Privacy policy

Notice on the processing of personal data in accordance with Regulation (EU) 2016/679 (“GDPR”)

This Privacy Policy describes how Costaș, Negru & Asociații – Societate Civilă de Avocați (“the Firm”, “we”, “us”, “the Operator”) collects, processes, stores, discloses, transfers and protects the personal data of data subjects who access the website, request legal services, contact the Firm or interact with it in any way.

This policy is drawn up in accordance with the following applicable rules:

– Regulation (EU) 2016/679 (“GDPR”);
– Law no. 190/2018;
– Law no. 51/1995 on the organization and exercise of the legal profession;
– Statute of the legal profession;
– ePrivacy Directive and legislation on electronic communications;
– applicable tax, accounting and archival legislation;
– legislation on the prevention and combating of money laundering;
– any other applicable legal provisions.

1. Data of the operator

The operator of personal data, within the meaning of the specific legislation, is:
Costaș, Negru & Asociații – Societate Civilă de Avocați
VAT Code: RO 31599202
Secondary headquarters: Cluj-Napoca, Str. Pitești no. 18, Biroul ABA, Etaj I, 400119, Cluj County, Romania
E-mail: office@costas-negru.ro
Phone/Fax: 0264.236302
Website: www.costas-negru.ro

2. Principles of data processing

The operator processes personal data in compliance with the following principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; responsibility (“accountability”).

3. Categories of processed data

– Identification data: name and surname; domicile/residence; series and number of the identity document; personal numerical code; citizenship; signature; date of birth.
– Contact data: e-mail address; telephone number; postal address; professional position; employer/represented company.
– Financial and tax data: bank account; payment information; tax code/CUI; data from invoices and accounting documents.
– Data related to legal services: information and documents provided within the framework of the professional mandate; legal correspondence; contractual documents; data regarding litigation, administrative or judicial procedures; information contained in legal files and documentation.
– Special categories of data: to the strict extent of the provision of legal services and in accordance with art. 9 GDPR, we may also process: health data; trade union membership; political opinions; biometric data; data on criminal convictions or offenses. These data are processed exclusively to the extent necessary for the exercise or defense of a right in court or the provision of the requested legal services.
– Data collected automatically through the use of the website: when accessing the website, the following may be collected: IP address; online identifiers; browser type; operating system; device resolution; time zone; pages accessed; duration of visit; URLs accessed; data regarding interaction with the website; cookies and similar technologies.

4. Data sources
Personal data can be obtained:

– directly from the data subject;
– through website forms;
– through electronic correspondence;
– from documents and information provided within the mandate;
– from registers and public sources;
– from courts;
– from public authorities;
– from parties to proceedings;
– from collaborators or contractual partners;
– from legal entities in relation to their representatives.

5. Purposes and legal grounds of processing

– Provision of legal services.
– We process data for: conclusion and execution of legal assistance contracts; legal representation and consultancy; file management; drafting of documents; professional correspondence.
– Legal basis:
art. 6 para. (1) lit. b GDPR – execution of the contract;
art. 6 para. (1) lit. c GDPR – legal obligation;
art. 6 para. (1) lit. f GDPR – legitimate interest;
art. 9 para. (2) lit. f GDPR – establishment, exercise or defence of a right.

– Compliance with legal obligations

– We process data for: tax and accounting obligations; archiving; professional compliance; prevention of money laundering; legal reporting; cooperation with authorities.
– Legal basis: art. 6 para. (1) lit. c GDPR.

– Communications and requests sent via the website

– The data provided via forms or e-mail are used for: responding to requests; scheduling; professional communications; sending the requested information.
– Legal basis:
art. 6 para. (1) lit. b GDPR;
art. 6 para. (1) lit. f GDPR.

– Marketing and newsletter

– The data may be used for: sending newsletters; legal updates; invitations to events; commercial communications.
– Legal basis:
art. 6 para. (1) lit. a GDPR – consent;
art. 6 para. (1) lit. f GDPR – legitimate interest, where permitted by law.
The data subject may withdraw their consent at any time.

– Website administration and security

– The data are used for: website operation; technical administration; prevention of fraud and cyber attacks; security monitoring; logging and auditing; traffic and performance analysis.
– Legal basis:
art. 6 para. (1) lit. f GDPR – legitimate interest;
art. 6 para. (1) lit. a GDPR – consent for non-essential cookies.

6. Legitimate interest of the operator

In cases where the processing is based on art. 6 para. (1) lit. f GDPR, the Operator has carried out the analysis of the legitimate interest and concluded that the legitimate commercial and professional interests pursued do not prevail over the fundamental rights and freedoms of the data subjects.
The legitimate interests pursued include: security of the IT infrastructure; fraud prevention; website administration; protection of the legitimate rights and interests of the Operator; management of professional and commercial relationships; verification of conflicts of interest.

7. Cookies and similar technologies
The website uses cookies and similar technologies for the proper functioning of the website, statistical analysis and optimization of the user experience.

– What are cookies? Cookies are small text files stored on the user’s device.
– Types of cookies that may be used:
– Strictly necessary cookies: necessary for the website to function.
– Analysis and performance cookies. Used for: statistics; traffic measurement; analysis of user behavior.
– Functional cookies: allow the user’s preferences to be remembered.
– Marketing and targeting cookies: can be used to personalize content and measure the effectiveness of campaigns.
– Cookie consent. Cookies that are not strictly necessary for the website to function are installed only after the user has given their consent through the consent management platform (“CMP”).
– Users can: accept all cookies; refuse non-essential cookies; select the categories accepted; change or withdraw consent at any time.
– Cookie preferences are stored and managed in accordance with GDPR and ePrivacy requirements.

