1.1  Personal data controller in its relationship with you

The controller of personal data in relation to the personal data provided by you is Vertical Freedom Foundation, based in Cluj Napoca, 41 Traian Moșoiu Street, Cluj County, Romania.

1.2  To whom does this Privacy Policy apply?

This Privacy Policy applies to members of management, department directors, employees, clients, patients and suppliers of Vertical Freedom Foundation.

1.3  Definitions

• a. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
• b. “processing” means any operation or set of operations which is performed upon personaldata or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment orcombination, restriction, erasure or destruction;
• c. “controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law;

A1. Data necessary for the conclusion of the individual employment contract or the stage prior to the conclusion of the individual employment contract.

In the preliminary stage as well as, in view of the conclusion of the individual employment contract we collect the administrative department of our company may collect and process a series of personal data. The data we ask you to provide at this stage are data that identify you: name, surname, home address, identity card (CNP, Serial, Number), bank account and data contained in your CV and any supporting documents supporting your studies or certificates

At the same time, as an employee of our foundation, during the course of the contractual relationship, we may also collect personal data consisting of birth certificate of the child/children, medical certificates (e.g. pregnant women), documents concerning marital status (marriage certificate containing the data of the spouse).

The data processed by the Vertical Freedom Foundation may come directly from you when you contact us by phone, visit our Foundation’s office or send us an e-mail.

The basis for this processing is in accordance with art. 6 para. 1 lit. b of the GDPR the conclusion, performance or formation of the contract.

A2. Data required in order to conclude the contract with the collaborating medical staff.

In order to finalize the contract with the medical personnel, we will collect a series of personal data from you. The data we ask for at this stage are data that identify you or are necessary for us to fulfil our legal obligations, such as: name, surname, CNP, passport, birth certificate, marriage certificate, bank account, documents proving your education, medical certificates, etc.

All these data will be collected and processed as a result of direct communication by you via mobile phone, e-mail, fax, direct communication with our staff.

The basis for this processing is Art. 6 para 1 lit. b of the GDPR, i.e. the data is collected and processed following the conclusion of a contract to which the data subject is a party.

B. Data necessary for the contractual relationship.

• a. As a patient of CMC INTERSERVISAN SRL,if we enter into a contract for the provision ofmedical services with you, we may process the following personal data: name, surname, CNP, sex, function/occupation, medical history, symptoms, diagnoses, medical  recommendations, treatment plans, laboratory analysis results, treatment results, etc.
• b.In relation to the data of our contractual partners (collaborator/supplier), if we enter into acontract with you (e.g. provision of services, supply, rental, collaboration, etc.) we will receive a series of personal data, such as: name, surname, home address, data contained in your identity card (ID card series and number or CNP), bank details (bank name, IBAN, SWIFT, currency), e-mail address, etc.All these data will be collected and processed as a result of you communicating them directly to us by mobile phone, e-mail, fax, as well as by presenting them at our company’s offices. The basis for processing is found in art. 6 para. 1 lit. b of the GDPR, i.e. the data is processed following the conclusion of a contract and is intended for the performance of the contract..

C. Biometric Data

In order to conduct company business we may collect your biometric data, which consists of facial images or video, for the limited purposes set out below.

The video recordings, taken by means of surveillance cameras on the premises as well as outside the premises, to which persons within the company’s administrative department have access, are collected and processed pursuant to art. 6 para. 1 lit. c of GDPR, respectively Law no. 333/2003, H.G. 301/2012 for the approval of the Methodological Norms for the application of Law no. 333/2003 on the guarding of objectives, goods, valuables and the protection of persons.

In the case of the patients/visitors of our company, the processing will be carried out pursuant to the provisions of art. 6 para 1 lit. a of the GDPR, i.e. with prior consent of the persons concerned.

This data is collected by the Vertical Freedom Foundation directly through the closed-circuit surveillance system installed on the premises.

• a. Insofar as you are a potential employee/employee/co-worker of our foundation, we collect your personal data directly from you, for example when you send us an e-mail to our address, when you fill in the contact form on our website, when you conclude an individual employment/co-worker contract, etc.
• b. Insofar as you are a patient of our foundation, we collect your personal data directly from you when you come to our foundation’s office for an appointment/medical treatment/medical procedures, or communicate it to us via mobile phone, e-mail, fax, etc.
  We also collect your personal data indirectly, when you transmit these data to third parties with whom we have a collaborative relationship (Medical Analysis Laboratory) or to the extent they are provided to us by your legal/contractual representatives.
• c. Insofar as you are a collaborator/supplier of our foundation, we may collect personal data as a result of their direct communication by you via mobile phone, e-mail, fax, direct communication with our foundation staff, etc.
• d. To the extent that you are a visitor to our premises, we collect and process your personal data directly from you via surveillance cameras on and off our premises.

