
prodoctor.ro – free online doctor search and appointment service


Data Protection Policy

  1. Name and contact details of the Data Controller
  2. Definitions
  3. The importance of the processing of personal data by the Controller
  4. Rights of the Data Subject

1. Name and contact details of the Data Controller

ROMED PARTNERS S.R.L. (registered office: Bucharest, 61 Unirii Boulevard, Block F3, Entrance 4, 2nd Floor, Apartment 208, District 3; registration number: J40/7915/2024; hereinafter referred to as the "Company" or the "Controller") is considered the controller of personal data in accordance with the General Data Protection Regulation ("GDPR") and Law no. 190/2018 on measures for the implementation of the General Data Protection Regulation, due to the processing of personal data of visitors to the website https://prodoctor.ro (hereinafter referred to as the "Website").

Contact details:
Address: Bucharest, 61 Unirii Boulevard, Block F3, Entrance 4, 2nd Floor, Apartment 208, District 3
E-mail: info@prodoctor.ro

Contact details of the Data Protection Officer: UNI HILL Consulting Kft (headquarters: 1051 Budapest, Bajcsy-Zsilinszky út 16. III/17., registration authority: Company Registry of the Capital Court, tax number: 12767667-2-41, e-mail: iroda@unihill.hu, tel. +36 (1) 278 0518).

2. Definitions

Terms not otherwise defined in this Privacy Notice have the meaning given to them in the General Terms and Conditions.

  • "Personal Data": any information relating to a natural person (in the terminology of data protection legislation, the "Data Subject") may constitute personal data, provided that the natural person can be identified on the basis of that information. Examples of Personal Data include name, telephone number, email address, IP address.
  • "Health Data": means personal data relating to the physical or mental health of a natural person, including data relating to health services provided to a natural person which contain information about the health of the natural person.
  • "Processing": means any operation on personal data.
  • "Controller": means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • "Data processor": means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
  • "Recipient": means a natural or legal person, public authority, agency or any other body with whom or to which personal data are disclosed, whether or not a third party.
  • "Consent of the data subject": means a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by an act unambiguously expressing his or her consent, signifies his or her agreement to the processing of personal data concerning him or her.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2 Law no. 190/2018 on measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

3. The importance of the processing of personal data by the Controller

  • 3.1  Use of the Website

    It is important for the Data Controller to provide its services to its customers in accordance with the needs and requirements of the modern age. This Policy contains detailed information about the processing of data during your visit to the Website. Anyone's use of the Website's services and the provision of Personal Data in connection therewith is voluntary. The Controller explicitly draws attention to the fact that a transfer of Personal Data to a third country takes place and informs the user of the Website, as data subject, that: in the case of transfers to the United States, the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies. In the case of transfers to Kazakhstan, due to the absence of an adequacy decision and appropriate safeguards, such transfers may involve risks. The user of the Website, as data subject, shall explicitly consent to the transfer. However, without consent to the provision and processing of Personal Data, the services of the Website may not be used.

  • 3.2  Data processing related to Cookies

    The Company uses cookies to facilitate the use of its Website. A cookie is a small packet of data that is stored by Internet services in your browser. A cookie is a technology that is essential for the operation of an online service that provides an efficient and modern user experience. The User can find out about the current cookies in the pop-up window on the Website and set his/her preferences when he/she uses the Website. The User has the option to maintain and/or delete cookies at his/her convenience, which he/she can set in the internet browser settings.

Data Subjects:
The data subjects are the users of the Website (the "Users"). These Users can be either:
• patients, i.e., those seeking medical services via the Website, including making appointments with a Partner, either for themselves or for a third party;
• healthcare providers, i.e., doctors and medical professionals offering their services through the Website;
• visitors, i.e., individuals simply browsing the Website without registering.

Processing Activity:
Booking appointments with medical institutions and specialists ("Partners") for healthcare services, as well as generating reviews for the services provided by healthcare professionals.

Personal Data Collected:
This includes basic personal details (name, email address, phone number, date of birth). This data is essential for creating User accounts, managing profiles, and facilitating communication between patients and healthcare providers.

Scope of data processed:
a) name
b) e-mail address
c) phone number
d) selected health institution
e) selected specialist
f) selected medical service, examination
g) place and time of medical examination
h) fee for a medical examination
i) review on the provided treatment
j) type, date, nature of the treatment

Purpose of data processing:
The purpose of the data processing is to operate the appointment booking system available on the Website, to book appointments with the medical institutions and specialists (Partners) available on the Website, and to maintain contact (e.g. to change or cancel an appointment).
In the case of healthcare professionals, the purpose of the data processing, further to the above, is to generate reviews of the services.

Legal basis for data processing:
Explicit consent of the data subject/User (Article 6(1)(a) and Article 9(2)(a) of the General Data Protection Regulation).

