GDPR – Information on how we process your personal data


Privacy Policy

Minex Group International SRL

 

Last Modified: September 26, 2025 

 

Introduction and Scope

Minex Group International SRL (referred to as "Minex Group", "we", "us", or "our") is committed to protecting and respecting your privacy. We are a specialized industrial business operating predominantly in the EU, functioning as a distributor and producer of industrial equipment, and a provider of technical consultancy for large-scale surface treatment projects. This Privacy Policy describes the categories of personal data we process in connection with your use of our digital and physical services, and explains how and why we process that data, in accordance with GDPR-EU Regulation 679/2016.

This Policy applies to personal information collected through our website (e.g. minexgroup.eu), digital services, omnichannel communications (SEO, social media, SEM, AI chatbots, email marketing, marketing automation), events, and interactions with our sales team. By sharing your personal information with us or continuing to use our websites, you confirm that you have read and understood the terms of this Privacy Policy. We will update this Policy as needed to remain compliant with applicable laws and best practices.

 

Data Controller and Contact Information

Data Controller: Minex Group International S.R.L. (a Romanian limited liability company) is the controller responsible for your personal data in relation to our services. Our registered business details are:

  • Company Name: Minex Group International S.R.L.
  • Registered Address: B-dul Metalurgiei nr. 85, camera 4, Sector 4, 041832, București, Romania
  • Registration Number: J40/4219/2009
  • Unique Registration Code (CUI): RO25370700
  • VAT Number: RO25370700

Contact for Privacy Matters: If you have any questions about this Policy or how Minex Group handles personal data, or if you wish to exercise your data subject rights, please contact us:

  • Email: gdpr@minexgroup.eu (Privacy Office)
  • Data Protection Officer (DPO): gdpr@minexgroup.eu – You may contact our DPO for any privacy-related inquiries or complaints. We will respond to requests without undue delay and within one month, or within three months for complex requests (as permitted by GDPR).

Supervisory Authority: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (website: www.dataprotection.ro, phone: +40 31 8059211, email: anspdcp@dataprotection.ro). We would, however, appreciate the chance to address your concerns directly before you approach the ANSPDCP or another EU supervisory authority.

 

Personal Data We Collect and How We Collect It

We collect and process various categories of personal data, depending on your relationship with us (e.g. as a website user, client, supplier, or other business contact). In general, we only collect what is necessary for the purposes described in this Policy, and we obtain it either directly from you or through your interactions with our services. The categories of personal data we process include:

  • Identity & Professional Data: e.g. your name, surname, job title, company name, and professional qualifications. How collected: Provided directly by you via electronic interactions (such as when creating an account, requesting a quote or information, subscribing to services/publications) or through in-person interactions (for example, exchanging business cards at events, or corresponding with our sales team).
  • Contact Data: e.g. business address, country of residence, email address, telephone number. How collected: Provided by you when filling out website contact forms, through email or phone communications, or via other business exchanges.
  • Transaction & Project Data: e.g. details of your technical inquiries and project specifications, records of solutions or products you have requested or purchased, order history, and any related warranty or support information. How collected: Collected during electronic interactions (such as placing an order, requesting a quote, or submitting support requests on our website) and through offline interactions (communications with our sales and technical teams).
  • Technical & Usage Data: e.g. your IP address, login credentials, browser type and version, operating system, device identifiers, geographic location, and usage patterns or behaviors on our website. How collected: Collected automatically via cookies and similar tracking technologies when you navigate our websites or use our online services. (See Cookies and Tracking Technologies below and our Cookie Policy for more details on what data is collected by cookies and how it is used.)
  • Marketing & Preference Data: e.g. your preferences for receiving marketing communications, newsletter subscriptions, and your engagement with our marketing content (such as email open and click-through rates). How collected: Collected with your consent when you subscribe to our newsletter or other publications, or when you indicate your marketing preferences on our website or in communications. We may also infer some preferences from your interactions with our emails or website (using tracking pixels or analytics tools).

In certain cases, you may also provide data about other individuals to us. For example, if you refer a colleague or provide a contact person’s details for a project, we will collect and process that personal data. In such cases, you are responsible for ensuring you have the other individual’s permission to share their information with us.

