PROTECȚIA DATELOR CU CARACTER PERSONAL
The Faculty of Law of Babeș-Bolyai University Cluj-Napoca processes personal data in accordance with the General Regulation 2016/679 on the protection of personal data, hereinafter referred to as GDPR.
- Faculty of Law – personal data controller
UBB Cluj is a state higher education institution, part of the national higher education system in Romania. UBB Cluj is a public interest institution, has legal personality and is apolitical. It was founded in 1919 and received recognition of legal personality in 1924 by the Law for the recognition of the University of Cluj as a legal person, published in the Official Gazette no. 243 of November 2, 1924. The registered office of UBB Cluj is in Cluj-Napoca, Mihail Kogălnicenu Street no. 1, code 400084, Fiscal Code (CUI) is 4305849.
Within UBB Cluj, the Faculty of Law operates, which is a personal data controller, as defined in art. 4 par. 7 of the GDPR and performs operations or sets of operations, through which it processes personal data. Depending on the purpose of the processing, we inform you about the types of personal data processed, the purpose of the processing and the legal grounds on which it processes, stores and transmits personal data.
The Faculty of Law, like UBB Cluj, has at the center of its concerns – in order to ensure the protection of personal data, compliance with all GDPR principles (cumulatively):
– Legality, fairness and transparency (data are processed legally, fairly and transparently towards the data subject);
– Purpose limitation (data are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with these purposes);
– Data minimization (data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed);
– Accuracy (data are accurate and, where necessary, kept up to date);
– Data are kept only in compliance with the legal deadlines in force;
– Security and confidentiality (data are processed in a manner that ensures adequate security).
In ensuring compliance with the GDPR, the Faculty of Law and UBB Cluj place at the center of its concerns the protection of the rights of the data subjects who entrust us with their personal data.
- What types of personal data are collected?
The personal data collected by the Faculty of Law UBB are necessary to fulfill its mission and to carry out the contractual obligations that both the Faculty and the University have. The request for these categories of data is based on the need to comply with certain legal provisions.
The GDPR specifies that “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
The Information on the processing of personal data presents in detail the types of data, the documents on which they are recorded, the purposes of using these data and the legal grounds. These Informations are made by categories of data subjects.
Below are presented generically the types of personal data that the Faculty generally requests from data subjects. These differ depending on the category of data subjects (employees/teaching staff/students etc.):
– identification data: name, surname, name at birth of the person (where applicable), CNP, series and number of the identity document, passport, home address, mailing address, e-mail, telephone (landline, fax, mobile), online identifier etc.: are necessary for employment, enrollment in studies, occupational health and safety, correspondence etc.;
– data relating to completed or in the process of completing studies: diplomas, transcripts, descriptive supplements, certificates, attestations, etc.: they are necessary for employment, enrollment in studies, occupational health and safety, promotion, etc.;
– data relating to occupation, nature of own activity, data on previous and present professional activity, as well as professional performance, seniority, experience, etc.: necessary for employment, determination of remuneration, promotion, etc.;
– data of a special nature: medical data, disabilities; sick leave, employment, carrying out teaching activities, granting of facilities;
– data of a financial nature: accounts opened with financial institutions, certificates, etc.; these are used for: payments of financial rights, payments of financial obligations;
– data obtained from audio-video recordings of the physiognomy of the data subjects who access the UBB premises guarded by the operator: Necessary to meet the conditions regarding the guarding of objectives, goods and values as well as the protection of persons;
– electronic identification addresses: IP addresses, identifiers of local internet networks or hubs, geographical location, source of reference (from where the UBB website was accessed): Statistical activity; Protection and security against intruders or against accidental or deliberate digital attacks;
– data relating to special situations: situations in private/family life/marital status/dependents, data relating to the legal situation or other situations: declarations, applications, certificates, various extracts, criminal record (necessary for enrollment in study programs): necessary for declaring, informing, certifying personal situations, which have or may have an effect on contractual or lucrative conditions, respectively may influence material rights and/or obligations.
- What are the categories of persons whose personal data does the Faculty process (data subjects)?
