Farmexim is the trade name of Farmexim S.A., a legal entity of Romanian nationality, having its registered office in Bucharest, sector 1, Str. Pictor Rosenthal, Nr. 14, Et. 2, Ap. 3, postal code 011934, and operational headquarters (mailing address in Balotești, Malul Roșu str. nr 4, jud Ilfov, postal code 077015), with number in the Trade Register J40/2033/1991, unique tax registration code RO 335278 (hereinafter "Farmexim" or "Company"). For the purposes of data protection legislation, we are an operator when processing your personal data.

When you use this website or interact with Farmexim in general, we may process your personal data in accordance with this Data Privacy Policy, as required by applicable law.

The policy is based on the provisions of Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR") as well as applicable national law.

The GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity".

Farmexim is committed to implementing the highest standards of confidentiality and transparency with regard to the personal data it processes in its day-to-day business. Full protection and transparency regarding the processing of your personal data in our business are our most important objectives.

Your interaction with Farmexim, where it involves the processing of personal data about you, is subject to this Privacy Policy and the Cookie Policy when you browse our website. The purpose of these Policies is to inform you about how we collect, store and use personal data.

These details regarding the processing of your data differ depending on the nature of the relationship you have with Farmexim, i.e.: user of the website, customer, potential customer, legal representative of a contractual partner or the person designated by the latter in the performance of the contract with our Company, candidate for vacancies available within the Company, trainee within the framework of internships organised - under the law - by the Company in partnership with educational establishments/institutions, representative of a regulatory and supervisory authority. Depending on which category you fall into in terms of your interaction with Farmexim, the provisions set out below may become applicable to you accordingly.

As we are always open to hear your views, as well as to provide you with any additional information you may need regarding the processing of your data, we encourage you to contact the Farmexim Data Protection Officer at the e-mail address dataprotection@farmexim.ro, or by post or courier to Str. Malul Roșu nr. 4, com Balotesti, village Balotesti, jud Ilfov, postal code 077015 - with the mention: for the attention of the Farmexim Data Protection Officer.

SPECIFIC PROVISIONS:

  1. DATA ON CANDIDATES IN RECRUITMENT PROCESSES

  1. What categories of personal data we process

In the context of organising and managing the recruitment process, we may process the following categories of personal data about you:

- information that you provide to us when applying for one of Farmexim's vacancies by submitting a CV to us (e.g. by e-mail, via our website, in person) or that we receive from recruitment/ head-hunting agencies or other persons holding your CV. 

The categories of data we may process in this context may include:

- identification data (name, surname, e-mail address, date of birth, place of residence, telephone number), data/ information publicly disclosed on professional online platforms, data on general education, specialist and other qualifications, previous experience, image (CV photo if you have chosen to include it), relevant personal and/ or professional skills (language, communication, organisational, digital skills); 

- information provided in the context of participating in the actual recruitment process (attending interviews/ tests), consisting of any other data you may provide to us in this context, including data obtained by the Company resulting from testing your skills or knowledge, as well as information observed by the interviewers during any such interview, such as communication style, tone, engagement, personality traits (curiosity, creativity, etc.), teamwork, collaboration, leadership skills and management skills, to the extent that they emerge from the interview and are relevant to the recruitment process;

- in case of online interview sessions conducted via the "Microsoft Teams" service personal data consisting of: email address and account name, log data (IP address; date and time of use of MS Teams; data quantity information and MS Teams version), session information (date and time of session; session participants; session ID and password) and other session information stored in MS Teams, information/data contained in text, video and audio files: text in chats; video and audio files for online conversation transmission.

  1. The purpose and basis of processing this data

Your personal data provided in the framework of active recruitment processes are processed for the purpose of contacting you, conducting the recruitment process, organising interviews, conducting prior checks of professional and personal suitability for a job vacancy, creating internal notes/ reports/ sheets on the conduct of interviews/ previous research, carrying out any necessary steps to conclude the employment contract. The processing is carried out on the basis of: i) taking steps to conclude an employment contract [Article 6(1)(b) GDPR]; ii) fulfilling a legal obligation incumbent on the Company [Article 6(1)(c) GDPR].

In the context of your participation in recruitment processes, additional personal data may be requested from you and/ or prior checks on your professional and personal suitability may be carried out, including by conducting online interviews and making internal notes in this context on the basis of the legitimate interest of the Company [Article 6 (1) (f) GDPR].

Please note that in the recruitment process it is possible to use professional online platforms (e.g. LinkedIn) to carry out prior verification of professional and personal skills in relation to the nature and specifics of the position concerned, based on the legitimate interest of the Company [art. 6 para. 1 lit f GDPR].

If an employment contract is concluded, your personal data will be processed, in particular on the basis of i) the performance of an employment contract [Art. 6 (1) (b) GDPR] and ii) the fulfilment of legal obligations [Art. 6 (1) (c) GDPR], as provided for by the Labour Code, the provisions on health and safety at work or other relevant legal provisions. Information on the processing of personal data in the context of the employment relationship will be made available to you at the time of entering into the employment contract.

