ARMAD statute

   CONDUCT MANUAL FOR MAMIPULATING PERSONAL DATA IN DIRECT MARKETING


Explanatory memorandum

ARMAD is the association that represents direct marketing in Romania.

The association in constituted in conformity with the dispositions of OG 26/2000 by the founding members.

ARMAD exists and functions as Romanian legal person of private law, with a non-profit, non-governmental and apolitical character.

ARMAD is a non-patrimonial character association created with the purpose to protect the interest of physical and legal persons that have an active profession in direct marketing.

ARMAD’s purpose is to promote direct marketing in Romania, to defend its member’s interests nationally and internationally from authorities, economic and governmental organizations, and especially from personal data and telecommunications regulations companies

ARMAD represents directly or indirectly the direct marketing probationers, its goal being that of sketching a conduct manual for direct marketing operators that manipulate personal data. This essential tool is an interpretation of law no. 677/2001 that uses terms familiar to the direct marketing operators that include conduct standards.

The manual is designed primarily as a tool of correct practice and built as a reference to the applicable law structure. Direct ARMAD members will act upon the established standards of the ARMAD Conduct Manual, but it is their obligation to conform to existing national laws and regulations. This code does not intend to reduce or substitute the applicability of national laws and regulations.

ARMAD hopes and tries to induce this manner to other direct marketing operators, members or not, as a general conduct rule for the entire industry.

ARMAD recognizes that this Conduct Manual is only a first step in developing a better practice in data protection. In time this Manual will have to become more and more complex in order to reflect the operators growing expectations as well as Romania’s and EU’s major legislation changes.

The present Conduct Manual proposes to establish specific requests in the direct marketing area conform to the available legislation, as mentioned in the 677/2001 law, for personal protection regarding personal data manufacturing and the free circulation of these data, in accordance to law no. 676/2001 regarding personal data manufacturing and private life protection in the field of telecommunication, as well as through law no. 682/2001 regarding the Strasbourg Convention’s ratification for person protection from automatic personal data manipulation, adopted in Strasbourg on January 28 1981. The terms and definitions included by the present legislation prevails or completes the terms and definitions used in the Conduct Manual.

It is well to remember that the laws protecting personal data apply to data manipulation from any domain, with the exceptions mentioned by the law.

This manual must be seen in connection with other ARMAD conduct rules including European principles regarding the use of the telephone as a medium for business or electronic commerce.


Special Categories of Data

Any personal data that reveals any of the following information about a physical person are to be considered susceptible and their manipulation is forbidden with the exceptions stipulated in the law:

  • racial or ethnical origin
  • political believes
  • membership of a syndicate
  • religious or philosophical believes
  • physical or mental condition
  • sexual life
  • commitment of any breaking of the law, criminal convictions or safety measurements against the person, administrative or conventional measurements


Direct marketer
Any physical or legal person (including charitable foundations and political parties) who defines the goal and the ways of manipulating data, who transmit through any ways (post, phone, fax, on-line services, etc.) any advertising or promotional material which is directly addressed to a physical person.

Referred Person
A physical person whose personal data can be identified and are being under manipulation.

Operator representative regarding Personal Data Protection
A physical person appointed by an Operator to pursue the functions described in this code.

Personal Data Operator
Refers to any physical or legal person which defines (alone or together with other physical or legal persons) the purposes and the ways in which or must be done the manipulation of the personal data.

 
Note:

Personal Data Operator must not be confused with the owner of the Data Base.

For example, an organization can be the owner of the Data Base (because has the possession of material rights of using the data base) and in the same time Operator. The Operator and The Personal Data Empowered Person’s abilities are not always the same.

The Personal Data Empowered Person is not always and Operator.

The Personal Data Empowered Person
Any physical or legal person, other than an employee of the Operator, which manipulates personal data exclusively under the instructions, responsibility and in the name of the Operator.

Third Parties
Any physical or legal person which is not the Referred Person, not the Personal Data Operator, nor the Personal Data Empowered Person, nor agent or employee of the Operator or of the Personal Data Empowered Person, which under the direct authority of the operator or of the Empowered Person, are authorized to manipulate data.

