PRIVACY POLICY
GDPR Policy
1. INTRODUCTION
The website umfcv.org is hosted by SC Space Ro SRL, a legal entity based in Romania.
This information note presents the way in which your personal data is processed by our unit (UMF Craiova) and how we ensure that your data is processed legally, fairly and transparently.
We, together with our collaborators, respect your personal data and take compliance with it seriously. Our priority is to ensure a transparent and safe environment for our patients, in accordance with the legislation in force on the protection of personal data, for which the staff of our units, our collaborators and partners firmly declare their support.
2 . MEANING OF TERMS USED IN THIS INFORMATION NOTICE
Supervisory Authority for the Processing of Personal Data - independent public institution which, according to the law, has responsibilities relating to supervising compliance with the legislation on the protection of personal data.
Special categories of personal data - personal data relating to a person's racial origin and religion, genetic data, biometric data, data concerning a person's health, and a person's sexual orientation.
Contributors - person or institution that has concluded a collaboration contract with the personal data controller and that provides services to the data controller.
Personal data - any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number (for example: name, location data) or to one or more factors specific to his or her physical, physiological, mental, economic or cultural identity. The term personal data includes the patient's name and surname, his or her home or residence address, e-mail address, telephone number, personal identification number, age, gender, established diagnosis, genetic data.
Consignee - any natural or legal person, whether under private or public law, including public authorities, their territorial institutions and structures, to whom data are disclosed, whether or not they are a third party; public authorities to whom data are communicated within the framework of a special investigative competence shall not be considered recipients.
Operator - any natural or legal person, of private or public law, including public authorities, institutions and their territorial structures, who determines the purpose and means of the processing of personal data; if the purpose and means of the processing of personal data are determined by a regulatory act or on the basis of a regulatory act, the operator is the natural or legal person, of public or private law, who is designated as the operator by that regulatory act or on the basis of that regulatory act. In connection with you, our unit is the operator, and you are the data subject.
Person authorized by the operator - a natural or legal person, of private law or public law, including public authorities, their institutions and territorial structures, who processes personal data on behalf of the operator.
Target person - the natural person whose personal data are processed.
Processing of personal data - any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure to third parties by transmission, dissemination or otherwise, alignment or combination, blocking, erasure or destruction.al
Storing - storing the collected personal data on any kind of medium.
Tert - any natural or legal person, governed by private law or public law, including public authorities, their institutions and territorial structures, other than the data subject, the operator or the processor or the persons who, under the direct authority of the operator or the processor, are authorized to process data.
3. PERSONAL DATA THAT OUR UNIT PROCESSES
The personal data relating to you that we will process are data obtained directly from you, provided by relatives or resulting from the provision of medical services by us. The processed data includes the following categories:
- Personal data: name, surname, gender, date of birth, citizenship, marital status, video recordings (in our premises where we have CCTV surveillance cameras installed, where they exist, these are indicated by visible signs), personal identification number (CNP), CUIM, OAMM, the rest of the information from your identity document;
- Contact details: home address and/or residence, telephone number, email address;
- Data regarding payment for services provided: billing address, IBAN account number, bank card number, name and surname of the account/card holder, if another person pays for the services on your behalf;
- Professional data: social status (employed, retired, self-employed, etc.), membership in a profession, employer;
- Opinions, visions (may include sensitive data) such as: any opinion and view you convey to us or that you post publicly about us on social networks or that you make known on other public channels, religion (in the case of hospitalized patients).
However, we will strictly respect the obligation of professional secrecy that we have towards you.
4. SOURCE OF PERSONAL DATA
• Most information is provided by you when you register on the web platform to participate in the event.
• We constantly try to keep your data as accurate and up-to-date as possible. To this end, we continuously conduct a campaign to collect and update your data.
5. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA (OTHER THAN SENSITIVE DATA)
The grounds for which we process your sensitive personal data, other than sensitive data, are to be able to conclude a participation collaboration with you, at your request, or to execute a contract concluded with you (through which we undertake to provide you with our services).
