- Updated on 12.10.2021 -
I. THE CONTROLLER’S IDENTIFICATION AND CONTACT DATA
In the European Union, the personal data of natural persons are protected according to the provisions of the Regulation no. 679 from 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (next referred to as “GDPR” or the “European Regulation”), applicable in our country since 25.05.2018.
The website https://www.origyn.ro/ (to which we shall refer as the “Site”) is the exclusive property of FERTIGYN SRL (next called “FERTIGYN”), based in Iași, 3C Palat Street, block E3, 1st floor, Iași County, and work points in Iași, 1-3 Grigore Ureche Street, block Walter Mărăcineanu, mezzanine floor, Iași County, and in Suceava, 2 Meseriașilor Street, commercial space - Pharmacy 72, block 10, ground floor, Suceava County, with the contact phone numbers 0751 263 263 or 0756 379 565 and e-mail firstname.lastname@example.org,registered at the Iași Trade Register Office with the number J22/1673/2009, and with the Tax Identification Number 26102969.
As a controller of personal data, FERTIGYN continuously seeks to ensure that the processing of personal data at the FERTIGYN-owned clinic ORIGYN FERTILITY CENTER (next referred to as the “Clinic”) is done in strict accordance with the principles and rules of the European Regulation.
This Confidentiality Policy is valid starting with 12.10.2021 and aims to inform you that FERIGYN enforces and observes the provisions of the European Regulation with regard to:
- the processing of personal data by the controller in order for it to carry out specific activities defined according to its field of activity;
- the processing of personal data belonging to data subjects as visitors of the Site or users of the Site’s functions.
FERTIGYN may periodically update the present Policy depending on the changes and addenda to applicable legislation, the medical services offered, as well as the level of technological development, in which case it shall inform the data subjects through the Site about any updates before they become applicable.
II. THE CONTACT DETAILS OF THE DATA PROTECTION OFFICER
The data protection officer may be contacted at the email address email@example.com..
- Personal data (PD): any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (e.g., personal identity code CNP), location data (e.g., information resulting from GPS monitoring), an online identifier (e.g., IP address), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- Visitor: any person that accesses or uses the Site;
- Data subject: any natural person whose personal data is processed by FERIGYN as data controller;
- Data filing system: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- Recipient: a natural or legal person, public authority, agency or another body, to whom/which the personal data are disclosed, whether a third party or not;
- Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
- Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
- Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person;
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Supervisory authority (the National Supervisory Authority for the Processing of Personal Data - next referred to as “ANSPDCP”): public, autonomous, and independent national authority established by a Member State pursuant to Article 51 of GDPR with the objective of protecting the fundamental rights and freedoms of natural persons who are in Romania, with regard to the processing of personal data and the free movement of such data.
IV. THE PURPOSES OF THE PROCESSING OF PERSONAL DATA
The personal data concerning the categories of data subjects will be processed by FERTIGYN for the following PURPOSES: SCOPURI:
- To fulfil the Clinic’s object of activity:
- scheduling appointments;
- offering medical services to couples with fertility problems (infertility diagnosis, infertility treatments, IVF/ICSI/IMSI procedures);
- conducting consultations and medical investigations with the help of specialised equipment located at the Clinic;
- collecting, storing, and using biological samples in order to conduct laboratory tests;
- drafting medical analysis reports containing the results of investigations;
- presenting the prognosis, establishing the diagnosis, and prescribing treatment;
- monitoring during pregnancy;
- harvesting human reproductive cells;
- processing, preserving, storing, and distributing reproductive cells;
- using human cells for therapeutic purposes (in vitro fertilisation);
- presenting therapeutic strategy proposals;
- describing and conducting medical/surgical interventions;
- conducting real-time PCR testing for COVID-19 (at the Clinic’s laboratory located in Iași, 1-3 Grigore Ureche Street, block Walter Mărăcineanu, mezzanine floor, Iași County), based on appointment.
