INFORMATION
with regard to the processing of personal data

Information regarding the processing of personal data applies to all interactions with our website: http://www.infomedfluids.com, as well as other situations as described in this document.

Your personal data is collected and processed by Infomed Fluids SRL, a Romanian company based in Bd. Theodor Pallady no. 50, 3rd district, 032266 Bucharest, registered with the Trade Register under no. J40/13075/2004, having Unique Identification Number RO16674718 (the “Company”), as a Personal Data Operator.

I Personal data of candidates for a position within the company

  1. Personal data we process

In order to conduct the recruitment process, and also after it is finalized, during the employment relationship, we collect the following personal data from you:

  • your identification (full name, gender, date of birth);
  • your contact details (e.g., phone number, address, email);
  • data entered in the CV you submitted (including education, professional experience, hobbies);
  • data on your evaluation information (if appropriate).

Moreover, in the case of an interview or assessment at the Company’s headquarters, the Company uses a video surveillance service, so your image will be recorded in the supervised areas (the Company’s surroundings, access points in the building as well as the production area).

  2. How we collect personal data

We collect the personal data you provide us voluntarily when you submit your application and, subsequently, at the time of the interview and / or the evaluation. We inform you that you are free to decide whether or not to provide us with this personal data. However, the recruitment process is not possible without certain data necessary for it, which are processed under a legitimate interest justified by the Company. Additionally, we also collect the personal data necessary for your recruitment through recruitment sites (i.e. bestjobs), if you have applied to a job advert posted on such a site or we have found your resume on such a site.

Your personal data is collected from you verbally, in written form, by phone or by email.

  3. Purposes and legal bases of the processing

The collection of your personal data is strictly limited to what is necessary for the purposes envisaged by the Company and will be strictly limited to these purposes:

  • Activities related to the recruitment process:
    – Verification of your training and general compatibility within the Company and the desired job.
  • Security Activities within the Company:
    – video surveillance of the Company’s surroundings, building access points, and production area.

as well as any other related activities, if they are compatible with those mentioned.

Any processing of your data for the above-mentioned purposes is based on your implicit consent, expressed through your interest in the position provided by the Company.

  4. Storage time

Your personal data will be stored for a limited amount of time. This period is determined by taking into account the moment the recruitment process is completed and any agreement with you in which you express your interest, in the event that you are not recruited for the post in question, in being contacted in the future about other opportunities that might interest you.

  5. Third parties

Exclusively for maintenance purposes, the company responsible for the maintenance of the video surveillance system has access to the captured images in which you appear. The Company has entered into a contract with this service supplier containing mandatory clauses to ensure the security, integrity and confidentiality of your personal data.

You will be notified of any future transfer of your personal data to any recipient (whether private, physical or legal person, public authority or any other body), unless such transfer or disclosure is provided for expressly under European Union law or national law.

II Personal data of the Company’s clients / suppliers – natural persons, as well as representatives or other employees of the clients / suppliers – legal persons

  1. Personal data we process

Personal data:

  • your identification data (full name);
  • your contact details (e.g., phone number, email address, including Skype address);
  • your position in the company you are part of;
  • identification data of the company’s shareholders / associates.

Sensitive personal data and special categories of data:

  • PIN, series and no. of your identity card and / or your passport, in the case of shareholders / associates of your company.

  2. How we collect personal data

We inform you that you are free to decide whether or not to provide us with this personal data. However, in the absence of such data, the development of contractual relations will not be possible.

Your personal data is collected directly from you verbally, in written form, by phone or by email.

  3. Purposes and legal bases of the processing

The collection of your personal data is strictly limited to what is necessary for the purposes envisaged by the Company and will be strictly limited to these purposes:

  1. Activities related to your purchase / sale of products:
    – concluding and executing the contract and delivering the order of products;
    – other activities and actions derived from the conclusion and performance of the contract.
  2. Activities carried out to prevent and combat money laundering

Any processing of your data for the above purpose is based on one of the following:

  i. Execution of a contract (i.e. the contract for the purchase of some products) – the following personal data is processed: your identification data (as a customer, natural person or representative or other employee of a legal person customer), your contact details and your position;
  ii. The fulfillment of obligations incumbent on the Company under the legal provisions (i.e. on preventing and combating money laundering and the need to know the clients), to the extent that the conditions for their applicability are fulfilled – the contact details and the PIN, series and no. of the IC or passport of shareholders / associates are processed for this reason;
  iii. The legitimate interest of the Company in transmitting the medical newsletter – for processing your identification and contact information.

