Privacy policy
Date of update: 13.11.2025
Compliance Advisory Team SRL (“the Company” or “we”) is committed to protecting the privacy and security of the personal data of individuals who interact with our organization, in accordance with Regulation (EU) 2016/679 on data protection (“GDPR”), Law no. 190/2018, and other applicable legal provisions.
This policy describes how Compliance Advisory Team SRL collects, uses, and protects personal data in its relationships with its legal entity clients, business partners, and visitors to the website https://complianceat.ro.
We base our activity on the fundamental principles of data protection: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. We apply these principles in all our consulting, professional training, and communication processes with our legal entity partners.
| Data Controller | Compliance Advisory Team SRL |
| Contact details | E-mail: office@complianceat.ro. Website: https://complianceat.ro. Phone: 0744.997.596. If you have any questions, concerns, comments, or requests regarding this privacy policy or our data practices, please contact us at dataprotection@complianceat.ro. |
1. Processing of Data for Website Users
1.1. What information do we collect and how?
| Processed Data | Purpose of Processing | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Contact details - name, e-mail, company, message | Managing requests and professional communication. Sending notifications and communications about our services, based on consent. | Consent; Legitimate Interest |
| Technical Data (necessary cookies) - minimized IP, browser, system, accessed pages. | Ensuring the website’s functionality and security. Performance analysis and detection of abusive activities. | Legitimate Interest |
| Statistical cookie data - anonymous identifiers, sessions, interactions with the website. | Traffic analysis and improving the browsing experience. | Consent |
| Marketing cookie data - advertising identifiers, browsing behavior | Measuring campaign performance and personalizing promotional content. | Consent |
Providing data through the contact form is voluntary, but necessary to be able to respond to you. Refusal to provide the minimum data (e-mail, name, company) may make it impossible to process the request.
For optional cookies (statistical and marketing), processing is carried out only based on consent actively given through the Cookiebot banner, consent which can be withdrawn at any time. For full details regarding the cookies used, please consult Our Cookie Policy.
We do not process special categories of data through the website. The website and services offered by Compliance Advisory Team SRL are intended exclusively for professionals and legal entities. We do not target or intentionally collect personal data from persons under 18 years old. In the event we receive such data, it will be deleted immediately once identified.
1.3. How long do we keep your data?
| Contact data submitted through the contact form | Up to 3 years from the last interaction or until the request is resolved, if no contractual relationship is initiated |
|---|---|
| Data used for commercial communications (professional or marketing notifications) | Until consent is withdrawn or a maximum of 2 years from the last active contact. |
| Technical and usage data (including necessary cookies) | Up to 12 months |
| Data from statistical or marketing cookies | Up to 12 months or until consent is withdrawn, as applicable. |
After the storage period expires, the data is securely deleted or anonymized.
During the retention period, we apply appropriate technical and organizational measures to ensure the confidentiality and security of the data.
1.4. Automated decision-making and profiling
In limited situations, we may use automated profiling features exclusively for the following purposes:
○ Analyzing and improving the performance of the website, through statistical and analytical cookies that help us understand how the site is used, in order to optimize its content and structure;
○ Personalized commercial communications, based on consent – to send relevant notifications or materials to professionals who have contacted us and requested information about our services.
These activities do not involve automated decisions or complex profiling for the purpose of automatically evaluating professional or personal behavior and do not produce legal effects on the data subjects.
Statistical or marketing cookies are activated only after you provide your consent, and preferences can be modified at any time in the Cookie Settings section.
2. Data Processing – Clients and Business Partners
This section applies to the processing of personal data of contact persons within clients, potential clients, suppliers, collaborators, business partners, institutions, and public authorities with whom Compliance Advisory Team SRL (“the Company”) conducts professional and commercial relationships.
2.1. What information do we collect and how?
Personal data is collected exclusively in the context of professional activities and is obtained through:
- Direct collection: information provided by you during professional interactions (via e-mail, phone, meetings, contracts, events, requests for quotes, etc.);
- Indirect collection: information obtained from public sources (for example: public registers, commercial registers, institutional websites, public professional profiles), when necessary for conducting the business relationship.