8. Third-party technologies and services
The website may use services provided by third parties.

– Google Tag Manager: The website may use Google Tag Manager to manage tags and scripts. Provider: Google Ireland Limited. Legal basis: art. 6 para. (1) lit. a GDPR.
– Google Analytics: The website may use Google Analytics to analyze user traffic and behavior. Data collected: pseudonymized IP; device data; website interactions; usage statistics. Legal basis: art. 6 para. (1) lit. a GDPR.
– Google Fonts: The website may use fonts provided by Google. To the extent that the fonts are loaded from Google servers, the user’s browser may transmit to Google: IP address; technical information about the browser and device. The operator recommends using self-hosted variants to reduce data transfers. Legal basis: art. 6 para. (1) lit. a, f GDPR.
– Google Maps: The website may integrate interactive Google Maps. By using this service, the following may be processed: IP address; location data; map usage data. Legal basis: art. 6 para. (1) lit. a GDPR; art. 6 para. (1) lit. f GDPR.
– Google reCAPTCHA: The website may use Google reCAPTCHA to prevent spam and protect forms. This service may analyze: IP address; user behavior; cursor movements; browser and device information. Legal basis: art. 6 para. (1) lit. f GDPR – website security; art. 6 para. (1) lit. a GDPR, where necessary.
– Hosting and IT service providers: Data may be processed by providers of: hosting; website maintenance; cloud services; email services; cybersecurity; data backup and recovery. These providers act as processors and process the data exclusively on the instructions of the Operator.

9. Data recipients

The data may be disclosed, to the extent necessary and in accordance with the law, to: courts; public authorities; tax authorities; bailiffs; public notaries; banking institutions; IT providers; accountants and auditors; collaborators and partners involved in the execution of the mandate; other lawyers; technology service providers. All recipients have a contractual or legal obligation of confidentiality.

10. International data transfers

In certain situations, data may be transferred outside the European Economic Area (“EEA”), including to the United States of America, in the context of the use of Google, Microsoft or other IT providers. In these situations, the Operator implements appropriate safeguards in accordance with art. 44-49 GDPR, including: Standard Contractual Clauses approved by the European Commission; additional technical and organizational measures; assessments of the impact of transfers (“Transfer Impact Assessment”); use of providers certified under the EU-U.S. Data Privacy Framework, where applicable. Data subjects may request additional information on these transfers.

11. Duration of data storage
The data are kept exclusively for the period necessary to fulfill the purposes for which they were collected and in accordance with applicable legal obligations.
In general:

– accounting and tax documents: up to 10 years;
– documents related to the professional mandate: in accordance with legal and professional obligations;
– documents on the prevention of money laundering: according to the deadlines provided by law;
– data from correspondence: as long as necessary to manage the request;
– marketing data: until the withdrawal of consent;
– technical logs and security data: according to internal policies and IT needs.

The exercise of the right to erasure may be limited to the extent that the retention of data is necessary:

– for compliance with legal obligations;
– for the establishment, exercise or defense of a right in court;
– for compliance with professional obligations specific to the legal profession.
After the applicable deadlines have expired, the data will be deleted or anonymized.

12. Data security

The operator implements appropriate technical and organizational measures to protect data against: unauthorized access; loss; destruction; disclosure; accidental or unlawful modification.
The measures implemented may include: data encryption; secure SSL/TLS connections; firewall and antivirus systems; multifactor authentication; role-based access control; access logging and monitoring; periodic backups; internal security policies; confidentiality agreements; periodic audits and evaluations. However, no IT system can guarantee absolute security.

13. Professional confidentiality

Because the Operator is a law firm, all information and documents communicated benefit from the protection of professional secrecy, according to Law no. 51/1995 and the Statute of the legal profession.

Confidentiality obligations apply to: lawyers; collaborating lawyers; auxiliary staff; consultants; authorized persons; suppliers involved in the execution of services.

14. Minors

The website is not intended for minors or persons lacking legal capacity. The operator does not intentionally collect data belonging to minors without the consent of their parents or legal representatives.

15. External links

The website may contain links to websites belonging to third parties. The operator is not responsible for the privacy policies or the content of these external websites.

16. Rights of data subjects
In accordance with the GDPR, you benefit from:

– the right to information;
– the right to access;
– the right to rectification;
– the right to erasure of data;
– the right to restriction of processing;
– the right to object;
– the right to data portability;
– the right to withdraw consent;
– the right not to be subject to an automated decision;
– the right to file a complaint with the competent authority.

Requests can be sent:

– by e-mail to office@costas-negru.ro;
– by mail to the company’s headquarters;
– by fax to 0264.236302.

The operator will respond to requests within the time limit provided by law.

17. Automated decisions and profiling

The operator does not use exclusively automated decision-making processes and does not perform profiling within the meaning of art. 22 GDPR, except in situations permitted by law and strictly necessary for the operation of the technical services used on the website.

18. Supervisory authority

Data subjects have the right to file complaints with the National Supervisory Authority for the Processing of Personal Data (ANSPDCP). Address: B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, Bucharest, Romania.

19. Nature of data provision
The provision of certain data is necessary:

– for the conclusion and execution of contracts;
– for the provision of legal services;
– for the fulfillment of legal obligations;
– for professional compliance and AML/KYC checks.
Refusal to provide these data may make it impossible to provide legal services.

20. Internal GDPR documentation

The Operator implements and maintains internal measures and documentation regarding GDPR compliance, including: processing records; procedures regarding the exercise of data subjects’ rights; retention policies; security policies; procedures regarding security incidents; data processing agreements with suppliers; periodic compliance assessments.

21. Policy modification

The Operator reserves the right to modify this Privacy Policy to reflect legislative, technological or operational changes.
The updated version will be published on the website.
Date of last update: May 2026.