nebkas.ro is provided by NEBKAS S.R.L., who is the owner and the manager of nebkas.ro (“Site”). NEBKAS S.R.L. is a limited liability company, incorporated and functioning according to Romanian laws, having its registered office in Romania, Bucharest, 3rd District, 10 Lt. Nicolae Pascu Street, block 5, 6th entrance, 1st floor, ap. 151, registered with the Bucharest Trade Registry under no. J40/8047/2021, Sole Identification Code 44223314, e-mail address email@example.com, represented by Marcel Meinardus – Director (“Company” or “we”/“us”/”our” or “Controller“).
We offer validation and staking services within Crypto.org Chain blockchain, a public, open-source and permissionless blockchain which is a fully decentralized network (“Service” or “nebkas” or “Validator”), as provided within the Terms of Service. Crypto.org Chain operates its native asset CRO. CRO can be staked by validators to help secure the network, paid as rewards for participating in consensus on the chain, and used for CRO transactions. For further details on Crypto.org Chain please visit https://crypto.org/ .
For the avoidance of any doubt, considering the particularities of Blockchain (as defined below) as being of a decentralized, public and permissionless nature, the identity of other data controllers depends on the perspective that is adopted. At a micro-level – which is of greater relevance than the macro-level where the purpose of processing is to provide the related service (such as the CRO transaction), and the means are the software used by nodes and validators – the purpose of processing is to record a transaction onto the blockchain, whilst the means relate to the choice of the blockchain platform.
- Validator runs the PoS protocol, can add data to the Blockchain and store a copy of the Blockchain on its computer via nebkas explorer: https://explorer.nebkas.ro/ . Since nebkas does not determine the purposes of a specific transaction, nebkas is not a data controller in relation to each specific transaction to be validated by the Validator. In light of the aforementioned, in connection to Transactional Personal Data, you, as the natural person or legal entity who initiate a transaction, are the controller of such data. For instance, you initiate a CRO transaction, and you are the controller of the personal data of the party you are buying CRO from or selling it to. You determine the purposes of processing (buying or selling CRO) as well as the means (choosing to rely on the Blockchain). Moreover, in case of smart contracts, if the provider develops unique solutions for using personal data in the smart contract, it can be a joint data controller, together with the parties to the contract.
- Regarding personal data relating to others, Blockchain Users may be both data controllers, for the personal data that they upload to the Blockchain, and data processors, by virtue of storing a full copy of the Blockchain on their own computer.
- Regarding the personal data relating to Users themselves, nebkas is a controller in relation to Personal Data as detailed at section 4 herein.
- Nodes, construed as the computers that store a full or partial copy of the Blockchain and participate in the validation of new blocks. Once a validator validates a transaction, it broadcasts its hash to other nodes, which subsequently verify whether the hash is valid (i.e. whether it meets the specifications of the PoS protocol) and where this is the case, they add the new block to their own local copy of the Blockchain. Since each node that initiates a transaction (and thus distributes information to all other nodes) or that saves a transaction in its own copy of the database is a controller, considering that in doing so, the node pursues its own purpose: participation in the network. In doing so, the node registers, orders and stores data and can freely use the data that is registered on its own node.
nebkas is a controller in relation to the subsequent verification of the validity of the hash, jointly with other nodes.
In certain circumstances we process Personal Data jointly with our Joint Controllers, as applicable (as defined below). In accordance with Article 26 of the GDPR, Joint Controllers are Blockchain nodes – as applicable, we jointly process Personal Data with other Blockchain nodes, as detailed herein below.
We have also agreed with our Joint Controllers the following: (i) that nebkas is responsible for providing Data Subjects with the information on joint Processing of Personal Data, as mentioned herein below; (ii) after the joint Processing, Blockchain nodes are responsible for the exercise of your rights under Articles 15-20 of the GDPR also provided herein below.
Our Site may include links to third-party websites (“Third-Party Sites“). Clicking on those links may allow third parties to collect or share data about you. We do not control these Third-Party Sites and are not responsible for their privacy policies. When you leave our Site, we encourage you to read the privacy policies or notices of every Third-Party Site you visit or use.