The categories of processed data may include:
- Data: first name, last name, position, company, professional e-mail address, phone number, other professional contact data;
- Communication data: requests, commercial correspondence, notes from meetings or calls;
- Contractual and billing data: signatures, bank accounts, details regarding provided services, work documents and supporting documents;
- Minimal technical data, such as IP addresses and activity logs, used for securing communications and protecting systems.
We do not request or process special categories of data (within the meaning of Articles 9–10 GDPR).
If such data is accidentally transmitted to us, we will immediately restrict processing and securely delete it.
2.2. Purposes and legal bases of processing
Personal data is processed exclusively for professional and legitimate purposes, mainly for:
| Purpose | Categories of Processed Data | Legal Basis |
|---|---|---|
| Initiation and execution of contractual relationships with clients and corporate partners (negotiations, offers, collaboration, service execution) | Identification data, contact data, signatures, professional correspondence, service details, invoices, etc. | Performance of a contract / pre-contractual steps (Art. 6(1)(b) GDPR) |
| Professional communication and handling of requests (including via e-mail or online form) | Contact data, correspondence content, discussion notes | Performance of a contract / pre-contractual steps (Art. 6(1)(b) GDPR) Legitimate Interest (Art. 6(1)(f) GDPR) |
| Managing participation in training programs | Name, e-mail, position, company, training participation details. | Performance of a contract / pre-contractual steps (Art. 6(1)(b) GDPR) Legitimate Interest (Art. 6(1)(f) GDPR) |
| Fulfillment of legal obligations (accounting, tax, archiving, reporting to authorities) | Billing data, supporting documents, registers, contractual documents, etc. | Legal obligation (Art. 6(1)(c) GDPR) |
| Promotion and professional information regarding offered services, including marketing communications | Name, e-mail, position, company, communication preferences | Consent (Art. 6(1)(a) GDPR) |
| IT security, fraud prevention, incident and risk management | Access logs, net data, technical data, IP addresses, and any other categories of processed data. | Legitimate Interest (Art. 6(1)(f) GDPR) |
| Handling complaints, claims, and requests to exercise rights | Identification and contact data, request content, responses, supporting documents. | Legal obligation (Art. 6(1)(c) GDPR) Legitimate Interest (Art. 6(1)(f) GDPR) |
| Resolution of disputes and defense of rights | Identification data, correspondence, contracts, reports, supporting documents. | Legitimate Interest (Art. 6(1)(f) GDPR) |
| Response to requests from authorities / public institutions | Identification and contact data, contractual/financial documents, other supporting documents. | Legal obligation (Art. 6(1)(c) GDPR) |
| Internal/external audit and compliance monitoring | Identification and contact data, contractual/financial documents, registers, reports, correspondence, other supporting documents. | Legal obligation (Art. 6(1)(c) GDPR) Legitimate Interest (Art. 6(1)(f) GDPR) |
All processing is carried out in compliance with the principles of data minimization and confidentiality.
Our legitimate interests are analyzed and balanced with the fundamental rights and freedoms of the data subjects.
2.3. Services provided by third parties
To carry out our professional activities and manage business relationships, we use services provided by specialized partners, such as domain and e-mail hosting solutions, cloud services, IT maintenance services, information security tools, and technical support.
These services may involve the processing of personal data for the purpose of ensuring secure communication, document management, project administration, and compliance with obligations.
All our providers are carefully selected and process data exclusively for the purpose of providing the contracted services, based on appropriate contractual clauses that guarantee:
○ processing data only for the contractually established purposes;
○ maintaining the confidentiality and security of the data;
○ appropriate technical and organizational measures to protect them.
2.4. Data retention period
Personal data is retained for the duration of the contractual relationship and, usually, up to 5 years after its termination, with the possibility of extending the period if:
○ required by applicable law (e.g., tax or accounting);
○ necessary for defending a right in court or resolving a dispute.
After the retention period expires, the data is deleted or anonymized in accordance with legal provisions.
Throughout the entire period, we apply appropriate technical and organizational measures to protect the confidentiality and security of the data.
2.5. Automated decisions and profiling
Compliance Advisory Team SRL does not use automated decision-making processes and does not carry out profiling that could produce legal effects or a significant impact on data subjects.
Any analysis carried out on the data is strictly professional in nature and is used exclusively for managing contractual relationships, assessing compliance, or improving services.
