applicable to Personal Data Processing by Nexia

  1. Introduction
  2. Who we are?
  3. How can you contact us?
  4. What personal data do we process, when and for what purposes?
  5. On what grounds do we process personal data?
  6. To whom do we disclose or transfer personal data?
  7. Where and for how long do we store personal data?
  8. What are your rights as data subject?
  9. How can you exercise your rights?
  10. Cookies Policy
  11. Ensuring personal data security
  12. Final provisions


1. Introduction

Nexia is committed to protecting your personal information and processing it fairly and transparently in accordance with the provisions of EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR/the Regulation”).

Above all, we are faithful to the following key data processing principles:

  • Lawfulness, fairness and transparency –  we process personal data on legal grounds, fairly and in a transparent manner;
  • Purpose limitation –  we collect personal data for specified, explicit and legitimate purposes;
  • Data minimization – we only collect and keep personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • Accuracy – we ensure that the personal data we keep is accurate, kept up to date or otherwise erased or rectified;
  • Storage limitation – we ensure that personal data is stored only for the period of time that is strictly necessary for the fulfilment of our purposes or is otherwise erased or anonymized;
  • Integrity and confidentiality – we ensure appropriate security by implementing organizational measures and adequate technical solutions which are harmoniously combined as to guard personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage;
  • Accountability – we recognize our responsibility for ensuring the lawful processing of personal data.

Your personal information belongs to you and we respect this. It is your right to be fully informed about the processing operations we perform with the personal data you provide us or we collect about you. In order to make available to you all this information in a way that is as accessible and concise as possible, we have drafted this privacy policy (“Privacy Policy”) applicable to online personal data processing operations.

Thus, this Privacy Policy gives you detailed information on the personal data we process, how we collect it, the purposes for which we use personal data, and how we keep it safe. This Privacy Policy also describes what your rights as data subject are, so please review it alongside the Terms and Conditions section.

To facilitate you understanding of this Privacy Policy, please find below definitions and explanations of the specific notions used:

Notion Definition/Explanation
Personal data any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject an identified or identifiable natural person whose personal data is processed.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Consent Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Online identifiers internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags provided by data subject devices, applications, tools and protocols. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them.


2. Who we are?

Describing Nexia International
Nexia CRG is a member of the “Nexia International” network (Nexia).

Nexia is a leading, global network of independent accounting and consulting firms.

When you choose a Nexia firm, you get a more responsive, more personal, partner-led service, across the world. Nexia is a highly active network that drives quality and facilitates collaboration to enable its member firms to provide effective local and global solutions. Nexia member firms deliver a partner-led service to clients which ensures continuity, expertise and a deep understanding of the client’s business. They are characterized by people who have an entrepreneurial spirit and who can relate closely to the SME and owner-managed businesses

Nexia firms are focused on supporting local businesses as they grow and through the Nexia network, they can also help their clients confidently venture into new international markets.

Nexia International Limited, a company registered in the Isle of Man which operates the Nexia International network, does not deliver services in its own name or otherwise. Nexia International Limited and the member firms of the Nexia International network (including those members which trade under a name which includes the word NEXIA) are not part of a worldwide partnership. Nexia International Limited does not accept any responsibility for the commission of any act, or omission to act by, or the liabilities of, any of its members. Each member firm within the Nexia International network is a separate legal entity.

References to Nexia or Nexia International are to Nexia International Limited or to the “Nexia International” network of firms, as the context may dictate.

For more information, visit

3. How can you contact us?

In order to ask us questions about this Privacy Policy or to submit us request for the exercise of your rights as data subject, please write to us or call us using the following contact details

E-mail address
Headquarters address 26 Biharia Street | 1st District | 013981 Bucharest| Romania
Phone number + 40 (721) 202 949
Facsimile + 40 (31) 405 10 18
Contact person Mr. Cezar Daminescu, appointed data protection officer/manager


4. What personal data do we process, when and for what purposes?

4.1. Personal data processed when you visit our website

When visiting our website, your browser could automatically send us information about:

  1. IP address of your device,
  2. Date and time of access,
  3. used browser,
  4. the operating system of your device,
  5. information in relation to your Internet service provider,
  6. status and amount of data transferred during the visit of our websites.

We process the mentioned data for the following purposes:

  1. to ensure a smooth connection to our website and proper use of our website,
  2. for evaluating system security and stability,
  3. for further administrative purposes.

The grounds of processing such data are the performance of the contract for providing you our website and our legitimate interest to ensure that our website functions adequately.

