CARDIOSCIENCE regulation regarding the protection and processing of personal data

This regulation is based on:

  • EU Regulation 2016/679 of the European Parliament and of the Council,
  • Decision no. 200/2015 of the President of the Supervisory Authority, published in the Official Gazette no. 969 of December 28, 2015
  • Decision no. 52 of May 31, 2012 regarding the collection, recording, storage, use, transmission, disclosure or any other operations of image processing by means of video surveillance
  • Law no. 95 of April 14, 2006, as subsequently amended and supplemented
  • Law 227/2015 “Fiscal Code” with subsequent additions and modifications (updated April 03, 2018).
  • Law no. 333/2003, regarding the safeguarding of the objectives, assets, values and protection of persons, with subsequent modifications and completions
  • Law no. 129 of June 15, 2018 for amending and supplementing Law no. 102/2005 regarding the establishment, organization and functioning of ANSPDCP, as well as for the repeal of Law no. 677/2001 for the protection of persons with regard to the processing of personal data and the free movement of such data
  • Decision no. 99 of May 18, 2018 regarding the cessation of the applicability of normative acts with administrative character issued in application of Law no. 677/2001 for the protection of persons with regard to the processing of personal data and the free movement of such data

 

Observation: Art. 4 para. 2 of Law 129/2018: All references to Law no. 677/2001, as subsequently amended and supplemented, from the normative acts shall be construed as references to the General Regulation on data protection and to the legislation for its implementation.

Excerpts:

Art. 32 of the EU Regulation 2016/679: Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting a website, choosing technical settings for information society services, or any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has several purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request made by electronic means, the request must be clear and concise and must not unnecessarily disrupt the use of the service for which the consent is given.

* Art. 4. EU Regulation 2016/679: For the purposes of this Regulation:

  1. “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. “processing” means any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction;
  3. “processing restriction” means the marking of stored personal data with the purpose of limiting their future processing;
  4. “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  5. “pseudonymisation” means the processing of personal data in such a way that they can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures that ensure the personal data are not attributed to an identified or identifiable natural person;
  6. “data record system” means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or distributed on a functional or geographical basis;
  7. “operator” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the operator or the specific criteria for its designation may be provided for by Union or national law;
  8. “person empowered by the operator” means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the operator;
  9. “recipient” means the natural or legal person, public authority, agency or other body to which personal data are disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the framework of a particular investigation in accordance with Union or national law are not regarded as recipients; the processing of those data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing;
  10. “third party” means a natural or legal person, public authority, agency or body other than the data subject, the operator, the person empowered by the operator and the persons who, under the direct authority of the operator or of the person empowered by the operator, are authorized to process personal data;
  11. “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he, by a statement or by a clear affirmative action, agrees to the processing of personal data relating to him;
  12. “breach of the security of personal data” means a breach of security leading to the accidental or unlawful destruction, loss, modification or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or to unauthorized access to such data;
  13. “head office” means:

(a) in the case of an operator with establishments in at least two Member States, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the operator in the Union and that establishment has the power to have such decisions implemented, in which case the establishment that took those decisions is considered to be the head office;

(b) in the case of a person empowered by the operator with establishments in at least two Member States, the place of its central administration in the Union or, if the person empowered by the operator has no central administration in the Union, the establishment of the person empowered by the operator in the Union where the main processing activities take place in the context of the activities of an establishment of the person empowered by the operator, insofar as the person empowered by the operator is subject to specific obligations under this Regulation;

  14. “representative” means a natural or legal person established in the Union, designated in writing by the operator or the person empowered by the operator pursuant to Article 27, who represents the operator or the person empowered by the operator with regard to their respective obligations under this Regulation;
  15. “enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
  16. “group of undertakings” means a controlling undertaking and the undertakings controlled by it;
  17. “mandatory corporate rules” means personal data protection policies which are adhered to by an operator or a person empowered by the operator established on the territory of a Member State for transfers or sets of transfers of personal data to an operator or a person empowered by the operator in one or more third countries within a group of undertakings, or within a group of enterprises engaged in a joint economic activity;
  18. “supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51;
  19. “targeted supervisory authority” means a supervisory authority which is concerned by the processing of personal data because:

(a) the operator or the person empowered by the operator is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or are likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority;

  20. “cross-border processing” means either:

(a) the processing of personal data which takes place in the context of the activities of establishments in several Member States of an operator or of a person empowered by the operator in the Union, where the operator or the person empowered by the operator is established in at least two Member States; or

(b) the processing of personal data which takes place in the context of the activities of a single establishment of an operator or of a person empowered by the operator in the Union, but which substantially affects or is likely to substantially affect data subjects in at least two Member States;

  21. “relevant and reasoned objection” means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether the measures envisaged in relation to the operator or the person empowered by the operator comply with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;
  22. “information society services” means a service as defined in Article 1(1)(b) of Directive 98/34/EC of the European Parliament and of the Council (1);
  23. “international organization” means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

(1) Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services (OJ L 204, 21.7.1998, p. 37).

 

According to the requirements of Law no. 677/2001 for the protection of persons regarding the processing of personal data and the free movement of these data, amended and supplemented, and Law no. 102/2005 regarding the establishment and functioning of the National Supervisory Authority for the Processing of Personal Data, CARDIOSCIENCE has the obligation to administer this data in safe conditions and only for the specified purposes. The personal data will be:

  • processed in good faith and in accordance with legal provisions;
  • collected for specific, explicit and legitimate purposes;
  • appropriate, relevant and non-excessive, in relation to the purpose for which they are collected and subsequently processed;
  • accurate and up to date; inaccurate or incomplete data in terms of the purpose for which they are collected and processed will be deleted or rectified;
  • stored in a form that allows identification of the data subject strictly for the period necessary to achieve the purposes for which the data are collected and processed.

 

What categories of personal data we process

In general, we collect your personal data directly from you, so that you have control over the type of information you provide to us. For example, we receive information from you as follows:

When creating an account, you provide: e-mail address, first and last name;

When placing an order, you provide information such as: the desired product, first and last name, delivery address, billing details, payment method, telephone number, bank card details, etc.

You also have the opportunity to register on the CARDIOSCIENCE platform through your Facebook or Google account. If you opt for one of these, you will be directed to a page managed by Facebook Inc / Google LLC, where they will inform you about the transfer of your data to CARDIOSCIENCE. You can view the privacy policies of Facebook and Google respectively, using the following links:

 

https://www.facebook.com/about/privacy

https://policies.google.com/privacy

 

We may also collect and process certain information about your behaviour when you visit our website or use the smartphone application, in order to personalize your online experience and to provide you with offers tailored to your profile. We invite you to learn more in this regard by consulting the section on processing purposes below.

On our website and in the smartphone application we can store and collect information in cookies and similar technologies, according to the Cookies Policy.

We do not collect or otherwise process sensitive data, i.e. the special categories of personal data defined in the General Data Protection Regulation. Nor do we wish to collect or process data of minors who have not reached the age of 16 years.

 

Purposes and basis of processing

Your personal data will be used for the following purposes:

  1. To provide CARDIOSCIENCE services for your benefit

This general purpose may include, as appropriate, the following:

  a) Creation and administration of the account within the platform on the site;
  b) Processing of orders, including taking, validating, shipping and invoicing;
  c) Solving cancellations or problems of any kind related to an order, or to the goods or services purchased;
  d) Returning the products according to the legal provisions;
  e) Reimbursement of the value of the products according to the legal provisions;
  f) Providing support services, including providing answers to your questions regarding your orders or our goods and services.

 

  2. To improve our services:

We always want to offer you the best online shopping experience. For this, we may collect and use certain information regarding your buyer behaviour, we may invite you to complete satisfaction questionnaires after the completion of an order, or we may conduct, directly or with the help of partners, market research and studies.

 

  3. For marketing:

We want to keep you updated on the best offers for the products / services you are interested in. In this regard, we can send you any type of message (such as: e-mail / SMS / telephone / mobile push / web push / etc.) containing general and thematic information, information on products similar or complementary to those you have purchased, information on offers or promotions, information on products added in the “My Account / Cart” section, as well as other commercial communications such as market research and opinion polls, and we can display personalized recommendations on the website and in the smartphone app. We always make sure that all data processing is carried out in compliance with your rights and freedoms and that the decisions taken on the basis of it have no legal effects on you and do not affect you in a significant way.

In most cases, we establish marketing communications with your prior consent. You can change your mind and withdraw your consent at any time by:

  • changing the settings in the client account in the “My subscriptions” section;
  • accessing the unsubscribe link displayed in the messages you receive from us or by contacting CARDIOSCIENCE using the contact details described above.

 

In certain situations, we can base our marketing activities on our legitimate interest in promoting and developing our commercial activity. In any situation where we use information about you for our legitimate interest, we take care and take all necessary measures so that your fundamental rights and freedoms are not affected. However, you may at any time request us, by the means described above, to stop the processing of your personal data for marketing purposes, and we will comply with your request within the prescribed terms.

 

  4. To defend our legitimate interests

There may be situations in which we will use or transmit information to protect our rights and commercial activity. These may include:

– Measures to protect the website and users of the eMAG platform against cyber attacks;

– Measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;

– Measures to manage various other risks.

The general basis of these types of processing is our legitimate interest in defending our commercial activity, being understood that we ensure that all the measures we take guarantee a balance between our interests and your fundamental rights and freedoms.

Also, in certain cases we base our processing on legal provisions, such as the obligation to ensure the safeguarding of the goods and values provided for by the applicable legislation in this matter.

 

Keeping personal data

As a general rule, we will store your personal data as long as you have an account on the CARDIOSCIENCE platform. You can ask us at any time to delete certain information or close the account and we will respond to these requests, subject to the preservation of certain information including after closing the account, in cases where applicable law or our legitimate interests require it.

 

Transmission of personal data

Where appropriate, we may transmit or provide access to certain of your personal data to the following categories of recipients:

– CARDIOSCIENCE partners;

– courier service providers;

– payment / banking service providers;

– IT service providers;

– other companies with which we may develop joint programs to offer our goods and services on the market.

If we have a legal obligation or if it is necessary to defend a legitimate interest, we may also disclose certain personal data to some public authorities.

We make sure that access to your data by third parties governed by private law takes place in accordance with the legal provisions regarding data protection and confidentiality of information, on the basis of contracts concluded with them.

Currently, we store and process your personal data on the territory of Romania.

 

Your rights regarding personal data

The General Data Protection Regulation recognizes certain rights in relation to your personal data. You may request access to your data, request the correction of any errors in our files, and / or object to the processing of your personal data. You may also exercise your right to lodge a complaint with the competent supervisory authority or to bring an action before the courts. Where applicable, you may also have the right to request the deletion of your personal data, the right to restrict the processing of your data and the right to data portability.

 

Right of access

Any data subject has the right to obtain from the operator, upon request and free of charge for one request per year, confirmation of the fact that the data concerning him are or are not processed by him. CARDIOSCIENCE is obliged, in the case in which it processes personal data concerning the applicant, to communicate to the applicant, together with the confirmation, at least the following:

  • information regarding the purposes of the processing, the categories of data envisaged and the recipients or categories of recipients to whom the data are disclosed;
  • the communication in an intelligible form of the data being processed, as well as of any available information regarding the origin of the data;
  • information on the operating principles of the mechanism by which any automatic processing of the data aimed at that person is performed;
  • information on the existence of the right to intervene on the data and the right of opposition, as well as the conditions under which they can be exercised;

The data subject may request from CARDIOSCIENCE the information through a written, dated and signed application. In the application the applicant can indicate whether he wants the information to be communicated to a specific address, which may also be by e-mail, or by a correspondence service that will ensure that the delivery will be made to him personally only.

CARDIOSCIENCE is obliged to communicate the requested information, within 15 days from the date of receipt of the request.

 

The right to intervene on the data

All data subjects have the right to obtain from CARDIOSCIENCE on request and free of charge:

  • rectification, updating, blocking or deletion of data whose processing is not in conformity with the present law, especially incomplete or inaccurate data;
  • transformation into anonymous data of data whose processing is not in accordance with the Law.

To intervene on the data, the data subject will submit to CARDIOSCIENCE a request made in written, dated and signed form. In the application the applicant can indicate whether he wants the information to be communicated to a specific address, which may also be by e-mail, or by a correspondence service that will ensure that the delivery is made to him personally only.

CARDIOSCIENCE is obliged to communicate the measures taken to the data subject within 15 days from the date of receipt of the request.

 

Right of opposition

The data subject has the right to oppose at any time, for well-founded and legitimate reasons related to his particular situation, the processing of data concerning him, unless otherwise provided by law. In case of justified opposition, the processing may no longer cover the data in question.

The data subject has the right to oppose at any time, free of charge and without justification, the processing of data concerning him for direct marketing purposes, on behalf of the operator or of a third party, or the disclosure of such data to third parties for such a purpose.

In order to exercise these rights, the data subject will submit to CARDIOSCIENCE an application in written, dated and signed form. In the application the applicant can indicate whether he wants the information to be communicated to a specific address, which may also be by e-mail, or through a correspondence service that will ensure that the delivery is made to him personally only.

CARDIOSCIENCE is obliged to communicate to the data subject the measures taken within 15 days from the date of receipt of the request, in compliance with the possible option of the applicant.

 

Completion of personal data processing operations

The processed data will be stored, according to art. 4 paragraph (1) lit. e) of Law no. 677/2001, for the duration necessary to achieve the purposes for which they were collected and subsequently processed.

This may be, as the case may be:

  • the duration of the validity of the contract to be concluded with the data subject for the provision of the services of the operator and for the period of their archiving, established by normative acts;
  • the period necessary for data collection.

With regard to deletion, destruction and archiving, the internal procedure and the manner of carrying out these operations are established by each operator, except for the procedure that is carried out according to the legal provisions regarding the national archives. CARDIOSCIENCE, due to its activity, is obliged on the basis of special legal provisions to keep the data for a certain period of time, but after its expiry it must proceed in one of the ways provided above.

In the case of data transfer to another operator, the original operator must guarantee that the processing carried out by the third party has purposes similar to the initial processing. In this case, our company is obliged, at the time of data collection or, if the data are intended to be disclosed to third parties, at the latest by the time of first disclosure, to provide the data subject with the information provided for in art. 12 paragraph (1) of Law no. 677/2001.

 

Measures taken to ensure processing safety

In accordance with Law no. 677/2001, CARDIOSCIENCE applies all the technical and organizational measures appropriate to protect personal data against accidental or unlawful destruction, loss, modification, disclosure or unauthorized access.

  1. Only users from the management of the unit (administrator, general manager, economic director) have access to the database of personal information, each of them accessing the database with their own account name and password (after 3 incorrect entries of the account password, the account is blocked). All users are required to maintain the confidentiality of the data they have access to, and they close their database session at the end of each working session. If one or more users are revoked for any reason, their access accounts are suspended automatically.
  2. Users access personal data only for the performance of their duties;
  3. Any operation of collecting and / or modifying personal data by the users is permanently recorded (the user, date, time and type of modification are logged); all logins to and logouts from the database by all users are also recorded;
  4. At set time intervals, a backup of the database is performed;
  5. The computers from which the database of personal information is accessed are in rooms where access is restricted; they run up-to-date anti-virus, anti-spam and firewall protection solutions.
  6. The printing of personal data is carried out only by the users authorized for this operation and only for the purposes required by the laws in force.
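The account, session and audit-trail rules in items 1 and 3 above can be checked mechanically. The following is an added illustration, not CARDIOSCIENCE's own software: a small in-memory stand-in for the personal-information database that blocks an account after 3 wrong passwords, refuses data operations without an open session, suspends a revoked user immediately, and writes one audit entry (user, timestamp, type of operation) for every login, logout, collection and modification. The user names, passwords and subject record are constructed sample values; the salted PBKDF2 credential check is an assumption about how the real system stores passwords.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3  # item 1: block the account after 3 wrong passwords


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored credential is not the plain password (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PersonalDataStore:
    """In-memory stand-in for the personal-information database (constructed)."""

    def __init__(self) -> None:
        self.accounts: dict = {}    # user -> credential and account state
        self.sessions: set = set()  # users with an open database session
        self.records: dict = {}     # subject id -> personal data fields
        self.audit_log: list = []   # item 3: every login/logout/collect/modify

    def _log(self, user: str, action: str, detail: str = "") -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "detail": detail,
        })

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {
            "salt": salt, "hash": _hash_password(password, salt),
            "failed": 0, "locked": False, "suspended": False,
        }

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct["locked"] or acct["suspended"]:
            self._log(user, "login_denied", "unknown, locked or suspended account")
            return False
        if hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"])):
            acct["failed"] = 0
            self.sessions.add(user)
            self._log(user, "login")
            return True
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True  # stays locked until an administrator unlocks it
            self._log(user, "account_locked", f"{acct['failed']} failed attempts")
        else:
            self._log(user, "login_failed", f"attempt {acct['failed']}")
        return False

    def logout(self, user: str) -> None:
        # Item 1: the session is closed explicitly at the end of work.
        self.sessions.discard(user)
        self._log(user, "logout")

    def revoke(self, user: str) -> None:
        # Item 1: a revoked user's account is suspended at once; any open session ends.
        self.accounts[user]["suspended"] = True
        self.sessions.discard(user)
        self._log(user, "account_suspended")

    def _require_session(self, user: str) -> None:
        if user not in self.sessions:
            self._log(user, "access_denied", "no active session")
            raise PermissionError(f"{user} has no active session")

    def collect(self, user: str, subject_id: str, data: dict) -> None:
        self._require_session(user)
        self.records[subject_id] = dict(data)
        self._log(user, "collect", f"subject={subject_id} fields={sorted(data)}")

    def modify(self, user: str, subject_id: str, field: str, value: str) -> None:
        self._require_session(user)
        self.records[subject_id][field] = value
        self._log(user, "modify", f"subject={subject_id} field={field}")


def demo() -> PersonalDataStore:
    """Scripted run over constructed sample users and one sample subject record."""
    store = PersonalDataStore()
    store.add_user("admin", "S3cure-Pass!")
    for _ in range(3):
        store.login("admin", "wrong-password")  # third failure locks the account
    store.login("admin", "S3cure-Pass!")         # correct password, still denied
    store.add_user("manager", "Mgr-Pass!")
    store.login("manager", "Mgr-Pass!")
    store.collect("manager", "P-001", {"name": "Sample Subject", "email": "sample@example.com"})
    store.modify("manager", "P-001", "phone", "+40-000-000-000")
    store.logout("manager")
    store.revoke("manager")
    store.login("manager", "Mgr-Pass!")          # suspended account, denied
    return store


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry["time"], entry["user"], entry["action"], entry["detail"])
```

Running the script prints the audit trail of the scripted session; the denied and locked events appear in the same log as the successful ones, which is what makes the log useful for later review.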

The company headquarters is equipped with an automatic video surveillance and alarm system, and personal data is stored electronically in secure, password-protected files. Data resulting from video surveillance is not intended for disclosure / publication. This data is necessary to ensure the security of the premises and the goods of the practice. Refusal to accept the provision of this data entails the prohibition of access to the CARDIOSCIENCE premises. The information on paper is kept in special files, to which only the employees of the company, who are bound by an obligation of confidentiality, have access.

 

INFORMATION NOTE regarding the protection of personal data

CARDIOSCIENCE collects the following personal data:

  • video images, by automated means of surveillance, to ensure the monitoring / security of the persons, spaces and / or private assets of the company, according to the provisions of Law no. 333/2003, regarding the safeguarding of the objectives, assets, values and protection of persons, with subsequent amendments and completions. The video surveillance sign is displayed at the entrance; entering the CARDIOSCIENCE area represents your acceptance.

You are obliged to provide the aforementioned personal data, which is necessary to ensure the security of the premises and the goods of the practice and to carry out the activity of CARDIOSCIENCE; your refusal entails the prohibition of access within the company premises.

 

The registered information is used by the operator only for the purposes specified above, and is not intended for disclosure to third parties / recipients except under the conditions provided by law (e.g. public authorities to whom data are communicated in the exercise of a special investigative competence will not be considered recipients). The CARDIOSCIENCE database cannot be the subject of any transaction of any kind with any natural or legal person, of private or public law, including public authorities, institutions and their territorial structures (e.g. SC Cardiomed SRL will not make the database available to anyone for the production of advertisements, promotional programs, etc.).

– CARDIOSCIENCE will contact you by telephone only for reasons strictly related to the bilateral relationship with you (e.g. order confirmation).

 

According to Law no. 677/2001 you benefit from the right of access, intervention on the data and the right not to be subjected to an individual decision. The exercise of these rights can be achieved through a written, dated and signed request addressed to CARDIOSCIENCE.

The application form will be found on the CARDIOSCIENCE web page, at the address: ……………. or at the company headquarters. You also have the right to appeal to justice.