GDPR Privacy Policy
Who collects and processes data?
AMED SERVICII PERSONALIZATE S.R.L. is a trading company with registered office in Bucharest, Bld. Banul Manta no. 31, Ground Floor, Sector 1, registered with the O.R.C.T.B. under no. J40/1885/2021, C.U.I. 43676139, having its working point in Bucharest, Siriului Street no. 74-76, Office 2, Ground Floor, Sector 1, being the legal owner of the eTeledoc platform, and of the brand with the same name, registered with the competent authorities according to the legal provisions in the field (with the role of Personal Data Controller).
Our employees and collaborators, representing medical staff, or specialists in the medical or related field, who support us in carrying out our activity, according to the object of activity, purpose and objectives, terms and conditions of the eTELEDOC platform (with the role of Authorised Persons).
AMED SERVICII PERSONALIZATE S.R.L. will process personal data in accordance with the applicable personal data protection legislation, i.e. Law No. 190/2018 and the GDPR requirements directly incident to the provision of services, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
In accordance with the GDPR, the object and duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are regulated below. The Processing of Personal Data is in direct connection with the provision of the services of the object of activity of medical advice.
What data? Why?
Personal data for the identification of the patient and medical data for the performance of medical counselling.
The personal data relating to you that we will process are data obtained directly from you or resulting from the provision of services by AMED SERVICII PERSONALIZATE S.R.L. and include the following categories of data:
Medical data (sensitive personal data), such as: diagnoses, symptoms; diseases; test results and medication; blood group; any other medical information; treatments prescribed or administered; information regarding your treating physician(s); medical recommendations; data from your hospital medical records, including data about your or other family members’ medical history; biometric data; any other information you provide us with regarding your family members and your family relationships.
Personal data, such as: name; surname; sex; date of birth/age; nationality; video recordings of medical records provided by us or made available to us by you for the purpose of the requested services; personal identification number (CNP); other information on your identity card (including date of issue, expiry date of card, place of birth).
Contact details such as: home/residence address; mobile/fixed telephone number; fax number; email address.
Payment details, such as: billing address; bank account or bank card number/IBAN code; name and surname of the holder of the bank account or bank card (can be someone other than yourself if someone else has paid a bill on your behalf and for you); date from which the bank card is valid; expiry date of the bank card.
National Health Card details, such as: card number; surname and first name of the cardholder.
Professional details, such as: employer; position; employee brand; identification number.
Insurance details, such as: insured/uninsured status, insurer (in case of private insurance).
Other information (may include sensitive data), such as: any opinions and complaints you send to us or any opinions you publicly post about us on social media or make known through other public channels. You may provide us with information about other people – for example, the medical history of your relatives who suffer from the same medical condition as you. Where this relates to identified individuals or individuals whom we can identify, we will treat this information as personal data of those individuals and afford them the necessary protection.
Data relating to your dealings with us, i.e.: records of your interactions with us; details of the history of services you have accessed with us.
IP address details or other technical data: browser type, location address, type of terminal used (data related to accessing websites or other applications we actively use).
The purposes for which we process your personal data may relate to assessing your employability (for employment), making a medical diagnosis, providing health or social care or medical treatment or managing health and social care systems and services.
We may also process your data in medical emergencies or other situations where you are unable (physically or legally) to consent to the processing in order to protect your (or another individual’s) vital interests.
In urgent cases, it may be necessary to process your medical data for reasons of public interest in the field of public health; for example: protection against serious cross-border threats to health, ensuring high standards of quality and safety of healthcare and medicines or medical devices under European Union or Romanian law.
In the case of disputes that we cannot resolve together amicably, we may process your sensitive data (e.g. the results of medical tests on the basis of which a certain diagnosis was decided) for the establishment, exercise or defence of a right of ours in court.
We assure you that we will strictly observe our obligation of professional (including medical) secrecy towards you and, in order to comply with it, will not inform other persons about the processing of the personal data listed above.
In brief:
Details of the processing of patients’ personal data
Activities carried out in the processing of personal and medical data:
• Collection – YES
• Recording – YES
• Disclosure – NO
• Erasure – NO*
• Alteration – NO
• Modification – NO
• Use – YES
* Data is archived instead of being deleted when patients leave the system. This is necessary as health legal provisions require the retention of patients’ medical records. Data is stored for up to 50 years from the date of the patient’s last consultation.
The patient’s personal data are used to provide medical advice and patient identification services.
Categories of personal data that will be processed:
• Identification data – YES
• Physiological data – YES
• Sensitive medical data – YES
• Workplace data – YES
Categories of medical activities for which the data will be processed:
• Preventive medicine – YES
• Curative medicine – YES
• Occupational medicine – YES
Rights of data subjects
The Controller, within the limits of the applicable legal provisions, will respond promptly to the Patient if it receives a request concerning the exercise by the Patient of his/her right of access, rectification, restriction of processing, erasure (“right to be forgotten”), portability of the data subject to the Processing or the right to object to the processing.
The Controller will not use personal data for sending material for advertising or marketing purposes.
