PRIVACY POLICY

This website (the “Site”) is operated by CIT ONE S.A. (“CIT ONE”). In this Policy, CIT ONE may also be referred to as “we,” “us,” or “our.”

1. Scope of this Privacy Policy

The purpose of this Privacy Policy is to inform you about:

1. the processing activities involving your personal data, including in your capacity as a visitor of the website;
2. the security of personal data and the confidentiality of data processing activities.

Our Privacy Policy may be amended from time to time and CIT ONE will publish an updated version of the policy on this page. By regularly consulting this website, you can ensure that you remain informed about the processing activities carried out by CIT ONE.

The CIT ONE website may contain links to other websites operated by entities/legal persons not affiliated with CIT ONE, for which CIT ONE assumes no responsibility. We may also provide links to websites operated by CIT ONE affiliated companies, which are subject to separate privacy policies. If you access such websites through our Site, you should consult their respective privacy policies in order to understand how your information is collected, used, and disclosed.

Below, you will find details regarding the purposes and legal grounds on which we process your personal data, depending on your capacity (please see Section 2 below). You will also find information about the categories of data processed, processing activities requiring your consent, categories of recipients and countries to which your data may be transferred, processing duration, use of cookies, applicable data security rules, as well as the rights you are entitled to. The latter sections are applicable to all data processing activities, regardless of your capacity.

2. How We Process Your Data Depending on Your Capacity and for What Purposes

CIT ONE processes the personal data that you provide directly, as well as data generated on the basis thereof, such as: internal identification codes, information resulting from non-compliances reported by any person, information received from public authorities, data relating to criminal offenses and/or convictions, images, geolocation data of our vehicles, and identification data of client personnel.

Refusal to provide personal data may result in the impossibility of CIT ONE delivering its services and/or fulfilling other processing purposes.

Where, for certain processing purposes, the law requires CIT ONE to obtain your consent, CIT ONE shall request such consent through various means — for example, by asking you to sign an information notice made available by CIT ONE when visiting our headquarters or one of our work points. Such consent may be withdrawn at any time and CIT ONE will duly take into account your preferences.

Depending on Your Capacity, CIT ONE processes your data for different purposes and on different legal grounds, as follows:

1. If you are a visitor of the website www.cit-one.ro, please find below information regarding the use of cookies.
   

   The website www.cit-one.ro is owned by CIT One S.A.

   The website www.cit-one.ro uses cookies.

   For detailed information on the use of cookies, including the categories of cookies used, their purposes, and how you can express or withdraw your consent, please refer to our Cookie Policy .

   In the information presented on this page, you will find details regarding what cookies are, the purposes for which they are used, and the implications for the user/visitor when accepting cookies from the website www.cit-one.ro. Should you require further information beyond what is presented below, you may contact us at data.protection@citone.ro. You may also contact CIT One’s Data Protection Officer at dpo@citone.ro.

   Cookies are small files, usually consisting of text and numbers, which, when a website is accessed, are stored by the browser used on the computer, phone, tablet, or any other device through which the website is accessed. At each subsequent visit, the browser sends this file back to the website’s server, thereby allowing the identification of a returning visitor.

   The cookies used on this website include both first-party and third-party cookies, which enable us to understand the needs and requirements of users in order to facilitate access to the desired information and to ensure optimal use of the services offered by www.cit-one.ro.

   Depending on their duration, cookies may be session cookies or persistent cookies. Session cookies are stored temporarily, only for the duration of the session during which the visitor accesses the website. Once the session or browser is closed, the session cookie expires.

   Persistent cookies are stored on the user’s device and are not deleted when the browsing session is closed. The website www.cit-one.ro uses both session cookies and permanent cookies. The data collected through cookies are transferred to the following categories of recipients: processors acting on behalf of CIT ONE as the data controller. We do not transfer data collected through cookies outside the EU.

   Browsers used to access the internet have built-in settings that allow users to manage their level of security regarding information, including the ability to accept cookies. To configure cookie acceptance levels, in most cases it is necessary to access the “Options” section of the browser and the “Settings” category. Disabling cookie acceptance may result in the inability to access some of the most important websites. Therefore, it is important that you accept cookies only from websites you trust. At any time, you may delete cookies by using the “Privacy” option within the “Settings” category.

