(extract from the Personal Data Processing Regulation in IQOS filing system (hereinafter referred to as the Regulation))
I. Personal data controller
1. The company "PHILIP MORRIS SALES & MARKETING" SRL established the purposes and means of processing personal data in the IQOS filing system, thus acting as a personal data controller (hereinafter referred to as controller).
2. The controller is registered under the 0001329 number of the Register of Personal Data Controllers (www.registru.datepersonale.md) and was authorised by the responsible authority to process the personal data of its customers. The authorization by the responsible authority proves that the controller, through the organizational and technical measures adopted, ensures an adequate level of personal data protection.
II. Used terms and their meaning:
customer – any natural person who acts for purposes other than commercial ones;
profile creation – means any form of automatic processing of personal data consisting of using personal data to assess certain personal aspects relating to a natural person, especially to analyze or predict aspects regarding the performance at the workplace, economic situation, health, personal preferences, interests, reliability, behavior, location of the respective natural person or their movements;
personal data – any information referring to an identified or identifiable natural person;
special categories of personal data – data revealing racial or ethnic origin of a person, his/her political opinions, religious or philosophic beliefs, social belonging, data relating to health and sex life, as well as those relating to criminal convictions, procedural coercive measures or contravention sanctions;
personal data subject – is any natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more elements specific to his/her physical, physiological, mental, economic, cultural or social identity;
processing of personal data – any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, keeping, restoring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
personal data filing system – any structured set of personal data which are accessible according to some specific criteria, whether centralized, decentralized or dispersed on a functional or geographical criteria;
controller – natural or legal person governed by public or private law, including public authority, any other institution or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data expressly provided by the applicable law;
person authorized by the controller – natural or legal person governed by public or private law, including public authority and its territorial subdivisions, processing personal data on behalf of and in the interest of the controller, based on the instructions received from him;
third party – a natural or legal person governed by public or private law, other than the personal data subject, the controller or the person authorized by the controller and the person who, under the direct authority of the controller or of the person authorised by the controller is authorised to process personal data;
anonymization – means the personal data processing in such a way that it can no longer be attributed to a certain subject without using additional information, provided that this additional information is stored separately and is subject to some technical and organizational measures to ensure that such personal data are not allocated to an identified or identifiable natural person;
responsible authority – is the National Centre for Personal Data Protection, the state institution of the Republic of Moldova, responsible to supervise and control personal data processing;
direct marketing (marketing research) – method of the products and services distribution in which marketing concepts, techniques and instruments are used, including by e-mail, electronic communication services or other forwarding services, carried out in a submission directly oriented to the personal data subject, aiming at a quantifiable reaction.
III. Who can use the website
3. Filling in the form and registration on the website may be done by any natural person on his/her own name and only if he/she reached the age of 18 years.
4. The activities performed by the controller are designed for the residents of the Republic of Moldova or, as the case may be, for other persons in connection with the servicing of IQOS products.
5. All information accessible on the site, including the content of the text, images, structure, etc., is designed especially for natural persons for the purpose of personal use and is protected according to national legislation on copyright and related rights. Any copying or use of this information for any purpose other than the stated one is forbidden and is subject to liability in accordance with the legislation in force.
IV. Logging in to the system
6. Registration in the system is performed by accessing the www.iqos.com web page, where the following data categories must be entered: name, surname, date of birth, sex, residence town, preferred communication language, e-mail address and telephone number.
7. After filling in the listed mandatory fields, the user account will be activated by entering the secret code received at the indicated telephone number or accessing the link that will be sent on the indicated e-mail. The registration will be finished only upon completing all the mandatory fields. The password is confidential and cannot be disclosed to a third party.
8. On the completion of specific fields, the personal data subject confirms by ticking that the introduced personal data are true and belong to him/her.
9. By following these steps, you will be included in the customer list in the “IQOS” personal data filing system (database).
V. Categories of processed personal data
10. The controller collects the following categories of personal data: name, surname, date of birth, sex, residence town, preferred communication language, telephone number, e-mail address, as well as other identifiers of the personal data subject if these data are entered at their request by way of: filing an application, request, complaint or any other way of communication.
11. The collection of special categories of personal data in the IQOS personal data filing system (database) is prohibited.
VI. Purpose of processing data
12. Personal data are collected and processed within the “IQOS” personal data filing system (database), for the purpose of:
a) keeping records of customers who have bought or are going to buy IQOS devices;
b) offering the support with respect to the provided products;
c) performing direct marketing activities;
d) conducting market research;
e) honouring other obligations which result from the legal relationships established with the customers.
13. The controller doesn’t process the personal data for purposes other than those indicated above.
VII. Cross-border transfer notification
14. Personal data will be stored on servers in Ireland, but under the monitoring and control of the controller.
VIII. Legal basis for processing the personal data
15. Processing the personal data in the case of the organization of performing direct marketing activities, by providing promotional information, personalized offers or discount programs, market research or other data processing operations, that are not necessary for the execution of contract, will be made only on the basis of the consent of the data subject.