Data storage
When a patient loses this status, the controller will archive the patient’s data and make it unavailable in its working environment. The archived data will not be used by the operator’s staff and will not be accessible to the operator, except as required by law for the purpose of proving previous medical relationships. Archived data will be kept for 50 years after the last counselling and if the company is in existence.
At the patient’s request or with the patient’s consent, if the patient provides proof of his/her identity, the operator will import the archived data into its working environment and will reactivate its account when the patient gains access to the operator’s services again, through another employer or another form of contractual relationship.
How will the data be used and by whom? Will third parties be involved?
The data is used exclusively for identifying the patient in the system and conducting medical counselling.
Doctors, internal and external licensed medical staff, other healthcare providers – each of whom are bound by law or contract with us to keep your data confidential – will have access to the data to carry out the service.
Licensed external medical staff will only have access to personal and medical data for the period of the decision to take counselling and for the period of counselling.
External non-medical staff (nutritionists, fitness coaches, psychologists, etc.) will only have access to personal data and those medical data that the patient decides to share during the consultation. Access is only provided for the period of the decision to take counselling and for the period of counselling.
AMED SERVICII PERSONALIZATE S.R.L.’s internal medical staff dedicated to the eTeledoc platform, with a practice permit, will always have access to the active patient’s records.
Your employer – for the assessment of your work capacity for occupational medicine purposes, but only within the limits of the information established by legal provisions, excluding information on the outcome of medical investigations carried out.
AMED SERVICII PERSONALIZATE S.R.L. – for legitimate reasons related to our activity (including the medical services we provide and the operation of our website), according to the applicable legislation.
Public authorities in any field, in Romania or abroad (public health authorities in Romania: National Health Insurance House, Ministry of Health and others) – at their request or on our initiative, in accordance with applicable legislation.
Insurers in Romania or other countries – in connection with the services you have received in our clinics, accountants, auditors, lawyers, and other external professional consultants of ours or of another associated company in Romania – they will be obliged by law or by contract with us or another company in our group to keep your data confidential.
Natural or legal persons acting as proxies for AMED SERVICII PERSONALIZATE S.R.L., as service providers in various fields (medical software operation services, payment services, debt recovery services, archiving or document destruction services, etc.), will have to comply with the requirements of the legislation protecting your rights.
Any person, agency or court in Romania or another country – to the extent necessary to establish, exercise or defend a right of ours in court.
Any relevant purchasers or potential purchasers in the healthcare or other sectors in Romania or elsewhere – in the event that we sell or transfer all or part of our shares, assets or business (including in the event of our reorganisation, dissolution or liquidation) – they will be bound by an obligation of confidentiality.
Our partners with whom we have contractual relationships – marketing service providers, insurers.
If the processing of your personal data is to be carried out by a natural or legal person, we will ensure that the person or legal entity has entered into a written agreement with us whereby it undertakes, among other obligations under the personal data protection legislation, to (i) process personal data only in accordance with our written instructions that we have provided to it in advance and (ii) effectively implement measures to protect the confidentiality and ensure the security of personal data.
We will also ensure that the written agreement between us and the processor provides for at least all other obligations of the processor under applicable personal data protection law.
AMED SERVICII PERSONALIZATE S.R.L. will ensure that its staff who process personal data are informed of the confidential nature of such data, that they have received training appropriate to their responsibilities and that they are contractually obliged to maintain the confidentiality of the data, and that this obligation continues after the termination of the contract.
AMED SERVICII PERSONALIZATE S.R.L. will take reasonable steps to ensure that the staff processing personal data provides sufficient guarantees for the implementation of technical and organisational measures appropriate to this task.
AMED SERVICII PERSONALIZATE S.R.L. will ensure that access to personal data is limited to those staff who require such access for the purpose of performing the services.
AMED SERVICII PERSONALIZATE S.R.L. will ensure that access to medical data is limited to those medical personnel who require such access for the purpose of performing the services.
Persons affiliated with AMED SERVICII PERSONALIZATE S.R.L. are considered Processors of the Operator, and the Operator or entities affiliated with it will transfer data to third party Processors of other Operators, only for the purpose of providing the Services. Any such Processors shall be entitled to obtain personal data only for the purpose of providing the Services they have undertaken to provide to the Operator and shall be prohibited from using such data for any other purpose.
AMED SERVICII PERSONALIZATE S.R.L., and entities affiliated with it, are in a contractual relationship with each Processor, which includes obligations regarding the protection of personal data, and these obligations are no less protective than the provisions of this Privacy Policy and meet the requirements of Article 28 para. 3 of the GDPR or any equivalent legal provisions, with the limitations imposed by the nature of the Services provided by such Authorised Persons.
AMED SERVICII PERSONALIZATE S.R.L. and each Affiliate shall appoint a Processor in accordance with the provisions of this Section. The list of the Operator’s Sub-Appointees in connection with the provision of its Services is available on the Website, and will be provided upon request and by email. The Patient may at any time request to see the list of all Authorized Persons whose services have been used at any time.