   Options to prevent online activity tracking are available today in various forms; one of the most widely used is the “Do Not Track” mechanism, implemented by most internet browsers and search engines. The purpose of the “Do Not Track” mechanism is to provide users with the ability to express their personal preferences regarding the monitoring of online activities and to communicate these preferences to each server or web application with which they interact, allowing each service either to adjust its practices accordingly or to reach a separate agreement with the user. It should be noted that not all “Do Not Track” functionalities block cookies.

   Although cookies are stored in the memory of the user’s computer/device, they cannot access or read other information stored on that computer/device. Cookies are not viruses. They are only small text files; they are not compiled as code and cannot be executed. Therefore, they cannot self-replicate, spread to other networks to initiate actions, or be used to spread viruses.

   Cookies cannot search for information on the user’s computer/device; however, they do store personal information. Such information is not generated by cookies themselves but by the user when completing online forms, registering on certain websites, using electronic payment systems, etc.

   The use of cookies and the obligations of providers are regulated under both European Union and national legislation.

   Key documents regulating the use of cookies at the European level include Directive 2002/58/EC (PDF) and Directive 2009/136/EC (PDF) . At the national level, the use of cookies is regulated by Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented.

   Further information may be consulted in the following documents and public information sources:

   • UK Information Commissioner’s Office – Guidance on the rule of use of cookies and similar technologies, May 2012
   • Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector (PDF)
   • Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No. 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (PDF)
   • Law No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented
   • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)
   • Notice No. 4/2012 of the Article 29 Working Party on Cookie Consent Exemption, June 2012 (PDF)
   • World Wide Web Consortium, Tracking Preferences Expression (DNT), W3C Working Draft, 2 October 2012
   • Secure Cookies
   • Wikipedia – HTTP Cookie
2. If you fall within the category of employees (including candidate, temporary employee, potential employee, family member of an employee, etc.), CIT ONE will process your personal data for some of the following purposes/legal grounds:
   