  4. Storage time

Your personal data will be stored for a limited amount of time. This period is determined by taking into account the time at which the contractual relationships terminate, as well as any existing legal obligations to retain certain data beyond that period.

  5. Third parties

Your personal data is not transferred to any other person, either physical or legal, or governmental authority. In any case, you will be notified of any future transfer of your personal data unless such transfer or disclosure is provided for expressly under European Union law or national law.

III Personal data of people providing contact information to the company

  1. How we collect personal data

We collect the personal data you provide us voluntarily, directly by filling in the contact form available on our site.

  2. Purposes and legal bases of the processing

The collection of your personal data is strictly limited to:

  • Communicating with you in order to send you a satisfactory response to your message.

Any processing of your data for the above purposes is based on your default consent, given by sending a message using the form on the site.

  3. Storage time

Your personal data will be stored for a period of time determined according to the content of your message and the interest it presents to the Company.

  4. Third parties

Your personal data is not transferred to any other person, either physical or legal, or governmental authority. In any case, you will be notified of any future transfer of your personal data unless such transfer or disclosure is provided for expressly under European Union law or national law.

Personal Data Security

For us, the security, integrity, and privacy of your personal data is very important. The company will take all organizational and technical measures deemed necessary in this respect.

If we identify a personal data security incident that poses a risk to your rights and freedoms, we will notify the National Authority for the Supervision of Personal Data Processing (ANSPDCP) within 72 hours. You will also be personally informed about the security incident if it is likely to pose a high risk to your rights and freedoms.

Your Rights

You have the following rights regarding the processing of your personal data:

  i. Right of access to personal data. You have the right to request access to your personal data.
  ii. Right to obtain the rectification or deletion of personal data. You may request the rectification of incorrect, incomplete or outdated personal data as well as the deletion of your personal data, for example, if it is not necessary or is unlawful, or when you withdraw the consent you previously gave to the processing of those data. Personal data whose retention is in accordance with the legal provisions cannot be deleted.
  iii. Right to obtain restriction of the processing of personal data. In the circumstances provided by law, you may request that we restrict the processing of your personal data.
  iv. Right to portability of your personal data. You may request the transmission, either to you or to another data operator, of a copy of the personal data that the Company processes about you.
  v. Right to object to the processing of your personal data. You may exercise this right in respect of personal data that are not required by mandatory legal provisions, are not necessary for the performance of the employment contract and are not required by the Company on the basis of its legitimate interests. You also have the ability to withdraw your consent to those processing activities based on your consent, a withdrawal that can be expressed at any time and that leads to the removal of your personal data from our database in the shortest possible time but not later than 30 days; in respect of personal data collected under a statutory obligation or under a legitimate interest of the Company, the withdrawal of consent has no effect.

Exercise your rights

If you have any questions regarding the processing of your personal data, or if you wish to make any requests to us or to exercise any of your rights regarding the processing of your personal data, you can contact us at: Blvd. Theodor Pallady no. 50, 3rd district, 032266 Bucharest, or at the email address GDPR@infomedfluids.ro.

Each request will be reviewed as soon as possible but no later than one month.

If you believe that we have not resolved all of your requests or you are dissatisfied with our responses, you may file a complaint against us with ANSPDCP. The supervising authority will inform you about the state and settlement of the complaint within a reasonable time.

You can also take action against us directly before the competent courts of law.

PERSONAL DATA PROTECTION POLICY

INFOMED FLUIDS SRL (“The Company”)

[Version 1.0, valid from May 25, 2018]

This Personal Data Protection Policy (hereafter “Policy”) aims to ensure a proper level of protection of personal data, based on the principles and obligations of the General Data Protection Regulation (“GDPR”).

The policy applies to all processing activities within the Company and provides the general conditions regarding the collection, use and storage of personal data while carrying out the Company’s object of activity, imposing obligations on all Company employees as well as on the other persons carrying out activities on its behalf.

During its activities, the Company will collect personal data about employees, customers, suppliers, and any other persons with whom the Company has or may have contact. These will only be processed within the limits and conditions imposed by this Policy, as well as the provisions of the GDPR and the applicable national law.