• a. The personal data of potential employees are stored both in physical format in key-secured offices, where access is restricted to persons within the human resources department. They are also kept in electronic format via internal servers. In the case of submitted resumes, the personal data contained therein may also be stored on the company’s e-mail address.
• b. Data of employees/collaborating medical staff is stored both in physical format in key-secured offices and in electronic format via internal servers or on external hard disks, where access is password restricted. In principle, access to these data is granted to persons from the Human Resources, Accounting, Legal, and Administrative departments according to the duties established in the job description, limited to the purpose of performing their duties (e.g., Accounting Department – payroll, Legal Department – for the purpose of contract enforcement, etc.).
• c. Patients’ personal data will be stored both in physical format in key-secured offices where access is limited to medical staff (who have access only to the extent necessary to perform the medical act) and administrative staff at the company reception (for the purpose of making appointments).They will also be kept in electronic format on our internal servers, where access is restricted to departments, which will have access to personal data only to the extent necessary to fulfill the duties of the job description.At times, this data may also be stored on hard drives or memory sticks, where access is also restricted, as well as in Picture Archiving and Communication Systems (PACS)-images collected by the Radiology and Medical Imaging Department.
• d. The personal data provided by our contractual partners (collaboration/supply agreements) will be stored in key-secured offices, where only those departments that by their business purpose are involved in the performance of the company’s contractual relationships (e.g.,Accounting, Legal, Administrative) have access. This data may also be kept in electronic format on external hard disks where access is restricted.
• Personal data provided as a visitor to our company premises will be stored only in electronic format on our company server. Personal data collected through surveillance cameras located on and off our premises will be stored for a period of 21 days on our company’s server to which only the manager of the point of work has access.

1. For the performance of the contractual relationships we have entered into with you (e.g. service, supply, collaboration contract, etc.);
2. For the performance of contracts for the provision of healthcare concluded with patients;
3. For the purpose of concluding contracts – in the context of data processing for telephone appointments requested by patients or by means of remote communication;
4. For the purpose of conducting medical research or presenting your case, but only to the extent that we have obtained your prior consent;
5. In order to carry out an assessment to determine your suitability for the post for which you have applied;
6. With a view to the conclusion of the employment/collaboration contract or subsequently, for the performance of the employment/collaboration contract (payment of salaries, tax obligations of our company, etc.);
7. For video recording: of the presence of persons in the physical locations of the company but also in order to maintain a high level of security of persons and goods and to comply with legal provisions;
8. To communicate with you and to resolve any problems or queries you may have in relation to the services we offer;
9. To fulfill our obligations as a result of the services we provide (e.g. accounting obligations, tax obligations, etc.);
10. For any other purpose ancillary to the above, or for any other purpose for which personal data has been provided to us, in compliance with the relevant legislation;

1. In the case of employees of our company, personal data may also be transferred to our service providers, for example: medical services, labor protection services, lawyers, etc.
2. In the case of patients, these data may be transferred to the online platform of the National Health Insurance House, if there is an obligation on the part of the doctor to do so, to the medical analysis laboratory with which we collaborate, to the collaborating insurance company, security company, etc;
3. In the case of our contractual partners, these data may be transferred to our service providers.
4. Data collected as a simple visitor to our premises will not be transferred to third parties, unless there is a legal obligation to do so.
5. Authorities, institutions and public bodies, if they request us to do so, in accordance with tax, labor protection, social security or any other applicable regulations.

1. Data collected from you for the purposes of recruitment will be stored until the date on which the post for which you have applied has been filled, or for a period of … ;
2. Data collected as a result of the conclusion of the employment contract will be processed until the termination of the employment contract, i.e. for a period of 10 years from the date of termination of this contract for documents constituting accounting records within the meaning of Article 25 Law No. 82/1991 and 50 years for the pay statements of the same normative act.
3. The data processed from you, as a patient, will be stored until the termination of the contract for the provision of medical services, respectively for the period of time necessary in order to fulfil the legal obligations provided for by the applicable legislation including Law 95/2006 onhealth reform.
4. The data provided by you as a result of the conclusion of the contractual relations respectively the data provided on the basis of these relations will be kept until the date of termination of the execution of the contract, respectively until the expiry of the 10-year period stipulated in art. 25 of the Accounting Act.
5. Payroll records of employees will be stored for a period of 50 years, in accordance with the provisions of Art. 25 of Act 82/1991.
6. Certain documents in the personal files of employees will be kept for a period of 75 years, in accordance with Annex 6 of the National Archives Act No. 16/1996.
7. Employee records will be kept until the expiration of the period relating to the criminal or civil liability of the undersigned.