Employee and HR Data: (Internal Users) If you work for Minex Group (as an employee, contractor, or job applicant), we collect personal data relevant to your employment. This includes identification details (e.g. name, date of birth, Personal Numeric Code/CNP), contact information, CV/resumé and qualifications, job title and role, work performance evaluations, salary and bank account details, and any other information necessary for human resources management (such as employment contract data, attendance, leaves, health certificates for medical leave, etc.). How collected: Primarily provided by you during hiring and employment (e.g. CV, forms you fill out) or generated internally (e.g. performance notes), and from third parties when applicable (e.g. references or background checks, where lawful). Employee data is used only for internal administrative purposes and to fulfill obligations in the employment context, as described in the Purposes section below. (Employees receive a detailed internal privacy notice; this Policy provides a high-level overview of employee data processing for transparency.)

Special Categories of Personal Data: We do not actively seek to collect any sensitive personal data about you, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, or information concerning a person’s sex life or sexual orientation. In the normal course of our industrial equipment business, such data is generally not required. Please do not send us any sensitive personal information unless it is absolutely necessary for a specific service and we have requested it. If we do need to process any special categories of data for a particular purpose, we will only do so with your explicit consent or where specifically permitted by law with appropriate safeguards (for example, as allowed under Romanian Law No. 190/2018). Any incidental sensitive data that you provide without request (for example, voluntarily in a free-text field) will be treated with strict confidentiality and securely deleted if not needed.

 

Purposes and Legal Bases for Processing Data

We process personal data only for legitimate purposes and in accordance with the lawful bases permitted by GDPR Article 6. Below we explain why we process personal data (the purposes) and the legal grounds that make each processing activity lawful. We do not use your data for any purpose that is incompatible with these original purposes, and if we intend to do so, we will inform you and, if required, seek your consent beforehand.

  1. Contractual Necessity: To Fulfill Contracts or Requests: We process personal data to provide our products and services, including to respond to your inquiries, send quotes/offers, process orders, deliver and install equipment, provide technical consultancy or support, and otherwise fulfill our contractual obligations to you. This also covers pre-contractual steps at your request, such as corresponding with you before you become a customer. Legal Basis: Performance of a contract or steps prior to entering a contract (GDPR Art. 6(1)(b)). If you are an employee, this includes processing your data to perform the employment contract (e.g. paying your salary, providing benefits). Without this data, we cannot perform the contract or handle your requests.
  2. Legal Obligations: We process personal data to comply with various legal and regulatory requirements. This includes: maintaining proper business records and books (e.g. invoices, accounting records) as required by financial and tax laws; reporting to authorities; conducting audits; complying with health and safety regulations; and responding to lawful requests from public authorities (such as court orders or administrative requests). For employees, this includes processing required by labor laws (e.g. tax withholding, social contributions, employment record-keeping). Legal Basis: Compliance with a legal obligation (GDPR Art. 6(1)(c)). For example, Romanian fiscal laws require us to retain certain financial documents with personal data for set periods. We will also disclose personal data to government authorities or law enforcement if legally obligated (see Data Sharing below).
  3. Legitimate Interests: We may process personal data as necessary for our legitimate business interests, provided those interests are not overridden by your fundamental rights and freedoms (GDPR Art. 6(1)(f)). We only rely on legitimate interests after careful consideration (a balancing test), and we implement safeguards to protect your privacy. Examples include:
    • Business Development and Relationship Management: To manage and improve our relationship with clients and suppliers, including maintaining a CRM database of contacts, analyzing inquiries to better serve customer needs, and sending relevant B2B communications about our products or services.
    • Website Analytics and Service Improvement: To analyze how our website and services are used (via cookies or logs) in order to troubleshoot issues, improve functionality, and enhance user experience.
    • Security and Fraud Prevention: To ensure the security of our IT systems, website, premises and personnel – for instance, we may log access to our systems, use CCTV at our offices (see Employee Data below), and monitor our networks for fraud or cyberattacks. These measures protect our business and your data against unauthorized access, theft or misuse.
    • Debt Recovery and Legal Claims: If necessary, to pursue or defend against legal claims. For example, we may process and share data to collect outstanding payments you owe under a contract, or to establish our legal rights in a dispute.
    • Internal Administration: (for employees) To manage day-to-day operations, internal reporting, and administrative tasks within Minex Group. This includes sharing employee data between departments (HR, finance, management) on a need-to-know basis to run our business efficiently.

In all cases of legitimate interest processing, we ensure that our interests are duly justified and proportionate and that your privacy rights are respected. You have the right to object to processing based on legitimate interests in certain circumstances (see Your Rights below).