Also, when visiting our website, we install cookies and other tracking technologies on your device and use analysis services. For further details, please refer to section 10 hereto representing our Cookie Policy.

4.2. Personal data processed when subscribing to Nexia newsletter

If you have expressly consented, your e-mail address, first name and last name will be used to send you our newsletter on a regular basis. Once your data is recorded in our databases, the newsletter is automatically sent, without the intervention of a human operator.

In addition to this data, we will also be able to process the following data: (upon opening our newsletter) the IP address of your device, the used browser and your location, via the Mail Chimp web signposts integrated in our newsletter.

Your data will be processed exclusively for sending and personalization of the newsletter, as well as for assessing the degree of access to our newsletter.

Such data will only be disclosed to our partner, Mail Chimp (The Rocket Science Group LLC), a limited liability company from the United States (Georgia), which helps us in sending our newsletter to you and provides us with reports on the degree of access to the newsletter. Your data will also be stored on the Mail Chimp servers in the United States. Data processing performed by Mail Chimp complies with the requirements of the EU-U.S. Privacy Shield principles (Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield).

In case you change your mind and wish to withdraw your consent, you can unsubscribe via a link at the end of each newsletter or by submitting a request using the contact details indicated in section 3 above.

4.3. Personal data processed when you submit an enquiry or a request for a brochure or an offer via our contact forms

When submitting an enquiry or a request for a brochure of financial offer on our website you will need to complete contact forms with the following data: name, organization, phone number, e-mail address, enquiry type and a brief description of your enquiry, as the case may be. When submitting a request for offer you will also have the possibility to attach a document considered by relevant for our analysis.

We consider such enquiries and requests pre-contractual approaches, therefore we shall process your data above for the purposes of answering your to your query based on article 6 (1) b) GDPR.

In case no contractual relationship shall be agreed during a 6 months period after your enquiry or request for brochure/offer, we shall delete your personal information or anonymize it and use in such anonymized way for statistical purposes or training of our employees.

4.4. Personal data processed when applying for a vacant position in our companies via the Careers section of our website

When applying for a vacant position within the Group via the Careers section of our website, you are requested to provide us with the following data: name, organization, phone number, e-mail address, enquiry description/letter of intent, education, professional experience and other information you include in your CV, letters of recommendation.

We shall process such information for the purposes of handling your job application, more precisely for evaluating your application; record-keeping related to hiring processes; analysing the hiring process and outcomes; and conducting background checks, to the extent permitted by applicable law.

The processing of personal data is necessary for the conclusion and execution of the individual labour contract. For this purpose, the legal basis for processing is Article 6 (1) (b) of the GDPR.

Following the conclusion of the recruitment process for a particular position, we keep your personal data for a specified period in order to satisfy our legitimate interests, namely to facilitate future recruitment processes, by maintaining a temporary database containing candidates’ have shown potential. In this case, the legal basis for the processing is Article 6 (1) (f) of the GDPR.

Personal information provided to us for the purpose of a job application will be kept for a period of up to 6 – 12 months if your application is unsuccessful or shall be further processed within your employee file for successful applicants.

4.5. Personal data processed when registering and leaving comments on our blog

When registering or leaving comments on our blog you shall be requested to provide us with the following information: username, password, name, e-mail address, comment, your site URL.

We process such data exclusively for operating the blog section of our website and for granting you the possibility to interact with other users and the authors, based on our legitimate interests to obtain feedback and to interact with our subscribers.

We draw your attention to the fact the comments are a public section, therefore you should avoid disclosing personal information in your comments.

We shall keep the personal data above up to a period of 1 year.

4.6. Personal data processed when using the “Send to a colleague/E-mail this link to a friend” option

When sending a message or an article to a colleague or friends of yours we shall collect the following data: your name, your e-mail address, the name of the recipient, his/hers e-mail address and your message.

We process such data exclusively for sending the message/link to the recipient indicated by you, based on our legitimate interest to have our website pages and articles forwarded to all potential interested persons.

We shall keep the personal data above only for a period of 1-6 months.

4.7. Processing of sensitive data or minors’ data

We shall not collect through our website sensitive information, unless legally required for recruiting purposes.

Our website and its content is not intended for or addressed to minors. Thus, we shall not deliberately collect or maintain personal data about minors, unless this is part of a commitment to provide you professional services.