   1. For the purpose of fulfilling legal obligations, including:
      • ensuring the security of cash-in-transit and cash processing activities, by monitoring/securing access to CIT ONE premises, verifying the identity of client personnel handling valuables, and securing the CIT ONE vehicle fleet (video surveillance of processing centers, monitoring access to processing centers through access cards, video surveillance and GPS tracking of CIT ONE vehicles used for the transport of cash and other valuables), including taking any necessary preventive and corrective measures, including disciplinary sanctions, for any behavior likely to generate risks concerning the security of CIT ONE premises or cash-in-transit operations;
      • complying with labor law obligations regarding human resources administration and occupational health and safety management (e.g., personnel file management, workplace safety and health);
      • carrying out formalities regarding the authorization of the Company/employees for the use of lethal weapons, as well as ensuring the legal conditions for carrying out such activity (including testing the blood alcohol concentration of personnel carrying weapons prior to their handover);
      • drafting responses to requests received from authorities and managing the relationship with public authorities (including reporting to them) or with other persons providing public services (bailiffs, notaries, etc.);
      • completing formalities with the Trade Register;
      • conducting accounting and financial activities;
      • managing data quality and security;
      • complying with legal requirements regarding know-your-customer (KYC) obligations;
      • administrative and financial management and fulfilling tax/accounting obligations;
      • storing/holding (prior to archiving) and archiving contractual documentation (including ensuring operations related to such activities) and/or other documents containing personal data, in accordance with legal provisions;
      • audit and internal control;
      • implementing necessary technical measures to ensure the security of personal data (including by creating backup copies).
   2. For the purpose of concluding and executing contracts, including:
      • entering into and performing employment contracts (training, remuneration, bonuses, performance evaluation, etc.);
      • general human resources purposes, as arising from the rights and obligations under the contracts underlying the employment relationship or the performance of activities within CIT ONE;
      • concluding and managing contractual relationships with CIT ONE suppliers/clients, handling client complaints and related invoicing activities, verifying the status of certain consignments containing meal vouchers, providing operational support, managing operational incidents;
      • recruitment;
      • training;
      • remuneration;
      • bonuses;
      • performance evaluation; monitoring objectives, self-assessment of performance, feedback to and from other CIT ONE employees;
      • verifying compliance with internal policies and regulations;
      • facilitating access to medical and insurance services through service providers;
      • fleet management;
      • managing client relationships;
      • correspondence management;
      • archiving;
      • conducting procurement processes;
      • administering and paying for telecommunications services;
      • managing transport activities;
      • providing employee transportation;
      • managing litigation;
      • drafting responses to authorities (regarding employees tasked with maintaining relations with such authorities);
      • completing formalities with the Trade Register;
      • providing legal services.
   3. For the purpose of fulfilling CIT ONE’s legitimate interests in the context of its business activities, including:
      • carrying out merger and/or acquisition projects or similar transactions involving CIT ONE;
      • monitoring the vehicle fleet (for vehicles not used in cash-in-transit operations);
      • managing transport activities;
      • ensuring the security of CIT ONE headquarters, through video surveillance of access points, in accordance with the physical security risk assessment, and by securing access to the premises;
      • ensuring the security of the services provided by CIT ONE, including by testing the blood alcohol concentration of individuals working in CIT ONE processing centers (other than those equipped with firearms) and by conducting psychophysiological examinations of employees using polygraph techniques;
      • managing conflicts of interest that may arise from extra-professional activities or family relationships;
      • conducting pre-employment and post-employment screening activities (analyzing the reputation and integrity of internal candidates in the promotion process and of external candidates in the recruitment process, to ensure compliance with applicable prudential rules);
      • collecting and centrally storing information necessary and relevant for identifying, through monitoring of technical equipment, the number of pages printed, scanned, and copied by CIT ONE employees, with the purpose of reducing paper consumption (purchased, printed, archived) and optimizing the documents generated within internal processes;
      • resolving technical and/or administrative incidents through internal applications, including the possibility of using employees’ personal devices (e.g., for resetting WAN passwords via SMS);
      • permanently ensuring the technical and organizational conditions for carrying out activities and monitoring workplace discipline, including by implementing reporting channels for irregularities and/or non-compliance signaled by any person in connection with the services provided (whistleblowing), as well as by monitoring IT and telecommunications resources and equipment made available to employees, and ensuring the security of IT systems (including by creating backup copies);
      • improving CIT ONE’s services by enhancing workflows, policies, and internal procedures; recruitment and human resources purposes in relation to CIT ONE candidates and employees;
      • granting benefits to CIT ONE employees and their family members, as applicable;
      • ensuring the security of intervention, maintenance, replenishment, and ATM emptying services provided by CIT ONE;
      • storing/holding (prior to archiving) and archiving contractual documentation (including ensuring operations related to such activities) and/or other documents containing personal data.
   4. With the employee’s consent:
      • image and voice (video and photographs – image; recording of the automatic message from the CIT ONE Dispatch Call Center); for the use of image and voice in the aforementioned context, a separate agreement with employees is mandatory in order to obtain their consent, where applicable.
3. If you are a private individual involved in a relationship with CIT ONE (beneficial owners, client representatives, representatives of clients’ contractual partners, administrators, associates/shareholders, users, delegates, contact persons, sole traders, etc.), CIT ONE will process your personal data for the following purposes and legal grounds (as detailed in the sections below):
   