  4. Consent (Marketing & Optional Activities): We rely on your consent in situations where we do not have another legal basis and consent is required by law – notably, for direct electronic marketing communications. We will only send you newsletters, product updates, or promotional emails if you have opted in to receive them (or if you are an existing corporate customer in a context that permits simplified rules). You are free to choose whether or not to give consent, and you can withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing we performed before your withdrawal. We may also ask for your consent before processing sensitive personal data (as noted above) or before using your data in a new way that requires consent. Legal Basis: Your explicit consent (GDPR Art. 6(1)(a), and Art. 9(2)(a) for special categories if applicable). For example, if you sign up for our loyalty program or newsletter, we will process your contact and preference data based on your consent; you can unsubscribe at any time and we will stop processing for that purpose.
  5. Other Bases (Vital Interests/Public Interest): As a private B2B company, it is unlikely we will need to process data to protect someone’s vital interests (GDPR Art. 6(1)(d)) or for a task in the public interest (Art. 6(1)(e)). We will only rely on these bases in exceptional circumstances, which we would explain to you (for instance, using vital interest if we have to share your information to save your life in an emergency). Any processing in the public interest (if applicable) would be done in accordance with Romanian law and with appropriate safeguards.
  6. Special note on National Identification Numbers: In certain cases (especially for employee administration or invoicing), we may need to process national identification numbers (such as the Romanian Personal Numerical Code – CNP). When we process a national identification number, we do so in accordance with Article 4 of Law No. 190/2018, which permits such processing under the GDPR legal bases (Art. 6(1)) with specific safeguards. If we process a national ID based on legitimate interest (Art. 6(1)(f)), we will apply additional measures required by Romanian law – for example, we ensure strict confidentiality and data minimization, designate a Data Protection Officer, set limited retention periods for such data, and train our staff on proper handling.

 

Data Sharing, Disclosure, and Third Parties

We treat your personal data with care and confidentiality. We do not sell your personal information to anyone. However, in order to run our business and fulfill the purposes described, we sometimes need to share your data with third parties. Any sharing of data is done on a need-to-know basis and in compliance with GDPR. The main categories of recipients are:

  • Within Minex Group: Your data may be shared internally among departments and personnel of Minex Group International SRL if necessary for the purposes of processing (for example, your inquiry details might be shared between the Sales department and the Technical team to best address your request). Access is restricted to staff who need the information to perform their duties and who are bound by confidentiality.
  • Approved Distributors and Business Partners: Since many of our sales are concluded offline via local distributors, we may share your contact and inquiry details with a Minex Group approved distributor or partner in your region in order to follow up on your request, provide local support, or fulfill a contract. These partners will use your data only for providing services on our behalf or jointly with us, and not for their own unrelated purposes. We never share your information with any third party outside our organization or official distributor network for their own independent marketing purposes.
  • Service Providers (Processors): We employ trusted third-party companies to perform certain business functions and services on our behalf – for example, IT hosting and maintenance, cloud data storage, email delivery and marketing automation, customer relationship management software, analytics services, legal or accounting services, etc. In such cases, these third parties may need access to personal data to carry out the work we have hired them to do. We only use service providers that have provided sufficient guarantees to handle personal data securely and in compliance with GDPR. Each provider is bound by a written data processing agreement to process data only on our instructions and to keep it confidential. They are not permitted to use or disclose your data for any other purpose.
  • Legal and Regulatory Disclosure: We will disclose personal data to third parties when required by law or legal process. For example, we may provide information in response to a subpoena, court order, or a legally binding request by regulatory authorities. We may also share information when necessary to establish, exercise, or defend our legal rights or to protect your vital interests or those of another person. This could include sharing data with our external lawyers, auditors, or with law enforcement agencies (e.g. fraud investigation, protecting against security threats, or pursuing debts through courts or bailiffs).
  • Business Transfers: In the event that Minex Group International SRL undergoes a business transition such as a merger, acquisition by another company, or sale of all or part of its assets, personal data we hold may be transferred to the successor entity as part of the transaction. If this happens, we will ensure your data remains subject to the same protections outlined in this Policy and we will notify you of any significant changes.

We require all third parties with whom we share personal data to respect the security of your data and to treat it in accordance with the law. Where those third parties act as “processors” on our behalf, they are contractually obligated to only process data for the specified purposes and to implement adequate security measures.