There are cases in which we process your data based on our legitimate interest, for example when we communicate information necessary to inform you about similar events or a new edition.
We may process your data to fulfill our archiving obligations, obligations to communicate certain information to public authorities upon request, or other legal obligations.
Regarding our marketing communications, we process your data based on your consent to processing for this specific purpose.
Given the specifics of our activity, it is normal for us to collect or process your sensitive personal data.
We will carry out this processing based on the following legal grounds:
- when processing is necessary for purposes related to registration/participation in this event (or similar events), management of attendance certification systems and reporting to institutions that approve certifications, authorizations, etc.
- we may also process your data in medical emergency situations or other situations in which you are unable (physically or legally) to consent to the processing, we may process your sensitive data in order to protect your vital interests (or those of another natural person).
- in the event that disputes arise between you and us that we cannot resolve together amicably, we may process your sensitive data (for example, the results of medical tests on the basis of which a certain diagnosis was decided) for the establishment, exercise or defense of our right in court
6.THE PURPOSES FOR WHICH WE PROCESS PERSONAL DATA
We process your personal data in order to fulfill the following purposes:
- providing services to you: providing services, including providing promotional services or information about our promotions; communicating with you regarding the services provided; identifying you and the services provided; informing you (regarding the results of the services provided);
- financial management: issuing vouchers, invoices and receipts to you; receiving payments from you including recording payments made by another person on your behalf; recovering debts from you (including through companies specialized in debt recovery - details below, in the section regarding the transmission of data about you); returning sums of money to you; sending notifications; sending to court; preparing financial/operational reports, activity reports and issuing financial/contract statements;
- fulfilling our legal obligations: fulfilling our legal obligations regarding archiving, health, security, record keeping and other obligations that the law imposes on us;
- event surveillance/recording: audio-video systems dedicated to recording and live broadcasting; CCTV systems installed for space surveillance;
- dispute resolution: formulating requests and defenses before public authorities and other entities that generate disputes;
- marketing communications: communicating with you by any means (for example, email, mobile or landline phone, telephone messages (SMS), mail, messages sent on social media platforms or in person) news regarding available medical services, newsletter subscription or providing other information that may interest you;
- managing our communications and IT (information technology) systems: managing our communications systems; managing our IT security; conducting security audits on our IT networks, issuing reports to authorized institutions or repairing system errors;
- polls: conducting surveys and asking you questions in order to obtain your opinion on our services;
- improving products and services: identifying potential problems with our existing services in order to improve them (including by conducting audits); testing improvements made to our services or new services; resolving your complaints;
7. TO WHOM WILL WE DISCLOSE YOUR PERSONAL DATA?
As a rule, we will not disclose your data to other individuals or legal entities.
In certain situations, however, it is possible for us to disclose your data to other individuals or legal entities.
It is not possible at this time to provide you with precise information regarding the exact identity of all possible recipients of your data, as we have not determined them in advance for each individual patient.
- natural or legal persons who act as processors for us, in various areas (e.g. payment services, document archiving or destruction services, etc.) from anywhere in the world, whom we will however oblige to comply with the requirements of the legislation that protects your rights – they provide certain services for us;
- your employer – in connection with the assessment of your work capacity for purposes related to medicine and work psychology, but only within the limits of the information established by legal provisions, excluding information regarding the results of medical investigations carried out;
- collaborators and other suppliers of services; each of these being obliged by law or by the contract concluded with us to maintain the confidentiality of your data;
- accountants, auditors, lawyers and other professional consultants our external, from Romania or abroad – they will be obliged by law or by the contract concluded with us or another company in our group to maintain the confidentiality of your data;
- any buyers or potential buyers relevant from the medical sector or from other sectors, from
Romania or from another state – in the event that we sell or transfer all or part of our shares, our assets or our business (including in the event of our reorganization, dissolution or liquidation) – they will be bound by a confidentiality obligation;
- public authorities from any field, from Romania or abroad (especially public authorities in the field of health in Romania: National Health Insurance House, Ministry of Health, College of Physicians, College of Dentists, College of Pharmacists and others) – at their request or on our initiative, in accordance with applicable legislation;
- any relevant person, agency or court from Romania or from another state – to the extent necessary for the establishment, exercise or defense of a right of ours or another company in our group in court;
- our partners, with whom we have contractual relationships – marketing service providers, insurers.