   1. For the purpose of fulfilling legal obligations, including:
      • managing data quality and security;
      • complying with legal requirements regarding customer due diligence, prevention of money laundering and combating the financing of terrorism, managing conflicts of interest, and handling audits/inspections from authorities in connection with client relations;
      • fulfilling all CIT ONE obligations related to prudential banking supervision and reporting to supervisory authorities;
      • ensuring the security of transports carried out by CIT ONE, including through video surveillance and GPS monitoring of CIT ONE fleet vehicles and by verifying the identity of client personnel handling valuables;
      • ensuring the security of CIT ONE premises;
      • administrative and financial management, and fulfilling tax/accounting obligations;
      • storing/holding (prior to archiving) and archiving contractual documentation (including ensuring operations related to such activities) and/or other documents containing personal data, in accordance with legal provisions;
      • audit and internal control;
      • managing cash-in-transit and cash processing activities;
      • managing relations with public authorities or other persons providing public services (bailiffs, notaries, etc.);
      • implementing technical measures to ensure the security of personal data (including creating backup copies).
   2. For the purpose of concluding and executing contracts, including:
      • conducting any legal relationships arising from contracts concluded between CIT ONE and you, or the company you represent;
      • ensuring the proper execution of transactions, for the purpose of developing/optimizing the services provided by CIT ONE;
      • debt collection/recovery of receivables (including preliminary activities, such as due diligence);
      • adequate monitoring of all obligations undertaken by CIT ONE’s contractual partners (natural persons) and/or by clients.
   3. For the purpose of fulfilling CIT ONE’s legitimate interests in the context of its business activities, including:
      • implementing an internal reporting line for non-compliance incidents reported by any persons in connection with the services provided;
      • improving the services provided by CIT ONE by optimizing workflows, policies, and internal procedures;
      • testing and using existing IT systems or new IT services;
      • managing complaints received from you regarding CIT ONE’s services;
      • carrying out merger and/or acquisition projects in which CIT ONE is involved;
      • establishing, exercising, or defending CIT ONE’s legal rights in court, as well as gathering evidence for this purpose;
      • designing, developing, testing, and using existing or new IT systems and services (including database storage);
      • ensuring the security of intervention, maintenance, replenishment, and ATM emptying services provided by CIT ONE.
4. If you are a contractual partner of CIT ONE (including representative of a partner, appraiser, agent, service provider, tenant, owner and/or representative of the owners of properties leased or purchased by CIT ONE, insurance agents, brokers, intermediaries, etc.), we will process your personal data for some of the following purposes:
   
   1. Data regarding actions taken on the platform (order creation, approval, modifications, timestamp) are automatically recorded for traceability, contractual audit, and operational security purposes.
   2. For the purpose of fulfilling legal obligations, including:
      • managing data security;
      • complying with legal requirements regarding customer due diligence, prevention of money laundering and combating the financing of terrorism, managing conflicts of interest, and handling inspections by authorities in connection with client relations;
      • fulfilling all CIT ONE obligations related to prudential banking supervision and reporting to supervisory authorities;
      • ensuring the security of transports carried out by CIT ONE, including by video surveillance and GPS monitoring of CIT ONE fleet vehicles and by verifying the identity of client personnel handling valuables;
      • ensuring the security of CIT ONE premises;
      • administrative and financial management, and fulfilling tax/accounting obligations;
      • storing/holding (prior to archiving) and archiving contractual documentation (including ensuring operations related to such activities) and/or other documents containing personal data, in accordance with legal provisions;
      • audit and internal control;
      • managing cash-in-transit activities;
      • managing relations with public authorities or with other persons providing public services (bailiffs, notaries, etc.);
      • implementing technical measures to ensure the security of personal data (including by creating backup copies).
   3. For the purpose of concluding and executing contracts, including:
      • conducting any legal relationships arising from contracts concluded between CIT ONE and you or the company you represent;
      • ensuring the proper execution of transactions, in order to develop/optimize the services offered by CIT ONE;
      • debt collection/recovery of receivables (including preliminary activities such as due diligence);
      • entering into and/or executing contracts with CIT ONE subcontractors;
      • adequate monitoring of all obligations undertaken by CIT ONE’s contractual partners (natural persons) and/or clients.
   4. For the purpose of fulfilling CIT ONE’s legitimate interests in the context of its business activities, including:
      • implementing an internal reporting line for non-compliance incidents reported by any persons in connection with the financial-banking services provided;
      • improving CIT ONE’s services by enhancing workflows, policies, and internal procedures;
      • testing and using existing IT systems or new IT services;
      • managing complaints received from you regarding CIT ONE’s services;
      • carrying out merger and/or acquisition projects in which CIT ONE is involved;
      • establishing, exercising, or defending CIT ONE’s legal rights in court, as well as gathering evidence for this purpose;
      • designing, developing, testing, and using existing or new IT systems and services (including database storage).