 

International Data Transfers and Safeguards

Minex Group International SRL is based in Romania and we primarily store and process data within Romania or elsewhere in the European Economic Area (EEA). However, in certain circumstances, your personal data might be transferred to organizations or systems located outside of the EEA. For example, if we use a cloud IT provider or an email service whose servers are in the United States, or if one of our approved distributors in a non-EEA country needs your details to assist you, this may involve transferring your data internationally.

Whenever we transfer personal data across national borders, we will ensure an adequate level of protection for the data, in line with Chapter V of the GDPR. This includes:

  • Adequacy Decisions: We prefer to transfer data to countries that the European Commission has formally deemed to have an adequate level of data protection (such as Switzerland, Canada, Japan, etc.), so that your data benefits from essentially equivalent protections as under EU law.
  • Standard Contractual Clauses: For transfers to countries without an EC adequacy decision (e.g. the United States, if the recipient is not certified under an approved framework), we will put in place EU Standard Contractual Clauses (SCCs) in our contracts with the data importer. These are standard EU-approved data protection clauses that legally bind the foreign recipient to protect your information. Additionally, we will conduct transfer impact assessments to evaluate whether supplementary technical or organizational measures are needed to ensure the data is protected (for example, encryption in transit and at rest, access controls, etc.).
  • Explicit Consent for Transfer: In certain cases, if none of the above safeguards is available, we may ask for your explicit consent to transfer your data to a third country. For instance, if you are in a country outside the EEA and request our services, we might need your consent to send your own data back to you or to an overseas partner. In any such case, we will inform you of any risks before obtaining your consent. You have the right to refuse or withdraw this consent, in which case we will not proceed with the transfer unless permitted by another legal exemption under GDPR.

We will document and enforce any necessary agreements for international data transfers. If you have questions about our data transfer arrangements or want a copy of the relevant safeguards (e.g. SCCs), you can contact us via the details provided.

Data Security Measures

We implement strong technical and organizational measures to secure personal data and protect it against unauthorized access, loss, destruction, or alteration. These measures are continually reviewed and updated to meet high security standards. Key measures include:

  • Access Controls: Strict controls over who can access personal data. Only authorized personnel with a business need can access your information, and they must use authenticated accounts (secure passwords, multi-factor authentication where appropriate). Staff are trained in their confidentiality and data protection obligations.
  • Encryption: We use encryption technology to protect personal data during transmission (e.g. Secure Sockets Layer (SSL)/TLS for our website forms) and at rest in our systems or databases wherever feasible. This means that even if data were to be intercepted or accessed improperly, it would be unreadable without the encryption keys.
  • Network Security: Our websites and IT systems are secured against external threats. We employ firewalls, anti-malware tools, intrusion detection systems, and regularly update software to patch vulnerabilities. Remote access to systems is secured via VPN or other secure channels.
  • Physical Security: For any physical records or IT infrastructure, we have measures such as locked file cabinets, access badges for offices, and CCTV in sensitive areas. Our premises are secured to prevent unauthorized entry.
  • Data Minimization and Pseudonymization: In line with the GDPR’s principles, we strive to collect only the data we need and to pseudonymize or anonymize data where possible to reduce direct identifiers. For example, if we only need aggregated results, we remove or encode personal identifiers in the dataset.
  • Regular Testing and Auditing: We periodically test and evaluate the effectiveness of our security measures. This includes reviewing access logs, performing security audits, and, when appropriate, engaging external specialists to conduct penetration testing.
  • Incident Response Plan: We have an established procedure to handle any suspected data security incident swiftly and effectively, as explained in the Data Breach Notification section below.

 

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider: the nature and sensitivity of the data, the purpose for processing it, and the applicable legal requirements or business needs.

In practice:

  • Operational Data: General inquiries or contact form submissions may be kept for a certain period in case you follow up or to maintain our relationship, but not longer than necessary if they don’t result in a contract.
  • Contractual Documents: If you become a customer, we will retain your contract and related transaction data for the duration of the contract and thereafter as required by law (for example, Romanian financial regulations currently require retention of accounting records (which may include invoices with personal data) for up to 10 years).
  • Legal Compliance: We retain data to meet legal obligations (e.g. employment records, tax records) for the period mandated by law. Employment records might be kept for the term of employment plus the statutory retention period under labor laws.
  • Marketing Data: If you have consented to receive marketing, we will retain your contact details for that purpose until you unsubscribe or withdraw consent. If you do unsubscribe, we may keep your contact information on a suppression list to ensure we respect your opt-out in the future.
  • Technical Logs: Website logs and analytics data are typically retained only for a short period (e.g. a few months) unless we need to investigate security issues. Cookies have varying lifespans; see our Cookie Policy for details on cookie retention.