  1. How long we keep your personal data

Personal data shall be stored for specified periods, applying also the following criteria: i) the time limits laid down in accordance with the applicable legal provisions, ii) the time required for the expiry of legal and/or prescription periods, and iii) the time limits and procedures laid down in accordance with internal rules, including those on data storage.

If the recruitment process has been completed by the conclusion of an employment contract, the data provided in the recruitment process will remain stored in your personnel file and will be stored for periods determined in accordance with the legal provisions or for periods determined in accordance with the above criteria - points ii and iii.

With respect to data stored following your prior consent, we store this data for a period of 3 (three) years as set out in the consent form or until you exercise your right to withdraw your consent, whichever is sooner. If you do not wish to be included in the Company's candidate database, this will not affect the recruitment process for the position to which you have applied, and your personal data will be deleted after a general period of 6 months from the date of completion of the recruitment process for the position concerned, subject to compliance with internal procedures on the data deletion process.

If your data has been stored and processed on the basis of our legitimate interest, the duration of storage shall be that determined according to the criteria indicated by the Controller or until the manifestation of the right to object to such processing, whichever is the earlier. In this situation we no longer process personal data, unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the purpose of the processing is the establishment, exercise or defence of legal claims.

After the end of the declared storage period, the data may be retained only if necessary to comply with the applicable legal provisions and if there are legitimate and compelling reasons justifying the processing.

  1. INCLUSION IN THE CANDIDATE DATABASE

  1. What categories of personal data we process

If we have your consent, we process the personal data provided in your CV, as well as, if you have participated in a recruitment process that did not result in an employment contract, the information/ documents communicated/ obtained or resulting from the recruitment process, as detailed in the previous chapter.

  1. Purpose and basis of the processing of these data

We process the above categories of data for the purpose of including them in our database of candidates, so that we can contact you in the event of vacancies matching your profile.

The basis for the processing of your data in this context is your informed and voluntary consent - Article 6 para. (1) lit. a) of the GDPR.

If you do not wish to be included in the Company's database of candidates, this will not affect the recruitment process for the position to which you have applied and we will delete your personal data after a period of 6 months has passed since the date of completion of the recruitment process for the position concerned which has not been completed by the conclusion of the individual employment contract.

If there is no ongoing recruitment process for a position to which you have applied and we do not have your consent, you will not be included in our candidate database and we will not be able to send you information about future job opportunities in our company.

  1. How long we keep your personal data

Your personal data will be processed solely for the purposes set out above for a period of 3 years from the date of this consent or until the date of the withdrawal of consent, whichever is the earlier. After this period, the data may be retained only if necessary to comply with applicable legal provisions.

You may withdraw your consent to this processing at any time, without this withdrawal affecting the lawfulness of the processing carried out prior to this withdrawal.

  1. HANDLING OF REQUESTS, COMPLAINTS, REFERRALS

  1. What categories of personal data we process

When submitting a general request for information, a complaint/ complaint, you may provide us with certain categories of data which may include: name, surname, e-mail address and/ or telephone number, position (if applicable), any other personal information you provide us with at the time of the request/ complaint.

  1. Purpose and basis of the processing of these data

We may collect such personal data from you for the purpose of corresponding with you or for the purpose of formulating and sending a reply to you. Thus, if you make a request, complaint or referral we will process your data in order to deal with it.

The basis for the processing of your data in this context is the legitimate interest of Farmexim - Article 6 para. (1) lit. f of the GDPR.

There are situations where we have a legal obligation to respond to you and these are dealt with separately in this document.

  1. How long we keep your personal data

We keep your personal data until the final settlement of your request and 3 years after the settlement.

If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final resolution of this dispute.

  1. THE CONDUCT OF RELATIONS WITH THE COMPANY'S COMMERCIAL OR INSTITUTIONAL PARTNERS, RESPECTIVELY WITH PUBLIC AUTHORITIES

  1. What categories of personal data we process

We may have access to information through a contractual relationship with public or private legal entities or through an interaction with an institutional partner/ regulatory and supervisory authority.

To this end, we may process personal data of representatives and contact persons designated by our partners, or of representatives of the authorities, as appropriate.

These may consist of: name, surname, position, telephone number and e-mail address, date of birth, signature. These data are transmitted to us by the representatives of our commercial partners or by you yourself if you act as their legal representative or as a person involved by them in the process of concluding/ executing the contract.

When you yourself are the Company's contractual partner, in addition to the information provided above, we may also process other categories of personal data from your identity document (such as your address, personal number code, and ID series and number), as well as financial data consisting of your bank account identification data.

For preliminary due-diligence or know-your-customer activities we may process data of ultimate beneficial owners or employees in a managerial position, i.e. first and last name, e-mail address, date of birth, dates of criminal convictions and offences, insofar as these are public.

