General Data Protection Regulation

GDPR

Our GDPR compliance and your rights regarding personal data protection.

Last updated: September 18, 2025
Effective from: May 25, 2018 (GDPR effective date)

1. What is GDPR?

The General Data Protection Regulation (GDPR) - EU Regulation 2016/679 - is a European law that establishes rules for the collection, storage, and processing of EU citizens' personal data. GDPR came into force on May 25, 2018, and applies to all organizations that process EU citizens' data, including non-profit organizations in Romania.

Taxi Gratis Association fully complies with GDPR provisions and is committed to protecting the personal data of all beneficiaries of our services.

2. Our Role in GDPR

2.1 Data Controller

Taxi Gratis Association acts as the data controller for personal data collected within our medical transport services. This means that:

  • We decide what data we collect and how we use it
  • We are responsible for complying with GDPR principles
  • We implement technical and organizational protection measures
  • We respond to the exercise of data subjects' rights

Our Contact Details as Data Controller:

  • Name: Taxi Gratis Association
  • Address: Bucharest, Romania
  • Email: [email protected]
  • Phone: 0769 551 385
  • Data Protection Officer: Alex Bobes (President)

3. GDPR Principles We Follow

3.1 Lawfulness, Fairness and Transparency

We process data only on valid legal grounds (consent, legitimate interest, legal obligation) and clearly inform you about this.

3.2 Purpose Limitation

We collect data only for specific purposes related to free medical transport and do not use it for other incompatible purposes.

3.3 Data Minimisation

We collect only data strictly necessary for providing services. We do not request information irrelevant to transport.

3.4 Accuracy

We encourage you to inform us of any changes to your personal data and we promptly correct inaccurate information.

3.5 Storage Limitation

We keep data only as long as necessary for the purposes for which it was collected, according to our retention policies.

3.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to protect data against unauthorized access, loss or destruction.

3.7 Accountability

We can demonstrate compliance with GDPR principles through our documentation, implemented policies and adopted protection measures.

4. Your GDPR Rights

As a data subject, GDPR grants you the following rights that you can exercise at any time:

Right to Information and Access

You have the right to:

  • Be informed about data processing (through this page and our privacy policy)
  • Obtain a copy of the personal data we process about you
  • Find out what purposes the data is used for and who it is shared with

Response time: Maximum 30 days

Right to Rectification

You can request correction of inaccurate or incomplete personal data. For example, if your address or phone number has changed.

Response time: Maximum 30 days

Right to Erasure ("Right to be Forgotten")

You can request data deletion in the following situations:

  • Data is no longer necessary for the original purposes
  • You withdraw consent and there is no other legal basis
  • Data has been processed unlawfully
  • You no longer wish to use our services

Exceptions: We cannot delete data if we have legal retention obligations

Right to Restriction of Processing

You can request limitation of data processing in certain situations, for example when you contest the accuracy of the data or when processing is unlawful but you do not want deletion.

Right to Data Portability

You can obtain personal data in a structured, commonly used and machine-readable format (e.g., CSV, JSON) to transfer it to another service provider.

Right to Object

You can object to data processing based on legitimate interest. We will cease processing, except when we have compelling legitimate grounds.

Withdrawal of Consent

When processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

5. How to Exercise Your GDPR Rights

Contact Methods:

Information Required for Request:

  • Full name and surname
  • Email address used for our services
  • Phone number
  • Type of right you wish to exercise
  • Justification for the request (if applicable)
  • Copy of identity document (for identity verification)

Processing Procedure:

  1. Receiving the request: We confirm receipt within a maximum of 3 working days
  2. Identity verification: For data protection, we verify the requester's identity
  3. Request evaluation: We analyze whether the request is justified and legal
  4. Implementation: We execute the requested action
  5. Response: We inform you about the result within a maximum of 30 days

6. GDPR Security Measures

6.1 Technical Measures

  • Data encryption: Sensitive data is encrypted in storage and transmission
  • Secure backup: Backups are protected with passwords and encryption
  • Controlled access: Password authentication systems and role-based access
  • Software updates: We keep systems updated with security patches
  • Monitoring: We track data access and detect suspicious activities

6.2 Organizational Measures

  • Staff training: Volunteers are trained on data protection
  • Privacy policies: We have clear procedures for data handling
  • Need-to-know principle: Data access based on role and necessity
  • Incident procedures: Action plan for security breaches
  • Internal audit: Periodic checks of GDPR compliance

7. Security Breaches (Data Breaches)

7.1 Our Obligations

In case of a personal data security breach, we commit to:

  • Notify ANSPDCP within a maximum of 72 hours of becoming aware of the incident
  • Inform you directly if the breach presents a high risk to your rights and freedoms
  • Document the incident and measures taken
  • Implement corrective measures to prevent similar incidents

7.2 Information Communicated

In case of an incident, we will inform you about:

  • Nature of the breach and types of data affected
  • Measures taken to limit the effects
  • Recommended measures for your protection
  • Contact person for additional information

8. International Data Transfers

Taxi Gratis Association does not transfer personal data outside the European Economic Area (EEA). All data is stored and processed exclusively in Romania, on servers that comply with European data protection legislation.

In the extremely rare case where data transmission would be necessary (for example, for emergency technical assistance), we will only use providers that offer adequate protection guarantees through:

  • European Commission adequacy decisions
  • EU-approved standard contractual clauses
  • Your explicit consent

9. Right to Complaint

Supervisory Authority

If you believe we do not comply with GDPR provisions or you are not satisfied with our response to exercising your rights, you have the right to file a complaint with:

National Authority for the Supervision of Personal Data Processing (ANSPDCP)

Note: Filing a complaint with ANSPDCP does not affect your right to seek a judicial remedy.

10. Contact for GDPR Questions

For any questions about this GDPR information, about your rights or about how we process personal data, you can contact us:

  • GDPR Email: [email protected]
  • Phone: 0769 551 385
  • Address: Bucharest, Romania
  • Data Protection Officer: Alex Bobes (President)
  • Schedule: Monday - Friday, 9:00 AM - 6:00 PM

Response time: We commit to responding to all GDPR questions within a maximum of 10 working days.