GDPR Policy

Introduction

The protection of your personal data is important to us. As a company that processes personal data, SVENNIS CLOUD SOLUTIONS S.R.L. ("Svennis" or "the Company") complies with the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR"), as well as applicable national legislation (such as Law no. 190/2018).

This section represents our policy on the protection of personal data (hereinafter referred to as "GDPR Policy") and aims to transparently inform you about how we collect, use, protect, and share personal data, as well as about the rights you benefit from.

The GDPR Policy applies to all personal data processing activities carried out by the Company, both through the svennis.eu website and in the context of providing our software development and consulting services (including as a Zoho reseller and partner).

We are committed to processing personal data lawfully, fairly, and transparently, in accordance with the principles and requirements imposed by GDPR.

Data controller and data processor

Data Controller: The personal data controller is SVENNIS CLOUD SOLUTIONS S.R.L., a Romanian company headquartered in Satu Mare, Str. Careiului nr. 220/E, Satu Mare County, with CUI 29108532. The Company is responsible for determining the purposes and means of processing personal data collected from customers, potential customers, website visitors, and other contact persons.

Controller Contact Details: You can contact us by email at office@svennis.eu or at the postal address mentioned above for any data protection matters. At present, the Company is not legally required to appoint a Data Protection Officer (DPO) pursuant to Art. 37 GDPR, given the size and nature of the processing carried out. However, we have an internal team responsible for GDPR compliance and we are at your disposal for any requests or questions.

Data processors: In conducting our activities, we may engage third parties who act as data processors for processing personal data on our behalf, according to our instructions. A primary example is Zoho Corporation, which provides the software infrastructure (CRM, meeting scheduling applications, etc.) that we use for managing customer contact data and requests.

With each data processor, Svennis has entered into contractual agreements that ensure data is processed in accordance with GDPR, only for the purposes specified by us and with the maintenance of confidentiality and security. The list of our main processors and their role is available upon request – for example: the web hosting provider, the email services provider, the Zoho cloud services provider, etc.

Personal data processing principles

Svennis adheres to the fundamental principles set out in GDPR to ensure that any processing of personal data is carried out lawfully and responsibly. These principles guide how we collect, use, and store data:

  • Lawfulness, fairness, and transparency: We will process personal data lawfully, always having a valid legal basis (consent of the person, performance of a contract, legal obligation, legitimate interest, etc.). We will also act fairly towards data subjects, adequately informing them about how their data is used. Our processing is transparent – meaning we provide you with clear and easy-to-understand information about processing (through documents like this one, through information in collection forms, etc.), in accordance with Articles 12-14 of GDPR.
  • Purpose limitation: We collect and process personal data only for well-determined, explicit, and legitimate purposes. We ensure that we do not subsequently process data in a manner incompatible with the initial purposes. (For example, if you provided data to obtain information about a service, we will not subsequently use it to send you marketing communications, unless you request or consent to this).
  • Data minimization: We respect the principle of "data minimization," meaning we process only personal data that is adequate, relevant, and limited to what is necessary in relation to the declared purposes. We will not request or store information we do not need. For example, our contact form collects only name, email, and message (and IP automatically), avoiding excessive data such as national ID number or physical address, which are not necessary for simple initial communication.
  • Accuracy: We keep data accurate and up to date. We will take reasonable measures to promptly delete or rectify inaccurate or incomplete data when we discover or are informed of it. It is in our interest and yours that decisions are made based on accurate data. Therefore, we ask you to inform us if changes occur in the data you have provided (for example, a change of email address).
  • Storage limitation: We store personal data for a period that does not exceed the duration necessary for fulfilling the purposes for which they are processed, in compliance with legal archiving provisions. After the purpose is achieved and no other legal provision obliges us to retain the data, we will delete, securely destroy, or anonymize that data. Our detailed data retention policy is set out in the "Data retention period" section of the Privacy Policy and respects the criteria imposed by GDPR.
  • Integrity and confidentiality: We process data in a manner that ensures adequate security, including protection against unauthorized or illegal processing, against accidental loss, destruction, or damage. We have implemented both technical measures (e.g., encryption, backup, firewall) and organizational measures (e.g., internal policies, staff training, limited access) to protect the confidentiality and integrity of personal data. (Additional details about security are provided in the dedicated section below.)
  • Accountability: In accordance with the accountability principle, Svennis assumes responsibility for complying with the above principles and can demonstrate compliance with them. We maintain records of processing activities, periodically assess security and compliance measures, and are prepared to respond to the supervisory authority (ANSPDCP) for how we manage personal data.