Personal data such as: name and surname, date of birth, companies in which they are associated, positions held are processed to assess the creditworthiness of potential and current business partners.

For the conduct of business, online meetings (video-call) may be organized, electronic correspondence may be conducted, which may include documents sent/ received for validation/ signature, in which case Farmexim may have access to information such as: account name, function, e-mail address, profile picture (if added by the user), any other data available within the MS Office package, meeting data: date and time, participants, image, voice, chat texts, location (if activated by the participants), date and time of application use, status display.

  1. Purpose and basis of the processing of these data

In this case, we may use the personal data that you provide to us or that we obtain in the manner described above for the purpose of managing your interaction with the authorities, i.e. for the purpose of managing and ensuring the smooth running of the relationship between the parties, including, but not limited to, signing the contract, issuing, paying or collecting the invoices issued in the context of that contract, as the case may be. We may also use your personal data for the purposes of internal due diligence or customer due diligence procedures prior to the conclusion of the contract.

Where appropriate, we may use the personal data you provide to us to measure the satisfaction of our business partners or for marketing research purposes.

To organise online meetings, Farmexim uses the services of contractual partners, namely Skype for business, MS Teams, MS Office.

The basis for the processing of your data in the context of contractual relations is the conclusion and performance of the contract with your employer or the legal entity you represent, or even with you - when you are our contractual partner - Article 6 para. (1) lit. b of the GDPR, i.e. the common legitimate interest of the Company and the contractual partner to carry out that contractual relationship. In the preliminary stage of the conclusion of the contract with the legal entity, processing based on the legitimate interest of Farmexim may take place which aims at undertaking minimum measures necessary to know the partners, due diligence processes, assessment of the partners' creditworthiness, online meetings - Art. 6 para. (1) lit. f of the GDPR, or the legal provisions applicable to Farmexim in these endeavours - art. 6 para. (1) lit. c of the GDPR, including but not limited to Council Regulation (EC) 2580/2001 and Regulation 881/2002 (due-diligence and KYC).

We may also, if necessary, process some of this data in the context of debt recovery activity and the resolution of any disputes or other legal situations that may arise in connection with the performance of the contract. In such cases, the basis for the processing is the legitimate interest of the Company to protect its financial situation and assets, Article 6 para. (1) lit. f of the GDPR, or the legal obligation to provide the data for the purpose of carrying out judicial, legal or other extra-judicial proceedings in connection with the performance of the contract - art 6 para. c of the GDPR. We may also process certain data for the purpose of defending or exercising Farmexim's rights and interests before notary publics, other public authorities or institutions, mediators and/or other public or private bodies that settle disputes, our lawyers, consultants or other natural or legal persons, public or private, who are involved in the negotiations and/or disputes in question. In such cases, the basis of the processing differs depending on the context in which these rights are exercised, and may be the contract concluded with you - Article 6 (1)(b) of the GDPR, or its legitimate interest - Art. 6 para. (1) lit. f of the GDPR.

There may be situations in which we process personal data in order to fulfil the obligations imposed on Farmexim by legal provisions on tax, anti-money laundering, or compliance with International Economic Sanctions. In such cases, the basis for processing is Article 6 para. (1) lit. c of the GDPR.

  1. How long we keep your personal data

The storage period is determined by the duration of the contract and the applicable legal or contractual limitation period. The storage period of your data, based on the contract, may be extended if there are legal provisions that require Farmexim to store your data for a certain period - such as in the case of legal obligations in tax matters, when storage periods can be up to 10 years starting from the financial year following the year in which the financial-accounting document was issued/ drawn up.

If a dispute arises between Farmexim and the contractual partner, your personal data may be stored in Farmexim's systems until the final resolution of this dispute.

In the case of data processed in the context of interaction with public authorities, the data of their representatives will be kept for the period of time related to the legal obligations under which the interaction took place.

  1. ISSUING INVOICES

  1. What categories of personal data we process

For invoices / accompanying documents, we may process personal data as follows:

(1) Invoices issued to legal persons: the data completed by the recipient's representative, i.e. name and surname, signature

(2) for dispatch notices issued in execution of contracts with the Ministry of Health (deliveries to territorial DSP): identification and contact details of the recipient's representative, in particular: name, surname, position, work telephone number, e-mail address.

(3) Invoices issued to natural persons: name, surname, address belonging to the natural person to whom the invoice is addressed.

  1. Purpose and basis of the processing of these data

In this case, the data are processed for the performance of Farmexim's core business in compliance with applicable legal obligations.

The basis for the processing of your data is Article 6 (1) lit. c of the GDPR, i.e. the fulfilment of a legal obligation, as set out in Annex 1 to Order 2634/2015.

