GDPR
Our GDPR compliance and your rights regarding personal data protection.
Last updated: September 18, 2025
Effective from: May 25, 2018 (GDPR effective date)
1. What is GDPR?
The General Data Protection Regulation (GDPR) - EU Regulation 2016/679 - is a European law that establishes rules for the collection, storage, and processing of EU citizens' personal data. GDPR came into force on May 25, 2018, and applies to all organizations that process EU citizens' data, including non-profit organizations in Romania.
Taxi Gratis Association fully complies with GDPR provisions and is committed to protecting the personal data of all beneficiaries of our services.
2. Our Role in GDPR
2.1 Data Controller
Taxi Gratis Association acts as the data controller for personal data collected within our medical transport services. This means that:
- We decide what data we collect and how we use it
- We are responsible for complying with GDPR principles
- We implement technical and organizational protection measures
- We respond to the exercise of data subjects' rights
Our Contact Details as Data Controller:
- Name: Taxi Gratis Association
- Address: Bucharest, Romania
- Email: [email protected]
- Phone: 0769 551 385
- Data Protection Officer: Alex Bobes (President)
3. GDPR Principles We Follow
3.1 Lawfulness, Fairness and Transparency
We process data only on valid legal grounds (consent, legitimate interest, legal obligation) and clearly inform you about this.
3.2 Purpose Limitation
We collect data only for specific purposes related to free medical transport and do not use it for other incompatible purposes.
3.3 Data Minimisation
We collect only data strictly necessary for providing services. We do not request information irrelevant to transport.
3.4 Accuracy
We encourage you to inform us of any changes to your personal data and we promptly correct inaccurate information.
3.5 Storage Limitation
We keep data only as long as necessary for the purposes for which it was collected, according to our retention policies.
3.6 Integrity and Confidentiality
We implement appropriate technical and organizational measures to protect data against unauthorized access, loss or destruction.
3.7 Accountability
We can demonstrate compliance with GDPR principles through our documentation, implemented policies and adopted protection measures.
4. Your GDPR Rights
As a data subject, GDPR grants you the following rights that you can exercise at any time:
Right to Information and Access
You have the right to:
- Be informed about data processing (through this page and our privacy policy)
- Obtain a copy of the personal data we process about you
- Find out what purposes the data is used for and who it is shared with
Response time: Maximum 30 days
Right to Rectification
You can request correction of inaccurate or incomplete personal data. For example, if your address or phone number has changed.
Response time: Maximum 30 days
Right to Erasure ("Right to be Forgotten")
You can request data deletion in the following situations:
- Data is no longer necessary for the original purposes
- You withdraw consent and there is no other legal basis
- Data has been processed unlawfully
- You no longer wish to use our services
Exceptions: We cannot delete data if we have legal retention obligations
Right to Restriction of Processing
You can request limitation of data processing in certain situations, for example when you contest the accuracy of the data or when processing is unlawful but you do not want deletion.
Right to Data Portability
You can obtain personal data in a structured, commonly used and machine-readable format (e.g., CSV, JSON) to transfer it to another service provider.
Right to Object
You can object to data processing based on legitimate interest. We will cease processing, except when we have compelling legitimate grounds.
Withdrawal of Consent
When processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
5. How to Exercise Your GDPR Rights
Contact Methods:
- Email: [email protected] (with subject "GDPR Request")
- Phone: 0769 551 385
- Letter: Taxi Gratis Association, Bucharest, Romania
Information Required for Request:
- Full name and surname
- Email address used for our services
- Phone number
- Type of right you wish to exercise
- Justification for the request (if applicable)
- Copy of identity document (for identity verification)
Processing Procedure:
- Receiving the request: We confirm receipt within a maximum of 3 working days
- Identity verification: For data protection, we verify the requester's identity
- Request evaluation: We analyze whether the request is justified and legal
- Implementation: We execute the requested action
- Response: We inform you about the result within a maximum of 30 days
6. GDPR Security Measures
6.1 Technical Measures
- Data encryption: Sensitive data is encrypted in storage and transmission
- Secure backup: Backups are protected with passwords and encryption
- Controlled access: Password authentication systems and role-based access
- Software updates: We keep systems updated with security patches
- Monitoring: We track data access and detect suspicious activities
6.2 Organizational Measures
- Staff training: Volunteers are trained on data protection
- Privacy policies: We have clear procedures for data handling
- Need-to-know principle: Data access based on role and necessity
- Incident procedures: Action plan for security breaches
- Internal audit: Periodic checks of GDPR compliance
7. Security Breaches (Data Breaches)
7.1 Our Obligations
In case of a personal data security breach, we commit to:
- Notify ANSPDCP within a maximum of 72 hours of becoming aware of the incident
- Inform you directly if the breach presents a high risk to your rights and freedoms
- Document the incident and measures taken
- Implement corrective measures to prevent similar incidents
7.2 Information Communicated
In case of an incident, we will inform you about:
- Nature of the breach and types of data affected
- Measures taken to limit the effects
- Recommended measures for your protection
- Contact person for additional information
8. International Data Transfers
Taxi Gratis Association does not transfer personal data outside the European Economic Area (EEA). All data is stored and processed exclusively in Romania, on servers that comply with European data protection legislation.
In the extremely rare case where data transmission would be necessary (for example, for emergency technical assistance), we will only use providers that offer adequate protection guarantees through:
- European Commission adequacy decisions
- EU-approved standard contractual clauses
- Your explicit consent
9. Right to Lodge a Complaint
Supervisory Authority
If you believe we do not comply with GDPR provisions or you are not satisfied with our response to the exercise of your rights, you have the right to file a complaint with:
National Authority for the Supervision of Personal Data Processing (ANSPDCP)
- Address: General Gheorghe Magheru Boulevard no. 28-30, Sector 1, Bucharest
- Phone: +40.318.059.211
- Email: [email protected]
- Website: www.dataprotection.ro
Note: Filing a complaint with ANSPDCP does not affect your right to seek judicial remedies.
10. Contact for GDPR Questions
For any questions about this GDPR information, about your rights or about how we process personal data, you can contact us:
- GDPR Email: [email protected]
- Phone: 0769 551 385
- Address: Bucharest, Romania
- Data Protection Officer: Alex Bobes (President)
- Schedule: Monday - Friday, 9:00 AM - 6:00 PM
Response time: We commit to respond to all GDPR questions within a maximum of 10 working days.