5. On what grounds do we process personal data?

When processing your personal data, we rely on the following legal grounds:

  • Consent, as per article 6 (1) a) GDPR – we may (but usually do not) need your consent to use your personal information. You can exercise your right of consent withdrawal by contacting us as described below.
  • Performance of a contract or to take steps at your request prior to entering into a contract with us, as per article 6 (1) b) GDPR – we may need to collect and use your personal information in order to take steps for the conclusion of a contract, to conclude a contract with you, to perform our obligations under a contract with you or otherwise execute the contract.
  • Compliance with law or regulation, as per article 6 (1) c) GDPR – we may use your personal data in order to comply with an applicable law or regulation.
  • Legitimate interest, as per article 6 (1) f) GDPR – we may use your personal information for our legitimate interests, some examples of which are given above.


6. To whom do we disclose or transfer personal data?

Your personal information will be mainly disclosed to our employees from specific departments and to the companies that are part of Nexia, as it will prove to be necessary.

When justified and/or necessary, we may also share your personal information outside our Group. This may include:

  • Third party agents/suppliers or contractors bound by obligations of confidentiality. This may include, without limitation, IT and communications service providers.
  • Third parties relevant to the legal services that we provide. This may include, without limitation, counterparties to transactions, other professional service providers, legal representatives, the employer or potential employer, Romanian Immigration Office, Notaries Public, Trade Register, public authorities and institutions, as empowered by the law to request information on personal data collected during Nexia’s specific activity.
  • To the extent required by law, search warrant or court order, for example, if we are under a duty to disclose your personal information in order to comply with any legal obligation.

In case it will be necessary to transfer your personal information outside the European Economic Area, we will ensure that it is protected and transferred in a manner consistent with legal requirements, including the following:

  • the European Commission has issued a decision recognizing the adequate character of data protection in the envisaged third country or where the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield scheme;
  • the recipient has signed a contract based on “standard contractual clauses” approved by the European Commission, obliging them to protect your personal information, or
  • we have obtained your prior explicit consent.

In all cases, however, any transfer of your personal information will be compliant with applicable data protection law.

You can obtain more details of the protection given to your personal information in case of transfer outside the European Economic Area (including a sample copy of the standard contractual clauses) by contacting us using the details set in section 3 above.

7. Where and for how long do we store personal data?

Your personal data is stored by Nexia mainly on servers located within the European Economic Area.

We process and retain personal data only for as long as is necessary to fulfil our purposes, contractual obligations and other legal obligations of storage / archiving, as the case may be.

We shall retain the data only for as long as is necessary and / or prescribed by law for that purpose. For example:

  • Data processed for billing purposes and supporting accounting documents will be kept for a period of 5 up to 10 years, as the case may be, according to the Accounting Law no. 82/1991;
  • Data processed under your consent will be processed during the validity period of your consent or until you choose to withdraw your consent, or the data is no longer necessary;
  • Data processed under our legitimate interest will be processed for a maximum period of 1 year, after which it will be anonymized and processed for statistical purposes.


8. What are your rights as data subject?

8.1. Right of access

Upon your request, we will confirm that we process your personal data and, if so, we will provide you with a copy of your personal data that is subject to our processing and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom personal data has been or is to be disclosed, in particular recipients from third countries or international organizations;
  4. where possible, the period for which personal data are to be stored or, if that is not possible, the criteria used to determine that period;
  5. the existence of the right to require the operator to rectify or erase personal data or to restrict the processing of personal data relating to the data subject or the right to object to processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where personal data are not collected from the data subject, any available information on their source;
  8. the existence of an automated decision-making process including the creation of profiles and, in those cases, relevant information on the logic used and the significance and expected consequences of such a processing for the data subject.

If we transfer your data outside of the European Economic Area or to an international organization you have the right to be informed of the appropriate safeguards applied.

The first copy of your personal data is provided free of charge. For additional specimens, we may charge a reasonable additional charge, taking into account the related administrative costs.

8.2. Right to rectification and/or completion of personal data

If the data we hold about you is inaccurate or incomplete, you are entitled to correct it or to complete. On order to do so, you can submit a request using the contact details provided above. Unless this proves impossible or involves disproportionate efforts, we will notify each recipient to whom your data has been disclosed of your rectification or completion of your data. Upon your request, we will inform you of those recipients.

In order to keep personal data accurate, we may request you to reconfirm/renew your personal data from time to time.