Categories of personal data processed

Svennis may collect and process different categories of personal data, depending on the relationship we have with you and the context of the interaction. We mainly manage the following types of data:

  • Identity and contact data: Name, surname, email address, phone number, position and organization (in the case of persons contacting us for professional purposes), as well as other contact data you provide. These are usually collected through contact forms on the website, through emails exchanged or by phone, when you request information or become our customer.
  • Technical data regarding website visits: IP address, browser type, operating system, unique device identifiers, approximate location (derived from IP), information about how you interact with the website (e.g., pages visited, time spent, actions performed). This data may be collected automatically through cookies or similar technologies when you browse svennis.eu. (For details about the cookies used and your options, please consult the dedicated cookie section, if available, or the information provided at first visit in the form of a cookie consent banner).
  • Communication content: Messages or details voluntarily provided in the message field of the contact form or in subsequent correspondence (by email, phone, or other means). These may contain, depending on the specific case, other personal data you choose to communicate to us (for example, information about the project for which you want consulting, your business needs, or even data of other contact persons in your organization). Please transmit only necessary information and avoid including sensitive data that is not relevant. If we do receive such data, we will treat it with confidentiality and delete it if it is not necessary.
  • Data necessary for the contractual relationship with customers: If you become our customer or business partner, we will process additional data necessary in this relationship, such as: billing address (may contain personal data if you are a sole proprietor or individual enterprise), financial data (e.g., bank account, payment details, but we note that we do not collect bank card data through the website, as we do not have direct online payments), handwritten or electronic signature on contracts, and any other identification data necessary for entering into and executing the contract (such as the series and number of the identity document in certain cases required by law, although we try to minimize these situations).
  • Data collected through the Zoho services offered: As a Zoho partner, we may facilitate customer access to Zoho services. In this context, we may collect data such as: the email address of users invited to Zoho platforms, configuration preferences, etc. This data is used strictly for configuring the Zoho services requested by the customer and is processed according to Zoho's terms (we will separately inform customers about specific conditions when they access Zoho services through us).
  • Sensitive data: We typically do not collect or process data from the special categories provided by Art. 9 GDPR (data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, sexual life or sexual orientation) or data relating to criminal convictions (Art. 10 GDPR) of visitors or customers, as these are not necessary for our purposes. Please do not communicate such sensitive data about yourself in forms or communications. In the rare event that such information reaches us (for example, you mention it voluntarily in a message), we will treat it with absolute confidentiality and, if there is no clear legal basis for retaining it, we will delete it.
  • Data of minors: Our services and website are not directly aimed at children under 16 years of age. We do not knowingly collect personal data from minors under 16. If, however, a minor contacts us and provides personal data, we will delete it as soon as we become aware of this fact, as we cannot legally process such data without the consent of parents or legal representatives. If you are a parent or guardian and discover that your child has provided us with personal data, please contact us to have it removed.

Disclosure and transfer of data (to third parties and internationally)

In conducting our activities, we do not disclose personal data except to parties that have a legitimate need to know it and only in accordance with the described purposes. We have detailed in the Privacy Policy, section "Disclosure of data to third parties," the categories of recipients of your data. We reiterate here the main aspects and add information about potential international data transfers:

Main third-party recipients:

  • Data processors engaged by us, such as Zoho Corporation (cloud CRM and business application service provider), the web hosting provider (where website databases are stored), the email service provider (for communications), and possibly other IT consultants or related service providers. All these entities act according to our instructions and cannot use the data for their own purposes. They ensure an adequate level of security and have the legal and contractual obligation to protect data confidentiality.
  • Business partners or subcontractors involved in providing services to you – for example, if a software development project requires collaboration with an external expert, we will share only the necessary data with that expert (who will also be bound by confidentiality). Another example: if you purchase a Zoho product through us, your data may be communicated to Zoho to register the license or user account, according to the procedure.
  • Public authorities, auditors, or external advisors – only if there is a legal obligation or clear legitimate interest (for example, Company legal consultants, who are in turn subject to confidentiality obligations; financial auditors who verify our accounting compliance; law enforcement authorities or government agencies upon legal request).