3. Possible Categories of Recipients of Personal Data
Compliance Advisory Team SRL may transfer personal data only to the extent necessary for fulfilling contractual, legal, or compliance obligations, or for ensuring the proper conduct of its professional activities.
Data may be transmitted to the following categories of recipients, respecting the principle of minimization and confidentiality obligations:
○ Service providers – contractual partners who support us in delivering our services. They process data exclusively on our behalf and according to our instructions, under strict confidentiality conditions.
○ Professional advisors – lawyers, accountants, auditors, or specialized consultants who may have limited access to data only for the purpose of providing their professional services, while respecting confidentiality and professional ethics.
○ Authorities and public institutions – when the law requires us to provide data (e.g., supervisory authorities, tax, judicial, or regulatory authorities).
We do not disclose personal data for commercial purposes.
We take all reasonable technical, organizational, and contractual measures to ensure that the recipients mentioned use the data exclusively for the legal or contractual purposes for which it was provided, implement appropriate security and confidentiality measures, and comply with the requirements of Regulation (EU) 2016/679 (GDPR) and applicable Romanian legislation.
4. International Data Transfers
5. Personal Data Security
Compliance Advisory Team SRL is committed to protecting personal data through appropriate technical and organizational measures, proportional to the nature of the processed data and associated risks.
We ensure that information is kept confidential and secure, limiting access only to authorized persons and using solutions compliant with data protection standards.
Processing activities are carried out in accordance with Article 32 of Regulation (EU) 2016/679 (GDPR) and the principles of confidentiality, integrity, and availability of data.
6. Your Rights
We respect the principles of transparency and data protection and ensure the free exercise of data subjects’ rights.
| Withdrawal of Consent | You may withdraw your consent for data processing at any time when processing is based on this legal ground. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. |
| Right to be Informed | You have the right to be clearly and fully informed about how your data is collected and used, the purposes, legal basis, recipients, and data retention period. |
| Right of Access | You may request confirmation whether we are processing your data, obtain a copy of it, and information about how it is used. |
| Right to Rectification | You may request the correction or updating of your data when it is inaccurate or incomplete. |
| Right to Erasure | In certain situations, you have the right to request the deletion of your personal data, for example when it is no longer necessary for the purposes for which it was collected or if you withdraw your consent. |
| Right to Object to Processing | You may object to data processing carried out based on our legitimate interest, for reasons related to your particular situation. We will comply with your request unless we can demonstrate the existence of compelling legitimate grounds for continued processing (e.g., for defending a right in court). |
| Right to Restrict Processing | In certain cases (e.g., contesting the accuracy of data), you may request the restriction of processing. During this period, data will only be used for storage or for the defense of a legal right. |
| Right to Data Portability | You may request the transfer of your personal data in a structured, commonly used, and machine-readable format, to you or to another controller. This right applies when processing is based on consent or the performance of a contract. |
| Right not to be Subject to Profiling and Automated Decisions | You have the right not to be subject to decisions based solely on automated processing, including profiling, which may produce legal effects or significant consequences for you. Compliance Advisory Team SRL does not use such profiling or automated processes. |
| Right to Lodge a Complaint | You have the right to lodge a complaint with ANSPDCP (National Supervisory Authority for Personal Data Processing) or directly in court. |
Exercising Your Rights
To contact us regarding the exercise of your rights, you can write to us at dataprotection@complianceat.ro. We will review your request and respond within 1 month of receipt.
This period may be extended by up to 2 months if the request is complex or involves a large volume of data; in this case, you will be informed within 30 days of receiving the request.
We reserve the right to request reasonable additional information to verify the identity of the person making a request, when there are justified doubts regarding their identity.
In certain situations, it may not be possible to comply with a request, for example if it conflicts with other legal obligations or the rights of other individuals. In such a case, we will explain the reasons for refusal and the applicable legal basis.
7. Updates to the Data Protection Policy
Compliance Advisory Team SRL may periodically update this Data Protection Policy to reflect changes in our data processing activities, legislative changes or regulatory requirements, recommendations, or best practices issued by supervisory authorities or other relevant bodies.
Updated versions of the policy will be published on our website, and the date of the latest update will be indicated at the top of the document, under the policy title.
We encourage you to check this section periodically to stay informed about the most recent changes regarding our data protection practices.