When personal data is no longer needed for its original purpose and we have no other lawful basis to retain it, we will either securely erase, anonymize, or pseudonymize the data. For example, we may archive certain data in an aggregated/anonymized form that no longer identifies you, for statistical or business analysis purposes. In some cases, if deletion is not immediately feasible (e.g. data stored in backups), we will ensure it is isolated and protected until deletion is possible.

Importantly, we do not keep personal data indefinitely “just in case” – all retention is tied to genuine needs or legal obligations. We also periodically review the data we hold and erase or anonymize that which we no longer require.

 

Data Breach Notification

While we strive to protect your information, we want to be transparent about how we would handle a data breach if one occurred. A “personal data breach” means a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. We have put in place robust procedures to detect and handle such incidents. In line with GDPR Article 33 and applicable Romanian regulations, if a data breach occurs that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Romanian Data Protection Authority (ANSPDCP) within 72 hours of becoming aware of the breach (unless the breach is unlikely to pose any risk). Our notification will include information about the nature of the breach, affected data categories, approximate number of individuals concerned, potential consequences, and measures taken or proposed to address the breach.
  • If the breach is likely to result in a high risk to you (for example, if sensitive data or financial information is involved), we will also notify you (the affected individuals) without undue delay. We will contact you via appropriate channels (e.g. email or phone) and provide information on the nature of the breach and any steps you should take to protect yourself. We will do this promptly, except in cases where law enforcement requests a delay or other exceptions under GDPR apply.
  • We will take immediate action to contain and remediate the breach, such as isolating compromised systems, restoring data from backups, and patching vulnerabilities. We will also take steps to mitigate any harm that may result. For instance, if credentials are compromised, we may temporarily disable accounts and ask users to reset passwords.
  • We maintain an internal breach register to document all personal data breaches (even those that don’t meet the threshold for notification), in accordance with GDPR Article 33(5). This includes details of the incident, effects, and remedial actions taken. These records help us learn from incidents and improve our future safeguards.

 

Automated Decision-Making and Profiling

No Automated Decisions Producing Legal Effects: In general, Minex Group does not make any decisions about individuals that are solely based on automated processing (including profiling) which produce legal effects or similarly significant effects on you. For example, we do not use algorithms to reject you as a customer, determine pricing individually, or make hiring decisions without human involvement. Most of our processing involves human assessment and decision-making (for instance, a sales manager reviewing your inquiry and deciding on a tailored offer).

Profiling and Analytics: We may use certain analytics and profiling tools in a limited way, primarily to improve our marketing and customer experience. For instance, we might analyze your browsing behavior on our site or your past interactions to segment you into a particular category of interest (e.g. focusing on welding equipment) and then provide content or offers that we think are relevant. We might also use automated tools to score leads (lead scoring) to prioritize follow-ups. However, none of these will have a substantial adverse effect on you – they are simply used to personalize your experience or help our sales team focus efforts, and human judgment is applied before any action is taken that impacts you.

If we ever need to carry out fully automated decision-making that has a legal or similarly significant effect (for example, a purely algorithmic approval or denial of a service), we will only do so in circumstances allowed by law – i.e. if it is necessary for a contract, authorized by law, or based on your explicit consent (per GDPR Article 22(2)). In those cases, we will also implement suitable safeguards to protect your rights and interests, including the right to obtain human intervention, to express your point of view, and to contest the decision. We will inform you clearly if you are subject to such a decision, and the logic involved, as required by law.

Your rights regarding profiling: You have the right to opt out of any direct marketing profiling at any time (see Your Rights below – right to object). For instance, if we profile your data to tailor marketing, you can object and we will cease processing your data for that purpose. Additionally, if you believe you have been subject to an automated decision in violation of Article 22, you can contact us and we will review the decision with human intervention.

In summary, while we use modern tools including AI and analytics to enhance our services, significant decisions about you will involve human review. We ensure transparency and fairness in any profiling activities, and we uphold your right not to be subject to a purely automated decision with significant effects unless legally permitted and with your knowledge.