- DEFINITION OF TERMS
“Service” means our validation and staking services within Crypto.org Chain blockchain, a public, open-source and permissionless blockchain which is a fully decentralized network;
“PoS” means the Proof-of-Stake consensus mechanism or algorithm, which requires network participants to stake the network’s native asset, i.e. CRO, to achieve distributed consensus;
“Blockchain Users” means natural persons or legal entities who sign and submit transactions to Blockchain;
“Delegators” refer to CRO owners, i.e. token holders, who delegate their CRO/tokens/validation rights to Validator;
“User” means any of the Blockchain Users and Delegators;
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
“Public Key” represents the blockchain public key, which consists in a string of letters and numbers representing the User, such as an account number that is shared with others to enable transactions. Public Key data is Personal Data.
“Transactional Personal Data” means the data which is contained in a given transaction, such as a name or address, or someone else’s public key, and uploaded to the Blockchain. Transactional Personal Data may be Personal Data.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Joint Controllers” means controllers who jointly determine the purposes and means of Processing;
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
“Sub-processor” means the processor engaged by the Processor for carrying out specific Processing activities on behalf of the Controller;
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“Third Party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“Third Country” means any country located outside of the European Economic Area.
- PRINCIPLES OF PERSONAL DATA PROCESSING
To the maximum extent permitted by the Blockchain, nebkas processes Personal Data in accordance with legal principles, as follows:
- Personal Data shall be processed in a lawful and transparent manner, guaranteeing loyalty to the persons whose Personal Data are processed (“lawfulness, loyalty and transparency”);
- there shall be specific purposes for Processing the data and the Controller shall indicate these purposes to the Data Subjects when collecting their Personal Data (“purpose limitation”);
- the Company can only collect and process Personal Data that is necessary to achieve these purposes (“data minimization”);
- the Company shall ensure that Personal Data are accurate and kept up to date with regard to the purposes for which they are processed, and correct them where necessary (“accuracy”);
- the Company can no longer use Personal Data for other purposes which are not compatible with the purpose for which they were initially collected;
- the Company shall ensure that Personal Data is not kept longer than necessary to achieve the purposes for which they were collected (“limitation of conservation”);
- the Company shall put in place technical measures and appropriate organizational structures that ensure the security of Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (“integrity and confidentiality”).
- PERSONAL DATA THAT WE PROCESS, PURPOSES AND LEGAL BASIS
|CONTEXT||TYPE OF PERSONAL DATA||PURPOSE||LEGAL BASIS|
|When you stake/ delegate with nebkas or when you submit a transaction for validation purposes within Blockchain|
Carrying out the related staking activities towards our Delegators, such as performing delegation, distributing staking rewards.
Validating the transaction and subsequent processing on the Blockchain.
In light of the append-only nature of the Blockchain, such data will always continue to be processed once it is on the Blockchain, even after the respective transaction has been successfully completed in the sense that it remains stored on the Blockchain, and continues to be processed pursuant to the modalities of the PoS.
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – Article 6 (1) (b) of the GDPR.
You are not obliged to provide these data, but if you decide not to do so, we will not be able to solve your requests.
For the avoidance of any doubt, your consent to the conclusion of the Terms of Service with us is different from the consent given for Personal Data Processing, where applicable.
|When you contact us via our contact form on the Site, our Twitter, Telegram, Discord profile, or e-mail||In order to communicate with you and solving your requests|
Our legitimate interest – Article 6 (1) (f) of the GDPR.
Legitimate interest of nebkas in processing these data arises from the interest in solving your requests and thus in ensuring and increasing customer satisfaction.
You are not obliged to provide these data, but if you do not provide these data nebkas will not be able to solve your requests.
|Processing is required for compliance with applicable laws||If required by the applicable law, we may process Personal Data which is required for compliance with the respective legal obligation, such as first name, last name, ID card details, e-mail address.||To comply with our legal obligations, for example for information archiving, reporting towards public authorities/ institutions, compliance with laws on prevention of anti-money laundering (AML) and know-your-customer (KYC) requirements.|
Processing is necessary for compliance with a legal obligation to which the Controller is subject – Article 6 (1) (c) of the GDPR.
