INFORMATION NOTE ON THE PROCESSING OF PERSONAL DATA BY THE DERMATO-AESTHETIC CENTRE - SKINMED
Effective date: July 2024
We at DERMATO-AESTHETIC CENTRE - SKINMED (Pipera nr. 2/III bis, Spațiul Comercial 1, parter, jud. Ilfov) have great respect for your personal data and, with this information notice, we provide you with details of how we process your personal data. Our priorities include ensuring that we process personal data in accordance with data protection legislation and best practice.
We therefore encourage you to take the time to read it fully and carefully and make sure you fully understand it. Do not hesitate to let us know if you have any questions.
1. Scope of this information note
This notice, issued under the EU General Data Protection Regulation (GDPR), explains how the "Clinic" uses your personal data; this may include the personal data of third parties when you provide us with their personal data. We will treat this information as personal data of those individuals and give them the necessary protection as well. In all cases, we will strictly comply with our obligation of professional (including medical) secrecy to you and, in order to comply with that obligation, will not inform these persons of this processing.
This notice also gives details of how we process your personal data, the reasons why we process it, to whom we may pass it on, and also discloses your personal data rights.
2. Personal data we process
The Clinic collects and processes your personal data which may come directly from you or from persons authorised by you to provide us with such data. Personal data includes all information that identifies you or can be used to identify you.
General personal data:
- identification data - name; surname; gender; date of birth (strictly for those who give their consent for marketing), signature, CNP (personal identification number);
- contact data - mobile/fixed telephone number; mailing/billing address; email address;
- payment details - bank account or bank card number/ IBAN code; name and surname of the holder of the bank account or bank card (it can be someone other than you if someone else has made a payment for a service on your behalf); financial history with the Clinic; statement of outstanding payments;
- contract details for service packages: start and end date of the contract, contract value, billing details.
- opinions about our services and the products used - any opinions and views you share with us or any opinions and views you publicly post about us on social media or share with other public channels;
- communication and other personal preferences - data relating to the services provided by the Clinic and your interaction with us, such as: records of your interactions with us; details of the history of services provided by us to you;
Special personal data:
- image data - video recordings via CCTV video surveillance cameras installed in the common areas of the Clinic premises - these are indicated by visible signs;
- voice data - your voice and the information provided during the entire telephone call to the Call Center, in case you call our Call Center service or we call you for scheduling purposes;
- health data - symptoms; previous illnesses; past medications; blood type; allergies; diagnosis; services you access at the Clinic; results of tests we perform on you; treatment we prescribe or administer; doctor you have accessed; medical referrals; private insurance status, data on your family's medical history; other information you provide us with regarding your family members; all medical documentation - records, photographs, imaging, MRI scans and anything that may be tangible medical results. All of this can be uploaded and sent by the patient to one of the Clinic's doctors;
- genetic data - analysis data, sample code, analysis results, only if you perform specific analysis.
3. The purposes for which we process your personal data
The processing of your personal data includes the lawful ways in which we may record, organize, structure, store, adapt or modify, retrieve, consult, use, disclose by transmission or even make available, restrict, delete or destroy your personal data.
We may process your personal data for the following purposes:
- Making appointments at the Clinic or through the Call Centre service for the provision of medical services in the clinic and in telemedicine;
- Making appointments in order to provide body beauty services to you;
- Providing medical services to you in the clinic and telemedicine system; communication of the results of investigations carried out within the Clinic or through third parties with whom the Clinic has a service contract; communication of information on the safety of the product used in the procedure applied, receipt and reporting of adverse reactions;
- Providing body beauty services to you;
- Marketing communications - carrying out promotional activity regarding medical services to clients/potential clients by email or sms (strictly for those who have expressed their consent to do so);
- Promotion of the Clinic's services on social media channels by using photos and/or videos of patients and doctors; only photos/videos of patients who have given their consent will be used;
- Monitoring interactions we have with you (online and offline) to check on improvements to our services or new services - feedback form preparation and archiving;
- Financial management - issuing vouchers, invoices and receipts to you; receiving payments from you including recording payments made by another person on your behalf; recovering debts from you; sending notices and taking legal action in the event of debts not recovered amicably; drawing up financial reports, issuing financial statements;
- Administration of communications and IT systems, audit reporting, database security management and all IT systems;
- Keeping track of medical services, keeping track of appointments in IT applications, handling complaints received from patients or other data subjects, archiving all medical documentation;
- Physical integrity of property and persons inside the clinic using video surveillance;
- Fulfilling our legal obligations on archiving, record-keeping and other obligations imposed on us by law;
- Dispute settlement, court proceedings and investigations by the authorities - representing you before the courts and public authorities; dealing with your complaints and requests.
Where we process your data for purposes other than those stated, we will send you an information notice before processing your personal data for those purposes so that, where such processing is subject to your consent, you can freely and expressly express your consent for each processing operation.