Note:

A Personal Data Operator can appoint company A as his Personal Data Empowered Person. His Personal Data Empowered Person can manipulate personal data only by following the Operator instructions. If the Operator decides to sell a specific list to the company B, this becomes a third party.


Manipulation
Defines any operation or set of operations which are carried out on personal data by automatic or non- automatic means, like: collecting, registration, organization, storage, modification, usage, sharing with the third parties, combination, blocking, deleting or destroying and any other means specified by the law.

This terminology is applied only to direct marketing activities manipulations. Direct Marketing operators must check if there are done any other types of manipulation which must comply with the rule of data protection.

Data Sharing
Means transmitting, revealing, making available in any way personal data, except from the operator.

Children
Any physical person under 18 years.

Child’s Parent
The parent, the legal tutor in the sense o the present Conduct Manual.

Member – Get - Member Company
A company through which a Referred Person is determined to offer the personal data to another referred person, usually a person with similar characteristics.

Robinson List (the List of Preferred Services or MPS, or opposing list)
The list containing the name of the physical or legal persons which do not want their personal data to be manipulated in a direct marketing purpose.

Broker
The intermediate, the physical or legal person, of a operation related to data bases.

Trap Address
The address introduced in a data base of addresses with the purpose to control the usage of that data base.

Combined Mailing
A mailing in which the operator introduces a new promotional material from a third party.


PRINCIPLES OF PERSONAL DATA MANUFATURING IN DIRECT MARKETING

1. Obtaining the personal data

1.1 Direct collection of data from the referred persons


During the collection of information, the operator must assure that this is made correctly and that the right to information of the referred person is respected, as specified in this manual.

General principles for a correct manufacturing:


    * Essential information

The direct marketing operator must assure that all referred persons are informed about:


        - operator’s identity(e.g. name and address)

        - the purpose/purposes of manipulation (e.g. promotional, transactional, etc)

These essential information must be specified at the collection moment besides the situation in which these are clearly expressed in the context (for example, containing information about the identity and purpose of the operator, when the company name is clearly specified in the promotion) or if the referred person already has these information (for example, when the subject has an agreement with the operator)

    * Information about the right to access, correct or oppose the manipulation of personal data.

Direct marketing operator must assure that the referred person is informed about:

        - the right to access and correct the mistakes related to his personal data
        - the right to refuse data usage in direct marketing purposes
        - the right to refuse the personal data manipulation

Conditions for rights exercising:
Any referred person has the right to get form the operator, on request, and free of charge for not more than once per year, the confirmation of the fact that his data are not manipulated by him.

Specific situations  

    * Information about the operator usage of the personal data for direct marketing purposes

In case of the intention to use personal data for direct marketing activities, the operator must assure that the referred person knows about the essential information and about the right to refuse data manipulation (opt-out).

The operator must offer information at the moment of data collection by any necessary effort. In the case in which this is difficult or impossible (e.g. small advertising or marketing space), the information must be given as soon as data collection ends, for example, when the referred person receives the first written document ( invoices, receipts, etc.) or on any support material.

    * Information in the case of data revealing

When third parties data sharing is intended, aside the essential information, the operator must make sure that the referred person is informed on:
        - any personal data recipient or types of recipients and the purpose for which the personal data will be revealed

        - their right to oppose revealing personal data in direct marketing purposes

This information must be offered at the moment of data collection by any necessary means, but in the case in which this is difficult or impossible (e.g. small advertising or marketing space), this information must be given before any type of communication of third parties may take place or as late as the moment of this revealing.

This information can not be delivered if it has been announced via a specific media (e.g.: specific collective communication, accessible enough and pointed towards referred persons)

    * Information in the case of questionnaire or any others forms usage

On top of the essential information, the operator must assure that the referred persons are informed that the answers to the questions are mandatory or optional and of the eventual consequences in case of lack of an answer (e.g. in the case in which the referred person will not receive an award by not filling in data in a questionnaire). Moreover, the operator must assure that only the necessary questions will be answered.
In the case of questionnaire usage, this information must be given at the moment of data collection.

