Farmexim Privacy Policy

Farmexim is the trade name of Farmexim S.A., a legal entity of Romanian nationality, having its registered office in Bucharest, sector 1, Str. Pictor Rosenthal, Nr. 14, Et. 2, Ap. 3, postal code 011934, and operational headquarters (mailing address) in Balotești, Malul Roșu str. nr 4, jud Ilfov, postal code 077015, registered in the Trade Register under number J40/2033/1991, unique tax registration code RO 335278 (hereinafter "Farmexim" or "the Company"). For the purposes of data protection legislation, we are a data controller when we process your personal data.

When you use this website or interact with Farmexim in general, we may process your personal data in accordance with this Data Privacy Policy, as required by applicable law.

The policy is based on the provisions of Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR") as well as applicable national law.

The GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity".

Farmexim is committed to implementing the highest standards of confidentiality and transparency with regard to the personal data it processes in its day-to-day business. Full protection and transparency regarding the processing of your personal data in our business are our most important objectives.

Your interaction with Farmexim, where it involves the processing of your personal data, is subject to this Privacy Policy and the Cookie Policy when you browse our website. The purpose of these Policies is to inform you about how we collect, store and use personal data.

These details regarding the processing of your data differ depending on the nature of the relationship you have with Farmexim, i.e.: user of the website, customer, potential customer, legal representative of a contractual partner or the person designated by the latter in the performance of the contract with our Company, candidate for vacancies available within the Company, trainee within the framework of internships organised - under the law - by the Company in partnership with educational establishments/institutions, representative of a regulatory and supervisory authority. Depending on which category you fall into in terms of your interaction with Farmexim, the provisions set out below may become applicable to you accordingly.

As we are always open to hear your views, as well as to provide you with any additional information you may need regarding the processing of your data, we encourage you to contact the Farmexim Data Protection Officer at the e-mail address dataprotection@farmexim.ro, or by post or courier at Str. Malul Roșu nr. 4, com Balotesti, village Balotesti, jud Ilfov, postal code 077015 - with the mention: for the attention of the Farmexim Data Protection Officer.

SPECIFIC PROVISIONS:

  1. DATA ON CANDIDATES IN RECRUITMENT PROCESSES
  1. What categories of personal data we process

In the context of organising and managing the recruitment process, we may process the following categories of personal data about you:

- information that you provide to us when applying for one of Farmexim's vacancies by submitting a CV to us (e.g. by e-mail, via our website, in person) or that we receive from recruitment/head-hunting agencies or other persons holding your CV.

The categories of data we may process in this context may include:

- name, surname, e-mail address, date of birth, place of residence, telephone number, education and other qualifications, previous experience, image (CV photo if you have chosen to include it), language skills and/or other skills;

- information provided in the context of participating in the actual recruitment process (attending interviews/tests), consisting of any other data you may provide us in this context, including data obtained by the Company resulting from testing your skills or knowledge.

  1. The purpose and basis of processing this data

We may collect your personal data provided in the context of active recruitment processes for the purpose of your participation in them, contacting you and organising the interview for a job vacancy. With prior notice to you, under the conditions set out in the Labour Code, we may also request information from your former employer regarding the duration of your employment and the activities you carried out there.

At the same time, on the basis of your prior consent, we may also collect your personal data in the context of recruitment processes for the purpose of establishing a database of potential candidates for future recruitment processes.

Your personal data provided in this context will be processed on the basis of your consent - Article 6 para. (1) lit. a of the GDPR. In the context of your participation in recruitment processes, you may be asked to provide additional personal data in order to conclude an employment contract or on the basis of legitimate interest, i.e. Art. 6 para. (1)(b) or Art. 6 para. (1) lit. f of the GDPR.

If an employment contract is to be concluded, we may process your personal data also on the basis of legal obligations - Article 6 para. (1) lit. c of the GDPR, under the Labour Code, the provisions on health and safety at work or other relevant legal provisions. Information on the processing of personal data in the context of employment relationships will be made available to you at the time of the employment contract.