4. The grounds on which we process your personal data
The applicable legal basis under which we process your personal data for the specific purposes listed above includes the following:
- Making representations at your request before a contract is concluded (Article 6 (1) (b) sentence II of the GDPR);
- Execution of medical services contract and execution of non-medical services contract (Art. 6 para. 1 lit. b sentence I of the GDPR) - if we use processing to fulfill contractual obligations under a contract to which you are a party, you may not be able to object to that processing or if you choose to opt-out or object to our processing, it may affect our ability to fulfill a contractual obligation we owe to you;
- Compliance with applicable laws (Article 6(1)(c) GDPR) - in certain circumstances, we may need to process your personal data to comply with a relevant law/regulation. If we process your personal data to fulfil our legal obligations, you are unlikely to be allowed to object to this processing activity, but you will usually have the right to access or review this information unless it would prevent us from fulfilling our legal obligations;
- Our legitimate interest (Article 6(1)(f) GDPR) – We may process your personal data based on our legitimate interests to communicate and manage interactions with you in relation to products and services. In addition to the other rights described below, you have the right to object to the processing of your personal data. You may object by contacting us using the information in the "How to contact us" section below.
- Based on your consent (Article 6(1)(a) GDPR) - In some cases, we may require your consent to collect and process your personal data. If you choose to give us your consent, you may later withdraw it (or opt-out) by contacting us using the information in the "How to contact us" section below. Please note that withdrawing your consent will not affect any processing of personal data that has already taken place. Where we process your personal data on the basis of consent, we will provide you with more detailed information at the time we obtain your consent.
5. To whom and when we disclose or transmit your personal data
We will transmit or disclose your personal data to the following entities:
- Third parties that we contract to perform services on our behalf to perform activities or functions related to the purposes of processing your personal data described above. We will require these third parties acting on our behalf to protect the confidentiality and security of your personal data that we transmit to them. These third parties have contractually agreed that they will not use or disclose your personal data for purposes other than those necessary to provide services to us, perform services on our behalf, or comply with applicable laws or regulations. Third parties are represented by: accountants, lawyers, individuals or legal entities acting in relation to the Clinic, as proxies, in various areas: marketing and advertising services, payment services, archiving services. All these persons undertake, by signing contracts with the Clinic, to keep the data confidential.
- Potential third-party buyers. If we decide to reorganise or dispose of a business by sale, merger or acquisition, we may pass on personal data to current or potential buyers. We will require those purchasers to use your personal data in accordance with this notice;
- Legal proceedings. In the event that disagreements arise between you and us that we cannot resolve amicably, we may process your sensitive data (e.g. diagnosis and procedure) for the purpose of establishing, exercising or defending a legal claim against us;
- Collaborating doctors and other health care providers - they have an obligation to keep your data confidential under both the Patient Act and the GDPR.
6. To whom and under what conditions we will transfer your data to a third country
At this time we do not transfer and do not intend to transfer your personal data or any part of it to other companies, organisations or individuals in third countries or to international organisations.
If we need to transfer your data to any of the above destinations, we will send you a prior notice of this.
For specifically defined cases, for the interpretation of specialized analyses, at the express request of our patients, we make these analyses available to a specialized physician located in the USA. The analyses do not bear any personal data of the patient so it is impossible that the interpretation of the analyses can lead to the identification of the person to whom they belong. The analyses are made available to the doctor for interpretation through a highly secure system so that no unauthorised person can learn about them or gain possession of them. The physician located in the USA does not store, process or operate in any way our patients' analyses and any personal data about them.
7. How we protect your personal data
We use industry-standard administrative, technical and physical safeguards to protect your personal data against loss, theft, misuse, unauthorised access, alteration, disclosure and destruction. We allow access to your personal data only to those employees and third parties acting on our behalf who justify a legitimate interest in such access. We will transfer your personal data to third parties acting on our behalf if we have received written assurances that your personal data will be protected in accordance with this notice and our privacy policies and procedures.
8. How long we keep your personal data
Your personal data will be stored for a limited period of time in accordance with the provisions and conditions imposed by the framework legislation. Thus:
- data concerning your state of health will be stored for a reasonable period after the termination of these contracts, in compliance with the applicable legislation; thus, storage will be for 30 years in the case of non-technical documents and 100 years in the case of medical documents;
- personal data necessary for the provision of body beauty services will be stored for a period of 10 years;
- data processed for accounting purposes (those relating to invoicing and payments) will be stored, in accordance with accounting legislation, for a period of 10 years;
- video surveillance and phone call recording data will be stored for 30 days;
- data processed for marketing purposes will be stored for a period of 3 years;
9. What your rights are and how you can exercise them
You have the right to consult and obtain a copy of your personal data that we hold, including an electronic copy, and to ask us to make changes where the personal data we hold about you is inaccurate or incomplete. You may also request that we delete your data when they are no longer needed for the purposes for which you provided them to us, that we restrict how we process your personal data for certain limited purposes where it is not possible to delete the data, or you may object to the processing of your personal data. In certain situations, you may request the transfer of your data to a third party of your choice.
Also, where we process your data based on your consent, you have the right to withdraw your consent; you can do this at any time, at least as easily as you originally gave us your consent; withdrawing consent will not affect the lawfulness of the processing of your data that we carried out prior to withdrawal.
The right to lodge a complaint with the supervisory authority. You have the right to lodge a complaint with the supervisory authority for the processing of personal data about the processing of your data by us or on our behalf.
To exercise any of these rights, please contact us as indicated in the "How to contact us" section below.
Your request will be examined with the utmost seriousness and a response will be sent to you within the legal deadline of 30 calendar days from receipt of the request, as provided for in the GDPR.
10. What happens if we revise this information note?
"CENTRUL DERMATOESTETIC- SKINMED" may amend this policy on the processing of personal data to reflect changes in legislation, in internal practices and procedures for processing personal data, in website features or in recent technological developments. These changes can be seen in the updated policy both on the SKINMED DERMATOESTETIC CENTRE's website and at the clinic reception desk.
11. Lack of automated decision-making process
Our respect for your data also means that, as a user of our services, you will not be subject to a decision by us based solely on the automatic processing of your data (including profiling) that produces legal effects concerning you or similarly affects you to a significant extent. If we decide to create such a profile, we will ask you to give your explicit consent.
12. How can you contact us if you have questions or concerns?
If you have any comments, suggestions, questions or concerns about any of the information in this notice or any other issues relating to the processing of your data that we carry out, please do not hesitate to contact our Data Protection Officer at any time. Depending on your preferences, you may contact us through any of the communication channels below.
Our entire team will make every reasonable effort to ensure that we respond to you as quickly and completely as possible.
Our contact details:
Address of registered office and place of business: Bucharest, Alba Iulia Square no. 2, bl. I1, Section 1, sector 3
Phone numbers: 021.9030 and 0786 356 361 (available between 09.00-17.00, Monday - Friday)
Email address: office@skinmed.ro
Contact details of our data protection officer:
Correspondence address: Bucharest, Alba Iulia Square no. 2, bl. I1, Section 1, sector 3
Email address: dpo@skinmed.ro
13. What solutions are available to you?
For more information about your privacy and data protection rights, or if you are unable to resolve an issue directly with us and would like to make a complaint, please contact the country-specific data protection authority (National Supervisory Authority for Personal Data Processing, Bucharest, Bdul General Gheorghe Magheru 28-30, postal code 010336, Romania, Phone: +40 31 805 9211).
14. What do the terms used in this information note mean?
- Supervisory authority for the processing of personal data: an independent public authority which, according to the law, has powers relating to the supervision of compliance with personal data protection legislation. In Romania, this supervisory authority for personal data processing is the National Supervisory Authority for Personal Data Processing (ANSPDCP).
- Special categories of personal data - personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical convictions or trade union membership, sex life or sexual orientation, data concerning criminal convictions, genetic data, biometric data, health data;
- Consent - any freely given, specific, informed and unambiguous indication of the data subject's wishes, by which the data subject signifies his or her agreement, by means of a statement or unequivocal action, to the processing of personal data relating to him or her;
- Personal data - any information relating to an identified or identifiable natural person. A natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, an online identifier, or one or more elements specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity. Thus, for example, the following are included in the notion of personal data: name and surname; home or residence address; email address; telephone number; personal identification number (CNP); diagnosis established (these are sensitive data); biometric data (these are sensitive data). The categories of personal data about you that we process are listed above.
- Health data - personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about that person's state of health;
- Personal data controller - natural or legal person, and any public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
- Processing of personal data - any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Authorised person - the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
- The person concerned - the natural person whose personal data are processed by the controller or by the processor;
- Telemedicine - an asynchronous communication, as the sender and the recipient do not need to be present at the same time in the same place. Everything takes place on secure medical communication platforms where data confidentiality is strictly preserved. Each individual specialist can provide medical services without direct contact with the patient and send diagnostic and treatment recommendations back to the person who requested them. In this way, even people who are unable to travel and those in remote areas can access specialists. Interactive telemedicine can be a viable alternative when face-to-face consultation is unavailable, not feasible or impossible (due to distance, cost, weather and economic conditions). This method can be comparable to a consultation, with the issuing of a diagnosis, prescription and associated medical advice.
- Third country - country outside the European Union or the European Economic Area.
DERMATO-AESTHETIC CENTRE - SKINMED consists of the following affiliated companies:
- SKINMED CLINIC - provider of medical services, based in Bucharest, Piața Alba Iulia nr. 2, bl. I1, Tronson 1, sector 3; J40/7447/2014, CUI 33307037 and working points in Bucharest, Piața Alba Iulia nr. 2, bl. I1, Tronson 1, sector 3 and in Voluntari, Bld Pipera nr. 2/III bis, Spațiu Comercial 1, parter, jud. Ilfov
- SKINMED CENTER - body beauty service provider, with headquarters and working point in Bucharest, Piața Alba Iulia nr. 2, bl. I1, Tronson 1, sector 3, J40/7446/2014, CUI 33306791.