposes such as contracting professional services, business purposes, marketing, advertising, statistics, organizing events (including but not limited to delegations, conferences and fairs), for educational purposes, for organizing training programs, issuing any financial accounting documents, concluding contracts or any other necessary documents in the activity of the Operator.

  3. Personal data is intended for use by the Operator and is collected by designated persons.

  4. Some of this data may be transferred to the contractual partners of the Operator.

  5. The collection and processing of personal data of underage persons by the Operator will be performed only with the explicit consent of the parents or other legal representatives.

4. General Rules

  1. The GDPR Policy sets out the technical and organizational measures implemented by the Operator to meet the obligations regarding confidentiality and security of the processing carried out in the course of its business. 

  2. Minimum security requirements are considered a complex of technical, informational, organizational and logistical measures and procedures that ensure a minimum level of processing security, according to all national and European legal frameworks on the matter.

  3. The Operator has adopted appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, unauthorized access or any other form of illegal processing. In this respect, a person responsible for complying with the provisions of Romanian Law no. 190/2018, the provisions of GDPR 679/2016 and with the provisions of other relevant regulations is designated on behalf of the Operator – DPO – Data Protection Officer.

  4. To meet the legal provisions and requirements on safety of information, the Operator has developed and implemented organizational and technical measures focused on certain courses of action:

  • User identification and authentication; 

  • Type of access; 

  • Data collection; 

  • Backup execution; 

  • Computers and access terminals; 

  • Access files; 

  • Staff training; 

  • Telecommunication systems; 

  • Computer usage; 

  • Data printing.

5. Specific procedures

User identification and authentication

  1. By user it is meant any person acting under the authority of the Operator or a person authorized by the Operator, with a recognized right to access personal data.

  2. To gain access to personal data, users need to identify themselves.

  3. In the case of automated processing, the identification is done by authentication in the IT systems of the Operator. Authentication is done by entering unique login data, consisting of a username and a password. 

  4. Passwords are security strings that are appropriate in terms of length, composition and operational behaviour, in accordance with DIHK in-force security procedures. 

  5. Any user that receives access to the personal information database is informed that he / she must maintain the confidentiality of the authentication data and hold accountability to the Operator in this regard.  

  6. User access to manually managed personal information databases is granted strictly based on a list approved by the Operator's management.

Type of access:

  1. Users can only access the personal data required to fulfil the tasks assigned by the Operator. 

  2. Developers of personal data processing systems have access to personal data under a strict privacy agreement signed with the Operator, exclusively where required, each transaction being documented.

  3. The technical support department may have access to personal data in order to resolve incidents and problems encountered in the use of IT systems. 

  4. Computers and servers containing databases with personal information are located in controlled access rooms. Documents containing personal data of the type considered as special categories of data are kept in restricted access rooms.

  5. The Operator has established strict ways to destroy personal data.

Data collection 

  1. The Operator designates authorized users for the collection, input and processing of personal data in a computer system or in a manual system. 

  2. Any changes to personal data may only be made by authorized users designated by the Operator.

  3. The Operator has taken steps to ensure that the information system records who has made the change, the date and time of the change. For better management, the Operator has implemented measures so that the information system maintains deleted or modified data.

Backup execution

  1. The computer system automatically performs a back-up of the databases on a daily basis to allow data recovery in case of loss, destruction or malfunction.

  2. The Operator sets the timeframe for the backups of personal information databases as well as the programs used for automated processing. The users executing these backups are designated by the Operator in a limited number. Backups are stored in locations with restricted access, situated in a different room from where the backup is made.

Computers and access terminals

  1. Computers and other access terminals are installed in lockable, restricted access rooms. If the computers are on without any input for a certain period of time, set by the Operator, the session closes automatically. 

  2. Users are trained so that personal information databases are closed when unauthorized persons are nearby. 

  3. Servers hosting databases can only be accessed in a controlled manner based on access rights.

Access files

  1. The Operator takes steps to ensure that any access to the personal information database is recorded in an access file (called a log, for automated processing) or in a register in case of manual personal data processing, that is set by the Operator.  