We may also, where appropriate, process some of this data in the context of debt recovery activity and the resolution of any disputes or other legal situations that may arise in relation to the payment of invoices. In such cases, the basis for the processing is the legitimate interest of the Company to protect its financial situation and assets, Article 6 para. (1) lit. f of the GDPR, or the legal obligation to provide data for the purpose of judicial, legal or other extra-judicial proceedings in connection with the performance of the contract - art 6 para. c of the GDPR. We may also process certain data for the purpose of defending or exercising Farmexim's rights and interests before notary publics, other public authorities or institutions, mediators and/ or other public or private bodies that settle disputes, our lawyers, consultants or other natural or legal persons, public or private, who are involved in the negotiations and/ or disputes in question.

There may be situations in which we process personal data in order to fulfil the obligations imposed on Farmexim by legal provisions on tax, anti-money laundering, or compliance with International Economic Sanctions. In such cases, the basis for processing is Article 6 para. (1) lit. c of the GDPR.

  1. How long we keep your personal data

The storage period is determined by the legal provisions, i.e. 10 years starting from the financial year following that in which the relevant accounting document was prepared or 5 years starting from 1 July of the financial year following that in which the relevant accounting document was prepared for those prepared from January 2023 onwards.

If a dispute arises between Farmexim and the contractual partner, your personal data may be stored in Farmexim's systems until the final resolution of this dispute.

In the case of data processed in the context of interaction with public authorities, the data of their representatives will be kept for the period of time relating to the legal obligations under which the interaction took place.

  1. USE OF 1VOICE/ CALL-CENTER PLATFORM

  1. What categories of personal data we process

By using the (i) 1Voice platform, the caller's data are processed: first and last name, company, position, voice, call content, respectively, (ii) in case of using the call-center platform, first and last name, phone number, email address, position, voice, call content.

  1. Purpose and basis of the processing of these data

In the case of the 1Voice platform, data is processed to improve and streamline Farmexim's core business.

The basis for the processing of your data is Article 6 para. (1) lit. f of the GDPR, i.e. the legitimate interest of Farmexim, aiming to improve and make the services offered more efficient.

In the case of the call-center platform, the data are processed for the management of contractual relationships, pursuant to the legal obligations in the field of distribution of medicines provided for Farmexim.

  1. How long we keep your personal data

The storage period is 6 months from registration and 5 years for referrals related to the distribution of medicines.

If a dispute arises between Farmexim and the contractual partner, your personal data may be stored in Farmexim's systems until the final resolution of this dispute.

  1. DOCUMENT STORAGE

  1. What categories of personal data we process

In accordance with the applicable legal provisions, i.e. item 38 of Annex No. 1 to Order No. 2634/ 2015 on financial accounting documents and/ or Archives Act 16/1996, each company is legally obliged to archive documents for different periods of time.

Thus, depending on the purpose of the processing, Farmexim will store your personal data for different periods of time. Data subjects are represented by contractual partners (if they are natural persons) or representatives of contractual partners.

  1. Purpose and basis of the processing of these data

In order to comply with legal obligations, the Company archives documents containing personal data for the periods specified by law.

The basis for the processing of your data is Article 6 (1) lit. c of the GDPR, i.e. the fulfilment of a legal obligation, as provided for in item 38 of Annex no. 1 to Order no. 2634/2015 on financial accounting documents; Archives Act 16/ 1996.

  1. How long we keep your personal data

The storage period is determined by legal provisions, depending on the purpose for which they were processed. The processing activities are set out within this document, each mentioning the period of processing by Farmexim.  

  1. TRAINEE DATA COLLECTED IN THE CONTEXT OF THE ORGANISATION AND RUNNING OF TRAINEESHIPS
  1. What categories of personal data we process

We process the information you provide us with and/ or the institution/ educational establishment you are attending as a result of your request, in order to register you for traineeships organised by the Company for students, master students and/ or pupils and to carry them out under the conditions provided for by the relevant regulations.

These categories of data may include: surname, first name, personal numerical code, date of birth, place of birth, nationality, passport identifier (if applicable), residence permit identifier (if applicable), home address, other data visible in the identity card, address where the trainee will live during the traineeship, student status, educational institution, year of university/ school study, institutional or private e-mail address, telephone number, attendance at the traineeship, performance during the traineeship, results of the trainee's professional assessment related to the traineeship, trainee's insurance status.

  1. Purpose and grounds for processing these data

We may collect and use your personal data for the purpose of registering you as a participant in traineeships organized by Farmexim in partnership with educational establishments/ institutions acting as organizers of traineeships, in accordance with the relevant legal regulations (Law no. 258/2007, on student traineeships, Order of the Ministry of Education, Research and Youth no. 3955/2008 on the approval of the General Framework for the organisation of internships in undergraduate and master's degree programmes and of the Framework Agreement on the performance of internships in undergraduate and master's degree programmes, and - in the case of foreign citizens - of the Government Emergency Ordinance no. 194/2002 on the regime of foreigners in Romania, republished, with subsequent amendments and additions, the Order of the Minister of National Education No 3554/2017 approving the Methodology for the organization and functioning of dual education, and the associated normative acts, as these normative acts may be amended and supplemented).