  1. How long we keep your personal data

We keep your data provided in the context of the recruitment process until it is completed. If the recruitment process has been completed by the conclusion of an employment contract, the data provided in the recruitment process will remain stored in your personnel file and will be processed for the period required by law or internal storage rules.

With respect to data stored following your prior consent, we store this data for the period set out in the consent form, or until consent is withdrawn, whichever is the sooner.

If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final resolution of this dispute.

  1. HANDLING OF REQUESTS, COMPLAINTS, REFERRALS
  1. What categories of personal data we process

When submitting a general request for information, a complaint/report, you may provide us with certain categories of data which may include: name, surname, e-mail address and/or telephone number, position (if applicable), any other personal information you provide us with at the time of the request/complaint.

  1. Purpose and basis of the processing of these data

We may collect such personal data from you for the purpose of corresponding with you or for the purpose of formulating and sending a reply to you. Thus, if you make a request, complaint or referral we will process your data in order to deal with it.

The basis for the processing of your data in this context is the legitimate interest of Farmexim - Article 6 para. (1) lit. f of the GDPR.

There are situations where we have a legal obligation to respond to you and these are dealt with separately in this document.

  1. How long we keep your personal data

We keep your personal data until the final settlement of your request and 3 years after the settlement.

If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final resolution of this dispute.

  1. THE CONDUCT OF RELATIONS WITH THE COMPANY'S COMMERCIAL OR INSTITUTIONAL PARTNERS, RESPECTIVELY WITH PUBLIC AUTHORITIES
  1. What categories of personal data we process

We may have access to information through a contractual relationship with public or private legal entities, or through an interaction with an institutional partner/regulatory and supervisory authority.

To this end, we may process personal data of representatives and contact persons designated by our partners, or of representatives of the authorities, as appropriate.

These may consist of: name, surname, position, telephone number and e-mail address, date of birth, signature. These data are transmitted to us by the representatives of our commercial partners, or by you yourself if you act as their legal representative or as a person involved by them in the process of concluding / executing the contract.

When you are the Company's contractual partner, in addition to the information provided above, we may also process other categories of personal data from your identity document (such as your address, personal number code, series and ID number), as well as financial data consisting of your bank account identification data.

For preliminary due-diligence or know-your-customer activities we may process data of beneficial owners or employees in a managerial position, i.e. first and last name, e-mail address, date of birth, dates of criminal convictions and offences, insofar as these are public.

Personal data such as: name and surname, date of birth, companies in which they are associated, positions held are processed to assess the creditworthiness of potential and current business partners.

For the conduct of business, online meetings (videocalls) may be organized, in which case Farmexim may have access to information such as: account name, function, email address, profile picture (if added by the user), meeting data: date and time, participants, image, voice, chat texts, location (if activated by the participants), date and time of application use, status display.

  1. Purpose and basis of the processing of these data

In this case, we may use the personal data that you provide to us or that we obtain in the manner described above for the purpose of managing your interaction with the authorities, i.e. for the purpose of managing and ensuring the smooth running of the relationship between the parties, including, but not limited to, the signing of the contract, the issuance, payment or collection of invoices issued in the context of that contract, as the case may be. We may also use your personal data for the purposes of internal due diligence or customer due diligence procedures prior to the conclusion of the contract.

Where appropriate, we may use the personal data you provide to us to evaluate the satisfaction of our business partners or for marketing research purposes.

To organise online meetings, Farmexim uses the services of contractual partners, namely Skype for Business and MS Teams.

The basis for the processing of your data in the context of contractual relations is the conclusion and performance of the contract with your employer or the legal entity you represent, or even with you - when you are our contractual partner - Article 6 para. (1) lit. b of the GDPR, i.e. the common legitimate interest of the Company and the contractual partner to carry out that contractual relationship. In the preliminary stage of the conclusion of the contract with the legal entity, processing based on the legitimate interest of Farmexim may take place with a view to undertaking the minimum measures necessary to get to know the partners, due diligence processes, assessment of the creditworthiness of the partners, online meetings - Art. 6 para. (1) lit. f of the GDPR, or the legal provisions applicable to Farmexim in these endeavours - art. 6 para. (1) lit. c of the GDPR, including but not limited to Council Regulation (EC) 2580/2001 and Regulation 881/2002 (due-diligence and KYC).