 
1.2 Collection from other sources, other than from the referred person

1.2.1 When personal data are not collected directly from the referred persons a series of actions must be taken so that the referred persons to still receive the information as in the case of a direct agreement with the operator (e.g., data obtained by list lending, data collecting from questionnaires or member-get-member campaigns).

1.2.2 The operator must deliver the essential information as specified at art 1.1
         - at the moment of data registration(manipulation)

         - before the first revealing to a third party, except for the case when the referred person is

           already informed

1.2.3 In the case of personal data manufacturing being initially collected by respecting the data protection rules, as a derogation from the principles specified in art. 1.2.1, the information request mentioned above is not mandatory in certain exceptional circumstances that involve a disproportioned effort. For example, when personal data are obtained from a third party and they will be used after a short time, this would be considered as an disproportioned effort to inform the referred person, it can be waited until the first contact with the referred person.

1.2.4. These factors must always be correlated with the consequences that may appear after such derogation. Examples of circumstances when such derogation may be applied:
          - for personal data kept for the purpose of blocking or checking of addresses
          - for personal data blocked by applying a Robinson List or a List of Preferred Services
          - when the operator uses personal data for eliminating personal data from the list, on

            unmatched profile grounds.

1.2.5 Operators that have established determined factors in applying a derogation, must make sure that there is a written document through which the motives of this decision can be justified, the type of information that the Operator should have given, and he motives for which the referred persons will not be prejudiced when applying the derogation.

1.3 Special data collection

Due to the importance of these data, there are necessary some special measurements for their manipulation. Personal data manipulation regarding racial or ethnical origin, political believes, membership of a syndicate, religious or philosophical believes, physical or mental condition, sexual life is forbidden.

For the manipulation of these data the Operator must specifically request the agreement of the referred person for further collection and manipulation of these data.

The specific agreement refers to that offered willing and expressed in a very clear manner. The specific agreement must not be necessarily given in writing, but this type of agreement if often used in practice because it can be used as proof.

There are situations when this agreement is not necessary:
         - when the manipulation refers to personal data made public in a manifest way, by a referred

           person (e.g. in case of an information obtained from a public source, from a list in which

           referred person had the chance to refuse its inclusion in the list)

         - personal data are manipulated by a non-profit organization to which the referred person

           belongs (political, religious, syndicate), in that case manipulation must be done in a

           non-profit purpose, and must not be shared with a third party without consent. An example

           of this kind of activities can be a church or a religious association which sends or uses an

           intermediary person to send a letter to its members to announce them of the publication of

           a new religious bulletin, to which members can subscribe through a found raising letter for

           help or assistance in certain situations.

Under no circumstances companies should use special data in a way that would prejudice the fundamental rights of referred person.

When the collected personal data regarding direct marketing activities are manipulated later for statistic analysis, this must be done anonymously or transformed in a way that doesn’t allow the identification of the referred persons, except for the case when the operator didn’t obtain the specific agreement.

1.4. Different purposes

1.4.1. If it is intended to manipulate personal data in other purposes than the ones the data were initially collected, the operator must check if the new purpose is compatible with the initially declared purpose for which the data were filled in. In case of incompatibility, manipulation is allowed only if it doesn’t contradict with the personal data protection law.

1.4.2. When establishing compatibility of the new purpose, the operator must consider the following criteria: if the new purposes are considerably different from the initial purpose, if the referred persons could reasonably foresee this new purpose or if it’s possible for the persons to oppose in case they knew the new purpose. The Operator must always consider the legal advice of the Supervising Authority.

1.5. Host Mailings

The Operator of a Host Mailing must be clearly identifiable.
A Host Mailing is when the operator includes in its own mailing material coming from a third party.
Selection criteria that affects the referred person – for example the use of special data about a sale habit as they are mentioned at 1.3 (past acquisition of a pharmaceutical product) – must not be used.

1.6. Specific notes concerning children

1.6.1. When collecting personal data from children, the operator must make sure that all efforts are made that the child or tutor is correctly informed on the purpose of personal data manipulation.
In the case of promotional material directly used on children or of data collecting with this purpose, the information must be visible, easy to read and understood by the children.