8.3. Right to erasure of personal data (“right to be forgotten”)

You may ask us to delete your personal information and we will respond to your request without undue delay, if one of the following situation applies:

  1. Data are no longer required for the purposes for which they were collected or processed;
  2. You withdraw consent to the processing of your data when your data processing is based on your consent and there is no other legal basis on which to process your personal data;
  3. You oppose the processing of your data on our legitimate interest, including the creation of profiles based on this ground, or you oppose data processing for direct marketing purposes, including the creation of profiles for direct marketing purposes;
  4. your data has been processed unlawfully;
  5. Personal data should be deleted to comply with a legal obligation under Union law or national law;
  6. Personal data have been collected in connection with the provision of information services to children and the basis of processing is consent.

Unless this proves impossible or involves disproportionate efforts, we will notify each recipient to whom your data has been disclosed of your deletion of your data. Upon your request, we will inform you of those recipients.

We reserve the right to refuse deletion your data when processing is required for:

  1. For the exercise of the right to free expression and information;
  2. In order to comply with a legal obligation that applies to us as a personal data operator;
  3. for purposes of archiving in the public interest, scientific or historical research or for statistical purposes, insofar as the deletion of the data is likely to render impossible or seriously impair the achievement of the objectives of the processing;
  4. To establish, exercise or defend a right in court.

8.4. Right to restriction of processing

You may ask us to block and restrict the processing of your personal information if one of the situations below applies:

  1. Contest the accuracy of the data – in this case, at your request, we will restrict the processing for the period we perform the necessary checks on the accuracy of your data;
  2. data processing is illegal, and you do not want to delete your data;
  3. We no longer need your data for processing, but processed data about you is necessary to establish, exercise or defend a right in court;
  4. You opposed your processing of your data under our legitimate interest, including the creation of profiles based on this basis – in this case, at your request, we will restrict the processing for the period in which we verify that our legitimate rights do not prevail over your rights.

If your data processing has been restricted, we will only be able to store your data. Any other way of processing out of storage will be done only:

  • after obtaining your consent;
  • for finding, exercising or defending a right in court;
  • to protect the rights of another natural or legal person;
  • for reasons of public interest of the Union or of a Member State.

We will inform you before lifting any processing restriction as set out above.

Unless this proves impossible or involves disproportionate efforts, we will communicate to each recipient to whom your data has been disclosed restricting the processing of such data. At your request, we will inform you of those recipients.

8.5. Right to data portability

You have the right to receive the data that concerns you and that you have provided us with in order to transmit such data to another controller, in the following circumstances:

  1. Your data processing is based on your consent or on a contract between us and you;
  2. Your data is processed by automatic means.

We will provide your personal data in a structured, commonly used and machine-readable format.

If technically feasible, you can request that your personal data be transmitted directly to the controller indicated by you.

8.6. Right to object and automated individual decision-making

You may request us not to further process your personal information for reasons relating to your particular circumstances and if the processing of your data is based on our legitimate interest. We will cease processing of your data unless we demonstrate that we have legitimate and compelling reasons that justify processing and those reasons prevail over your interests, rights and freedoms, or whether the purpose of the processing is to establish, exercise or defend a right in court.

In addition to the above, you may request that we no longer process your personal data for direct marketing purposes, including the creation of profiles related to that direct marketing.

8.7. Rights in relation to automated individual decision-making, including profiling

You have the right not to be subject to a decision when it is based on automatic processing, including not being profiled, if the automatic decision or profiling has legal effects or significantly affects you, except in the following cases:

  1. automatic decision is required to conclude or execute a contract between you and us;
  2. the automatic decision is authorized by European Union or national law applicable to Nexia and also provides for appropriate measures to protect the legitimate rights, freedoms and interests of the data subject;
  3. Automatic decision is based on your express consent.

If the cases indicated in (a) and (c) above apply, you may request that you exercise the following correlative rights:

  • the right to obtain human intervention on our part;
  • the right to express your point of view;
  • the right to challenge the automatic decision.

8.8. Right to withdraw consent

If we rely on your consent (or explicit consent) as the legal basis for processing your personal information, you have the right to withdraw your consent at any time and we will cease processing your personal data.

Withdrawal of consent does not affect the lawfulness of the processing of your personal data on the basis of your consent prior to its withdrawal.

8.9. Right to lodge a complaint with National Supervisory Authority For Personal Data Processing of Romania (“ANSPDCP”)

You have the right to contact the ANSPDCP if you believe the processing of your data is not in compliance with the applicable law. More information about ANSPDCP can be obtained by visiting

8.10. Right to seek judicial remedy

Without prejudice to any other administrative or non-judicial remedy, you have the right to pursue an effective judicial remedy against a legally binding decision of ANSPDCP.