We may also, if necessary, process some of this data in the context of debt recovery activity and the resolution of any disputes or other legal situations that may arise in connection with the performance of the contract. In such cases, the basis for the processing is the legitimate interest of the Company to protect its financial situation and assets, Article 6 para. (1) lit. f of the GDPR, or the legal obligation to provide data for the purpose of judicial, legal or other extra-judicial proceedings in connection with the performance of the contract - Art. 6 para. (1) lit. c of the GDPR. We may also process certain data for the purpose of defending or exercising Farmexim's rights and interests before notary publics, other public authorities or institutions, mediators and/or other public or private bodies that settle disputes, our lawyers, consultants or other natural or legal persons, public or private, who are involved in the respective negotiations and/or disputes. In such cases, the basis of the processing differs depending on the context in which these rights are exercised, and may be the contract concluded with you - Article 6 para. (1) lit. b of the GDPR, or the Company's legitimate interest - Art. 6 para. (1) lit. f of the GDPR.

There may be situations in which we process personal data in order to fulfil the obligations imposed on Farmexim by legal provisions on tax, anti-money laundering, or compliance with International Economic Sanctions. In such cases, the basis for processing is Article 6 para. (1) lit. c of the GDPR.

  1. How long we keep your personal data

The storage period is determined by the duration of the contract and the applicable legal or contractual limitation period. The storage period of your data, based on the contract, may be extended if there are legal provisions that require Farmexim to store your data for a certain period - such as in the case of legal obligations in tax matters, when storage periods can be up to 10 years starting from the financial year following the year in which the financial-accounting document was issued/ drawn up.

If a dispute arises between Farmexim and the contractual partner, your personal data may be stored in Farmexim's systems until the final resolution of this dispute.

In the case of data processed in the context of interaction with public authorities, the data of their representatives will be kept for the period of time relating to the legal obligations under which the interaction took place.

  1. ISSUING INVOICES
  1. What categories of personal data we process

For invoices we may process personal data as follows:

(1) data filled in by the recipient's representative: name and surname, signature

(2) for dispatch notices issued in execution of contracts with the Ministry of Health (deliveries to territorial Public Health Directorates): identification and contact details of the recipient's representative, in particular: name, surname, position, business telephone number, e-mail address.

(3) Invoices issued to natural persons: name, surname, address belonging to the natural person to whom the invoice is addressed;

  1. Purpose and basis of the processing of these data

In this case, the data are processed for the performance of Farmexim's core business in compliance with applicable legal obligations.

The basis for the processing of your data is Article 6 para. (1) lit. c of the GDPR, i.e. the fulfilment of a legal obligation, as set out in Annex 1 to Order 2634/2015.

We may also, if necessary, process some of this data in the context of debt recovery activity and the resolution of any disputes or other legal situations that may arise in relation to the payment of invoices. In such cases, the basis for the processing is the legitimate interest of the Company to protect its financial situation and assets, Article 6 para. (1) lit. f of the GDPR, or the legal obligation to provide data for the purpose of judicial, legal or other extra-judicial proceedings in connection with the performance of the contract - Art. 6 para. (1) lit. c of the GDPR. We may also process certain data for the purpose of defending or exercising Farmexim's rights and interests before notary publics, other public authorities or institutions, mediators and/or other public or private bodies that settle disputes, our lawyers, consultants or other natural or legal persons, public or private, who are involved in the respective negotiations and/or disputes.

There may be situations in which we process personal data in order to fulfil the obligations imposed on Farmexim by legal provisions on tax, anti-money laundering, or compliance with International Economic Sanctions. In such cases, the basis for processing is Article 6 para. (1) lit. c of the GDPR.

  1. How long we keep your personal data

The storage period is determined by the legal provisions, i.e. 10 years starting from the financial year following that in which the relevant accounting document was drawn up.

If a dispute arises between Farmexim and the contractual partner, your personal data may be stored in Farmexim's systems until the final resolution of this dispute.

In the case of data processed in the context of interaction with public authorities, the data of their representatives will be kept for the period of time relating to the legal obligations under which the interaction took place.