1. Definitions:

Supervisory Authority means an independent public authority set up by a Member State under Article 51 of the GDPR; in Romania this is the National Authority for the Supervision of Personal Data Processing (ANSPDCP);

Personal data means any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more specific elements of his physical, physiological, genetic, psychic, economic, cultural or social identity;

Sensitive personal data means the following categories of personal data: data relating to criminal convictions and offenses, data revealing racial or ethnic origin, political opinions, religious confession or philosophical beliefs, genetic data, biometric data, data on a person’s health, sexual life or sexual orientation of a natural person;

Operator means the natural or legal person, public authority, agency or other body which, alone or in association with others, determines the purposes and means of processing personal data;

Empowered person means the natural or legal person, public authority, agency or other body which processes personal data in the name and on behalf of the Company;

Processing means any operation or set of operations performed on personal data or on personal data sets with or without the use of automated means (e.g. collecting, structuring, storing, modifying, consulting, using, disclosing by transmission or otherwise, deleting personal data);

Violation of personal data security means a breach of security that leads, accidentally or unlawfully, to the unauthorized destruction, loss, modification or disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.

2. Principles of processing personal data

Personal data collected by the Company will be processed in accordance with the principles set out in Article 5 of the GDPR.

2.1. Legality, fairness and transparency

The processing of personal data held by the Company will only be carried out in accordance with the applicable legal provisions, in a manner that is transparent to the data subjects and fair. In this respect, the Company will draw up appropriate information notes, which will be made available to the data subjects when collecting their personal data. If the collection is made directly by an employee of the Company, he / she must exercise all reasonable diligence to ensure that the data subject has been properly informed of the processing of his or her personal data.

2.2. Limitations related to purpose

Personal data will be collected by the Company for determined, explicit, and legitimate purposes and will not be further processed in a manner incompatible with the purpose of the collection. In this respect, any employee of the Company must ensure that the purpose of the processing coincides with that which was communicated to the data subject.

2.3. Minimize data

Personal data must be appropriate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

2.4. Accuracy

Personal data must be accurate and, if necessary, updated. The company will take all necessary measures to ensure that personal data that are inaccurate, in view of the purposes for which they are processed, are erased or rectified without delay.

2.5. Limitations related to storage

The Company will not retain personal data for longer than is necessary to achieve the purposes for which it is processed. The storage period and, where its duration cannot be determined, the criteria for determining it can be found in the information notes corresponding to each category of data subject.

2.6. Integrity and confidentiality

The Company undertakes to ensure the security of personal data against any unauthorized processing and / or against any loss, destruction or accidental damage. The Company will take all necessary organizational and technical measures, taking into account the categories of personal data processed, the current state of the art as well as the likelihood of risks and their severity.

3. Legality of processing activities

3.1. Purposes and legal bases of the processing

Any employee shall process only those personal data strictly necessary for the performance of his / her job duties as provided for in the individual employment contract in the job description and in the Register of processing activities carried out by the Company. During the performance of his / her duties, the employee must ensure that the processing activities carried out are not excessive in relation to the original purpose for which the personal data were collected. Insofar as the processing is done for a later purpose, the employee is required to take all necessary measures in accordance with this Policy and with internal regulations and procedures to meet the Company’s obligations under the GDPR (e.g. obtaining consent for further processing, informing the data subject, etc.).

Also, the employee is obliged to ensure that any processing of personal data carried out is based on a legal basis for processing.

Processing under consent

Where the processing activity is based on the consent of the data subject, the employee who collects the consent of the data subject directly has the obligation to ensure that, before processing the personal data of the data subject, the latter has been informed accordingly and has expressed consent to the processing in a valid way. The consent expressed by the data subject must be duly documented by the employee. In the case of the processing of personal data of minors under the age of 16, the employee must ensure that the consent of the parents or the legal representative is also obtained. It can be obtained in a form similar to the former, or in another way that ensures that it is obtained and valid.

Processing under legitimate interest

Personal data may be processed on the basis of the Company’s legitimate interest insofar as it prevails over the rights and freedoms of the data subjects. The legitimate interest of the Company is, in principle, of a legal nature (e.g. recovery of exigible debts) or of a commercial nature (e.g. avoidance of breaches of contractual provisions) and is established at Company level in the relevant documentation.

Processing under a legal obligation

The processing activity is legal when the applicable legal provisions impose or authorize such processing. In this respect, the employee is obliged to ensure that the processing activities carried out do not exceed the legal framework.

Processing under a contract

If the processing takes place under the performance of a contract, the employee is required to ensure that all personal data collected at the time of the conclusion of the contract are necessary for the conclusion and, respectively, the best execution of the contract. Such an assessment is not necessary when the employee uses a model contract made available by the Company. However, to the extent that there is evidence that the contract is in breach of GDPR’s provisions, the Company’s administrator will be notified as soon as possible.