   When using the online ordering platform (customer dashboard), CIT One processes your account data (name, email, role, IP, login details, platform activity) for the purpose of registering and processing orders, operational traceability, internal order approval, sending notifications related to order status, as well as for internal audit and contractual reporting purposes. The legal basis for this processing is the performance of the contract, namely CIT ONE's legitimate interest in providing a secure and efficient service to its customers.

5. If you are a third party with no direct relationship with CIT ONE, CIT ONE may process your personal data for some of the following purposes:
   1. For the purpose of fulfilling legal obligations, including:
      • ensuring the security of transports carried out by CIT ONE, including through video monitoring — your image may be processed if you enter the field of view of cameras installed on CIT ONE armored vehicles;
      • ensuring the security of CIT ONE premises — your image may be processed if you visit one of CIT ONE’s offices/branches;
      • managing relations with public authorities or with other persons providing a public service (bailiffs, notaries, etc.) — insofar as CIT ONE receives certain documents and/or requests from such entities, CIT ONE may receive your identification data and other information, as applicable (for example, data on garnished accounts and the amount of outstanding debts, in the event of receiving garnishment notices issued in your name).
   2. For the purpose of fulfilling CIT ONE’s legitimate interests in the context of its business activities, including:
      • ensuring the security of intervention, maintenance, replenishment, and ATM emptying services provided by CIT ONE.

3. Recipients of Personal Data

For the achievement of the processing purposes, CIT ONE may disclose certain categories of personal data to the following categories of recipients: the data subject and/or their legal representatives, judicial authorities or other public authorities of any kind, providers of goods and services, as well as other contractual partners and/or processors acting on behalf of CIT ONE.

4. Transfer of Personal Data

At present, for the purposes mentioned above, it is possible for CIT ONE to transfer certain categories of personal data outside Romania, to states within the EU/EEA (Austria).

In the course of its activities, the transfer states mentioned above may change. You may obtain an updated list of the countries to which personal data are transferred by sending a request to data.protection@citone.ro.

5. Duration of Processing

For the achievement of the processing purposes set out herein, CIT ONE will process personal data for the duration necessary to perform the specific services, as well as thereafter in order to comply with applicable legal obligations, including, without limitation, legal archiving requirements. Upon expiry of the applicable archiving terms, CIT ONE may anonymize the data, thereby depersonalizing it, and continue to process the anonymized data for statistical purposes.

6. Data Security

CIT ONE places particular importance on your personal data and undertakes to ensure their security throughout processing activities. To this end, CIT ONE implements appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the types of data processed and the processing operations performed.

7. Data Subject Rights

Under the conditions laid down by personal data protection legislation, as data subjects you benefit from the following rights:

• the right to be informed, i.e., the right to receive details regarding the processing activities carried out by CIT ONE, as described in this document;
• the right of access, i.e., the right to obtain confirmation from CIT ONE as to whether your personal data are being processed, as well as details regarding the processing activities;
• the right to rectification, i.e., the right to obtain from CIT ONE the rectification of inaccurate data and the completion of incomplete data;
• the right to erasure (“right to be forgotten”), to the extent that the legal conditions are met — however, following a deletion request, CIT ONE may anonymize such data (thus removing their personal character) and continue processing in these conditions for statistical purposes;
• the right to restriction of processing, to the extent that the legal conditions are met;
• the right to data portability, i.e., (i) the right to receive personal data in a structured, commonly used, and machine-readable format and (ii) the right to have such data transmitted by CIT ONE to another data controller, where the legal conditions are met;
• the right to object — with regard to processing carried out for direct marketing purposes, including profiling, the right to object may be exercised at any time by submitting a request as indicated below;
• the right to not be subject to a decision based solely on automated processing, including profiling;
• the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing or to seek a remedy before the competent courts, as you may deem necessary.

For further details regarding the processing activities carried out by CIT ONE, as well as regarding your rights in this context, please submit a request (in hard copy or electronically by e-mail) to data.protection@citone.ro.

You may also contact CIT One’s Data Protection Officer at any time at dpo@citone.ro (following their appointment at CIT ONE).

If you have suggestions regarding this Privacy Policy, we encourage you to send them to: data.protection@citone.ro.





N.I. 431/28.03.2024