  1. USE OF THE 1VOICE PLATFORM
  1. What categories of personal data we process

By using the 1Voice platform, the caller's data is processed: name and surname, the company they represent, the position held, voice, call content.

  1. Purpose and basis of the processing

In this case, the data is processed to improve and streamline the core business of Farmexim.

The basis for the processing of your data is Article 6 para. (1) lit. f of the GDPR, i.e. the legitimate interest of Farmexim, aiming to improve and make the services offered more efficient.

  1. How long we keep your personal data

The storage period is 6 months from registration.

If a dispute arises between Farmexim and the contractual partner, your personal data may be stored in Farmexim's systems until the final resolution of this dispute.

In the case of data processed in the context of interaction with public authorities, the data of their representatives will be kept for the period of time related to the legal obligations under which the interaction took place.

  1. DOCUMENT ARCHIVING
  1. What categories of personal data we process

In accordance with the applicable legal provisions, point 38 of Annex No. 1 to Order No. 2634/2015 on financial accounting documents and/or the Archives Act 16/1996, each company is legally obliged to archive documents for different periods of time.

Thus, depending on the purpose of the processing, Farmexim will store your personal data for different periods of time. Data subjects are represented by contractual partners (if they are natural persons) or representatives of contractual partners.

  1. Purpose and basis of the processing of these data

In order to comply with legal obligations, the Company archives documents containing personal data for the periods specified by law.

The basis for the processing of your data is Article 6 (1) lit. c of the GDPR, i.e. the fulfilment of a legal obligation, as provided for in point 38 of Annex no. 1 to Order no. 2634/2015 on financial accounting documents; Archives Act 16/1996.

  1. How long we keep your personal data

The storage period is determined by legal provisions, depending on the purpose for which they were processed. The processing activities are set out within this document, each mentioning the period of processing by Farmexim.  

  1. TRAINEE DATA COLLECTED IN THE CONTEXT OF THE ORGANISATION AND RUNNING OF TRAINEESHIPS
  1. What categories of personal data we process

We process the information that you and/or the educational establishment/institution you attend provide to us as a result of your request, in order to register you for internships organised by the Company for students, master students and/or pupils and to carry them out under the conditions provided for by the relevant regulations.

These categories of data may include: surname, first name, personal number code, date of birth, place of birth, nationality, passport identifier (if applicable), residence permit identifier (if applicable), home address, other data visible in the identity card, address where the trainee will live during the traineeship, student/pupil status, academic/school year, educational institution, year of study, series, group, institutional or private e-mail address, telephone number, attendance at the traineeship, performance during the traineeship, results of the trainee's professional assessment related to the traineeship, trainee's insurance status.

  1. Purpose and grounds for processing these data

We may collect and use your personal data for the purpose of registering you as a participant in internships organized by Farmexim in partnership with educational establishments/institutions acting as organizers of traineeships, in accordance with the relevant legal regulations (Law no. 258/2007, on student internships, Order of the Ministry of Education, Research and Youth no. 3955/2008 on the approval of the General Framework for the organisation of internships in undergraduate and master's degree programmes and of the Framework Agreement on the performance of internships in undergraduate and master's degree programmes, and - in the case of foreign citizens - of the Government Emergency Ordinance no. 194/2002 on the regime of foreigners in Romania, republished, with subsequent amendments and additions, the Order of the Minister of National Education No 3554/2017 approving the Methodology for the organization and functioning of dual education, and the associated normative acts, as these normative acts may be amended and supplemented).

We may also process your personal data for purposes related to occupational health and safety and occupational medicine, taking into account the relevant legal provisions.

The basis for the processing of your data in this context is the conclusion and execution of the Traineeship Framework Agreement - Art. 6 para. (1) lit. b of the GDPR, as well as Art. 6 para. (1) lit. c of the GDPR, in view of the legal obligations Farmexim has as a Traineeship Partner, as well as the fact that legal rules regulate the content of the traineeship framework agreement.