Data recipients, contractual partners, data processors:
Health institutions and specialists available on the Website, visitors of the Website, analytics and marketing service providers. Please note that the Data Controller is not responsible for the adequacy of the data management of the Partners, so please familiarise yourself with the data management rules of the Partner concerned before giving your consent to the transfer of data.
Data Processors:
• QAZMED Partners LLP (registered office: Astana, Dom 11, kv. 366, prospekt Qabanbai Batyr, registration number: 161140013287) – providing marketing advisory and programming activities (monitoring the system, identifying bugs, optimizing the performance, error detection)
• Twilio (registered office: 94105-1554 San Francisco, 101 Spear St FL 5, registration number: 4518652) – providing SMS, WhatsApp and API Services
• Mailchimp (The Rocket Science Group LLC, registered office: 30308-2172 Atlanta, 675 Ponce De Leon Ave NE Ste 5000) – providing email services
• Amazon AWS (registered office: 98101-1424 Seattle, 1915 Terry Ave) – providing Cloud servers and cloud storage
• Google (registered office: 94043-1351 Mountain View, 1600 Amphitheatre Pkwy, registration number: 3582691) (Gmail, Google Analytics, Google Maps, etc.)
• Sentry (Functional Software, Inc., registered office: 94107-1308 San Francisco, 132 Hawthorne St) (indicating error logs)

Duration of data processing:
The Website will process Personal Data until you request to withdraw your consent.

Methods of Data Processing:
  • Collection: Data is collected through user input during registration via web forms, appointment scheduling, and consultation processes. Additionally, technical data is automatically collected when users interact with the Website.
  • Storage: Collected data is securely stored on the Website's servers (via Amazon Web Services), with encryption applied to sensitive and personal information.
  • Usage: Data is used to facilitate healthcare services, manage User accounts, and enhance the Website's functionality.
  • Sharing: Data is shared with healthcare providers whose services are booked by Users through the Platform. For some clinics, data related to User appointments are sent directly to the clinics' software (Health Information System), via API integration. There may also be sharing with analytics providers to improve service delivery.
  • Retention and Deletion: Data is retained as required for the continuity of care, legal compliance, and as long as necessary for service delivery. It is deleted upon User request or at the end of the retention period.
  • No Automated Decision-Making Processes: The Controller does not engage in any automated decision-making processes, including profiling, that would significantly affect Users. All decisions related to patient care, appointment scheduling, and data processing are made by human staff, ensuring that each action is carefully considered and tailored to individual circumstances. This approach not only complies with GDPR requirements, but also ensures a more personalised and human-centred service, enhancing the trust and confidence of Users in the Website.

Implemented technical and organisational measures related to the associated risks of the processing activity:

Implement logistics security controls: Encryption, anonymisation (where possible), data partitioning, access control, traceability, archiving, security of paper documents (where applicable), minimising the amount of personal data collected and processed. According to the contracts concluded between the Controller and its processors, the latter have implemented technical measures to ensure secure data processing through the Website, whilst also assuming specific obligations for the processing of personal data, in full compliance with the provisions contained in the GDPR and applicable national legislation.

Implementation of physical security controls: Operational security, access control both in terms of physical access to the Controller's premises and in terms of electronic access to IT systems, network activity monitoring, hardware security, avoiding risk sources, protection against non-human risk sources, stopping software with problems (antivirus, firewall), computer management, back-up procedure, and maintenance carried out when new software technologies appear or when existing ones need to be updated. The cloud services used by the Controller, i.e., Amazon Web Services, are physically located within the EU (in Germany), Amazon being one of the best cloud services providers within the business sector.

Specific measures for designated/responsible/authorised persons:

  • Create a robust password for their email account.
  • Maintain the confidentiality of their access credentials.
  • Do not disclose access credentials to unauthorized persons.

Network security:

Protection against threats or unauthorised access to the Company's network, to which the persons designated/responsible/authorised to access data subjects' information in electronic format connect, is achieved by: firewall solutions, anti-malware, etc. The persons designated/responsible/authorised shall not use unsecured networks to access data subjects' information in electronic format. Other measures include network access monitoring, encryption, and implementation of the concept of access rights.

Organisational measures: The Controller has implemented the following organisational measures at Company level, in order to protect the rights and interests of data subjects: Privacy policy; Confidentiality agreements with the Company's employees/personnel; Employee privacy notice; Data breach response plan; Regular security audits and penetration testing; Data deletion policies; Regular reviews and updates of policies.

Establishing the responsibilities of the Data Protection Officer (DPO): The Controller has established concrete responsibilities for the DPO so that alignment with the provisions contained in the GDPR is complete and the rights of data subjects are guaranteed. In this respect, the DPO is responsible for: advising on the legitimacy of the data processing activity; monitoring the documentation of the legitimacy of the processing; compliance monitoring in order to correctly carry out the processing of personal data in compliance with data protection legislation; consulting the Controller on the establishment of retention periods; monitoring the documentation of retention periods; monitoring compliance with retention periods and subsequent deletion of data; ensuring compliance with data protection obligations (privacy by design, privacy by default, processing register, DPIAs, etc.); ensuring that the main requirements relating to (i) the use of a data processor and (ii) the transfer of data, including to third countries, are met.

