Data Protection Policy


The Privacy Policy sets out how Asociația Cartier Creativ (referred by “we”, “our”) collects and protects any information that you give to Asociația Cartier Creativ while using our website. The current policy includes information regarding how we process your personal data and your rights regarding information we collect.

The policy determines the way personal date can be used, processed and collected; data that has been directly received from you.

We are committed to ensuring that the privacy of any user’s data visiting our website – – is protected according to the General Data Protection Regulation 2016/679 UE on data protection and privacy of all individuals and free movement of data (referred by “GDPR” or “Regulation”), implemented from 25th of May 2018.

Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured it will only be used in accordance with this privacy statement.

Asociația Cartier Creativ is a data Controller following the GDPR 2016/679/UE.

Terms and conditions enclosed in this section are applicable to collecting personal data of individuals, including company representatives, NPOs or other entities, following the filling of participation form (referred also by festival) to Creative Quarter Design Festival, of Creative Quarter’s newsletter or other existing forms on the website.

Legal framework

According to GDPR 2016/679/UE on data protaction and privacy of all individuals and free movement of data and the Directive 95/46/CE, implemented from 25th of May 2018, we have the obligation to ensure safety conditions and only for specified reasons of personal data we collect directly from you through

For more details regarding the normative act, please visit the following link:


According to the 4th article of GDPR:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;

‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, Controller, processor and persons who, under the direct authority of the Controller or processor, are authorized to process personal data;

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘representative’ means a natural or legal person established in the Union who, designated by the Controller or processor in writing pursuant to Article 27, represents the Controller or processor with regard to their respective obligations under this Regulation;

Means of controlling

Personal data collected through and personal data we have collected from you, third parties or public sources will be used in the specified purposes in this privacy policy. Depending on our current or future relationship, we can use your personal data with the following purposes, based on the 6th article of the Regulation. You can consult the 6th article on the following link:

We can use your personal data in when:

  1. There is a contractual obligation/in order to execute a contract, when data processing is imperious for fulfilling the declared purposes on the website;
  2. In case of our lawful interests;
  3. In case of fulfilling a public interest duty;
  4. Conforming with a lawful imperative.

Categories of collected data

Types of information we can collect:

  • name and surname;
  • address;
  • email address;
  • telephone number;
  • Internet protocol address (IP);
  • cookie identificatory;

Source of personal data:

The collected data processed by the collector are the ones you have given us directly and/or indirectly, necessary for fulfilling the stated purposes above.

Recipient or categories of recipients to whom personal data is disclosed:

The Controller can disclose your personal data to third parties when fulfilling lawful obligations. Your personal data can be disclosed to and by our trusted partners, assuring that processing will be made by respecting lawful applicable dispositions.

Storage period of personal data:

The Controller can store personal date for as long as the law provides or during the existence of the agreement signed by the individual. Particularly, the Controller can store data until the end of the event where you have agreed to participate as exhibitor/volunteer.

RIGHTS OF INDIVIDUALS – can be consulted on the following link:

  1. Right of access by the data subject (art. 15.)
  2. Right to rectification (art. 16)
  3. Right to erasure (“right to be forgotten”) (art. 17)
  4. Right to restriction of processing (art. 18)
  5. Right to data portability (art. 20)
  6. Right to object (art. 21)
  7. Right to lodge a complaint with a supervisory authority (art. 77)
  8. Right to an effective judicial remedy against supervisory authority or against a Controller or processor (art. 78 and 79)

Disclosing and transfer of personal data

Information we collect from you will be processed by the Economic European Space. Based on your agreement, some date (such as name and surname) will appear on if you are a participant of the competition.

We can also disclose your personal data:

  • if we are bound by law;
  • according to any judicial procedure in progress or potential;
  • to establish or defend legal rights (including disclosing information to other individuals in order to prevent fraud).

Third party websites

This website can contain hyperlinks or details about third party websites. We do not have any control on them and are not responsible for their privacy policies.

Security breach

Security breaches happen when the personal data suffers a security incident that leads to, illegally or accidentally, compromising the confidentiality, availability or integrity of personal data, such as, destruction, loss, modification or unauthorized disclosure of personal data.

Such incidents of security breach can happen because of a cybernetic attack, but also when devices are lost (telephone, laptop etc.) that store personal data or in the situation of a miss sent email to another recipient than the intended receiver.

Any individual that recognizes a security breach must contact the Controller, whom together with the IT responsible will analyze and decide on a course of action.

In the situation that might impose risks on rights and freedoms of individuals, the Controller must contact The National Supervisory Authority For Personal Data Processing in maximum 72 hours from the moment a security breach was made known for him.

Final dispositions

The current policy about personal data protection was comprised to inform you about the processing of your personal data and your rights, following the General Data Protection Regulation and the national legislation.

If any questions arise, please address them by sending a request at our address 104-104 Știrbei Vodă Street, floor 2, Bucharest – Asociația Cartier Creativ or on our email address / mobile number 0731 080 535.

Please contact us by the means presented above to update or correct your personal data.