  2. For automated processing, this information will be stored in a general access file or in separate files for each user. 

  3. The Operator is required to keep access files for at least 2 years in order to be used as evidence for investigations. If the investigations are prolonged, these files will be kept until investigations and any actions related to them are completed.  

  4. Access logs must provide information to identify persons who have accessed personal data and the respective performed operations.

Telecommunication systems

  1. The Operator, through authorized users, periodically checks authentication and access types to detect malfunctions in the use of telecommunication systems. Only personal data strictly necessary will be transmitted through the telecommunication systems.

Staff training

  1. Users who have access to personal information databases are trained on the national and European legal provisions, on the provisions of the IT security policy of the Operator, as well as on the importance of maintaining their confidentiality and the risks involved in the processing of personal data.

  2. Users who have access to personal data will be notified by messages that will appear on monitors. Users are forced to close their work session when they leave the workplace.

Computer use: to maintain security of the processing of personal data (especially against computer viruses), the following measures are mandatory:

  1. Use of software from unsafe sources has been forbidden;

  2. Users do not have administrative privileges on computers; 

  3. Only licensed software is being used; 

  4. Computers are protected through antivirus software; 

  5. The user's activity may be monitored in limited cases, when justified by a legitimate interest of the Operator according to the provision of this policy.

Data Printing

  1. Personal data shall only be printed by the designated users and only for the purposes specified in these Rules.

  2. User access to printers is restricted.

The rights of persons whose personal data are being collected and/or processed

  1. The right to information: any individual has the right to be provided by the Operator with at least the following information:

  • The identity of the Operator and its representative; 

  • The purpose of personal data being processed; 

  • Additional information, such as: recipients or categories of data recipients; whether the provision of all required data is mandatory and the consequences of the refusal to provide them; 

  • Any other information of which disclosure is required by authorities.

The right of access to data: the individuals have the right to obtain from the Operator, according to the law, upon request, confirmation as to whether or not personal data concerning him or her are being processed and to receive, free of charge a copy of the personal data undergoing processing and access to the following information:

  • the purposes of processing; 

  • the categories of personal data concerned; 

  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, including, in case of transfer to a third country or to an international organization, a description of the appropriate safeguards in place; 

  • the envisaged storage period or the criteria used to determine this period, where possible; 

  • the right to request from the Operator rectification, erasure, restriction of processing of personal data or to object to such processing; 

  • the right to lodge a complaint with the National Supervising Authority (ANSPDCP); 

  • any available information regarding the source of the personal data, if it was not collected directly from the data subject.

For any further copies requested by the data subject, the Operator may charge a fee to cover the administrative costs.

  1. The right to rectification: the individuals have the right to obtain from the Operator the rectification of inaccurate personal data concerning him or her.

  2. The right to erasure: the individuals have the right to obtain from the Operator the erasure of personal data concerning him or her in any of the following cases:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; 

  • the individual withdraws consent on which the processing is based and there is no other legal ground for the processing; 

  • the individual objects to the processing and there are no overriding legitimate grounds for the processing; 

  • the personal data have been unlawfully processed; 

  • the personal data have to be erased for compliance with a legal obligation in EU or Romanian law to which the Operator is subject.  

The right to restriction of processing: the individuals have the right to obtain from the Operator restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the individual, for a period enabling the Operator to verify the accuracy of the personal data; 

  • the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead; 

  • the Operator no longer needs the personal data for the purposes of the processing, but they are required by the individual for the establishment, exercise or defence of legal claims; 

  • the individual has objected to processing pending verification whether the legitimate grounds of the Operator override those of the data subject.  

When one of the cases of processing restriction is applicable, with the exception of storage, the personal data shall only be processed with the individual’s consent or for limited purposes listed by GDPR.    

  1. The right to data portability: the individuals have the right to receive the personal data concerning him or her, which he or she has provided to the Operator, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Operator in the following cases:

  • the processing is based on the consent given by the individual for one or more specific purposes or the processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract; and the processing is carried out by automated means.