If required by relevant applicable law, you must provide us with your Personal Data. Not providing Personal Data for this purpose may entail certain legal consequences, as provided by relevant legal provisions.
|For fraud prevention and security related reasons||In order to be able to prevent frauds and security issues|
Our legitimate interest – Article 6 (1) (f) of the GDPR.
Legitimate interest of nebkas in processing these data arises from the interest in maintaining the Service secure for our Users.
|When you browse our Site (information collected through cookies or similar technologies)||Please read our Cookies Policy.||Please read our Cookies Policy.|
Your consent – Article 6 (1) (a) of the GDPR.
Depending on the types of cookies, your consent may or may not be required – please carefully read the Cookies Policy.
You may express your consent by ticking the boxes on the Site for each type of cookie and data as you will be informed upon and only the cookies you expressed your consent for will be placed on your computer/ device.
nebkas ensures that you are well informed at all times, thus at intervals of 6 months we will again request your consent.
nebkas will take appropriate security measures and safeguards for your rights and freedoms, as provided by the GDPR, including pseudonymisation.
nebkas will not process Personal Data for automated individual decision-making, direct marketing and advertising profiling without your express prior consent for such purposes.
nebkas shall not process Special Categories of Personal Data.
Our Services are not intended for minors below the age of 18 years and we do not knowingly collect Personal Data relating to minors.
- TO WHOM IS YOUR PERSONAL DATA DISCLOSED
nebkas is committed to ensure confidentiality of Personal Data at all times. Nevertheless, there are circumstances when we will disclose Personal Data, as applicable, to certain Recipients as follows:
Within the European Economic Area:
- if we have legal obligations in this respect – for instance, we can disclose Personal Data to National Agency for Tax Administration and other authorities/ institutions requiring them;
- for the purpose of exercising or defending our legitimate rights and interests – for example, to enforce the Terms of Service (for instance, to lawyers etc.);
- you have given your consent for this purpose, as applicable;
- for the purpose of providing you our Service, your Personal Data will be transferred to the hosting service providers (located on the European Union territory), which are Hetzner Online GmbH and Hosterion SRL, and they have the capacity of Processors with respect to your Personal Data.
Outside the European Economic Area/ Third Countries:
As applicable, when nebkas, our Joint Controllers, Processors and Sub-processors engage in such transfers, a variety of legal mechanisms are used, including adequacy decisions approved by the European Commission, standard data protection clauses adopted or approved by the European Commission, binding corporate rules, certification mechanisms.
For further information on the European Commission’s adequacy decisions, please visit the following page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en .
Transfers to countries for which an adequacy decision was adopted will be assimilated to intra-EU transmissions of data, and your Personal Data will be protected in the context of such transfers, without any further safeguard being necessary.
In the context of the Blockchain, which is a public, open-source and permissionless blockchain where anyone may access the network without the need for prior authorization by a central gatekeeper, nebkas may transfer your Personal Data outside the European Economic Area/ Third Countries, in order to provide its Service, as part of the PoS protocol. For further details on the Blockchain’s mechanism, please visit https://help.crypto.com/en/articles/5015391-all-about-crypto-org-chain-cro-staking-on-defi-earn .
Notwithstanding the above, nebkas will exceptionally transfer Personal Data to Third Countries in the following circumstances:
- If required to do so by law, comply with legal process or to comply with a governmental or regulatory request, subject to requirements provided under Article 49 (1) d) of the GDPR;
- To protect and defend the rights or property of nebkas, as part of a transaction where they merge with another organization, files for bankruptcy, or sells its assets or capital stock, where the transfer is necessary for the establishment, exercise or defense of the legal claim in question, under Article 49 (1) e) of the GDPR.