1.6.2. In all cases requiring express consent, the operator must obtain the consent of the parent. The form and method of obtaining consent must always respect the existing legislation and the present Conduct Manual.

1.6.3. The Operator must give the parent the same rights on personal data of the child as those registered at 2.5 of this Manual. The Operator must take reasonable measurements in checking that the person exercising these rights is the child’s parent.

1.6.4. The Operator must not condition the child’s involvement in games, award receiving or any type of promotional activity that will obtain more personal data than the ones necessary to attend.


2. The Operator’s Responsibilities

2.1. Principles of Personal Data Protection

2.1.1. The Operator must respect the following principles:
          Personal data

          -  to be manipulated in good will
          -  to be manipulated respecting the laws and contents of this Manual
          -  to be collected for legitimate, explicit purposes
          -  there should not be prior manipulations incompatible with this Manual
          -  to be adequate, relevant and excesive in comparison to the purposes for which they are

             being collected
          -  to be precise and updated by modifications made by the referred persons or available

             public data
          -  to be kept in a form that allows identification of the referred persons while achieving the

             purposes


2.1.2. Operators should have an agreement with the personal data Empowered Persons through which they respect these principles and act only at the Operator’s Instructions. The responsibility for correctly manipulating data belongs to the Operator and cannot be transferred to the Empowered Person.

2.2. Notification of the Supervising Authority

Operators must assure that the manipulating operations are notified in conformity with the applicable law.

2.3. Security Measures

2.3.1. Operators must use specific measures for preventing accidental loss or damage, alteration or unauthorized access to personal data files. For a bigger safety, operators are advised to use trap addresses.  A written agreement between the data broker and the list user is advisable in order to assure that the list is used respecting adequate security measures.

2.3.2. Security measures include, amongst others, the security of the buildings in which personal data are kept and/or manipulated (including building access), keeping a list with persons that have access to data (mentioning their responsibility), adequate identification tools (control passwords, for example) and assuring data transfer security between the operator and the Empowered Person.


2.4. Personal Data Coordinator

2.4.1. Operators must appoint a coordinator that acts as a contact person for personal data protection.

2.4.2. The coordinator’s responsibilities must include at least:
            - personal or team monitoring of the operator’s respect towards the security measures for

              protecting personal data as required by the present legislation, by the Supervising

              Authority or by the present Conduct Manual.
            - providing the information requested by the Supervising Authority.

2.5. Transmitting Personal Data Lists

2.5.1. Operators that transmit lists to other organizations must follow a series of reasonable steps to investigate the intentions of use of these lists (for example to request a copy of the mailing). Operators must make sure that the mailing material is not illegal, it is ethical, doesn’t destroy Direct Marketing’s image I general and does not contain unacceptable materials.

2.5.2 Operators must also assure through an agreement that the users of these lists will respect the content of the present Conduct Manual. This agreement will include conditions through which referred persons’ rights will be respected.

2.5.3 In case of transmitting lists containing personal data to other operators, especially in direct marketing operations, the referred persons will be informed about this transfer by adding mentions on products or services offers.   


3. Solving referred person’s requests

3.1 Access to personal data

3.1.1 Any referred person has the right get from the operator on request and free of charge, for not more than a request per year: confirmation that data regarding referred person are manipulated or not, category of data, and the data recipients or category of data recipients.

3.1.2 The Operator that receives request in writing or in any other way from referred persons that wish to see their personal data, must:

  • Indicate any special information needed by referred person to make sure that this is has the access right and for identifying his personal data (e.g. mailing campaigns)
  • to provide personal data in a eligible way and to add any necessary information, for example a list of codes used by the operator.
  • To inform about any reasonable fee he intends to introduce for providing the data, for the other requests per year except for the free one
  • To inform about the mechanism of any automatic decision based on personal data of the referred person with the purpose of an evaluation that can affect, for example, the credibility of a referred person.

3.2 Intervention right

Any referred person has the right to obtain om request and free of charge the checking of the exact and complete character of their personal data, as well as asking the rectification of inexact or incomplete data, blocking or deleting of any data that is not conform with law 677/2001.