Where technically feasible, at the request of the individual, the Operator shall transmit the personal data directly to another controller.

  1. The right to object: the individuals have the right to object at any time to the processing of personal data concerning them by the Operator which is necessary for the purposes of the legitimate interests pursued by the Operator. In this case, the Operator shall no longer process personal data unless the Operator demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.

  2. The right to object to processing for direct marketing purposes: the individuals have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the individual objects to processing, the Operator shall no longer process the personal data for such purposes.

  3. The right not to be subject to an individual decision: the individuals are entitled to request and obtain the withdrawal / annulment / re-evaluation of any decision having legal effect on them, adopted solely on the basis of a personal data processing carried out by automated means intended to produce legal effects concerning him or her or similarly significantly affects him or her (i.e. to evaluate some aspects of their personality, such as professional competence, credibility, behaviour or other such issues).

  4. The right to appeal to justice: the individuals have the right to appeal to the courts for the defence of any rights guaranteed by law.

  5. In order to exercise these rights, the individuals may address the Operator with a written, dated and signed request transmitted using the public contact details of the organization.

The Operator, through its designated users for data collection, ensures all data subjects are informed in writing about the processing of their personal data and all relevant information. 

At the time of collecting personal data from a data subject, the Operator will provide the data subject with the following information:

  1. The identity and contact details of the Operator and the Operator’s representative;

  2. The purposes of the processing, as well as the legal basis or legitimate interest pursued by the Operator for the processing;

  3. The recipients or categories of recipients of the personal data, as applicable;

  4. The intention to transfer the personal data to a third country or international organization, as applicable;

  5. The storage period or, if the period cannot be established, the criteria used to determine that period;

  6. The individual’s right to request from the Operator access to, rectification, erasure of personal data, restriction of processing concerning the individual, to object to processing, as well as the right to data portability; the right to object to processing shall be presented clearly and separately from any other information;

  7. The individual’s right to withdraw consent at any time, where the processing is done based on the individual’s consent; the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal;

  8. The right to lodge a complaint with ANSPDCP;

  9. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.

Whenever the personal data is not collected directly from the data subject, at the latest within 30 days from the collection or at the latest at the time of the first communication to the data subject or when the personal data are first disclosed to another recipient, the Operator will provide the data subject with the following information:

  1. The identity and contact details of the Operator and the Operator’s representative; 

  2. The purposes of the processing, as well as the legal basis or legitimate interest pursued by the Operator for the processing;

  3. The categories of personal data concerned;

  4. The recipients or categories of recipients of the personal data, as applicable;

  5. The intention to transfer the personal data to a third country or international organization, as applicable;

  6. The individual’s right to request from the Operator access to, rectification, erasure of personal data, restriction of processing concerning the individual, to object to processing, as well as the right to data portability; the right to object to processing shall be presented clearly and separately from any other information;

  7. The right to lodge a complaint with the National Supervising Authority (ANSPDCP);

  8. The source where the personal data originates and, if applicable, whether it came from publicly available sources.

The Operator will provide the data subject with the relevant information in writing, either in a printed form or by electronic means, using the notification templates annexed to the Privacy and Security Policy for the Processing of Personal Data of the Operator.

Whenever the Operator intends to further process the personal data for a purpose other than that for which the personal data were initially collected, the Operator shall provide the data subject prior to that further processing with information on that other purpose and any other relevant information and, if necessary, obtain the consent from the data subject.

Disclosure of personal data to third parties

  1. Collected data are disclosed to third parties only if the Operator is under a legal obligation to do so.

  2. In all other cases, any disclosure to third parties of personal data will be made only with the prior express consent of the owner of the respective personal data.

6. Contact

For questions or other queries please contact the Operator using the contact details provided on the Operator’s website.

7. Final provisions  

This document is supplemented by the whole set of security procedures for the processing of personal data approved by the Operator’s management, including the Operator’s Information Security Policy.