We may also process your personal data for purposes related to occupational health and safety and occupational medicine, taking into account the relevant legal provisions.

The basis for the processing of your data in this context is the conclusion and execution of the Traineeship Framework Agreement - Art. 6 para. (1) lit. b of the GDPR, as well as Art. 6 para. (1) lit. c of the GDPR, in view of the legal obligations Farmexim has as a Traineeship Partner, as well as the fact that legal rules regulate the content of the traineeship framework agreement.

Where you have given us your prior and express consent to do so, we may store some of the data provided by you in the framework of these internships (such as name, surname, e-mail address, telephone number, place of residence and place where you have completed the internship, the result of the evaluation after the internship) for a period after the end of the internship provided for in the said consent, in order to contact you at a later stage to discuss the opportunity of a collaboration on the basis of an individual employment contract, with a view to an interview and/ or a job offer. In this case, the basis for the processing is Article 6 para. (1) lit. a of the GDPR.

  1. How long we keep your personal data

The storage period is determined by the duration of the contract and 2 (two) years after this period. As regards your data processed for the purposes of ensuring health and safety at work, the duration of storage is determined by the duration of the contractual relationship, i.e., if applicable (e.g. in the event of an accident at work), by the duration provided for by the relevant legal rules.

The duration of storage of your data, based on the contract, may be extended if there are legal provisions requiring Farmexim to store them for a certain period.

Data collected under your consent will be stored for the period set out in the relevant consent, i.e. until the date of withdrawal of consent, whichever is earlier.

If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final resolution of this dispute.

  1. PATIENT/ HEALTHCARE PROFESSIONAL DATA (OTHER CATEGORIES OF REPORTERS) COLLECTED IN THE CONTEXT OF ADVERSE REACTION REPORTING

  1. What personal data we process

We may process personal data you provide to us when you report an adverse reaction to a medicine or other product.

Data categories may include: (i) in the case of the person reporting an adverse reaction: name, surname, telephone number, e-mail, medical specialty, and respectively (ii) in the case of the patient for whom the adverse reaction is being reported: initials of name and surname, date of birth and/ or age, health status data (adverse reaction, other concomitantly administered drugs), duration/ intensity/ frequency, physiological parameters, laboratory tests, if applicable.

  1. Purpose and grounds for processing these data

When you report an adverse reaction to a medicine or another type of product to us, we process your data for the purpose of handling the case, pursuant to Farmexim's legal obligations - art. 6 para. 1 lit. (c) of the GDPR, i.e. Law 95/2006 on health reform.  

  1. How long we keep your personal data

For data processed for the fulfilment of the Company's legal obligations, the duration of storage is that provided for by those legal rules, but no longer than 5 years from the date of collection.

If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final resolution of this dispute.

  1. CONDUCTING SURVEYS      

1.  What personal data we process

We process personal data in order to conduct surveys to assess the level of satisfaction with the services and goods provided by the Company.

Categories of data processed include first name, surname and e-mail address.

  1. Purpose and grounds for processing these data

We process this data for the purpose of conducting surveys on the quality of products and services offered by the Company, based on the legitimate interest of the Company to improve their quality - Article 6 para. 1 lit. (f) of the GDPR. 

  1. How long we keep your personal data

Personal data are processed during the entire period of the survey, and after the survey is completed, the data are anonymised.

  1. DATA ON USERS OF OUR WEBSITE

Access to the www.farmexim.ro website does not automatically imply the collection of personal data that directly identifies you. If you decide to provide us with personal data via the website, the above provisions apply to them, depending on the purpose for which you contact us.

However, we may process information that you provide to us when you access our website. Data that may be collected in this way by the Company in the process of administering and operating this website may include: name, surname, email address, any other data provided, directly or indirectly, in the context of your interaction with us, such as IP address.

When you visit our website, we use cookies to automatically collect technical information that can identify the user, which may include: IP address, type of browser used to browse the site, your operating system, data on website visits.

Further details on the use of cookies, including the purpose of their use, the basis of processing, the duration of storage, are set out in Company's Cookie Policy, available on our website.

  1. DATA COLLECTED AT THE ENTRANCE TO THE PREMISES WHERE WE OPERATE

Collection and registration in the company's access register of all persons wishing to enter the premises - company property: at the gate, the security guard keeps two access registers, according to the Methodological Rules for the application of Law 333/2003, namely one for (i) motor vehicles - where he records the registration number of the vehicle, the name and surname of the driver of the vehicle or of the delegate, the series and number of the identity card, the destination, the time of arrival, the time of departure, the no. of the permit/ invoice, remarks, and one for (ii) natural persons - where he records the data of the visitor: surname, first name, series and ID card number, destination (person visited - employee of the company), time of arrival, time of departure, remarks.