When we use a natural or legal person as a processor for the processing of your personal data, we will ensure that they have concluded a written agreement with us whereby they undertake, among other obligations that the personal data protection legislation provides, the obligations to (i) process the personal data only in accordance with our written instructions that we have provided to them in advance and to (ii) effectively implement measures to protect the confidentiality and ensure the security of the personal data. We will also ensure that the written agreement between us and the processor provides for at least all other obligations that the applicable legislation on the protection of personal data provides for.
8. TO WHOM AND UNDER WHAT CONDITIONS WILL WE TRANSFER YOUR DATA?
A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION
At this time we do not transfer and do not intend to transfer your personal data or part of it to other companies, organizations or individuals in third countries or to international organizations.
If it is necessary for us to transfer data to any of the above destinations, we will inform you in advance of our decision, giving you the necessary time to exercise your rights in relation to the transfer of your data.
In special cases, in order to perform specialized analyses, we transmit personal data to medical centers outside of Romania, including the USA, but only at the request and with the prior consent of our patients.
9. HOW LONG WILL WE STORE YOUR PERSONAL DATA?
We will store your data in accordance with our personal data storage policy for a period of between 6 months and 10 years in the case of medical documents.
The respective periods are based on legal provisions (especially in the field of personal data protection), also taking into account the obligations to store certain data, applicable statutes of limitations, recommended practices in the matter and the purposes of our activity.
To store your data (in electronic format), we use our own servers or those of other companies specialized in electronic archiving.
10. SECURITY OF YOUR PERSONAL DATA
We work hard to protect our customers, other individuals whose data we process, and ourselves from unauthorized access and unauthorized modification, disclosure, or destruction of the data we process.
We have implemented, in particular, the following technical and organizational measures to ensure the security of personal data:
- technical measures specific: we have purchased and use technologies that ensure our customers and others that the security of their data is protected;
- back-ups and security audits: We work hard to protect our systems from unauthorized or accidental access or modification of your data and from other possible threats to its security. We make daily archives (back-ups), which we keep securely for a minimum of six (6) months. All technical equipment we use to process your data is secured and updated to protect the data. We also conduct, at regular intervals, security audits of the IT systems we use to process the personal data of our customers and other persons;
- staff training: we constantly train and test our employees and collaborators regarding the legislation and best practices in the field of personal data processing;
- restricting access to data: we strictly restrict access to the personal data we process to employees, collaborators and other persons who need to access it in order to process it for us. All these companies and individuals are subject to strict confidentiality obligations and we will not hesitate to hold them accountable and terminate their collaboration with them if they do not treat the protection of your data and that of others with the utmost seriousness;
- data minimization: we have ensured that your personal data that we process is limited to that which is necessary, adequate and relevant for the purposes stated in this notice;
- dedicated policies: we adopt and review our practices and policies for processing the data of our customers and others, including physical and electronic security measures, to protect our systems from unauthorized access and other possible threats to their security. We constantly review how we apply our own personal data protection policies and comply with data protection legislation;
- ensuring the accuracy of your data: we may from time to time ask you to confirm the accuracy and/or timeliness of the personal data about you that we process;
- control of our service providers: We include in our contracts with those who process for us (processors) or together with us (other operators – associated operators) clauses to ensure the protection of the data we process; this protection goes at least to the minimum required by law.
