AGREEMENT ON THE PROCESSING, USE, AND TRANSFER OF PERSONAL DATA
FOR THE PURPOSE OF PROVIDING NECESSARY ASSISTANCE IN ACCORDANCE WITH THE PURPOSE AND OBJECTIVES OF THE IPSTSO (International Police Security Technology System Organization)
Data Controller:
The IPSTSO Association (International Police Security Technology System Organization), with its registered office at Drumul Timonierului Street, no. 8, Building 111A, Staircase A, 10th Floor, Apartment 53, Sector 6, registered in the Register of Associations and Foundations under no. 52052568, fiscal identification code 52052568, legally represented by IPSTSO (International Police Security Technology System Organization) (hereinafter referred to as the “Association” or the “Controller”),
e-mail, telephone: +40 790 508 000, website: www.ipstso.org.
Dear User,
By completing and submitting this electronic form, you expressly provide your free, specific, informed, and unambiguous consent, as a data subject, for the processing of your personal data for the purpose of providing assistance as a victim of a cyberattack.
This form complies with Article 4(11), Articles 6, 7, and 9 of the GDPR, as well as Law no. 190/2018. Consent is collected through an explicit affirmative action (unchecked checkboxes), with automatic recording of the date, time, and IP address.
Article 1 – Subject Matter of the Agreement
This Agreement governs the conditions under which the Data Subject provides express, free, informed, and unambiguous consent for the processing and transfer of personal data to third parties for the purpose of:
- analyzing, managing, and resolving cybersecurity incidents affecting the Data Subject;
- providing assistance, counseling, and legal/technical guidance;
- notifying and cooperating with competent authorities and partners of the Association;
- carrying out necessary legal or technical procedures.
Article 2 – Categories of Processed Data
2.1. The Association may collect, use, and transfer the following types of data:
a) Identification data, namely: first name, last name, personal identification number, identity document series and number, address, telephone number, e-mail address.
b) Technical data and incident-related information: IP addresses, online identifiers; screenshots, conversations, documents, digital files; data regarding affected accounts (banking, social media, commercial, e-mail), without storing passwords; details of fraudulent transactions.
c) Any other data voluntarily provided, only to the extent strictly necessary for resolving the case.
Article 3 – Legal Grounds for Processing
3.1. Data processing is based on Regulation (EU) 2016/679 (GDPR), as follows:
- Article 6(1)(a) GDPR – consent of the Data Subject;
- Article 6(1)(c) GDPR – compliance with the legal obligations of the Association;
- Article 6(1)(d) GDPR – protection of vital interests;
- Article 6(1)(f) GDPR – the legitimate interest of the Association in preventing and combating cybercrime;
- Article 9(2)(a) GDPR, where special categories of data are processed.
Article 4 – Data Recipients
4.1. Data may be transferred, as applicable, to:
a) lawyers and law firms for the purpose of providing legal assistance;
b) IT experts or cybersecurity companies;
c) public authorities, such as: the Romanian Police, Prosecutor’s Offices, DIICOT, or other competent structures;
d) banking institutions, payment processors, or digital platforms involved in the incident;
e) other consultants (financial, technical) strictly related to the subject matter of the case;
f) any other entities that may support the Association in fulfilling its purpose and objectives.
4.2. The Controller guarantees that any third-party recipient is bound by confidentiality obligations and complies with applicable data protection legislation.
Article 5 – Duration of Data Processing and Storage
5.1. Data are processed for the entire duration of case management and are subsequently stored for the period required by law in relation to the Controller’s obligations, for as long as necessary to defend a right in court or against unjustified claims, or for a maximum of 5 years from the closure of the case, unless another legal basis applies.
Article 6 – Rights of the Data Subject
6.1. In accordance with Regulation (EU) 2016/679 (GDPR), the Data Subject has the following rights:
a) the right of access to data and the right to rectification;
b) the right to erasure (“right to be forgotten”), under the conditions provided by law;
c) the right to restriction of processing;
d) the right to data portability;
e) the right to object;
f) the right to withdraw consent at any time;
g) the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).
6.2. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Article 7 – Technical and Organizational Security Measures
The Data Controller implements appropriate security measures, including:
a) access control to data;
b) pseudonymization and encryption, where necessary;
c) internal data protection policies;
d) contractual confidentiality obligations with all recipients;
e) security incident response procedures.
Article 8 – Data Subject Declaration
By this Agreement, I expressly declare and confirm that:
- I have been fully informed regarding the purposes, legal grounds, and recipients of my data;
- I have understood my rights and how to exercise them;
- I agree to the processing and transfer of my data to the third parties mentioned in Article 4 of this Agreement;
- my consent is given freely and without conditions;
- I have been clearly informed and understand that I may withdraw my consent at any time by submitting a written request to the Association, without affecting the lawfulness of processing carried out prior to withdrawal.