  1. What categories of personal data we process

Information that may be provided/ collected when you enter the premises, as applicable, may include the following categories of data:

  • images that can be captured by cameras mounted by our video surveillance system, cameras that are appropriately marked;
  • data that you can provide as a visitor for registration in the visitors' access register, such as name, surname, employer's name - if applicable, date of visit, purpose (the department where you have organised the actual visit), ID card series and number, time of arrival, time of departure, registration number of the vehicle driven.

  1. Purpose and grounds for processing these data

We process this data in order to ensure the security, safety and protection of the goods and persons on the Company's premises, by implementing rules on access to the premises, by installing video surveillance systems, by keeping records of visitor access.

In such cases, the basis for processing is the legal obligations that the Company has - Article 6 para. (1) lit. c of the GDPR.

  1. How long we keep your personal data

For images recorded by video surveillance cameras, we store the data for a maximum of 30 days, after which they are automatically deleted by overwriting. In certain situations, at the express request of the authorities, or in order to defend or exercise the interests and rights of the Company, certain recordings may be stored for a longer period of time, as determined by the Company, or until investigations are completed, as appropriate.

As far as car and visitor access records are concerned, they are stored for the duration set by the relevant legal rules.

  1. DATA USED TO DEFEND OUR LEGITIMATE INTERESTS

There may be situations where we use or transmit information to protect our rights and business. These may include:

  • measures to protect the website from cyber attacks;
  • measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;
  • measures to monitor traffic and communications to and from the Company in order to detect any incidents that may lead to the compromise of the security of the Company's data and information;
  • measures to manage various other risks.

  1. What categories of personal data we process

The data and information that may be processed to carry out these activities of prevention and detection of potential risks to data security may be represented, as appropriate, by email address, IP address, type of equipment and browser used, MAC address, possible login data in the Company's applications and systems.

2.      Purpose and grounds for processing these data

In this case, the basis for the processing of your data may be the legitimate interest of the Company - Article 6 para. (1) lit. f of the GDPR, or the legal obligations that the Company has as an essential services operator to ensure the security of the personal data it processes, by ensuring the security of the IT infrastructure - Art 6 para. c of the GDPR.

3.         How long we keep your personal data

The data processed for the purpose of ensuring the security of the IT infrastructure is never intended to identify the individual, but only to prevent, respectively detect and stop, in a timely manner, a cyber threat to the Company's equipment, systems and applications. For this purpose, data is stored for the minimum period necessary to achieve this purpose and no longer than 90 days.

  1. THE EXERCISE OF THE RIGHTS OF DATA SUBJECTS

Under the provisions of Regulation 2016/679 data subjects have a number of rights that they can exercise in relation to the data controller. Exercising rights involves sending a request to the data controller to perform certain operations on the data subject's data.

For this purpose, Farmexim processes the data in the request submitted in order to formulate a response to the data subject.

  1. What categories of personal data we process 

Farmexim processes the following data: name and surname, telephone number, e-mail address, postal address, content of the request/ application, signature (if sent via postal services), as submitted by you in the application or otherwise communicated for the purpose of processing the request.

  1. Purpose and grounds for processing these data

Your data will be processed for the purpose of providing the response to the request/request submitted and for performing operations on your data as requested.

The basis for processing is Article 6 para. (1) lit. c of the GDPR, i.e. the legal obligation of the controller.

  1. How long we keep your personal data

Your data will be kept for the duration of the resolution of the request and 3 years from the date of resolution. If a dispute arises between Farmexim and you, your personal data will be stored in Farmexim's systems until the final settlement of this dispute.

  1. INTERACTION WITH SOCIAL MEDIA PLATFORMS

Farmexim uses social media platforms such as Facebook to promote its activity.

Interacting with Farmexim through the Platforms means that Farmexim may view public personal data from your account, such as: first and last name (or nickname, username), profile picture, other public information, message content (if you send us messages).

Farmexim does not extract or store this data in its own databases. 

GENERAL PROVISIONS

Recipients of your personal data

We ensure that access to your data by third parties who are private legal entities is carried out in accordance with the legal provisions on data protection and confidentiality of information, on the basis of contracts concluded with them, in accordance with Article 28 of the GDPR in the case of processors, ensuring the same level of protection, or in accordance with Article 26 of the GDPR, if they act together with the Company as joint controllers, as appropriate.