Although we take all reasonable steps to ensure the security of your data, we cannot guarantee the absence of any security breach or the impossibility of penetration of security systems. In the unfortunate and unlikely event that such a breach occurs, we will follow legal procedures to limit the effects and inform the data subjects.
11. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?
According to the legislation in force, you benefit from a series of rights regarding the processing of personal data.
We take your rights in relation to the processing of your data very seriously. We will continue to take all reasonable steps to ensure that they are respected.
Your rights are as follows:
Right of access to data. You have the right to obtain access to your data that we process or control or copies thereof;
Right to rectification.If your personal data is inaccurate or incomplete, you have the right to have it rectified by us without undue delay.
The right to erasure of data („right to be forgotten”).You have the right to request that your personal data be erased without undue delay if it is no longer necessary for us to process it.
The right to restriction of data processing.You have the right to ask us to restrict the processing of your data if at least one of the following conditions is met:
• you contest the accuracy of that data – in this case, we will stop processing until we verify the accuracy of that data;
• the processing is unlawful – although you have the right to have your data erased (“right to be forgotten”), you oppose the erasure and, instead, ask us to restrict its use;
• nu mai avem nevoie de acele date, dar dumneavoastră ni le solicitaţi în scopul constatării, al exercitării sau al apărării unui drept în instanță.
However, we will continue to process (and otherwise than by storing) the data whose processing has been restricted by you if and to the extent that:
• the processing is necessary for the establishment, exercise or defense of a right in court;
• processing is necessary for the protection of the rights of another natural or legal person;
• processing is necessary for reasons of important public interest of the European Union or of a Member State of the European Union.
The right to object.You have the right to object to the processing of your data by us or on our behalf.
Right to data portability.You can obtain from us your personal data that we process, to use it for the purposes you wish and to be able to transfer it from one environment to another, in a safe and easy way.
The right to withdraw consent.In situations where we process your data based on your consent, you have the right to withdraw your consent; you can do this at any time, at least as easily as you initially gave us your consent; the withdrawal of consent will not affect the lawfulness of the processing of your data that we carried out before the withdrawal.
The right to lodge a complaint with the supervisory authority.You have the right to file a complaint with the supervisory authority for the processing of personal data regarding the processing of your data by us or on our behalf.
How can you exercise your rights?
To exercise one or more of these rights (including the right to withdraw your consent, when we process your data based on it) or to ask any questions about any of these rights or any provision of this information notice or about any other aspects of our processing of your data, please use the contact details at any time.
We will try to respond as quickly and completely as possible to all your questions and concerns and to facilitate the exercise of your rights.
You can also exercise any of these rights (including the right to withdraw your consent, when we process your data based on it) by downloading and completing the form available at reception. After completing it, you can send it to the email address or physically submit it to our reception.
Important!
All these rights can be exercised through a written, signed and dated request, sent to our headquarters or by email, the necessary contact details can be found on the site.
The right to lodge a complaint with the supervisory authority.If you believe that your personal data rights have been violated, you can also contact and file a complaint with your local data protection authority:
National Supervisory Authority for Personal Data Processing
Address:
B-dul G-ral. Gheorghe Magheru no. 28-30:
Sector 1, postal code 010336, Bucharest, Romania
Email: anspdcp@dataprotection.ro
Central Telephone:
+40.318.059.211
+40.318.059.212
12. CONSEQUENCES OF NOT PROVIDING PERSONAL DATA
You are not obliged to provide us with the personal data we have mentioned in this document. However, if you do not provide us with the data mentioned in this information note it will not be possible for us to provide you with the services you request, to respond to your complaints or requests or to send you communications regarding our services that may be of interest to you.
13. THE LACK OF AN AUTOMATED DECISION-MAKING PROCESS
Our respect for your data includes giving it the necessary human attention, through our staff. We do not make decisions based solely on automated processing of your data (including profiling) that produce legal effects concerning you or similarly significantly affect you.