Where you have given us your prior and express consent to do so, we may store some of the data provided by you in the framework of these traineeships (such as your name, surname, e-mail address, telephone number, place of residence and the place where you completed the traineeship, the result of the assessment following the traineeship) for a period after the end of the traineeship as provided for in that consent, in order to contact you at a later date to discuss the opportunity of working with you on the basis of an individual employment contract, with a view to an interview and/or a job offer. In this case, the basis for the processing is Article 6 para. (1) lit. a of the GDPR.

  1. How long we keep your personal data

The storage period is determined by the duration of the contract and three years thereafter. As regards your data processed for the purposes of ensuring health and safety at work, the duration of storage is determined by the duration of the contractual relationship or, if applicable (e.g. in the event of an accident at work), by the duration provided for by the relevant legal rules.

The duration of storage of your data, based on the contract, may be extended if there are legal provisions requiring Farmexim to store them for a certain period.

Data collected under your consent will be stored for the period set out in the relevant consent, or until the date of withdrawal of consent, whichever is earlier.

If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final resolution of this dispute.

  1. PATIENT/HEALTHCARE PROFESSIONAL (OTHER CATEGORIES OF REPORTERS) DATA COLLECTED IN THE CONTEXT OF ADVERSE REACTION REPORTING
  1. What personal data we process

We can process:

  1. Information you give us when you report an adverse reaction to a medicine or other product.

Data categories may include: name, surname, telephone number, e-mail, address, date of birth, health status data (adverse reaction, other concomitantly administered drugs), duration/ intensity/ frequency, physiological parameters, laboratory tests, if applicable.

  1. Purpose and grounds for processing these data

When you report an adverse reaction to a medicine or another type of product to us, we process your data for the purpose of handling the case, pursuant to Farmexim's legal obligations - Article 6 para. (1) lit. c of the GDPR, i.e. Law 95/2006 on healthcare reform.

  1. How long we keep your personal data

For data processed for the fulfilment of the Company's legal obligations, the duration of storage is that provided for by those legal rules.

If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final resolution of this dispute.

  1. DATA ON USERS OF OUR WEBSITE

Access to the www.farmexim.ro website does not automatically imply the collection of personal data that directly identifies you. If you decide to provide us with personal data via the website, the above provisions apply to them, depending on the purpose for which you contact us.

However, we may process information that you provide to us when you access our website. Data that may be collected in this way by the Company in the process of administering and operating this website may include: name, surname, email address, any other data provided, directly or indirectly, in the context of your interaction with us, such as IP address.

When you visit our website, we use cookies to automatically collect technical information that can identify the user, which may include: IP address, type of browser used to browse the site, your operating system, data on website visits.

Further details on the use of cookies, including the purpose of their use, the basis of processing, the duration of storage, are set out in the Company's Cookie Policy, available on our website.

  1. DATA COLLECTED AT THE ENTRANCE TO OUR PREMISES

We collect and record in the Company's access register the data of all persons wishing to enter the premises owned by the Company. At the gate, the security guard keeps two access registers, according to the Methodological Rules for the application of Law 333/2003: (i) motor vehicles - where he/she records the registration number of the vehicle, the name and surname of the driver of the vehicle or of the delegate, the series and number of the identity card, the destination, the time of arrival, the time of departure, the number of the permit/invoice, remarks; (ii) natural persons - where he/she records the data of the visitor: surname, first name, series and ID card number, destination (person visited - employee of the company), time of arrival, time of departure, remarks.

  1. What categories of personal data we process

Information that may be provided/collected when you enter the premises, as applicable, may include the following categories of data:

  • images that can be captured by cameras mounted by our video surveillance system, cameras that are appropriately marked;
  • data that you can provide as a visitor for registration in the visitors' access register, such as name, surname, employer's name - if applicable, date of visit, purpose (the department where you have organised the actual visit), ID card series and number, time of arrival, time of departure, registration number of the vehicle driven.

  1. Purpose and grounds for processing these data

We process this data in order to ensure the security, safety and protection of the goods and persons on the premises of the Company, by implementing rules on access to the premises, by installing video surveillance systems, by keeping records of visitor access.

In such cases, the basis for processing is the legal obligations that the Company has - Article 6 para. (1) lit. c of the GDPR.