– applicants for study programs;
– students (bachelor, master, doctoral students), trainees, trainees;
– employees: teaching staff, associate teaching staff, auxiliary and non-teaching staff, staff employed in projects financed from non-reimbursable European funds, staff employed in research project teams;
– collaborators: service providers;
– contractors: suppliers of goods and services, participants in tenders, bidders;
– visitors: persons registered at access points and or filmed by video surveillance cameras, visitors to web pages;
– persons who submit requests for information or other petitions;
– participants in conferences, summer schools, workshops, symposiums;
– persons who publish in the Faculty’s journals and publishing houses;
– beneficiaries of libraries;
– referees of doctoral theses or other scientific works;
– collaborating scientific researchers;
– persons carrying out verification and control activities.
- What is the purpose of the processing of personal data?
Processing refers to any operation or set of operations which is performed on personal data or on sets of personal data, with or without the use of automated means, such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The purpose of the processing is closely linked to the general and specific mission of the Faculty and, respectively, of UBB – education, research and services addressed to the community – but also in connection with the performance of complementary activities. Also, the data collected by the video surveillance system are necessary for the security of the objectives, goods and values as well as the protection of individuals.
In essence, personal data processing is carried out for all purposes provided for by Law No. 199/2023 or its subsequent legislation, as well as for purposes that derive from the mission of the higher education institution or are closely related to this mission.
Among the purposes of processing, we list: carrying out admission activities, enrollment in study programs, carrying out educational activities, graduation, hiring, promoting personnel, carrying out commercial and service contracts to which the Faculty is a party, carrying out scientific and journalistic activity, providing facilities, etc.
- What is the legal basis for the processing?
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), and with Law no. 190/2018 on measures implementing the GDPR and repealing Directive 95/46/EC, the main law requiring UBB to process personal data is the National Education Law also known as Law no. 199/2023, as subsequently amended and supplemented. Other legal frameworks requiring the Faculty to process personal data are related to its general functioning (labor legislation, tax code, payroll, occupational health and safety, security and protection, granting of facilities, etc.):
– Law no. 288/2004 on the organization of university studies, with subsequent amendments and completions
– Government Emergency Ordinance no. 133/2000 on state university and postgraduate education with fees
– ORDER of the Minister of Education No. 3714/2018 of 21 May 2018 on the approval of the Regulation on the organization, functioning and operationalization of the Single Matriculation Register of Universities in Romania
– Framework Law No. 153/2017 on the remuneration of personnel paid from public funds
– DECISION No. 286 of 23 March 2011, for the approval of the Framework Regulation on the establishment of the general principles for occupying a vacant or temporarily vacant position
– Law No. 333/2003 on the security of objectives, goods, values and the protection of persons
– GD No. 301/2012 for the approval of the Methodological Norms for the application of Law No. 333/2003 on the security of objectives, goods, values and the protection of persons
– Government Ordinance No. 129 of 2000 on the professional training of adults, republished;
– Accounting LAW no. 82 of 24 December 1991 (republished);
– Law no. 227/2015 on the Fiscal Code updated by Law no. 131 of 15 July 2020
– LAW no. 53 of 24 January 2003 LABOUR CODE republished 2011, updated 2018
– Law 307/12 July 2006 on fire protection, text in force since 25 March 2016
– Law 481/2004 (*republished*) – on civil protection*)
– Law 319/2006 – occupational health and safety
– EMERGENCY ORDINANCE no. 97 of 14 July 2005 (**republished**) on the registration, domicile, residence and identity documents of Romanian citizens**), Published in the OFFICIAL GAZETTE no. 719 of 12 October 2011
– Government Decision no. 42/2017 for the approval of the Methodological Norms on the granting of internal rail and metro transport facilities for pupils and students
– Regulation (EU) 2015/759 of the European Parliament and of the Council of 29 April 2015 amending Regulation (EC) no. 223/2009 and the MEN-National Institute of Statistics (INS) Convention on the processing of data for the production of official statistics on education and vocational training;
– Law no. 365/2002 on electronic commerce, republished, with subsequent amendments
– NBR Regulation no. 6/11.10.2006 – Regulation of the National Bank of Romania (BNR) no. 6/11.10.2006 – on the issuance and use of electronic payment instruments and the relations between participants in transactions with these instruments
– Law no. 129/2019 – for the prevention and combating of money laundering and terrorist financing, as well as for the amendment and completion of certain normative acts
– LAW No. 31 of November 16, 1990 on commercial companies (republished)
– Methodology regarding the schooling of Romanians from all over the world in state higher education in Romania, starting with the academic year 2017-2018, approved by joint order MEN no. 3900/2017, MAE no. A10/2046/2017 and MRP no. C/129/2017, published in the Official Gazette no. 628/02.08.2017.