9. How can you exercise your rights?

Submitting a request.  For the exercise of any rights above, please submit your request in writing or by phone, using the contact details indicated in section 3 above.

Identification of the applicant. In order to be able to properly manage your request, we urge you to identify yourself as completely as possible. In case we have reasonable doubts as to the identity of the applicant, we will ask for further information to confirm your identity.

Response time. We will respond to your requests without undue delay, and in any case within one month from the receipt of the request. Insofar as your application is complex or we are in a position to process a large number of requests, we may reasonably postpone the delivery of your response for up to two months with your prior notice.

Providing our answer. We will provide you with our response and any requested information in electronic format, unless you request them to be provided in another format.

Refusal. In so far as we refuse to meet your request, we will inform you of the reasons which led to such a decision and of the possibility to submit a complaint to ANSPDCP and to apply for a judicial remedy.

Taxes. Exercising your rights as a data subject is free. However, to the extent that your claims are manifestly unfounded or excessive, especially in the light of their repetitiveness, we reserve the right to levy a fee or to refuse the fulfilment of the request.

10. Cookies Policy

10.1. What are cookies?

Cookies are small files of letters and numbers that are stored on your computer, mobile terminal, or other equipment that you use to access the internet. There are two main types of cookies:

  • Session cookies – temporary cookies which allow website operators to link the actions of a visitor during a browser session. They are activated when the browser window is opened. Once you close the browser, all session cookies are deleted.
  • Persistent cookies – remain on a user’s device for a set period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie.

Cookies are installed through the request of our web-server to your browser (eg Internet Explorer, Chrome) and do not contain software, viruses or spyware, and cannot access information from your hard drive.

10.2. What types of cookies do we use and for what purposes?

  • Strictly necessary cookies – are essential to navigate around our website and to use its features. These cookies do not gather personal information about you.
  • Performance cookies – collect data for statistical purposes on how visitors use our website. They do not contain personal information such as names and email addresses and are used to improve your experience on our website. Information supplied by performance cookies can help us understand how you use the website; for example, whether or not you have visited before, what you looked at or clicked on and how you found us. Such data will be used to further improve our services.
  • Analytics cookies – cookies generated by the Google Analytics software to account the activity of visitors, and the frequency of accessing the Site. We have taken care that the data transmitted by these cookies does not lead to your identification.
Name Purpose Expiry
_pk_uid Analytics 13 months
_pk_ses Analytics 13 months
_gat Analytics 1 month
_gid Analytics 3 months
_ga Analytics 2 years
  • Functionality cookies – remember usernames, language preferences and regions, thus allowing user to customize how our website looks for them.
Name Purpose Expiry
9d0baa83813cb2084854e78ee4f5beac language 1 year
  • Advertising and targeting cookies – are used to deliver more relevant advertisements to you, but can also limit the number of times you see an advertisement, and be used to chart the effectiveness of an ad campaign by tracking users’ clicks.
Name Purpose Expiry

10.3. How can you refuse or deactivate cookies?

With the opening pop-up message, you can select which cookies you want to use, except for the strictly necessary cookies. Deactivating strictly necessary cookies will disable essential website services rendering it unusable.

You can also disable cookies by changing your browser settings. For more information about this, please visit your browser’s settings page.

10.4. Social media technologies

“Share with LinkedIn” plugin – when a person visits a site that has integrated such a plugin, LinkedIn receives the following visitor information: the URL of the aside from which it came and the one to which it is going. We also receive information about IP address, proxy server, operating system, web browser and add-ons, device ID and / or ISP and / or mobile phone identifier and features. If the site is accessed from a mobile device, the device will send us your location data according to the visitor’s phone settings.

11. Ensuring personal data security

For ensuring safety of this website we use the SSL (Secure Socket Layer) method in connection with the website visit, in conjunction with the highest encryption level supported by your browser. In general, this is a 256-bit encryption.  Whether a single page of our website is encrypted is indicated by the closed representation of the key or lock icon in the status bar of your browser.

At organizational level, we have adopted and instructed our employees to follow internal procedures aimed at preventing loss or unauthorized access or disclosure. All persons, including our employees, processing your personal data under our authority have pledged to preserve the confidentiality and security of all such personal data.

We have also implemented adequate security measures to protect your data against informatics treats and other potential data breaches. Such security measures shall be continuously improved in line with technological developments.

12. Final provisions

This Privacy Policy is applicable starting with 23th of October 2020.

Nexia reserves the right to modify or amend this Privacy Policy at any time by publishing an updated version here.