  1. How long we keep your personal data

For images recorded by video surveillance cameras, we store the data for a maximum of 30 days, after which they are automatically deleted by overwriting. In certain situations, at the express request of the authorities, or in order to defend or exercise the interests and rights of the Company, certain recordings may be stored for a longer period of time, as determined by the Company, or until investigations are completed, as appropriate.

As far as car and visitor access logs are concerned, they are stored for the duration set by the relevant legal rules.

  1. WEEKLY ONLINE NEWSLETTER

  1. What categories of personal data we process

The following personal data of customer representatives are processed for this purpose:

  • Name, surname, e-mail address.

  1. Purpose and grounds for processing these data

A weekly online newsletter is sent to the representatives of the clients with whom the Company has concluded a sale-purchase contract, to inform them about various promotions, offers, information necessary for the execution of the contract. Recipients of the newsletter have the option to unsubscribe from this newsletter.

The legal basis for this processing is the legitimate interest of the company to carry out the contractual relationship in optimal conditions and to constantly inform about various offers or promotions.

  1. How long we keep your personal data

The data will be kept until the customer unsubscribes, or until the contractual relationship is terminated.

  1. DATA USED TO DEFEND OUR LEGITIMATE INTERESTS

There may be situations where we use or transmit information to protect our rights and business. These may include:

  • Measures to protect our website from cyber attacks;
  • Measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;
  • Measures to manage various other risks.

In this case, the basis for the processing of your data may be the legitimate interest of the Company - Article 6 para. (1) lit. f of the GDPR, or the legal obligations that the Company has as an operator of essential services - Art. 6 para. (1) lit. c of the GDPR.

  1. THE EXERCISE OF THE RIGHTS OF DATA SUBJECTS

Under the provisions of Regulation 2016/679, data subjects have a number of rights that they can exercise in relation to the data controller. Exercising these rights involves submitting a request to the data controller to perform certain operations on the data subject's data.

For this purpose, Farmexim processes the data in the request submitted in order to formulate a response to the data subject.

  1. What categories of personal data we process 

Farmexim processes the following data:

Full name, telephone number, e-mail address, postal address, content of the request, signature (if sent by post).

  1. Purpose and grounds for processing these data

Your data will be processed for the purpose of providing the response to the request submitted and for performing operations on your data as requested.

The basis for processing is Article 6 para. (1) lit. c of the GDPR, i.e. the legal obligation of the controller.

  1. How long we keep your personal data

Your data will be kept for the duration of the resolution of the request and 3 years from the date of resolution. If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final settlement of this dispute.

  1. INTERACTING WITH SOCIAL PLATFORMS

Farmexim uses social platforms such as Facebook to promote its activity.

Interacting with Farmexim through the Platforms means that Farmexim may view public personal data within your account, such as: first and last name (or nickname, username), profile picture, other public information, message content (if you send us messages).

Farmexim does not extract or store this data in its own databases. 

GENERAL PROVISIONS

Recipients of your personal data

We ensure that access to your data by third parties who are private legal entities is carried out in accordance with the legal provisions on data protection and confidentiality of information, on the basis of contracts concluded with them, in accordance with Article 28 of the GDPR in the case of processors, ensuring the same level of protection, or in accordance with Article 26 of the GDPR, if they act together with the Company as joint controllers, as appropriate.

Each category of recipients below is followed by the processing for which data may be transferred:

Companies within the PHOENIX group of companies, to which Farmexim belongs, for internal administrative purposes or for auditing and monitoring our internal processes. We may also transfer your data to companies within the PHOENIX group that provide products and services to us, such as information technology systems, or that carry out activities in collaboration with Farmexim. Access to your personal data is limited to those employees who need to know your personal data and who are subject to firm confidentiality commitments;