• a.The right to information – the right to be informed about the identity of the controller -Vertical Freedom Foundation, the purpose for which the data is processed, the recipients or categories of recipients of the data, the existence of the rights provided for by the GDPR and the conditions under which the rights may be exercised.
• b. Right of access – the right to obtain from us, upon request and free of charge, confirmation as to whether or not data concerning you are being processed and the right of access to such data, unless such requests are repetitive or made in manifest bad faith;
• c. Right to rectification – you may request rectification of inaccurate personal data.
• d. The right to erasure (“right to be forgotten”) – data may be erased when the processing was not lawful or in other cases provided for by law (for example when the data is no longer necessary in relation to the purpose for which it was processed). However, erasure may not take place when the processing is lawful;
• e. Right to restriction of processing – you may request restriction of processing if you contest the accuracy of the data, as well as in other cases provided by law;
• f. The right to object – the right to object at any time, on legitimate and legitimate grounds, to your data being processed, except where there are legal provisions to the contrary or where the processing is based on our legitimate interest;
• g. The right to data portability – you may receive the personal data you have provided to us in a machine-readable format or you may request that the data be transferred to another controller.
• h. The right to lodge a complaint – you can complain about the way your personal data is processed to the National Supervisory Authority for Personal Data Processing or you can complain to the courts.
• i. The right to withdraw consent – if the basis for the processing of your data is your consent, we inform you that your consent may be withdrawn at any time. Withdrawal of consent will only have effect for the future, the processing carried out prior to the withdrawal of consent will remain valid. However, if the processing is mandatory for the provision of the services and the processing may be carried out pursuant to other legal provisions, Grup Grena Construcții SRL will proceed to such processing and notify the data subjects.
• j. The right not to be subject to automated decisions or additional profiling related to automated decisions – the right to request and obtain the withdrawal, reversal or reassessment of any decision having legal effect, taken solely on the basis of a processing of personal data, carried out by automated means, intended to evaluate certain personal aspects, such as professional competence, reliability, conduct or other such aspects, where applicable;

1. Access to personal data is limited and authorized only to persons who have the legal right to use it, and they are responsible for ensuring data confidentiality.For example, the personal data that we collect and process to the extent that you are an employee or client of our foundation, are only accessible to persons within the administrative and accounting department in order to perform their job duties or to the extent that there is an obligation imposed by law, such as Law no. 82/1991 and Law no. 227/2015 on the Tax Code.
2. Access to the areas or premises storing personal data is secured by physical means to which only persons designated by the Vertical Freedom Foundation have access (key-secured premises, access is mainly allowed only to the person from the administrative department).
3. Data held for one client will be held separately from data held for another client.
4. No employee or other person who comes into contact with personal data or documents containing such data shall have the ability to disclose such data to third parties.

• Protection against physical data corruption – e.g. fire, flood, vandalism;
• Access to the areas where personal data is kept is allowed only to persons authorized by the job description;
• Computer equipment must be kept in appropriate locations that reduce risks caused by environmental hazards (fire, water, dust, etc.);
• Limiting the risk of computer equipment theft – if necessary, the laptop should be physically attached to the desk;
• No unauthorized person should have access to the sensitive data – photos, processed by the administrative department;
• The network that carries data or provides important information must also be physically protected from any interception or degradation.

• Using a strong password (consisting of numbers, letters and symbols);
• Prohibition of disclosing the password to other persons, respectively prohibition of using the account used in the interest of service by several persons.
• Prohibition of saving the password in both physical and/or electronic format;
• Any computer, laptop or device left unattended must be disconnected from the network, locked or shut down;
• When the computer is not in use, no information such as login username or password should appear on the computer screen.
• Verification of the physical security of the data by locking, applying a padlock; verifying the security of electronically stored data by not leaving the computer unattended, using a password in accordance with this Policy;
• Changing ALL passwords every 3 months
• Retaining the data they have access to for a limited period of time.

Failure to comply with these requirements may cause the company to take disciplinary action against the culpable persons.

However, no method of electronic or physical transmission or storage is 100% secure. If you believe that your data personal data have been compromised, contact us in writing at the address of our registered office located in Cluj-Napoca, 41 Traian Moșoiu Street, Cluj county, Romania, or by email to: office@verticalfreedom.org

If we learn of a security breach, we will notify both you and as well as the authorities about the occurrence of the violation in accordance with the legislation in force, within no more than 72 hours, during which we communicate the relevant information related to security incidents.

As our company’s policy is to be fair and to respect the principle of proportionality when considering the actions taken to inform people affected by the security incident that is likely to result in a risk to the rights and liberties of individuals, in the event of a breach we will notify both the Supervisory Authority and the person or persons concerned about this breach.

Our Privacy Policy applies to all services offered by our company.

Our Privacy Policy may change from time to time, but we undertake not to reduce your rights
under these changes without your explicit consent.

We will post any changes to the Privacy Policy in conspicuous places so that updates are easily
identifiable and so that you can easily review the contents. We will also keep previous versions
of this Privacy Policy in our electronic archive so that it can be reviewed by you at any time
upon simple request.

The most recent update of this policy was made on 01.09.2024