International data transfers:

In principle, we store and process personal data within the territory of the European Union. However, certain providers or partners may have infrastructure or headquarters outside the European Economic Area (EEA). A relevant case is Zoho Corporation: the company has its main headquarters in India (Zoho Corporation Pvt. Ltd.) and entities in the USA and EU (Zoho Corporation B.V. in the Netherlands). When we use Zoho services, it is possible that certain data may be stored in data centers outside the EU (for example, India or the USA), especially if a specific server is allocated by you or under Zoho's policy.

We ensure that any transfer of data outside the EEA is carried out in accordance with GDPR, meaning there are adequate safeguards:

  • Zoho Corporation is a party to the Standard Contractual Clauses (SCC) adopted by the European Commission, to provide a legal framework for transfer. Additionally, Zoho declares GDPR compliance and has implemented robust security measures.
  • For other US-based providers (if any, e.g., email services), we verify their participation in recognized certification systems (such as the Privacy Shield; although it has been invalidated, some providers may certify under the new Trans-Atlantic Data Privacy Framework, if applicable) or, more commonly, we also rely on the updated Standard Contractual Clauses.
  • In the absence of an adequacy decision or SCC, we will request the express consent of the data subjects for the specific transfer or verify the application of a permissible derogation under Art. 49 GDPR (e.g., transfer necessary for the performance of a contract with you, if applicable).

In any situation, your rights and protections travel with your data. We will take all reasonable measures so that, even when data is managed by entities in other jurisdictions, it benefits from a level of protection equivalent to that offered by European legislation.

Your rights as a data subject

GDPR grants data subjects a series of specific rights related to the processing of their personal data. We fully respect these rights and are committed to facilitating their exercise. We have already detailed in the Privacy Policy (section "Data subject rights") the nature of these rights. In summary, you have the following rights:

  • Right to information: the right to be informed about how your data is processed, from the moment of collection. (This GDPR Policy and the Privacy Policy are part of our transparent information effort, along with specific notifications in forms).
  • Right of access: the right to obtain confirmation that we process data concerning you and to receive a copy of that data, along with information about how we use it.
  • Right to rectification: the right to request the correction of inaccurate data or the completion of incomplete data we hold about you.
  • Right to erasure: the right to obtain, under the conditions of the law, the erasure of personal data (for example, if the data is no longer necessary for the purposes or you have withdrawn your consent and there is no other legal basis).
  • Right to restriction: the right to request the suspension of data processing in a certain context (e.g., during the verification of data accuracy or your objection to processing).
  • Right to portability: the right to receive personal data provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller, if feasible. This right applies only to data processed by automated means, based on consent or a contract.
  • Right to object: the right to object to the processing of data based on our legitimate interest or on the performance of a task in the public interest. We will comply with your objection except in situations where we have legitimate and compelling reasons that justify the continuation of processing (which we will communicate to you, if applicable). Regarding direct marketing, you have the absolute right to object at any time (see the previous section on consent/unsubscribe option).
  • Right not to be subject to individual automated decisions: the right to request human intervention in the case of a decision made solely on the basis of automated processing (including profiling) that produces legal effects or significantly affects you. (We note that Svennis does not use such automated decisions without human intervention on your data).
  • Right to withdraw consent: in situations where processing is based on consent, you have the right to withdraw your consent at any time, as easily as you gave it. Withdrawal does not affect the legality of processing prior to that moment, but we will cease the respective processing going forward.
  • Right to lodge a complaint with the authority: if you believe your rights have been violated, you may file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) in Romania, contact details: www.dataprotection.ro, anspdcp@dataprotection.ro, phone +40.318.059.211. You also have the right to address the competent courts, both to challenge the supervisory authority's decisions and directly against us, if you consider that your rights under data protection legislation have been violated.

Exercising your rights:

To exercise any of the above rights, you can send us a request either electronically (by email to office@svennis.eu) or in writing (by mail to our headquarters address). Please clearly specify which right you wish to exercise and regarding which data, to help us process your request efficiently. We may need additional information to confirm your identity (to ensure we do not disclose someone else's data).

We will respond to your request as soon as possible, and in any case within a maximum of one month from receipt. This deadline may be extended by up to two months if the request is complex or if we receive a very large number of requests, but if an extension is necessary, we will inform you within one month.

In general, we do not charge any fee to respond to your rights-related requests. However, if a request proves to be manifestly unfounded or excessive (for example, repeated, redundant requests), GDPR allows us to refuse the request or charge a reasonable fee, taking into account the administrative costs involved in providing the information or the requested action. We assure you that we will resort to this possibility only in exceptional and justifiable circumstances.