- THE PERIOD FOR WHICH PERSONAL DATA WILL BE PROCESSED AND STORED AND THE CONDITIONS THEREOF
In light of the Blockchain particularities, i.e. the append-only nature of the Blockchain, Personal Data will always continue to be processed once it is on the Blockchain, even after the respective transaction has been successfully completed in the sense that it remains stored on the Blockchain, and continues to be processed pursuant to the modalities of the PoS.
Notwithstanding the above-mentioned provisions and where applicable, nebkas will process your Personal Data for as long as is necessary to fulfil the Processing purposes, as follows:
- in case of performance of a contract with you or arrangements for the conclusion of such a contract – the duration of processing and storage is that required by law for the respective contract. After the termination of the contract, there may be legal obligations for nebkas to maintain records, in which case your Personal Data will be stored for the period provided by law, which will vary, and can be between 1 day and 10 years – under the legal basis provided at Article 6 (1) (c) of the GDPR;
- based on your consent – Personal Data are retained until the consent is withdrawn, unless there are legitimate reasons justifying further processing by nebkas (including a legal obligation in this respect) and prevailing over your interests, rights and freedoms or if this is necessary in order to establish, exercise or defend a right in court, but not later than 3 years from the date when such right could have been exercised;
- based on the requirement to fulfil our legal obligations – Personal Data are processed and stored during the existence of that legal obligation. Depending on the particular situation, this period will vary, and can be between 1 day and 10 years;
- under the legitimate interest of nebkas – during the existence of the legitimate interest, but not more than 3 years from the date when such legitimate interest could have been exercised.
- YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM
In relation to your Personal Data Processing, you have the following rights:
- The right to access – You can request information related to the Personal Data that we process;
- The right to rectification – You can request the rectification of the data if the information is inaccurate;
- The right to the erasure of the data (“right to be forgotten”) – You can request the erasure of the data, in certain conditions (specified in the GDPR), namely:
- if personal data are no longer necessary for the purposes for which they were collected or processed;
- if you withdraw your consent and there is no other legal ground for the processing;
- if you object to the processing and there are no legitimate reasons to prevail;
- if the personal data have been unlawfully processed;
- if personal data must be deleted in order to comply with a legal obligation.
- The right to the restriction of the processing – You can request the restriction of your Personal Data Processing, when one of the following applies:
- the accuracy of the Personal Data is contested by you, for a period enabling us to verify the accuracy of the Personal Data;
- the processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of their use instead;
- we no longer need the Personal Data for the purposes of the processing, but these are required by you for the establishment, exercise or defence of legal claims;
- you have objected to processing pending the verification whether our legitimate grounds override yours.
- The right to oppose – You can oppose to the Processing, in certain conditions (specified in GDPR), namely and where applicable, when we process Personal Data based on our legitimate interest or for direct marketing purposes, including profiling, to the extent that it is related to such direct marketing.
- The right to the portability of your Personal Data – You can request a copy of your data in a structured, commonly used and easy-to-read format, and you can receive it in an electronic format, respectively the right for these data to be transmitted by us to another data controller, insofar as the conditions provided by law are met.
The data to which the right to portability applies are either those obtained by your consent or by a contract with us.
- The right to oppose to an automatic individual decisional process, including profiles creation – as applicable and in other cases than based on your consent, you can oppose to any automatic individual decisional process including profiles creation.
- The right to withdraw consent – Where applicable, namely where Personal Data Processing is based on the legal basis of consent provided at Article 6 (1) (a) of the GDPR, you have the right to withdraw consent at any time, as easy as you originally gave it, without prejudice to the lawfulness of the processing carried out on the basis of the consent before its withdrawal.
- The right to file a complaint with the supervisory authority – You can file a complaint with the National Supervisory Authority for the Processing of Personal Data – https://www.dataprotection.ro.
The above rights may be exercised by submitting a request in this respect, and we are also available for any questions related to the protection of your Personal Data to the following e-mail address: firstname.lastname@example.org.
The answer to your request will be communicated in accordance with the GDPR provisions, in not more than 1 (one) month as of the receipt of the request. This period of 1 (one) month can be prolonged with 2 (two) months if the complexity of the request and/or if the number of requests are imposing it.
Updated on: 16.08.2021