 

Use of Personal Data in AI Model Training

As part of embracing innovation, Minex Group may explore the use of Artificial Intelligence (AI) and machine learning technologies (for example, an AI chatbot to assist website visitors, or internal AI tools to analyze data). In doing so, we are mindful of the privacy implications of using personal data for training AI models. Our approach is as follows:

  • Data Minimization for AI: We aim to use the minimum personal data necessary when training or improving AI systems. Where possible, we will use anonymized or pseudonymized data, or even synthetic data, to teach our AI models, so that individuals are not identifiable in the training process. By anonymizing data (removing or irreversibly altering personal identifiers), we ensure that the training datasets are no longer personal data and thus outside the scope of GDPR. (Note: Truly anonymized data (where no individual can be re-identified) is not subject to GDPR, though we will be cautious in assessing anonymity on a case-by-case basis given the high bar set by regulators.)
  • Legal Basis and Transparency: If we use personal data (as opposed to anonymous data) for developing or tuning an AI model, we will ensure we have an appropriate legal basis for that reuse. In most cases, our justification would be legitimate interest – for example, improving our products and services via machine learning might be considered a legitimate interest, but we would conduct a Legitimate Interests Assessment to ensure this does not unfairly prejudice your rights. In situations where legitimate interest is not sufficient or the law requires, we would seek your consent for using your data in AI training. In all cases, we commit to being transparent: we will inform you in our notices (like this Policy) if your data might be used to train AI systems and the context, so you have a choice in the matter.
  • Safeguards: Any personal data used in AI development will still be protected under our strict security measures and privacy by design approach. We incorporate privacy safeguards into the AI development lifecycle, such as pre-processing data to remove unnecessary details (data minimization), evaluating the necessity and proportionality of the data use, and assessing potential risks to individuals’ rights (which ties into our DPIA process below). We also consider techniques like data masking, aggregation, or federated learning to further reduce direct exposure of personal data. Moreover, outputs of our AI systems are checked to ensure they do not inadvertently reveal personal data from the training set.
  • Compliance with Emerging AI Regulations: We are aware of evolving legal frameworks (such as the proposed EU AI Act) and guidance from data protection authorities regarding AI. We will ensure that our use of AI continues to comply with all applicable data protection laws. The European Data Protection Board (EDPB) has clarified that even if personal data is ingested into an AI model, controllers remain responsible for that data and must uphold GDPR principles throughout the model’s lifecycle. We will regularly evaluate our AI systems to confirm that individuals are not identifiable from the model and that the model cannot output personal data of the training subjects. If any AI system were to start producing results that target specific individuals or use personal data in ways beyond the original scope, we would treat that output as personal data and apply all relevant protections.

In summary, any use of personal data for AI training or profiling will be done cautiously, lawfully, and with respect for your privacy. We will favor anonymized data wherever possible and ensure that we meet all legal requirements, including data minimization and purpose limitation, when personal data is involved in AI development.

 

Data Protection Impact Assessments (DPIA)

Before we embark on any new personal data processing activity that is likely to be high-risk to individuals’ rights and freedoms, Minex Group conducts a Data Protection Impact Assessment (DPIA). A DPIA is a systematic evaluation of a proposed processing operation, intended to identify and minimize privacy risks. Under GDPR Article 35, DPIAs are required especially for types of processing that involve new technologies and could have significant implications for privacy. Examples include: large-scale processing of sensitive data, systematic monitoring of public areas, or automated profiling that affects individuals significantly.

Our DPIA process includes:

  • Describing the Process: We document the nature, scope, context, and purposes of the intended processing, including the types of personal data and data subjects involved.
  • Assessing Necessity and Proportionality: We evaluate whether the proposed processing is necessary and proportionate to achieve the stated purpose, in line with the GDPR’s principles (data minimization, purpose limitation, etc.).
  • Identifying Risks: We identify potential risks to data subjects’ rights and freedoms, such as the risk of unauthorized disclosure, unfairness or bias, negative impacts on rights, etc.
  • Identifying Measures to Mitigate Risks: For each identified risk, we determine measures to mitigate or eliminate it – for example, by applying encryption, additional access controls, data anonymization, or procedurally by training staff and limiting data collection. These safeguards are built into the design of the project (this reflects the “privacy by design and by default” approach).

We will consult our Data Protection Officer (DPO) throughout the DPIA process. If a DPIA indicates that the processing would still result in a high residual risk even after mitigation (meaning we potentially cannot sufficiently protect data subjects), we will consult with the ANSPDCP (the supervisory authority) before proceeding, as required by GDPR Article 36.

