GDPR & Your Data Rights

Last updated: 21 May 2026

Your rights matter to us. As a company based in Romania (EU), Info Data SRL (TachoCard) is fully subject to the General Data Protection Regulation (GDPR). This page explains all rights you have regarding your personal data and how to exercise them — quickly and without unnecessary barriers.

1. Who Is Responsible for Your Data?

The data controller — the entity legally responsible for how your personal data is processed — is:

Info Data SRL

Trading as: TachoCard

Incorporated in Romania, European Union

Email: privacy@tacho-card.com
Subject line: "GDPR Request — [Your Name]"

2. Legal Framework

TachoCard's data processing is governed by:

  • Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR), directly applicable across the EU including Romania
  • Romanian Law 190/2018 on measures for the implementation of GDPR
  • Romanian Law 506/2004 on personal data processing in electronic communications
  • Romanian Law 363/2018 on the protection of natural persons with regard to personal data processing by competent authorities

3. Your Rights Under GDPR

Under GDPR Articles 12–22, you have the following rights. All requests are processed free of charge within 30 calendar days, extendable to 90 days for complex requests (we will notify you within the initial 30 days if an extension is needed).

3.1 Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about:

  • The purposes of processing
  • The categories of data involved
  • Any recipients or third parties receiving the data
  • The retention period or criteria used to determine it
  • Your other rights listed in this document

How to request: Log in to your TachoCard account → Account Settings → "Download my data", or email us at privacy@tacho-card.com.

3.2 Right to Rectification (Art. 16)

You have the right to have inaccurate personal data corrected without undue delay. You may update your name, email address, and other profile information directly in your Account Settings at any time.

If any data cannot be corrected via the application, contact us at privacy@tacho-card.com.

3.3 Right to Erasure — "Right to Be Forgotten" (Art. 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and no other legal basis applies
  • You object to processing and no overriding legitimate interests exist
  • The data has been unlawfully processed

How to request: Account Settings → "Delete my account", or email us. We will erase all personal data within 30 days, except data we are legally required to retain (e.g., invoices must be kept for 10 years under Romanian tax law — Legea nr. 227/2015 privind Codul Fiscal).

3.4 Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your data (i.e., we store it but do not further process it) in the following circumstances:

  • You contest the accuracy of your data — during the period needed to verify it
  • The processing is unlawful and you prefer restriction to erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing — pending verification of legitimate grounds

How to request: Email privacy@tacho-card.com with subject "Restriction Request".

3.5 Right to Data Portability (Art. 20)

Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and to transmit it to another controller.

How to request: Account Settings → "Export my data" (available for account data and tachograph activity records), or email us.

3.6 Right to Object (Art. 21)

You have the right to object at any time to processing of your personal data based on legitimate interests (Art. 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defence of legal claims.

You may also object at any time to processing for direct marketing purposes (we do not currently send marketing emails, but this right is available).

How to request: Email privacy@tacho-card.com with subject "Objection to Processing".

3.7 Rights Related to Automated Decision-Making (Art. 22)

TachoCard uses automated algorithms to calculate AI-based driver risk scores. These scores are informational tools for decision support only — no decisions with legal or similarly significant effects on you are made solely on the basis of automated processing without human review.

You have the right to request human review of any automated assessment and to express your point of view. Contact us at privacy@tacho-card.com for any concerns regarding automated scoring.

4. How to Exercise Your Rights

Option 1 — Via the Application

Log in to TachoCard → Account Settings → Privacy section. You can download, export, or delete your data directly from here.

Option 2 — By Email

Send an email to privacy@tacho-card.com with the subject line: "GDPR Request — [Your Name] — [Right]"

Include: your full name, the email address registered with TachoCard, and a clear description of your request. We may ask you to verify your identity before responding.

5. Response Timescales

Request TypeTimeframe
Acknowledgement of receiptWithin 5 business days
Response to standard requestWithin 30 calendar days
Complex or multiple requestsWithin 90 calendar days (extension notice within first 30)
Account deletionData erased within 30 days of confirmation

All responses are provided free of charge. If requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act, in accordance with GDPR Art. 12(5).

6. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Art. 33–34. Notification will be sent to your registered email address and will include:

  • The nature of the breach and categories of data affected
  • Estimated number of individuals affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

7. Right to Lodge a Complaint with the Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of alleged infringement, if you consider that processing of your personal data infringes the GDPR.

The competent supervisory authority for Romania is:

ANSPDCP

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal

Address: Bd. G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, Romania
Phone: +40.318.059.211 / +40.318.059.212
Email:anspdcp@dataprotection.ro
Website:www.dataprotection.ro

EU citizens residing in another member state may also contact their local data protection authority. The full list is available at edpb.europa.eu.

8. EU Online Dispute Resolution

The European Commission provides an Online Dispute Resolution (ODR) platform for resolving disputes out of court: ec.europa.eu/consumers/odr.

9. Further Information

For a detailed description of what data we collect, how long we keep it, and the legal bases for processing, please read our full Privacy Policy. For information about cookies specifically, see our Cookie Policy.

10. Contact

Info Data SRL (trading as TachoCard)
Email:privacy@tacho-card.com
Subject line: "GDPR Request — [Your Name]"