16. The need for consent of personal data processing refers also to situations when personal data are entered by subjects other than personal data subjects with the purpose of direct marketing.
17. A separate consent will not be concluded if the data are collected directly from the customer (by face-to-face or telephone interviewing/questioning, or by the user recording the data in the system directly through the web interface), in case of:
a) necessary actions before the conclusion of the contract which relate to user profile creation on the www.iqos.com page or addressing to the IQOS Customer Service Center, filing and considering of the customer form, taking orders;
b) activities essential to the execution of the contract which relate to keeping the customer records, providing the support for the purchased IQOS products, their exchanging or repairing as well as other civil aspects resulting from the established legal relations.
18. In all the cases of personal data processing, in the absence of a consent, the controller or the persons authorized by the controller shall inform the personal data subjects at least about: the purpose for which the data are collected, the ground for collection, the quantity and categories of the data, the storage duration, method of use, the persons authorized by the controller, as well as the personal data subjects’ rights.
19. The personal data controller informs that the personal data may be also used for other purposes expressly provided by the law, such as: at the request of the police or inspection bodies – that is the activities, which the collector cannot pre-determine, but takes it into account when collecting the personal data. In such cases, the controller will verify whether a request complies with the principles of personal data protection and will only execute it, if the legal purpose and ground exist.
IX. The recipients of personal data
20. The controller may disclose the personal data to:
a) persons authorized by the controller;
b) data subject or their legal representative;
c) inspection bodies at their request;
d) companies from the Philip Morris International Inc. group and debt collection companies.
21. Transmission to other third parties is forbidden.
X. The rights of the personal data subjects
22. The right to information – is the right to be informed before the data are collected and processed, about: the identity of the controller, the purpose of the data processing, the data recipients or categories of recipients, the existence of the rights provided by law on personal data protection, as well as the conditions under which they may be exercised.
23. The right of access to data – is the right to obtain from the controller, upon request, the confirmation/denial of whether or not the personal data related to the personal data subject are being processed, information related to the purposes and the categories of the processed data, the recipients or the categories of recipients to whom the data are disclosed, the way the automated data processing is performed, the legal consequences resulting from the data processing for the personal data subject and the way of exercising the right of intervention with respect to personal data.
24. The right of intervention – consists in the initiation, upon request, of the rectification, update, blocking, erasure or anonymization of the information the processing of which doesn’t correspond to the requirements of the law on personal data protection, in particular of incomplete or inaccurate data.
25. The right to object – is the right to object at any time, on substantial and legitimate grounds relating to the particular situation of the personal data subject, to the processing of personal data relating to them, save where otherwise provided by law.
26. The right not to be subject to an individual decision – means a possibility of requesting and obtaining the withdrawal, cancellation or reassessment of any decision, which produces legal effects on the personal data subject, which is based solely on automated processing intended to evaluate certain aspects of their personality, such as performance at work, credibility, conduct or other similar aspects.
27. The right to justice – is the right to apply to the responsible authority or to the court for the defence or reinstatement of impaired rights.
28. In order to clarify questions regarding exercising the rights of the personal data subject, you can contact "PHILIP MORRIS SALES & MARKETING" SRL at: 21/3 N. Dimo Street, Chisinau mun., MD-2068, Republic of Moldova.
29. You can also refuse to provide personal data to "PHILIP MORRIS SALES & MARKETING" SRL. The refusal to provide such data can make it impossible to access the website or receive support from the company.
30. The data controller processes two types of cookies: per session and fixed. The latter are temporary files that remain in the user’s terminal until the end of the session or the closure of the application (web browser).
31. Cookies themselves do not require and are not attached to other additional information that could lead to identification of unregistered visitors.
32. At the end of the internet session, the session cookies are automatically deleted.
XII. Blocking the access to the website
33. The access to the site can be blocked when:
a) You have violated the rules and requirements set forth above;
b) The right to object is exercised;
c) You have created more than one authorized user profile on this site.
XIII. Applicable legal framework and jurisdiction
34. The processing operations of personal data carried out in the “IQOS” personal data filing system (database) are performed under the supervision of the controller from the Republic of Moldova.
35. Irrespective of the registered headquarters of the persons authorized by the controller, when processing personal data they will ensure the conformity and the security of the personal data processing at least on the level of the following national and international acts:
- Convention no. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (http://datepersonale.md/md/international003/);
- The Law of the Republic of Moldova, no. 133 of 08.07.2011 on Personal Data Protection (http://lex.justice.md/md/340495/);
- The Law of the Republic of Moldova, no. 284 of 22.07.2004 on Electronic Trading (http://lex.justice.md/md/328081/);
- The Government of the Republic of Moldova Decision no. 1123 of 14.12.2010 on the Approval of the Requirements for the Assurance of Personal Data Security during their Processing within the Information Systems of Personal Data (http://lex.justice.md/md/337094/) as well as other legal acts.