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Using the 1Voice platform
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/healthcare professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Weekly online newsletter
  • Exercise of data subjects' rights

providers of software and data storage or archiving solutions, as appropriate

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Using the 1Voice platform
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/healthcare professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Weekly online newsletter
  • Exercise of data subjects' rights

providers of software maintenance services and/or technical equipment

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Using the 1Voice platform
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/healthcare professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Weekly online newsletter
  • Exercise of data subjects' rights

courier or postal service providers

  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Exercise of data subjects' rights

third party acquirers, to the extent that Farmexim's business would be transferred (in whole or in part) and personal data would be part of the assets subject to such transaction, or other companies in the group of which Farmexim is a part, which will comply with Farmexim's instructions regarding the processing of your personal data;

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Using the 1Voice platform
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Weekly online newsletter
  • Exercise of data subjects' rights

institutions or public authorities that request the provision of personal data for the fulfilment of their lawful tasks;

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Using the 1Voice platform
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Weekly online newsletter
  • Exercise of data subjects' rights

other third parties who may have access to personal data in the performance of their duties in the context of their interaction with the Company, such as: (i) authorities with regulatory and supervisory powers over the activities carried out by the Company; (ii) financial auditors and tax consultants; (iii) courts, bailiffs, notaries public; (iv) lawyers, mediators, experts who represent us or assist us in defending or exercising the rights and legitimate interests of the Company.

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Using the 1Voice platform
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Weekly online newsletter
  • Exercise of data subjects' rights

providers of analytics solutions for customer insight purposes

  • Conducting relations with the company's commercial or institutional partners and public authorities

payment/banking service providers

  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices

marketing/telemarketing service providers; advertising agencies, telecommunication service providers (sms, e-mail)

  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Weekly online newsletter

providers of market research services

  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Weekly online newsletter

other companies with whom we can develop joint programmes to market our goods and services

  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Using the 1Voice platform
  • Archiving documents

traineeship organisers, occupational health service provider, occupational health and safety service provider - for certain data processed in the context of the organisation and conduct of traineeships

  • Trainee data collected in the context of the organisation and running of traineeships

suppliers and/or manufacturers of products about which you have reported an adverse reaction

  • Data on patients/healthcare professionals (other categories of reporters) collected in the context of adverse reaction reporting

National Agency for Medicines and Medical Devices of Romania in case of adverse reaction reports

  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting

security service providers

  • Data collected at the entrance to our premises

Where we store and to which countries we transfer your personal data

We currently store and process your personal data on the territory of Germany and Romania, as appropriate.

Your data is not transferred outside the EU. If and to the extent that, in the context of a particular processing operation, it would be necessary to transfer your personal data to third countries outside the EU or the EEA, any such transfer will be made in compliance with the requirements of the GDPR in terms of ensuring adequate safeguards for the transfer of data.

How we protect the security of your personal data

Ensuring the confidentiality of the personal data you submit to us is an important concern for us. We have implemented technical and organisational measures to maintain the confidentiality and security of your personal data in accordance with our internal procedures regarding the storage, disclosure and access of personal data. Personal data may be stored on our personal data technology systems, those of our contractors or in hard copy format.

The transmission of your personal data can be done using state-of-the-art encryption algorithms and we store it on secure servers while ensuring data redundancy.

The information you provide via the Farmexim website is automatically transmitted and verified in encrypted form using a Secure Sockets Layer (SSL) protocol. We do this to prevent misuse of data by third parties.

As for the other situations in which we process your personal data, we are constantly taking measures to increase the level of training of employees in terms of compliance with data protection rules, Farmexim employees being subject to firm confidentiality commitments.

Your rights

The GDPR has established a number of rights of data subjects with regard to the processing of their data by controllers. In this context, you can request access to your data, correct any mistakes in our files and/or object to the processing of your personal data in certain cases.

You can also exercise your right to lodge a complaint with the competent Supervisory Authority or to go to court. Where applicable, you may also have the right to request the erasure of your personal data, the right to restrict the processing of your data and the right to data portability.

To exercise your rights, please contact us:

  • by e-mail to: dataprotection@farmexim.ro; or
  • by post or courier to the address Str. Malul Roșu nr. 4, com Balotesti, village Balotesti, jud Ilfov, postal code 077015 with the mention to the attention of the Farmexim Data Protection Officer.

