
Privacy by Design Policy

1. Introduction
Privacy by Design is a proactive approach to protecting the privacy of individuals. The philosophy of
PbD is embedding privacy from the outset into the design specifications of information technologies,
accountable business processes, physical spaces, and networked infrastructures.
The PbD concept takes a holistic approach by transforming how an organisation manages privacy:
from a policy and compliance matter into an organisation-wide business issue and strategy. The PbD
approach adopts a holistic approach to privacy by:
• ensuring privacy protection is embedded into information technology, business processes,
physical spaces and networked infrastructures from the outset; and
• encouraging organisations to adopt the PbD Principles into all aspects of their operations
wherever and whenever personal information is collected, used, disclosed, retained,
transferred and/or disposed of.

2. Scope
The scope of the Privacy by Design policy is the elaboration of a set of internal rules ensuring adequate
protection of personal data processed by eMAG, available in databases and archives, in order to comply
with the current personal data protection laws.
This document is applicable to all Platforms & Technology Development Teams of the eMAG Group.
(eMAG Group means Dante International S.A. and its subsidiaries. A "subsidiary" is a company in which
eMAG has a direct or indirect contribution higher than 50%.)

3. The 7 Foundational Principles


The objectives of Privacy by Design — ensuring privacy and gaining personal control over one’s
information and, for organizations, gaining a sustainable competitive advantage — may be
accomplished by practicing the following 7 Foundational Principles.

1. Proactive not Reactive; Preventative not Remedial


The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It
anticipates and prevents privacy-invasive events before they happen. PbD does not wait for privacy
risks to materialize, nor does it offer remedies for resolving privacy infractions once they have
occurred — it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact,
not after.
Data Protection Impact Assessments (DPIAs)
• Consider in advance whether any planned use of data involves technology in ways which
are new, innovative, or which give rise to processing or events that might be unexpected,
intrusive or could present higher risks of harm to individuals
• Where appropriate, conduct a DPIA (according to internal procedures) – contact
gdpr@emag.ro.

2. Privacy as the Default Setting


Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are
automatically protected in any given IT system or business practice. If an individual does nothing,
their privacy still remains intact. No action is required on the part of the individual to protect their
privacy — it is built into the system, by default.
Default system settings are maximally privacy-enhancing. This is sometimes described as the “data
minimization” or “precautionary” principle, and must be the first line of defense. Non-collection,
non-retention and non-use of personal data is integral to, and supports, all of the other PbD principles.

Purpose and functionality evaluation


• Clearly define the relevant purpose(s): why we want to collect and use personal data.
• Purposes must be limited and specific and must be written as functional requirements.
• Update applicable policies with the new purposes (if that is the case) – contact the Legal
Team – gdpr@emag.ro
Collection ('must-have, or nice-to-have'?)
• Ask whether we can achieve our goals without processing personal data at all
• Analyse what steps are needed to minimise the identifiability or linkability of data sets
• Analyse whether special category/sensitive data is necessary and justified (e.g. NIN collection
only for BG orders with credit)
Collecting from 3rd Parties: ensure that techniques, systems and procedures are put in place to:
• ensure that personal data collected from sources other than the individual comes from reliable
sources that also collect data fairly and lawfully. This requires that due diligence be
performed before establishing a relationship with a 3rd party data provider. Also, the privacy
policies, collection methods, and types of consent obtained by 3rd parties must be reviewed
(email – gdpr@emag.ro) before accepting personal data from 3rd party data sources.
• document and, where necessary, seek consent where the software produces or acquires
additional data about individuals.
NOTE: These requirements are specifically for personal data that is collected through a 3rd party.
The general requirements as documented in the above sections also apply.
Data minimisation: minimise the personal data we collect to only what we need for our purposes
Purpose limitation: ensure we only use the data we need for the purposes we have identified

Putting the individual first
• Set the default profile or account settings in a way that is most friendly to the user. For
example, where users can share profiles or content, start by automatically making
accounts private instead of public by default.
• Offer genuine, effective controls and options to individuals relating to the data we will
collect and process, rather than providing an illusory choice.
Retention times
• Establish how long we need to retain the personal data, whether we can delete, archive or
aggregate it and, if so, the earliest stage at which we can do that.
• Consider whether the retention and deletion process could be automated to any degree.

3. Privacy Embedded into Design


Privacy by Design is embedded into the design and architecture of IT systems and business practices.
It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential
component of the core functionality being delivered. Privacy is integral to the system, without
diminishing functionality; it is embedded into business practices as an essential component, not as an
afterthought.

Privacy settings and preferences: Integrate and/or include the new system with the existing
controls and/or documentation enabling individuals to review and revise their privacy settings
and preferences.
Opt-in/opt-out: Create controls for opt-in and opt-out of sharing data by the user, detailing the
benefits or consequences of doing so in a clear and objective manner, including any potential
impact to product features or functionality.
Data erasure and destruction: Ensure the systems facilitate individuals' right to delete the data
we hold about them, and that they are integrated with the GDPR Anonymize Application.
Pseudonymisation and anonymisation
• Consider pseudonymising the data (so that data subjects cannot be re-identified unless
that data is combined with additional information)
• Consider anonymising and aggregating the data (so there is no chance that data subjects can
be re-identified). Can we use one-way hashing instead of raw data?
• When delivering a product/service requires the data to be identifiable, consider whether any
secondary uses (e.g. analytics, R&D, reporting etc.) could use aggregated or
pseudonymised data
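The two techniques in the list above differ in a way that matters for the "additional information" test: a pseudonymised record can still be re-identified by whoever holds the key or lookup table, while an aggregated record cannot be traced back to anyone. The following Python is an added example, not code from the eMAG policy or from the GDPR Anonymize Application. It assumes HMAC-SHA256 as the one-way function (an unkeyed hash of a low-entropy identifier such as a NIN is not a safe pseudonym, because the identifier space is small enough to be re-derived; the secret key is the "additional information" that stays with the Legal/GDPR owner, not with the analytics data set) and a constructed set of order rows; the suppression threshold k is an assumption chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample rows (not real customer data): orders keyed by a
# national identification number (NIN), with city and order amount.
SAMPLE_ORDERS = [
    {"nin": "1900101123456", "city": "Bucharest", "amount": 120},
    {"nin": "1900101123456", "city": "Bucharest", "amount": 80},
    {"nin": "2850505654321", "city": "Cluj", "amount": 45},
    {"nin": "1770707111111", "city": "Bucharest", "amount": 300},
    {"nin": "2660606222222", "city": "Iasi", "amount": 10},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed one-way transformation (HMAC-SHA256) of a direct identifier.

    The key is the 'additional information' the policy refers to: it is
    stored separately from the pseudonymised data set, so a holder of the
    data set alone cannot re-identify subjects, while the same key always
    yields the same pseudonym, so records stay linkable for analytics.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_orders(orders: list[dict], key: bytes) -> list[dict]:
    """Replace the NIN in every row with its keyed pseudonym; other fields
    are kept so secondary uses (analytics, reporting) still work."""
    return [
        {"subject": pseudonymise(o["nin"], key), "city": o["city"], "amount": o["amount"]}
        for o in orders
    ]


def aggregate_by_city(orders: list[dict], k: int = 2) -> dict:
    """Anonymised aggregate: order count and total amount per city.

    Groups with fewer than k orders are suppressed, so a city with a single
    customer does not let that person be singled out from the totals.
    The choice of k is an assumption for this example.
    """
    counts: Counter = Counter()
    totals: Counter = Counter()
    for o in orders:
        counts[o["city"]] += 1
        totals[o["city"]] += o["amount"]
    return {
        city: {"orders": counts[city], "total": totals[city]}
        for city in counts
        if counts[city] >= k
    }


if __name__ == "__main__":
    # Constructed key for demonstration only; a real key lives in a secret store.
    demo_key = b"constructed-demo-key-not-for-production"
    for row in pseudonymise_orders(SAMPLE_ORDERS, demo_key):
        print(row)
    print(aggregate_by_city(SAMPLE_ORDERS, k=2))
```

Note the asymmetry the code makes visible: rotating the key produces a completely different set of pseudonyms, which is why key custody (not the hash algorithm) decides whether the data set counts as pseudonymised or effectively identifiable, whereas the aggregate output carries no subject column at all and survives any key rotation unchanged.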

4. Full Functionality — Positive-Sum, not Zero-Sum
Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum
“win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are
made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security,
demonstrating that it is possible to have both.

Full functionality
• Users should have full functionality regardless of their privacy settings, except where it is
not feasible to provide the service without their data (e.g. map apps requiring location
data, or an online shop providing fit recommendations requiring user clothing size data).
• Ensure that features do not require non-necessary personal data in order to access or use
them (e.g. returning a product does not require the collection of the client’s NIN)
Opt-in/Opt-out: Create controls for granular data sharing user preferences (e.g. opt-in/opt-out),
detailing the benefits or consequences of doing so in a clear and objective manner, including any
potential impact to product features or functionality (e.g. cookie consent, various email
subscriptions etc.).

5. End-to-End Security — Full Lifecycle Protection


Privacy by Design, having been embedded into the system prior to the first element of information
being collected, extends securely throughout the entire lifecycle of the data involved — strong
security measures are essential to privacy, from start to finish. This ensures that all data are securely
retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by
Design ensures cradle to grave, secure lifecycle management of information, end-to-end.

Authentication and access control: Have appropriate user access controls in place, including
appropriate logical access controls, and procedures for deleting old user IDs.
Remote working: Check the protocols for remote access control including the use of two-factor
authentication, one-time passwords and/or virtual private networks.
Wireless networks and firewalls: Ensure the system complies with internal eMAG security
requirements and guidelines.
Encryption: Ensure processes are in place for encrypting data where appropriate.
Incident response plan: During the process of designing a new product/service, consider
updating the incident response plan and evaluate what security measures may be needed in case
of an incident (for example, an access breach, a virus, or physical server damage).
Data back-up and recovery
• Make sure there are appropriate data back-up and recovery systems in place (for
example, if there is a data breach or a natural disaster)
• Include the system in the business continuity plan, and test it regularly.

Security and privacy risk assessments
• Ensure that access to personal data is commensurate with its degree of sensitivity, and
is consistent with eMAG’s privacy policies and procedures – contact gdpr@emag.ro.
Updates, patches and vulnerability testing
• Ensure that, before release, the software is subject to security development lifecycle
testing (including regression testing and threat modelling)
Hardware
• Ensure the system has protections in place to prevent personal data being copied to
removable media (CD/DVDs, external hard disks, USB memory sticks etc.) according to
internal security procedures.

6. Visibility and Transparency — Keep it Open


Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology
involved, it is in fact, operating according to the stated promises and objectives, subject to
independent verification. Its component parts and operations remain visible and transparent, to
users and providers alike. Remember, trust but verify.

Privacy policy changes: Regularly update the privacy policy/notice in place when we do
something new – contact the Legal Team
Cookies: Update the cookie notice/policy in place if there are changes (new or obsolete cookies)
– contact the Legal Team

7. Respect for User Privacy — Keep it User-Centric


Above all, Privacy by Design requires architects and operators to keep the interests of the individual
uppermost by offering such measures as strong privacy defaults, appropriate notice, and
empowering user-friendly options. Keep it user-centric.

Data portability: we should be able to export personal data in a commonly used, machine-readable
format
Right to be informed: Make sure we fulfil individuals' right to be informed about the data we
hold about them – update the privacy policy/notice in place when we do something new –
contact the Legal Team
Right of access: Ensure the system facilitates individuals' right to request access to the data the
company holds about them
Right to rectification: Ensure the system facilitates individuals' right to correct the data we hold
about them.
Right to erasure: Ensure the systems facilitate individuals' right to delete the data we hold about
them, and that they are integrated with the GDPR Anonymize Application.

Right to restrict processing: Ensure we are able to freeze/quarantine data we hold about an
individual.
Right to data portability: Ensure the system facilitates individuals' right to transmit the data we
hold about them to another organisation if required (in a commonly used and machine-readable
format).
Right to object: Ensure the system has a procedure in place to enable data subjects to object to
how we are using their information, particularly in relation to any direct marketing or higher-risk
uses.
Exemptions: Remember that not every right will be applicable in all situations; it will depend on
the type of data being processed and the legal basis for the processing.
Children's data: If the new system processes children’s personal data, please contact
gdpr@emag.ro.