Recipients

Processing for which data may be transferred

Companies within the PHOENIX group of companies, to which Farmexim belongs, - for internal administrative purposes or for auditing and monitoring our internal processes. We may also transfer your data to companies within the Phoenix group that provide products and services to us, such as information technology systems, or that carry out activities in collaboration with Farmexim. Access to your personal data is limited to those employees who need to know your personal data and who are subject to firm confidentiality commitments;

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • 1Voice platform/ call-center usage
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Conducting surveys
  • Exercise of data subjects' rights

Providers of software and solutions for data storage or archiving, as appropriate. Recipients of data processed when conducting an online conversation using MS Teams include Microsoft Corporation (One Microsoft Way Redmond, WA 98052-6399

USA) and subcontractors used by Microsoft to deliver MS Teams. Microsoft provides an updated list of subcontractors at the following URL under the heading 'List of subprocessors' and indicates which subcontractors are involved in which Microsoft services: https://www.microsoft.com/en-ww/trust-center/privacy/data-access. More information about data processing by Microsoft itself can be found at the following URL: https://docs.microsoft.com/de-de/microsoftteams/teams-privacy?view=o365-worldwide.

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • 1Voice platform/call-center usage
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Conducting surveys
  • Exercise of data subjects' rights

Providers of software maintenance services and/ or technical equipment

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Using the 1Voice platform
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/healthcare professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Conducting surveys
  • Exercise of data subjects' rights

Courier or mail service providers

  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Exercise of data subjects' rights

Third party acquirers, to the extent that Farmexim's business would be transferred (in whole or in part) and personal data would be part of the assets subject to such a transaction or to other companies in the group of which Farmexim is part, who will comply with Farmexim's instructions regarding the processing of your personal data.

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • 1Voice platform/ call-center usage
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/ healthcare professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Conducting surveys
  • Exercise of data subjects' rights

Institutions or public authorities that request the provision of personal data for the fulfilment of their legal duties.

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • 1Voice/ call-center platform usage
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/healthcare professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Conducting surveys
  • Exercise of data subjects' rights

Other third parties who may have access to personal data in the performance of their duties, in the context of their interaction with the Company, such as: (i) authorities with regulatory and supervisory powers over the activities carried out by the Company; (ii) financial auditors and tax consultants; (iii) courts, bailiffs, notaries public; (iv) lawyers, mediators, experts who represent or assist us in the defence or exercise of the Company's rights and legitimate interests.

  • Data on candidates in recruitment processes
  • Settlement of requests, complaints, referrals
  • Conducting relations with the company's commercial or institutional partners and public authorities
  • Issuing invoices
  • 1Voice platform/call-center usage
  • Archiving documents
  • Trainee data collected in the context of the organisation and running of traineeships
  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting
  • Data collected at the entrance to our premises
  • Conducting surveys
  • Exercise of data subjects' rights

Providers of customer insight analytics solutions

  • Conducting relations with the Company's commercial or institutional partners and public authorities

Payment/banking service providers

  • Conducting relations with the Company's commercial or institutional partners and public authorities

Marketing/telemarketing service providers; advertising agencies, telecommunication service providers (sms, e-mail)

  • Conducting relations with the Company's commercial or institutional partners and public authorities
  • conducting surveys

Market research service providers

  • Conducting relations with the Company's commercial or institutional partners and public authorities
  • Conducting surveys

Other companies with whom we can develop joint programmes to market our goods and services

  • Conducting relations with the company's commercial or institutional partners and public authorities
  • 1Voice/call-center platform usage
  • Archiving documents

Organisers of traineeships, occupational health service provider, occupational health and safety service provider - for certain data processed in the context of the organisation and conduct of traineeships

  • Trainee data collected in the context of the organisation and running of traineeships

Suppliers and/or manufacturers of products about which you have reported an adverse reaction

  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting

National Agency for Medicines and Medical Devices of Romania in case of adverse reaction reports

  • Data on patients/health professionals (other categories of reporters) collected in the context of adverse reaction reporting

Security service providers

  • Data collected at the entrance to our premises

Where we store and to which countries we transfer your personal data

We currently store and process your personal data in Germany, Ireland and Romania, as appropriate.

Your data is not transferred outside the EU. If and to the extent that, in the context of a particular processing operation, it would be necessary to transfer your personal data to third countries outside the EU or the EEA, any such transfer will be made in compliance with the requirements of the GDPR in terms of ensuring adequate safeguards for the transfer of data.

How we protect the security of your personal data

Ensuring the confidentiality of the personal data you submit to us is an important concern for us. We have implemented technical and organisational measures to maintain the confidentiality and security of your personal data in accordance with our internal procedures regarding the storage, disclosure and access of personal data. Personal data may be stored on our personal data technology systems, those of our contractors or in hard copy format.

The transmission of your personal data can be done using state-of-the-art encryption algorithms and we store it on secure servers while ensuring data redundancy.

The information you provide via the Farmexim website is automatically transmitted and verified in encrypted form using a Secure Socket Layer (SSL) protocol. We do this to prevent misuse of data by third parties.

As for the other situations in which we process your personal data, we are constantly taking measures to increase the level of training of employees in terms of compliance with data protection rules, Farmexim employees being subject to firm confidentiality commitments.

Your rights

The GDPR has established a number of rights of data subjects with regard to the processing of their data by controllers.  In this context, you can request access to your data, correct any mistakes in our files and/ or object to the processing of your personal data in certain cases.