For example, if we consider implementing a new employee monitoring system or a highly advanced AI profiling tool, we will perform a DPIA to examine its necessity and impact. In the case of employee monitoring via electronic means or CCTV, Romanian Law No. 190/2018 explicitly requires meeting certain conditions (legitimate interest, prior information to employees, consultation with unions/employee reps, etc.), and conducting a DPIA in such scenarios is considered best practice to ensure compliance. We abide by these requirements diligently.

In summary, conducting DPIAs is part of our commitment to accountability and privacy by design. By identifying and addressing risks early, we aim to prevent harm to individuals and ensure that all high-risk processing is carried out in line with GDPR obligations.

 

Your Rights as a Data Subject

Under the GDPR and Romanian law, you have a number of rights regarding your personal data. Minex Group International SRL respects and upholds these rights. Below is a summary of your key data protection rights and how you can exercise them:

  • Right of Access (Article 15 GDPR): You have the right to request confirmation of whether we are processing your personal data, and if so, to obtain a copy of that data, as well as information about how we process it. This is commonly known as a "Data Subject Access Request". We will provide you with a copy of your personal data undergoing processing, along with details such as the purposes of processing, the categories of data, any third parties it’s been shared with, and the envisaged retention period.
  • Right to Rectification (Article 16 GDPR): You have the right to ask us to correct or update any of your personal data that is inaccurate or incomplete. We encourage you to contact us if you find that any information we hold about you is wrong or out of date (for example, you changed your email address). We will make the corrections without undue delay.
  • Right to Erasure (“Right to be Forgotten”, Article 17 GDPR): You have the right to request the deletion of your personal data in certain circumstances. This right is not absolute, but applies, for example, if the data is no longer necessary for the purposes it was collected, you withdraw consent (where the processing was based on consent), you object to processing and we have no overriding legitimate grounds, or if we unlawfully processed your data. If you ask for erasure, and your request falls within the allowed cases, we will erase your data and also inform any processors or third parties where feasible. Note that we may retain some data if required by law or if an exemption applies (we will inform you if so).
  • Right to Restriction of Processing (Article 18 GDPR): You have the right to request that we limit the processing of your personal data in certain scenarios. For instance, if you contest the accuracy of your data, you can request restriction while we verify it; or if you object to our processing based on legitimate interest, you can request restriction while we consider the request. When processing is restricted, we will store your data but not use it (except, for example, to establish legal claims or with your consent).
  • Right to Data Portability (Article 20 GDPR): You have the right, in certain cases, to receive your personal data that you provided to us in a structured, commonly used, machine-readable format, and the right to have that data transmitted to another controller. This typically applies to data processed by automated means under consent or contract. For example, if you provided us data and want to re-use it with a competing service, we will help transfer it in a usable format, if technically feasible.
  • Right to Object (Article 21 GDPR): You have the right to object, on grounds relating to your particular situation, to any processing of your personal data that we conduct based on legitimate interests. If you lodge an objection, we must stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless it’s needed for legal claims. Importantly, you have an absolute right to object to direct marketing at any time. If you object to marketing, we will immediately stop using your data for that purpose (this includes profiling related to direct marketing).
  • Right to Withdraw Consent (Article 7(3) GDPR): If we are processing your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing performed before the withdrawal, but once withdrawn, we will cease the processing for which consent was required. For example, you can unsubscribe from our newsletter or withdraw consent for non-essential cookies, and we will stop those activities.
  • Right not to be Subject to Automated Decision-Making (Article 22 GDPR): As noted in the section on Automated Decision-Making, you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you, unless an exception applies. While we do not carry out such processing, remember that you can request human intervention or express your point of view if you believe you have mistakenly been subjected to an automated decision.
  • Right to Lodge a Complaint with a Supervisory Authority: If you believe we have not complied with data protection laws, you have the right to file a complaint with a supervisory authority, in particular in the EU country of your habitual residence, place of work, or where an alleged infringement occurred (Article 77 GDPR). As noted, our lead authority is the Romanian ANSPDCP. You also have the right to seek a judicial remedy if you feel your rights have been violated.

We invite you to first contact us or our DPO to address any issues – we are committed to resolving any concerns you might have about your data. You can exercise your rights at any time by reaching out via email (gdpr@minexgroup.eu) or by mail to our address. We may need to verify your identity before executing certain requests, to ensure we do not disclose data to the wrong person. There is normally no fee for exercising your rights; however, if a request is manifestly unfounded or excessive, we might charge a reasonable fee or refuse the request (as permitted by law).