– ARACIS standards for distance and part-time education
Internal regulations:
Charter of Babeș-Bolyai University Cluj-Napoca, 2024;
Admission Regulations of Babeș-Bolyai University;
Framework Regulation on accommodation in student dormitories;
Regulation on the organization and functioning of student dormitories;
Faculty of Law Regulations;
Other specific regulations.
In addition to the legal grounds deriving from the obligation for the Faculty to comply with the laws in force, the Agreement or Consent of the data subjects can also be used as a legal justification for the processing of personal data if the processing is based on art. 6 letter a of the GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Who are the recipients and third parties to whom the Faculty may transfer personal data?
The recipients and third parties to whom the Faculty may transfer certain personal data are public authorities or service providers that request these data, in accordance with the laws governing their activity, more precisely: Babeș-Bolyai University, the Ministry of National Education and Scientific Research which coordinates the activity of the National Council for Financing Higher Education; the National Council for Statistics and Forecasting of Higher Education; the General Directorate of Higher Education within the Ministry of Education; the Ministry of Public Finance, the Court of Auditors of Romania, the National Company Poșta Română (for letter correspondence), the banks with which the teaching staff, employees and students have contracts, Banca Transilvania (for payment of fees and intermediation of card payments of school and admission fees), medical clinics with which UBB has contracts, owners of e-learning platforms, IT service providers (maintenance, software development), archiving in physical and/or electronic format; audit; transport companies that provide free/discounted transport offered by specific legislation (CFR Călători, Compania de Transport Public Cluj-Napoca, etc.), etc., judicial bodies in Romania and other countries (EU, recognized by the EU as complying with personal data protection norms or that have personal data protection agreements with Romania), as well as courts, prosecutors’ offices, central and local public authorities in Romania (e.g. MAI, ANAF, ONPCSB, Competition Council, National Archives), police bodies; Institutions for investigation and support for cybersecurity incidents.
The faculty has taken measures to ensure full security of personal data in the process of transferring it, in accordance with the GDPR.
- How long will your personal data be kept?
Personal data – which have been or will be requested – will be provided by you and will be processed within a period of time provided for in European and national legislation, in accordance with the GDPR and other legal bases that require this, respecting the principles of ensuring their security and respecting your rights. The archival nomenclature of UBB Cluj and, where applicable, of the Faculty of Law provides for the retention period for each category of personal data. This is specified in the Information on the protection of personal data.
- What are the rights of the persons who entrust us with their personal data?
– the right to be informed (art. 13 and 14 of the GDPR) – about the type, purpose, and legal grounds of the processing;
– the right of access to data (art. 15 of the GDPR) – the person has the right to obtain confirmation from the Faculty whether personal data concerning him/her are being processed;
– the right to rectification (art. 16 of the GDPR) – of personal data without undue delay;
– the right to erasure of data (“right to be forgotten”) – (art. 17 of the GDPR) – to obtain from the Faculty the erasure of personal data concerning you, without undue delay, and the Faculty has the obligation to erase personal data without undue delay;
– the right to restriction of processing (art. 18 of the GDPR) – when you consider that the personal data is inaccurate, or you consider that the processing is illegal, or the Faculty no longer needs this data;
– the right to notification regarding the rectification or erasure of personal data or restriction of processing (art. 19 of the GDPR);
– the right to data portability (art. 20 of the GDPR) – you have the right to receive the personal data concerning you that you have provided to the Faculty in a structured, commonly used and machine-readable format in order to be able to transmit them to another controller;
– the right to opposition (art. 21 of the GDPR) – you can oppose, the processing pursuant to Article 6(1)(e) or (f) or Article 6(1) of personal data concerning you, including the creation of profiles based on those provisions;
– the right not to be subject to a decision based solely on automated processing – including the creation of profiles (art. 22) – which produces legal effects concerning you or similarly significantly affects you;
– the right to file a complaint with the National Supervisory Authority for Personal Data Processing (art 15) – anspdcp@dataprotection.ro or https://www.dataprotection.ro/
- Does the Faculty transfer data outside Romania?