ARMAD members will keep an evidence of complaints regarding the exact or complete character of the data, that have not been solved, and in the case that these data have been transferred to other operators or have been shown to third parties, rectified data will be communicated or regarding those with unsolved complaints. Data base actualization will be done by means of information communicated from the referred persons.


3.3. The right of opposition

The referred person has the right to oppose in any moment, from well established and legitimate reasons regarding his particular situation, that his/hers data make the object of any manipulation, excepting the case in which there are contrary legal dispositions. In case of justified opposition the manipulation can no longer be carried out on that data. If this right is carried out on manipulating personal data, for direct marketing operations, it will be sustained by formulating a request or by including in the opposing persons list of the persons that want to retreat their data, at the moment of the implementation of these lists by ARMAD. The person will be announced of the forming of the lists, as well as the possibility of being included in such a list.


3.4. Data Source

When the Operator receives requests from referred persons regarding the source of the data, it can communicate the source to the solicitor, within legal boundaries, and when this source can be identified through reasonable efforts. If personal data is the result of a multi-source character, the operator is encouraged to keep an evidence of these sources.


3.5. Time intervals for finding solutions to the referred persons’ requests

3.5.1. The Operator must provide the requested information in a short period of time that must not overpass the admitted period conform to the 677/ 2001 law, meaning 15 days.


4. The Preferred Services System

4.1. Internal Blocking

4.1.1. The Operator must assure the functioning, in the own data base, of a system that blocks data from persons that do not want to participate in direct marketing campaigns (name blocking, telephone numbers blocking, e-mail address blocking, etc.).

4.1.2. If the Operator receives a request to not contact a certain person, he must block that persons data, in the shortest period of time, no longer than 15 days.

4.1.3. If a person requests that it’s not be used, the operator must explain that this thing can not be applied to materials that have already been published before receiving the request. The Operator must take reasonable measures so that the solicitor will not receive in the future direct marketing materials, as soon as possible.

4.2. The Preferred Services System (Robinson List or MPS), Known as the Opposing List

4.2.1. The Operator must obey to the preferred service system from the moment that ARMAD adopts it, and when it uses data from other countries to use the preferred system list accordingly to the Global Convention of Preferred Services.

4.2.2. The requests for blocking data is kept in the preferred services system as long as it is mentioned in the regulations of the preferred services system.

The owner or manager of the preferred services system must inform the solicitor about the period of time available that includes the blocking request, and the information is carried out usually on the occasion of the solicitation.

 


5. Data Transfer to Countries outside the EU

In the case of data transfer to countries outside the EU, that have an adequate level of data protection, the Operator must adopt the security measures necessary by signing an agreement conform with the regulations of the 677/2001 law, rule no. 6/2003 and to obtain an authorization form the Supervising Authority.


6. Monitoring

6.1. ARMAD’s Responsibility


ARMAD is responsible for strictly applying the principles included in the Conduct Manual.

6.2. Solutions to complaints

  • ARMAD must name a person responsible with solving complaints and that will act as a contact person for ARMAD. The name of this person must be communicated to the Supervising Authority.
  • If ARMAD is incapable of solving a complaint because of aspects containing extreme elements, it must inform FEDMA which will name someone to solve the complaint.
  • ARMAD must work as much as possible with the Supervising Authority.


6.3. Sanctions for principle braking

ARMAD may act upon any member or non-member in defending professional ethics. The sanction measures decided include excluding from ARMAD, informing the National Supervising Authority or justice actions, without being limited to the above.


6.4. Protection Data Committee

The Committee is established by ARMAD to monitor the application of ARMAD’s Conduct Manual. The Committee reports the results to ARMAD’s Board of Council. It is composed from people established by the Board of Council. Until the express nomination of the Personal Data Protection Committee, its attributions belong to the Board of Council.

These attributions include:

  • annual revision of the Conduct Manual (if necessary)
  • elaborating reports regarding the functioning of national and international activities.
  • solving complaints and reclamations
  • establishing a set of procedural regulations.