3.2. Retaining and deleting

The personal data will not be retained more than is necessary to achieve the purposes for which it is processed. The maximum storage life is provided in the information notes provided to the data subjects. In this respect, employees who carry out personal data processing activities are obliged to delete or destroy, in accordance with the procedural rules implemented at Company level regarding the deletion and / or destruction of personal data, all personal data whose storage life has expired and for which there is no legal or contractual obligation to keep. The same procedure applies to the deletion of personal data as a result of exercising the right to be forgotten by the data subject.

Employees are prohibited from destroying or altering in any way personal data held by the Company otherwise than in compliance with the legal provisions of this Policy and any other mandatory domestic regulations. Also, the employee is not allowed to access, sell or provide personal data held by the Company to any third party unlawfully or in the absence of an authorization.

3.3. Transfer of personal data

When any employee concludes, on behalf of the Company, any contract with a service provider or other business partner for the processing of personal data on his behalf, he / she must ensure that the supplier, as an empowered person will provide a level of protection similar to that provided by the Company with respect to the integrity, security and confidentiality of personal data. Disclosure of personal data to persons other than those mentioned in this section is strictly forbidden.

In this respect, the employee will use the model of the personal data processing contract adopted at the Company level. In the absence of such a contract, or if the supplier requires the use of its own contract model, the employee shall ensure that it contains all the mandatory clauses required by the provisions of the GDPR. To the extent that the employee has doubts about the compliance of the proposed contract with the provisions of the GDPR, he / she will notify the Company’s administrator. The Service Provider or Business Partner will process only those personal data that are strictly necessary for the fulfillment of its contractual obligations to the Company or the Company’s instructions, and not for purposes other than those agreed upon.

In addition, when personal data is disclosed in response to a request from a public authority, the employee must immediately inform the company’s administrator who will decide how to resolve it.

4. Observance of the rights of the data subjects

The data subjects have the following rights, according to GDPR: (i) the right of access to his or her personal data; (ii) the right to obtain rectification of the inaccurate personal data; (iii) the right to request the deletion of his or her personal data; (iv) the right to obtain a restriction on the processing of his or her personal data; (v) the right to the portability of his / her personal data; (vi) the right to oppose the processing of his or her personal data; (vii) the right not to be the subject of a decision taken solely on the basis of automatic means. The company is obliged to respond to any request, regardless of the form and medium of communication by which it was transmitted by the data subject.

Any request from a data subject for the exercise of his or her rights as provided for by the GDPR will be resolved within a maximum of one month by the designated persons. To the extent that, taking into consideration the nature, complexity and number of requests received, the designated person cannot resolve the request within the legal time limit, he / she shall inform the data subject about it within one month of receipt of the request. In any case, the settlement term cannot be extended by more than two months.

The employee appointed to deal with the requests of the data subjects is required to verify the identity of the person submitting the application. Personal data collected for the purpose of confirming the identity of the person concerned will be erased as soon as his / her identity has been validated by the designated employee.

The employee shall promptly notify the Administrator of the Company who will decide upon the data subject’s request.

The employee will respond to the data subject’s request and will properly fill in, after the request has been resolved, the record of the exercise of rights by the data subjects, on how to resolve the request.

If the manifestly unfounded nature of the claim made by the data subject is established, a report shall be drawn up stating the reasons for which the claim of the data subject is manifestly unfounded.

5. Security and privacy of personal data

5.1. Privacy of personal data

Personal data are subject to the obligation of confidentiality, as provided for in the individual labor contract and the internal rules of order. In this respect, any processing of personal data by employees is strictly forbidden for purposes other than the performance of their service duties. Personal data will be processed solely on behalf of and in the interest of the Company, and any processing of such data for private purposes by employees shall be prohibited. The publishing or disclosure of personal data by employees under conditions other than those provided for by law, as well as internal regulations and procedures, is strictly prohibited and may entail disciplinary, civil or criminal liability of the employee.

Employees’ access to personal data will also be restricted to the categories of personal data that are strictly necessary for the performance of their service duties. Appropriate implementation of this measure requires separation and a careful division of roles and responsibilities within the Company. In this regard, each employee must contribute to maintaining the confidentiality of personal data, so that any disclosure or access permission to anyone outside the Company or other employees is prevented. It is forbidden to communicate passwords for access to applications, programs, folders, and any other equipment used to process personal data to any unauthorized person.