The data transfer may be made either on the basis of an adequacy decision issued by the European Commission under Article 45 of the GDPR attesting that the third country meets the respective criteria, or on the basis of appropriate safeguards, which may be provided by standard data protection clauses adopted by the ANSPDCP and approved by the Commission in accordance with the examination procedure, or may be provided by means of provisions to be included in an administrative agreement between the Faculty and/or UBB and the entity to which the data are transferred, which includes enforceable and effective rights for the data subjects, and which must receive authorisation from the ANSPDCP.
The data subjects will be informed no later than the date on which the data transfer is to be carried out. The purpose of these transfers is to facilitate the participation in international mobility of students and teaching staff of the Faculty.
In order to achieve the purposes of processing by UBB, presented above, it is possible for the Faculty to transfer some categories of personal data outside Romania or the EU/EEA states to the states to which the data subject consents for the data transfer or to other states (based on appropriate safeguards such as standard contractual clauses or administrative agreements to which the Faculty or UBB is a party).
- Does the Faculty have security measures regarding the protection of personal data processed through information systems?
The Faculty uses administrative, organizational, technical and physical methods to ensure the security of personal data both on the website and within the institution (servers, computer networks). Security measures are designed to maintain an appropriate level of confidentiality, integrity and availability of data. The Information and Communications Technology Department implements and manages systems to ensure the security of information systems.
The Faculty has adequate measures to ensure that the data of website users is protected against unauthorized access, use or modification, unlawful or accidental destruction and accidental loss.
The Faculty encourages community members to use the institutional email service as well as the online and/or e-learning platforms managed by the Faculty / UBB in partnership with providers based on contracts with specific security and confidentiality clauses.
However, we recommend that any user be aware that there is always a risk of transmitting information via the internet and to manage this risk by adopting appropriate behavior.
- Is personal data of minors processed? (persons under 16, according to the EU definition)
The Faculty does not systematically process personal data of persons under 16 years of age. These data are collected through the video surveillance system based on the legislation on the guarding and protection of objectives, goods, persons and values, during occasional or organized visits (Open Day, Altfel School, etc.)
The Faculty website does not intentionally collect information from users under 16 years of age. If a parent or legal guardian notifies us of the existence of such personal data, all necessary measures will be taken to delete the information. If you believe that information of a person under 16 years of age has been collected through the Faculty website, please contact us at the following e-mail address: sergiu.golub@law.ubbcluj.ro.
- How to obtain advice and file a complaint
If you have any questions or concerns regarding the processing of your personal data, you can contact the Data Protection Officer (DPO) of Babeș-Bolyai University at the e-mail address dpo@ubbcluj.ro / of the Faculty at the e-mail address sergiu.golub@law.ubbcluj.ro.
In these requests, please do not disclose sensitive personal data (information regarding religious beliefs, ethnic or racial origin or any other information related to health or trade union membership) when contacting us.
We respond to the requests of the data subjects without undue delay or motivate the data subject for the delay and, if they do not intend to comply with the request, motivate this refusal. Where the data subject submits a request in electronic format, the information shall be provided in electronic format where possible, unless the data subject requests another format.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may:
– either charge a reasonable fee taking into account the administrative costs of providing the information or communication or of taking the requested action;
– or refuse to act on the request
In such cases, the burden of demonstrating the manifestly unfounded or excessive nature of the request lies with the controller. The Faculty is also responsible for taking all reasonable steps to verify the identity of a data subject requesting access to data, in particular in the context of online services and online identifiers.