Data transfers. AMED SERVICII PERSONALIZATE S.R.L. will not transfer personal data outside the EU without the separate and express consent of the patient.
What options do individuals have and what can they do if they have questions or complaints?
For any questions and complaints, patients can contact us by email at avdanielcovaciu@yahoo.com or by phone on 0724.511.320.
You also have the following rights:
Right of access to data. You have the right to obtain access to your data that we process or control, or copies thereof; you also have the right to obtain information from us about the nature, processing, and disclosure of such data.
Right to rectification of data. You have the right to obtain rectification of inaccuracies in your data that we process or control.
Right to erasure of data (“right to be forgotten”). You have the right to obtain from us the erasure of your data that we process or control, except in situations where we have to comply with legal obligations to retain personal data.
Right to restrict data processing. You have the right to restrict the processing of your data that we process or control.
Right to object. You have the right to object to the processing of your data by us or on our behalf.
Right to data portability. You have the right to obtain the transfer to another controller of your data that we process or control.
Right to withdraw consent. Where we process your data on the basis of your consent, you have the right to withdraw your consent; you may do so at any time, at least as easily as you originally gave us your consent; withdrawing your consent will not affect the lawfulness of the processing of your data that we carried out prior to the withdrawal.
The right to lodge a complaint with the supervisory authority. You have the right to lodge a complaint with the supervisory authority for the processing of personal data about the processing of your data by us or on our behalf.
Data Protection Officer. AMED SERVICII PERSONALIZATE S.R.L. has designated a data protection officer pursuant to the legal provisions on the protection of personal data. The designated person can be contacted at the following e-mail address: avdanielcovaciu@yahoo.com
Security
Taking into account the innovations, implementation costs and the nature, scope, context and purposes of the Processing of personal data, as well as the risks inherent to the variety and importance of the rights and freedoms of individuals, AMED SERVICII PERSONALIZATE S.R.L. will implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk. AMED SERVICII PERSONALIZATE S.R.L. will maintain appropriate technical and organisational measures to protect the security, confidentiality and integrity of personal data, measures that meet the requirements imposed on a GDPR Operator as set out in Art. 32 of the GDPR, including among others, as appropriate:
a) pseudonymisation and encryption of personal data;
b) the ability to ensure the confidentiality, integrity, availability and continued resilience of processing systems and services;
c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regular testing, evaluation, and assessment of the effectiveness of technical and organisational measures to ensure security of processing.
AMED SERVICII PERSONALIZATE S.R.L. regularly monitors compliance with these protective measures. AMED SERVICII PERSONALIZATE S.R.L. shall not lower the overall level of security of the Services as they are provided.
Breach of personal data security and breach notification
AMED SERVICII PERSONALIZATE S.R.L. shall notify the Patient in the event of any accidental or intentional destruction, loss, alteration or unauthorised disclosure of or unauthorised access to the Patient’s Personal Data that is transmitted, stored or processed in any way by the Controller or its Processors (“Data Breach”), if the security incident is likely to result in a high risk to the rights and freedoms of Data Subjects. The risk shall be assessed on the basis of:
• the type of incident.
• nature, context, volume of data affected.
• the possibility of identifying the data subjects.
• the consequences of the incident for the data subjects.
• the circumstances of the data subjects.
• the circumstances of the controller concerned.
• the number of individuals affected.
AMED SERVICII PERSONALIZATE S.R.L. will consider the severity of the risk, but at the same time will take into account the probability of its occurrence.
AMED SERVICII PERSONALIZATE S.R.L.’s choice to notify or respond to a Data Security Breach under this Section shall not be construed or interpreted as an admission by the controller of any fault in relation to a possible Data Security Breach.
Notification of Data Security Breaches will be communicated online on the eTELEDOC website, or by email to affected patients where possible to do so. The patient is solely responsible for ensuring that their contact details on the AMED SERVICII PERSONALIZATE S.R.L. support system are accurate and current. If the security incident is likely to result in a high risk to the rights and freedoms of Data Subjects, the Controller shall inform the Patient of the data breach within 24 hours M-F and 48 hours on weekends or public holidays, and the information shall include the category of data deemed affected and the method of stopping the breach.
Return or deletion of customer data
AMED SERVICII PERSONALIZATE S.R.L. will return the Patient’s data to the Patient and/or delete (or archive, for medical data) the Patient’s data in accordance with the Controller’s procedures and the legal provisions on personal data protection.
At the Patient’s request, AMED SERVICII PERSONALIZATE S.R.L. will delete (or archive, for medical data) or return all personal data to the Patient at the end of the provision of the Services and delete existing copies, in accordance with the procedures regulated in Art. 32 of the GDPR, unless the applicable legal provisions on the protection of personal data require the storage of such data.
AMED SERVICII PERSONALIZATE S.R.L. automatically performs data back-up and archiving. A back-up of the data and data archives is carried out periodically, and this back-up is rewritten every 4 weeks. AMED SERVICII PERSONALIZATE S.R.L. reserves the right to increase this period to 8 weeks.
AMED SERVICII PERSONALIZATE S.R.L