Data processing security

Svennis has implemented appropriate technical and organizational measures to ensure a level of security commensurate with the risks presented by the processing, in accordance with Art. 32 GDPR. Specifically:

  • Technical measures: We use security technologies such as communication encryption (e.g., TLS/SSL for the website and emails, where supported), periodic backup systems to prevent accidental data loss, firewalls and intrusion detection systems on our servers, and regularly update the software used to patch potential vulnerabilities. Data stored in our cloud platforms (e.g., Zoho CRM) benefits from the protections offered by those providers, such as encryption at rest and in transit, and data replication across multiple data centers for redundancy.
  • Access control: Access to personal data is restricted to authorized and trained personnel only (e.g., our project management team, sales/marketing team for customer contacts, technical staff for system maintenance) and only to the extent that such access is necessary for performing their duties. Each person accessing the data is required to maintain its confidentiality. We have implemented strict internal policies regarding data management and have signed confidentiality agreements with our employees and collaborators.
  • Training and awareness: Our personnel have been trained on the importance of data protection, security procedures (for example, use of strong passwords, two-factor authentication where possible, recognition of phishing attempts) and the actions to be taken in case of an incident. We periodically review these practices and update training to match new cyber threats or legislative changes.
  • Physical measures: The Company's headquarters and locations where physical data is stored (if there are printed documents) are secured. The devices we work on (laptops, PCs) are protected by passwords, licensed antivirus software, and other IT security measures. In the case of archiving documents on paper (signed contracts, etc.), these are kept in locked spaces with access limited to authorized personnel.
  • Incident response plan: We have an internal security incident management procedure. In the unfortunate event of a security breach that could affect personal data (e.g., a successful cyber attack, loss of a device containing data, detected unauthorized access), we will act promptly to limit access to data, to remedy the vulnerability, and to assess the impact. In accordance with GDPR obligations, we will notify the supervisory authority (ANSPDCP) within 72 hours of detecting the incident, except in cases where it is unlikely to result in a risk to the rights of data subjects. If the breach is likely to generate a high risk to your rights and freedoms, we will communicate directly to you (clearly and simply) what happened and what measures we have taken, so that you can in turn take the necessary protective measures.

Although we do everything possible to protect data, you should note that no computer system is infallible. Risks can always exist, especially in the online environment. However, our commitment is to constantly implement best practices and to respond quickly to any potential incident, minimizing possible damages.

Policy updates and information

This GDPR Policy may be updated periodically, especially if our data processing activities change or relevant legislation is amended. The most recent version will always be available on this page on the svennis.eu Website, and the date of the last update will be mentioned below for reference.

We recommend that you check the GDPR Policy from time to time to stay informed about any changes. In the event that we make substantial modifications (for example, if we expand the categories of data collected, change the legal bases, or introduce new data recipients), we will bring these changes to your attention in a more visible way. We may do this by displaying an announcement on the website, by sending an email (if applicable and we have your consent to contact you), or through other appropriate means of communication, so that you can evaluate the changes and, if necessary, exercise your rights (for example, the right to object or to withdraw your consent for the new processing).

Continued interaction with us after the effective date of the new version of the GDPR Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, please communicate this to us and we will try to find a solution that respects your preferences and rights (possibly by limiting certain processing, if possible).

Questions, requests, and contact

For any questions or concerns regarding the GDPR Policy or how Svennis processes your personal data, as well as for exercising any of your rights mentioned above, please do not hesitate to contact us. Our contact details for data protection matters are:

  • Email: office@svennis.eu
  • Postal address: SVENNIS CLOUD SOLUTIONS S.R.L., Satu Mare, Str. Careiului nr. 220/E, Satu Mare County, 440187, Romania
  • Phone (main line): +40 722 945 189 / +40 722 567 135 (Monday to Friday, during business hours). Please specify that it is a data protection-related request, so it can be directed accordingly.

We will analyze and treat any communication received with seriousness. If you write to us to exercise a right, we will follow the procedures mentioned above and respond within the legal timeframes. If you write to us for simple clarifications or advice related to your data, we will respond as quickly as possible, providing you with the requested information.

This GDPR Policy was updated on April 23, 2025. Svennis maintains its commitment to respecting and protecting the personal data of all persons with whom it interacts, strengthening a relationship of trust and transparency.

Thank you for your trust and for the time you spent reviewing this information! If you have any feedback regarding this policy or our practices, it would be helpful to us – we are open to continuous improvement according to the best data protection standards.