5.2. Personal Data Security

The company takes all necessary steps to ensure the security and confidentiality of the personal data of the data subjects by implementing appropriate technical and organizational measures. These measures include:

  • Implementing appropriate technical and organizational measures on the identification, prevention, detection, response and recovery of data in case of personal security incidents;
  • Developing and implementing an access control system for personal data for employees (both with respect to personal data stored digitally and stored on paper);
  • Testing, evaluating and periodically reviewing the technical and organizational measures implemented (e.g. anti-virus update, firewall update, etc.) to ensure security of processing;
  • Encryption of personal data stored by the Company, including those stored on portable storage devices as well as personal data in transit;
  • Using appropriate means and procedures for destroying or deleting personal data, in accordance with legal provisions.

All employees are required to comply with the technical and organizational measures implemented by the Company and not process personal data in a manner that cannot ensure their confidentiality and security.

Personal data stored on a support must be kept in a way that ensures their confidentiality and security. In this respect, the employee must ensure that documents containing personal data are stored in places that do not allow access by unauthorized persons (i.e. it is forbidden to keep copies of documents containing personal data on the desk, if they could be consulted by unauthorized persons). All copies made for a specific purpose will be destroyed as soon as the employee fulfills the intended purpose. The employee remains responsible for the disclosure of personal data to unauthorized persons.

When personal data is stored electronically, employees are required to ensure that they are protected against unauthorized access. In this regard, employees will use complex passwords and save any documents exclusively on storage devices authorized by the Company through their internal regulations and procedures (e.g. saving documents on personal devices or in your personal mailbox is forbidden).

5.3. Security and confidentiality of personal data in the context of email and Internet usage

Telephone, e-mail, intranet, and internet addresses are provided to employees by the Company for the sole purpose of being used for professional purposes in accordance with the applicable legal provisions and internal regulations and procedures of the Company.

For data security reasons, some web pages will not be accessible through the internal network and are blocked by the network administrator. Access to these websites by employees by circumventing the technical measures implemented by the Company is strictly forbidden. In duly justified cases, access to blocked Internet pages may be requested via a written request addressed to the IT department. Any irregularity observed by employees during Internet surfing will be reported to the IT department as soon as possible. Employees remain liable for any damage to the Company caused by inappropriate use of the internal network and the Internet, in particular unauthorized access to Internet sites that present a major risk from a cyber security perspective.

The use of email by employees will be done in accordance with applicable law, regulations and internal procedures. In the case of the transmission of confidential or sensitive data, the employee is responsible for the proper qualification of the content. Also, in the case of receiving confidential or sensitive information, the employee will ensure that downloading and saving of those documents is done in a secure and confidential manner.

6. Liability in the event of non-compliance with the Policy

Failure to comply with the provisions of this Policy by employees during their service duties constitutes disciplinary misconduct and will be sanctioned in accordance with the Company’s internal regulations and procedures. Also, non-compliance with this Policy will result in the civil, contravention or criminal liability of the employee.

In this respect, the disciplinary sanctioning of the employee does not exclude the Company’s right to seek redress against the employee for any damage suffered as a result of non-compliance with personal data protection provisions, including but not limited to fines, material damages or moral rights granted to the data subjects, damage to the image of the Company, etc.

Any employee who becomes aware of a violation of this Policy is required to report it as soon as possible to the Company’s administrator. If the event also constitutes a breach of personal data security, the employee is required to follow the instructions in the Security Incident Reporting Policy.

7. Training

The company will organize, for all employees who process personal data, at least once every two years, a training on personal data protection, in accordance with the applicable legal provisions and this Policy.

8. Roles and responsibilities

All employees who process personal data are required to comply with all personal data protection provisions. However, the following persons have key competences in the field of personal data protection:

Company Administrator / Administrators are responsible for:

  • compliance by the Company with all its obligations under GDPR and national law;
  • verifying and periodically updating this policy to reflect any change in the Company’s processing activities;
  • ensuring that the review and revision of relevant documents from the perspective of personal data protection is carried out with a view to aligning them with GDPR provisions;
  • ensuring that information and assistance are provided to the Company and its employees on their obligations under GDPR provisions;
  • ensuring that the Company’s compliance with GDPR provisions is monitored, as well as the training of employees with duties involving the processing of personal data;
  • cooperation and consultation with the supervisory authority;
  • analysis of requests received from the data subjects.

IT Manager is responsible for:

  • implementing and monitoring appropriate technical measures to meet the security standards required by GDPR provisions;
  • verifying on a regular basis the technical measures implemented to ensure that they operate at optimal parameters;
  • technical assessment of any external applications / platforms used by the Company in the conduct of its activities;
  • drafting, reviewing and adapting the Company’s security policies.

ANNEX 1 – REFERENCE DOCUMENTS

• EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC).