1. General Information
This Privacy Policy, the “Policy”, describes how PFI Dr. TOFAN BOGDAN, hereinafter referred to as “the PFI”, collects, uses, stores and protects personal data, including sensitive (health) data, in the context of online medical consultations (functional medicine, naturopathy, nutrition, apiphytotherapy, orthomolecular medicine, gemmotherapy, etc.), as well as in the context of communication by telephone and e-mail.
We undertake to respect your right to privacy and to process your personal data in accordance with the provisions of Regulation (EU) 2016/679 on the protection of individuals (GDPR), as well as the national legislation applicable in Romania.
2. About us
– Operator name: PFI Dr. Tofan Bogdan
– Address: I2 D, Ap. 13, Galați
– E-mail: contact@therapeutica.ro
– Phone: 0768 602 943
The mentioned data can be used for any GDPR communication/request.
3. Types of personal data processed
3.1. Identification and contact data
– Full name
– Telephone number
– E-mail address
– Date of birth
– Sex and nationality (if necessary to establish an accurate medical history)
– National social security number
3.2. Sensitive medical data
– Medical records (analysis, medical records, questionnaires, medical reports, history of illness, investigations, interventions, symptoms, diagnosis, etc.)
– Referrals and treatments (medical records, prescriptions, supplements, nutrition recommendations, medical recommendations, etc.)
This information is collected directly from you (the patient) by phone, e-mail or online consultations.
4. How we collect data
- Via the website, on the Contact page:
  - We do not directly collect data through forms, but when you click to contact us by e-mail or telephone, you are asked to tick your acceptance of our terms and conditions, your agreement to enter into the contract for the provision of healthcare services, including our Privacy Policy.
  - Via the newsletter, which you can access after ticking that you agree to our terms and conditions and our personal data processing policy.
- By phone:
  - The answering machine informs you that the call and continuation of the conversation constitutes your consent to the processing of your personal data.
  - Information communicated by telephone (name, surname, symptoms, medical recommendations, etc.) will be recorded electronically in order to organize the consultation, taking into account medical confidentiality.
- By e-mail:
  - When sending an e-mail to us, you are informed (by e-mail signature, dedicated text or link to the Privacy Policy) that any data submitted (including medical records) will be processed in accordance with GDPR.
- Through the Zoom application, at the time of the consultation:
  - At the time of the appointment, the patient will present his/her agreement to the terms and conditions of the telemedicine consultation, including by accessing the Zoom application.
  - The consultation session will not be recorded, and no image or voiceprint will be stored by PFI Dr. Tofan Bogdan as a result of the online consultation session.
5. Purposes and grounds for data processing
5.1. Purposes of processing
– Provision of medical services of general medicine, functional medicine, naturopathy, nutrition, phytotherapy: provision of medical services, registration of medical services provided, activation of the contract on medical services, appointments, patient identification and services provided, informing the patient about the results of the services provided, providing legal documents on the services provided
– Communicating with patients: appointments, clarifications, health follow-up.
– Management of the communication and IT (information technology) system. Management and development of the communication system; IT security management; carrying out security audits on IT networks; issuing reports to the competent institutions in the field of IT security or repairing system errors.
– Fulfilling legal obligations: medical records, reporting, record keeping, archiving, documentation and other legal obligations
– Financial management. Issuance of financial/accounting documents; recovery of debts; restitution of sums of money; sending notices; referrals to court; preparation of financial/operational reports, activity reports and issuance of financial/contract statements.
5.2. Legal bases
- Art. 6 para. (1) lit. b) GDPR – The processing is necessary for the performance of a contract to which the data subject (patient) is a party or to take steps at the request of the data subject prior to entering into a contract (e.g. medical consultation).
- Art. 9 para. (2) lit. h) GDPR – Processing is necessary for the purposes of medical diagnosis, the provision of healthcare or treatment or the management of healthcare systems and services, on the basis of applicable medical law and professional confidentiality.
- Art. 6 para. (1) lit. a) and Art. 9 para. (2) lit. a) GDPR – In situations where we need the patient’s explicit consent for certain processing (e.g. when data is transmitted to other professionals at the patient’s request).
In certain situations, we may also invoke legitimate interest (Art. 6 para. (1) lit. f) GDPR), but only if it does not override the rights and freedoms of the data subject.
6. How we use the data
– Conducting medical consultations and developing personalized treatment plans.
– Analyzing medical documents (test results, investigations, diagnosis, etc.) in order to formulate recommendations.
– Continuous communication with the patient by e-mail/telephone to follow up the patient’s health status and adapt the treatment.
– Issuing documents (reports, prescriptions, billing, if necessary).
– Concluding the contract for medical services.
– We do not use personal data for marketing, advertising, sales or other secondary commercial purposes without the patient’s explicit consent.
7. Data storage and security
7.1. Where data is stored
– Electronic data: in our secure e-mail account, in Gemmabio software (password-protected and limited access), and on secure devices (e.g. computer protected by appropriate measures).
7.2. Security measures
– Access control (complex passwords, individual accounts).
– Antivirus and firewall updated on working devices.
– Encryption of communications to the extent possible (e.g. TLS connections for e-mail, if the e-mail provider supports it).
– Contractual confidentiality: any collaborators/persons involved sign confidentiality clauses and comply with GDPR rules.
We strive to continuously implement technical and organizational measures designed to protect personal data against unauthorized access, disclosure, loss or destruction.
8. To whom we disclose data
– To persons directly involved in the medical act (the PFI holder doctor)
– To providers of ancillary medical services (laboratories, specialists, only with the consent of the patient, if necessary).
– To public authorities (e.g. National Health Insurance House, public health authorities), only when we are required by law to provide data.
– To other third parties with the explicit consent of the patient expressed by the conclusion of the service provision contract, as a legal obligation and under legal conditions to Gemmabio Company.
We do not sell or rent personal data to third parties.
9. Data retention period
Medical data are kept for as long as necessary for:
– the provision of medical services;
– fulfilling legal obligations regarding the archiving of medical records (according to the legislation in force, there may be retention obligations of up to 10 years or even longer, depending on specific regulations).
At the expiration of the legal archiving periods or at the patient’s request (to the extent that the law allows erasure), we will securely erase/destroy personal data.
10. Rights of data subjects
Under the GDPR, you have the following rights in relation to your personal data:
- The right to access the personal data we hold about you.
- The right to rectify inaccurate data or complete incomplete data.
- The right to erasure (“right to be forgotten”), to the extent permitted by law and where there are no medical archiving obligations preventing this.
- The right to restriction of processing, under certain conditions.
- The right to data portability, insofar as the processing is based on consent or is necessary for the performance of a contract and carried out by automated means.
- The right to object to processing, when the basis is legitimate interest.
- The right to withdraw your consent at any time if the processing is based on consent. The withdrawal does not affect the lawfulness of the processing prior to the withdrawal.
- The right to lodge a complaint with the national supervisory authority (ANSPDCP) if you believe that your privacy rights have been violated.
To exercise any of these rights, you can contact us at the details set out in Section 2.
11. International data transfers
We do not normally transfer your data to third countries (outside the European Economic Area). If, in an exceptional situation, such a transfer would be necessary (e.g. a specialist in the US with whom we collaborate for a medical opinion), we will ensure that appropriate safeguards (standard contractual clauses, explicit consent, etc.) are in place in accordance with the GDPR.
PFI Dr. Tofan Bogdan collaborates with Gemmabio Company USA, an authority operating under the EU-US Privacy Framework for Personal Data Privacy, so that the transfer of limited data is done under lawful conditions.
For these transfers, no special authorizations or measures additional to those implemented for any recipient of the data in the European Union and the European Economic Area are required. Even in these situations, we carry out such transfers for limited categories of data.
In certain limited situations, transfers to third countries without adequacy decisions can only be made on the basis of appropriate safeguards – such as standard contractual clauses supplemented by technical and contractual measures.
12. No automated decision-making processes
We do not use automated processes (including profiling) that would produce legal effects or similarly significantly affect you. Any medical recommendation is made by the medical specialist, based on medical data, professional experience and interpretation of reports generated by Gemmabio software.
13. Use of Cookies and Cookie Policy
The Cookie Policy can be found in the separate “Cookie Policy” document made available on the Website. At present, our website is simple and does not directly collect personal data through cookies (apart from possible essential cookies). For details, please refer to the dedicated document available once the website is finalized.
14. Updates to this Policy
This Policy may change from time to time to reflect changes in the law or the way we do business. Any updated version will be published on our website (in the Privacy Policy section) and will be marked with the date of the last update.
15. How you can contact us
For any questions, clarifications, requests regarding your personal data or to exercise your GDPR rights, please contact us by:
– E-mail: contact@therapeutica.ro
– Phone: 0768 602 943
16. Terms used in this Policy
Personal Data Processing Supervisory Authority: an independent public authority which, according to the law, has powers relating to the supervision of compliance with personal data protection legislation. In Romania, this personal data processing supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP).
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data for the unique identification of a natural person; data concerning the health, sex life or sexual orientation of a natural person.
Personal data: any information relating to an identified or identifiable natural person (referred to as “data subject”). A natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier, for example: name, identification number, location data, online identifier, one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Thus, for example, the following are included in the notion of personal data: name and surname; home or residence address; e-mail address; telephone number; personal numerical code (CNP); established diagnosis (sensitive data); genetic data (sensitive data); biometric data (sensitive data); geolocation data. The categories of personal data we process are listed above.
Controller: the natural or legal person who decides why (for what purpose) and how (by what means) personal data are processed. By law, the controller is primarily responsible for compliance with personal data legislation. In the relationship with patients we are the controller and you are the data subject.
Processor: any natural or legal person who processes personal data on behalf of the controller, other than the controller’s employees.
Data subject: the natural person to whom certain personal data relate (to whom they ‘belong’). In relation to us (the controller), you are the data subject.
Processing of personal data: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means; for example, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data or sets of personal data. These are examples only. In practical terms, processing means any operation on personal data, whether automated or manual.
Third State: a State outside the European Union and the European Economic Area.