4. Rights of the Data Subject

The Data Controller attaches the utmost importance to ensuring that the rights of Data Subjects with regard to data processing are adequately protected at all times when processing Personal Data of natural persons. In this context, the following rights shall apply. In the event of any request by a data subject in relation to the processing of Personal Data, the Data Controller will ensure the exercise of the data subject's right within the shortest possible time from the receipt of the request, but not later than 1 month or, if it needs further information to ensure the exercise of the right, will contact the Data Subject without delay by e-mail or telephone (preferably using the same means of communication as the Data Subject used) to deal with the request.

  • 4.1  Right to information and access

    The Data Subject has the right to receive feedback from the Controller at any of the contact details indicated in this Policy as to whether or not his or her Personal Data is being processed and, if such processing is ongoing, the right to access the Personal Data and the following information:
    a) the purposes of the processing;
    b) the categories of Personal Data concerned;
    c) the recipients or categories of recipients to whom or with whom the Personal Data have been or will be disclosed, including in particular recipients in third countries or international organisations;
    d) the intended duration of the storage of the Personal Data or, if this is not possible, the criteria for determining that duration;
    e) the right of the Data Subject to request the Controller to rectify, erase or restrict the processing of Personal Data relating to him or her and to object to the processing of such Personal Data;
    f) the right to lodge a complaint with a supervisory authority;
    g) where the data have not been collected from the Data Subject, any available information about their source;
    h) the fact of automated decision-making, including profiling (if the case may be; at present, the Controller does not engage in any automated decision-making processes, including profiling, that would significantly affect Users), and, at least in these cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
  • 4.2  Right to rectification and completion

    The Data Subject has the right to request the rectification of his or her Personal Data processed by the Data Controller if he or she considers that they are inaccurate. The Data Subject shall have the right to request the completion of the Personal Data processed by the Controller if he or she considers them to be incomplete.
  • 4.3  Right to restriction

    The Data Subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller, unless otherwise provided by law, if one of the following conditions is met:
    a) the Data Subject contests the accuracy of the Personal Data, in which case the restriction applies for the period of time that allows the Controller to verify the accuracy of the Personal Data;
    b) the processing is unlawful and the Data Subject opposes the erasure of the data and requests instead the restriction of their use;
    c) the Controller no longer needs the Personal Data for the purposes of processing, but the Data Subject requires it for the establishment, exercise or defence of legal claims; or
    d) the Data Subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller prevail over those of the Data Subject.
  • 4.4  Withdraw consent, right to object

    Where the processing by the Data Controller is based on the explicit request and consent of the Data Subject, the Data Subject has the right to withdraw his or her consent at any time. In this case, the Controller shall delete the Personal Data relating to the Data Subject without undue delay.

    Where the processing of data on the Website is carried out for the protection of the legitimate interests of the data subject or of a third party, the data subject has the right to object to the processing of his or her data.
  • 4.5  Right to data portability

    In the case of processing based on the data subject's consent, by contract or by automated means, the data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data.
  • 4.6  Right to erasure

    The Data Subject has the right to request the erasure of his or her Personal Data processed by the Controller if:
    a) he or she considers that the processing of Personal Data for the original purpose is no longer necessary;
    b) he or she does not consent to further processing of his or her Personal Data, where the processing is based on consent and there is no other legal basis for the processing;
    c) he or she considers that his or her Personal Data is unlawfully processed by the Controller;
    d) he or she expressly objects to the processing of his or her Personal Data, where the legal basis for the processing is the protection of the legitimate interests of the Company or a third party.
  • 4.7  Remedies

    If the Data Subject believes that the Data Controller is unlawfully processing his or her data, he or she has the right to lodge a complaint with the Data Controller in order to have the Data Controller terminate the processing. If this is unsuccessful, he or she has the right to apply to the National Supervisory Authority for Personal Data Processing ("NSAPDP").

    Complaints can be submitted to the NSAPDP at the following contact details: postal address: 28-30 Blvd. Gheorghe Magheru, 1st District, postal code 010336, Bucharest, Romania; e-mail: anspdcp@dataprotection.ro; website: dpo@dataprotection.ro. The procedure for filing a complaint is available on the website of the NSAPDP.

    In case of non-compliance by the NSAPDP with the legal provisions, the person concerned can address the administrative litigation section of the competent court, after completing the preliminary procedure provided for by the Administrative Litigation Law no. 554/2004, with subsequent amendments and additions.
  • 4.8  Exercise of rights of access

    The Data Subject may exercise the above rights against the Data Controller. Requests under this point may be sent to or made at the Data Controller.