Please note the following if you wish to exercise these rights:

Identity. We take the confidentiality of all records containing personal data seriously. For this reason, we ask that you send us your requests for such records using the e-mail address/identification information you use in your dealings with us. Otherwise, we reserve the right to verify your identity by requesting additional information to confirm it.

Response time. We will respond to any valid requests within a maximum of one month, unless the request is particularly complicated or you have made several requests, in which case we will inform you within one month of the reasons for the delay and you will receive a response from us within a maximum of two months. We may need to ask you for more information in order to qualify your request. This will help us to act more quickly and shorten the response time to your request.

Third party rights. You should be aware that the exercise of rights conferred by the GDPR is not unlimited, and if a request by you would adversely affect the rights and freedoms of other data subjects we will not be able to honor your request.

Rights of data subjects and their description

Access

You can ask us:

  • to confirm whether we process your personal data;
  • to provide you with a copy of this data;
  • to provide you with other information about your personal data, such as what data we hold, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it, how you can make a complaint, where we obtained your data, to the extent that information has not already been provided to you through this notice.

Correction

You can ask us to rectify or complete inaccurate or incomplete personal data.

We may try to verify the accuracy of the data before correcting it.

Deleting data

You can ask us to delete your personal data, but only if:

  • they are no longer needed for the purposes for which they were collected; or
  • you have withdrawn your consent (if the processing is based on consent) and there is no other legal basis for the processing; or
  • you are exercising your right to object under Article 21 para. 1 or 2 of the GDPR; or
  • they have been unlawfully processed; or
  • we have a legal obligation to do so.

We are not obliged to comply with your request for erasure if the processing of personal data is necessary:

  • to comply with a legal obligation; or
  • to establish, exercise or defend a right in court.

Restriction of data processing

You can ask us to restrict the processing of personal data, but only if:

  • their accuracy is disputed (see the rectification section) to allow us to verify their accuracy; or
  • the processing is unlawful, but you do not want the data to be deleted; or
  • they are no longer needed for the purposes for which they were collected, but you need them to establish, exercise or defend a right in court; or
  • you have exercised your right to object, and verification of whether our legitimate rights prevail is ongoing.

Where processing has been restricted, your personal data may, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.

Data portability

You can ask us to provide your personal data in a structured, commonly used and machine-readable format, or you can request that it be "ported" directly to another data controller, but in each case only if:

  • the processing is based on your consent or the conclusion or performance of a contract with you; and
  • processing is done by automatic means.

Opposition

You may object at any time, for reasons relating to your particular situation, to the processing of your personal data on the basis of our legitimate interest, if you consider that your fundamental rights and freedoms prevail over this interest.

You may also object at any time to the processing of your data for direct marketing purposes (including profiling, where applicable), without giving any reason, in which case we will stop such processing as soon as possible.

Automatic decision-making

You may request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or otherwise affects you to a significant extent.

This right does not apply when:

  • the automatic decision is necessary for the conclusion or execution of a contract between you and Farmexim;
  • the automated decision is authorised by Union law or national law which applies to Farmexim and which also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or
  • the automatic decision is based on your explicit consent.

Complaints

You have the right to lodge a complaint with the supervisory authority about the processing of your personal data. In Romania, the contact details of the data protection supervisory authority are as follows:

National Supervisory Authority for Personal Data Processing

B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, postal code 010336, Bucharest, Romania

Phone: +40.318.059.211 or +40.318.059.212;

E-mail: anspdcp@dataprotection.ro

Without prejudice to your right to contact the supervisory authority at any time, please contact us in advance, and we promise to make every effort to resolve any issues amicably.

We remind you that you can contact the Farmexim Data Protection Officer at any time by sending your request in any of the following ways:

- by e-mail to: dataprotection@farmexim.ro, or

- by post or courier to the address: Str. Malul Roșu nr. 4, 077015 Balotești, Ilfov, Romania with the mention to the attention of the Farmexim Data Protection Officer.

Final remarks:

From time to time, as necessary, this Privacy Policy may be amended or updated. We will inform you of any material changes to it in a manner that ensures that you are kept informed, for example by publication on the Company's website or by any other appropriate means that ensures effective communication of changes to the terms of our processing of your data.

Date of last modification: 24.10.2022