You can also exercise your right to lodge a complaint with the competent Supervisory Authority or to go to court. Where applicable, you may also have the right to request the erasure of your personal data, the right to restrict the processing of your data and the right to data portability.

To exercise your rights, you can contact us:

-    by e-mail to: dataprotection@farmexim.ro or

  • by post or courier to the address Str. Malul Roșu nr. 4, com Balotesti, village Balotesti, jud Ilfov, postal code 077015 with the mention to the attention of the Farmexim Data Protection Officer.

Please note the following if you wish to exercise these rights:

Identity. We take the confidentiality of all records containing personal data seriously. For this reason, we ask that you send us your requests for such records using the e-mail address/ identification information you use in your dealings with us. Otherwise, we reserve the right to verify your identity by requesting additional information to confirm your identity.

Response time. We will respond to any valid requests within a maximum of one month, unless this is particularly complicated or you have made several requests, in which case we will inform you within one month of the reasons for the delay and you will receive a response from us within a maximum of two months. We may need to ask you for more information in order to qualify your request. This will help us to act more quickly and shorten the response time to your request.

Third party rights. You should be aware that the exercise of your rights under the GDPR is not open-ended, and if a request from you would adversely affect the rights and freedoms of other data subjects we will not be able to honour your request.

Rights of data subjects

Description

Access

You can ask us:

  • to confirm whether we process your personal data;
  • to provide you with a copy of this data;
  • provide you with other information about your personal data, such as what data we hold, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it, how you can make a complaint, where we obtained your data, to the extent that information has not already been provided to you through this notice.

Correction

You can ask us to rectify or complete inaccurate or incomplete personal data.

We may try to verify the accuracy of the data before correcting it.

Deleting data

You can ask us to delete your personal data, but only if:

  • they are no longer needed for the purposes for which they were collected; or
  • you have withdrawn your consent (if the processing is based on consent) and there is no other legal basis for the processing; or you are exercising your right to object under Article 21 para. 1 or 2 of the GDPR; or it has been unlawfully processed; or we have a legal obligation to do so.

We are not obliged to comply with your request for erasure if the processing of personal data is necessary:

  • to comply with a legal obligation; or to establish, exercise or defend a right in court.

Restriction of data processing

You can ask us to restrict the processing of personal data, but only if:

  • their accuracy is disputed (see the rectification section) to allow us to verify their accuracy; or
  • the processing is unlawful but you do not want the data to be deleted; or
  • they are no longer needed for the purposes for which they were collected, but you need them to establish, exercise or defend a right in court; or
  • you have exercised your right to object, and verification of whether our legitimate rights prevail is ongoing.

Where processing has been restricted, your personal data may, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.

Data portability

You can ask us to provide your personal data in a structured, commonly used and machine-readable format, or you can request that it be "ported" directly to another data controller, but in each case only if:

  • the processing is based on your consent or the conclusion or performance of a contract with you; and
  • processing is done by automatic means.

Opposition

You may object at any time, for reasons relating to your particular situation, to the processing of your personal data on the basis of our legitimate interest, if you consider that your fundamental rights and freedoms prevail over this interest.

You may also object at any time to the processing of your data for direct marketing purposes (including profiling), if applicable, without giving any reason, in which case we will stop such processing as soon as possible.

Automatic decision-making

You may request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you; or otherwise affects you to a significant extent.

This right does not apply when:

  • The automatic decision is necessary for the conclusion or execution of a contract between you and Farmexim;
  • the automated decision is authorised by Union or national law applicable to Farmexim and which also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or
  • the automatic decision is based on your explicit consent.

Complaints

You have the right to lodge a complaint with the supervisory authority about the processing of your personal data. In Romania, the contact details of the data protection supervisory authority are as follows:

National Supervisory Authority for Personal Data Processing

B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, postal code 010336, Bucharest, Romania

Phone: +40.318.059.211 or +40.318.059.212;

E-mail: anspdcp@dataprotection.ro

Without prejudice to your right to contact the supervisory authority at any time, please contact us in advance, and we promise to make every effort to resolve any issues amicably.

We remind you that you can contact the Farmexim Data Protection Officer at any time by sending your request in any of the following ways:

- by e-mail to: dataprotection@farmexim.ro, or

- by post or courier to the address: Str. Malul Roșu nr. 4, 077015 Balotești, Ilfov, Romania with the mention to the attention of the Farmexim Data Protection Officer.

Final provisions:

From time to time, as necessary, this Privacy Policy may be amended or updated. We will inform you of any material changes to it in a manner that ensures that you are informed, for example by posting on the Company's website or by any other appropriate means that ensures effective communication of changes to the terms of our processing of your data.

Kindly note that this Privacy Notice is available on our website in Romanian and in English version. In case of contradiction between the two versions, the Romanian one prevails.

Date of last modification: 25.08.2023