- To carry out other activities:
- reporting health care services to: the Iași Public Health Department, the National Transplant Agency, the European Society of Human Reproduction and Embryology (ESHRE);
- promoting health care services (based on the consent expressed by the patient);
- conducting scientific research (based on the consent expressed by the patient);
- acquiring products and services;
- receiving and paying invoices;
- signing and carrying out commercial contracts and collaboration agreements;
- selecting and recruiting staff;
- submitting declarations to public institutions in accordance to legal obligations.
- In legitimate interest:
- carrying out rapid tests for COVID-19 in the case of patients who are unvaccinated against the coronavirus;
- requiring patients scheduled for assisted human reproduction procedures and who are unvaccinated against the coronavirus to present with a recent negative COVID-19 test result or to undertake a Real-time PCR test for COVID-19;
- ensuring the security of the venues, goods, and personal protection;
- analysing and monitoring commercial risks;
- identifying and preventing crime, fraud, and money laundry;
- drafting reports about the controller’s activity.
V. THE LEGAL GROUNDS (according to the provisions of art. 6 from GDPR):
- processing is performed based on the consent of the data subject;
- processing is necessary for the performance of a contract to which the data subject is party;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
The legal ground of processing operations is regulated by:
- the provisions of the Regulation and the Romanian legislation for its application;
- the legal framework governing activity in the field of health care in Romania;
- financial, accounting, and fiscal legislation.
VI. THE CATEGORIES OF PROCESSED PERSONAL DATA
The categories of processed personal data depend on the context of interactions and rapport between the data subjects and the controller FERTIGYN and the Site, respectively. FERTIGYN will process the following categories of personal data:
- In the case of natural persons who visit the Site or use the functions on the Site:
- identification data: surname, first name;
- contact data: e-mail address;
- other personal data contained in the message transmitted through the Site.
- In the case of specific activities carried out according to the object of activity, as well as to provide top quality medical services and to comply with applicable legal requirements, FERTIGYN processes the following categories of personal data regarding the patients:
- identification data: surname, first name, citizenship, date of birth, age, sex;
- contact data: home address, telephone/fax number, e-mail address;
- national identification numbers: series and number of identity card, personal identity code (CNP), data from civil status documents;
- special categories of personal data: genetic data (samples of biological material collected from patients in order to conduct medical tests, including for COVID-19 testing), blood type, Rh, biometric data for the unique identification of a natural person, health data (information form the patient’s medical record, medical test results, proposed tests, diagnosis, medical interventions), information regarding sexual activity, allergies, personal antecedents, COVID-19 test results, data from the COVID-19 vaccination certificate;
- other personal data: signature, profession, video footage recorded by the security systems on the premises.
- In the case of employment candidates, FERTIGYN processes the following personal data:
- identification data: surname, first name, citizenship, date of birth, age;
- contact data: home address, telephone number, e-mail address;
- CV data: professional experience, educational background, and other information demonstrating the acquisition/retention of specific competences, participation in professional training;
- national identification numbers: series and number of identity card, personal identity code (CNP), and all the personal data found in copies of the identity card, birth certificate, marriage certificate, and study documents;
- special categories of personal data: health data;
- other personal data: video footage recorded by the security systems on the premises, signature.
- In the case of contractual partners (natural persons), legal representatives of commercial partners (legal persons), and collaborators, FERTIGYN processes the following personal data:
- identification data: surname, first name;
- contact data: home address, telephone number, e-mail address;
- national identification numbers: series and number of identity card, personal identity code (CNP);
- other personal data: signature, position/capacity, video footage recorded by the security systems on the premises.
VII. THE RECIPIENTS OF PERSONAL DATA
FERTIGYN may transmit, grant access and/or disclose processed personal data mainly to the following categories of entities:
- public authorities and institutions (for example, CJAS, DSP, fiscal authorities, other competent state bodies, based on and within the limits of legal provisions, and in response to express requests, etc.);
- commercial partners (suppliers/distributors of products and services);
- service providers, in their capacity of processors on behalf of FERTIGYN as controller, in accordance to the controller’s instructions, only if they comply with data protection laws and any other relevant confidentiality and security measures (for example, service providers in the field of IT who may have access to personal data, medical software suppliers, providers of access monitoring and video monitoring services, partner medical investigation laboratories, etc.).
VIII. THE TRANSFER OF PERSONAL DATA
FERTIGYN does not transfer the personal data of data subjects to third countries or outside of the European Economic Area.
Any transfer to a third country requires the prior information and consent of the data subject concerned.
IX. THE RETENTION PERIOD OF PERSONAL DATA
As controller, FERTIGYN processes personal data in strict accordance with the length of time necessary to fulfil the processing purposes for which the data was collected, while conforming to internal procedures regarding data storage and security and to internal policies, in compliance with applicable legal provisions, including, but not limited to, the requirements referring to the obligation to archive the data.
X. THE RIGHTS OF THE DATA SUBJECTS
With regard to the processing of personal data indicated in the present Confidentiality Policy, every data subject benefits from the following rights, according to applicable legal provisions:
- the right of access: he or she has the right of access to processed personal data and to information regarding the means of processing;
- the right to rectification: refers to the rectification by the controller of inaccurate or incomplete personal data;
- the right to object: the data subject has the right to object to the processing;
- the right to erasure: grants the data subject the right to request the erasure of stored data when no longer necessary for the fulfilment of the purposes for which it was collected, when the data subject withdraws his or her consent and there is no other legal ground for processing, when the data subject considers that the data was processed illegally, or to comply with a legal obligation;
- the right to restriction of processing: in certain situations, the data subject may obtain the restriction of processing his or her personal data, such as when the processing is considered illegal by the data subject or the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the right to data portability: the data subject has the right to receive the personal data which he or she has provided to the controller, in a structured, commonly used, and readable format, or to request the transmission of those data to another controller.
In addition, the data subjects have the right to withdraw their consent at any time, without affecting the lawfulness of the personal data processing carried out by the controller up to that moment.
Where a data subject considers that the data processing conducted by FERTIGYN infringes on the rights provided by the European Regulation, he or she may submit a written complaint (dated and signed) to the controller FERTIGYN at the address mentioned at the top of the present Policy, or he or she may submit it to the Data protection officer via e-mail at firstname.lastname@example.org..
Concurrently, data subjects have the right to lodge a complaint at the National Supervisory Authority for the Processing of Personal Data (28-30 General Gheorghe Magheru Blvd, Sector 1, postal code 010336, Bucharest, telephone number 0318 059 211, e-mail address email@example.com),).
In all eventualities, the controller FERTIGYN shall respect the rights of data subjects and the provisions of the European Regulation no. 679/2016.
XI. TECHNICAL AND ORGANISATIONAL MEASURES FOR THE PROTECTION OF PERSONAL DATA
FERTIGYN attaches great importance to the confidentiality and security of personal data processed in accordance with the above-mentioned purposes.
FERTIGYN has implemented the technical and organisational measures of conformity to the provisions of the European Regulation no. 679/2016 so that the processing procedures ensure full compliance with the principles of processing stated in art. 5 of the European Regulation:
- lawfulness, fairness and transparency: the data are processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- purpose limitation: the data are collected for specific, explicit, and legitimate purposes, and are not further processed in a manner that is incompatible with those purposes;
- data minimisation: the data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- accuracy: the data are accurate and may be kept up to date;
- storage limitation: the data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were collected;
- integrity and confidentiality: the data are processed in a manner that ensures their appropriate security.
XII. AUTOMATED DECISION-MAKING, INCLUDING PROFILING
FERTIGYN does not use automated profiling when processing personal data.
XIII. THE PROVISION OF PERSONAL DATA
The provision of personal data by data subjects may be a contractual obligation or a requirement for entering/performing a contract; it may be necessary in order for the data subject to benefit from the medical services provided by FERTIGYN, to navigate the Site, and to benefit from the facilities offered by this space. The refusal to provide personal data may result in the impossibility to benefit from the services made available through the Site or to comply with the requests of the data subjects concerned.
To respect the rights and freedoms of data subjects with regard to the processing of personal data, FERTIGYN asks for their agreement, but data subjects should take into account the fact that, for processing certain personal data, such prior agreement may not always be necessary according to the provisions of the European Regulation. In such situations, FERTIGYN may invoke other grounds for data processing, such as the fulfilment of legal obligations, the performance of a contract, or a legitimate interest.