We will respond to your request without undue delay and within one month of receipt. If your request is complex or if you have made numerous requests, we are allowed to extend this period by up to two further months, but we will inform you of the extension and the reasons for it. In case we cannot fulfill your request (for example, if an exemption applies or we have overriding grounds to continue processing), we will explain our decision and your options.

 

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to provide a smooth user experience and to help us understand how our sites are used. Cookies are small text files placed on your device that can store preferences and other information. 

Specifically, we use cookies to:

  • Ensure proper functioning of the website: Some cookies are essential for the site to operate (for example, to remember your session or preferences). Without these, the website may not function correctly.
  • Analyze website usage and performance: We use analytics cookies (e.g. Google Analytics) to collect aggregate information on how visitors navigate our site, which pages are most popular, etc. This helps us improve the website’s design, content, and performance.
  • Provide personalized content and advertising: With your consent, we may use cookies that remember your site interactions and preferences so we can personalize content for you. For instance, cookies might track which products you viewed to show you related products. We may also use third-party cookies (like LinkedIn Insights or Facebook Pixel) to measure the effectiveness of our ads and possibly to present relevant ads on other platforms.
  • Remember your preferences: We set cookies to recall choices you’ve made (e.g. language selection) so you don’t have to re-enter them on each visit.

When you first visit our site, we present a cookie consent banner where required by law. You can choose to accept or reject non-essential cookies. Strictly necessary cookies (which are required for site operation) do not require consent, but for others (analytics, marketing) we will obtain your consent. You can also control cookies through your browser settings at any time – for example, you can set your browser to refuse all or some cookies, or to alert you when cookies are being set. If you disable certain categories of cookies, note that some features of the site may become unavailable or behave differently.

For detailed information on the cookies we deploy and how to change your preferences, please see our Cookie Policy on our website (which provides a list of each cookie and its purpose). That policy is incorporated into this Privacy Policy by reference.

 

Third-Party Websites and Social Media Links

Our websites and communications may contain links to third-party websites or incorporate features from platforms like LinkedIn, YouTube, X (Twitter), or Facebook. For example, our site might include social media “share” buttons or you might follow a link to a partner’s website for more information. Please note: if you click on a third-party link or interact with a third-party service, you will be leaving our site and going to a site not controlled by us. This Privacy Policy applies only to Minex Group’s own websites and services. We are not responsible for the privacy practices or content of external sites. We recommend that you read the privacy policies of every website or service you visit, especially when you leave our site. If you have concerns about a site we linked to, feel free to inform us.

The same applies if you engage with Minex Group on social media. For instance, if you visit our official pages on LinkedIn or Facebook, or communicate with us via those platforms, your interactions are also subject to the privacy policies of those platforms. We will handle any personal data we receive from social media in line with this Policy, but the platform providers (e.g. Meta/Facebook, LinkedIn) have separate responsibilities and obligations to you as well. Be mindful of what personal data you choose to share on public forums or social pages.

 

Children’s Privacy

Our services and websites are designed for industrial B2B use and are not intended for children or anyone under the age of 16. We do not knowingly collect personal information from children under 16 years old (which is the age threshold for consent in Romania, per Law No. 190/2018) without verifiable parental consent. If you are under 16, please do not provide any personal data to us.

If we learn that we have inadvertently collected personal data from a child under 16 (for example, if a minor posed as an adult to submit an inquiry), we will promptly delete that information. Parents or guardians who believe we might have any information from or about a child under 16 may contact us to request deletion of the child’s data.

 

Policy Updates and Review

We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update the Policy, we will revise the "Last Modified" date at the top of this document. If changes are significant, we may also notify you through additional means (such as by posting a notice on our website or sending you an email notification, where appropriate).

We encourage you to periodically review this Policy to stay informed about how we are protecting your information. Past versions of our Privacy Policy can be obtained by contacting us.

This Policy is approved by the management of Minex Group International SRL and is reviewed at least annually for compliance with applicable data protection laws and guidance.

 

Contact Information for Data Protection Matters

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please do not hesitate to contact us:

  • Email: gdpr@minexgroup.eu
  • Postal Address: Minex Group International SRL, B-dul Metalurgiei nr. 85, cam. 4, Sector 4, 041832 Bucharest, Romania.

We will gladly assist you and aim to resolve any issue to your satisfaction. Your privacy is important to us, and we are committed to upholding the principles and procedures described above in all aspects of our operations.