Privacy policy

Thank you for your interest in and use of our Company's services and products.

When you visit our website (i.e. http://parodent.ro), interact with us, and use our services and products, we collect and process your personal data.

The purpose of this policy is to inform you, in particular, regarding: (1) the categories of personal data we collect, (2) the purposes for which we process them and the related legal bases for processing, (3) the retention period for such data, (4) recipients of personal data, (5) your rights, and (6) our cookie policy.

The content of this Privacy Notice is purely informational and does not affect the rights afforded to you by applicable law. We will do our best to facilitate your exercise of these rights.

Identity of the controller

Your personal data are processed by PARODENT MED S.R.L.

Unique Identification Code (CUI): 5442127

Trade Register registration number: ROONRC.J2011009393406

Main CAEN code: 8623 - Dental practice activities

Registered office: Bucharest, Sector 3, Delea Nouă Street, No. 11, Ground Floor, Apt. 2

Contact details

Postal address: Bucharest, Sector 3, Delea Nouă Street, No. 11, Ground Floor, Apt. 2

Email address: office@parodent.ro

Contact details of the data protection contact: 0775 395 466

For easier contact, you may use the contact form on the website.

Categories of personal data we process and their source

For the purposes and legal bases set out below, we collect and process from you the following categories of personal data, to the extent you provide us with these types of personal data:

Type of data collected	Examples of data processed
Medical data (special categories of personal data)	previous illnesses, past tests and medications administered, treatment administered; doctor consulted, medical recommendations, data about your family medical history, biometric data
Identification data	first name, last name, home address, date of birth
Contact data	correspondence address, email address, telephone number
Financial data	bank account, bank name, bank account or bank card number / IBAN, first and last name of the bank account or card holder, date from which the bank card is valid; bank card expiry date
Purchase data	purchase history, services and products purchased from us, how we interact with you
Technical data	IP address, operating system, browser, geolocation, pages on our website that you visit, time spent on those pages, and other statistics
User data	username, password, date and time of login, online activity
Opinions and views	opinions and views submitted or posted about us on social networks (social media) or that you make known through other public channels

As shown in the list above, you may provide us with information about other persons, for example, the medical history of your relatives. Where this relates to identified persons or persons we can identify, we will treat such information as personal data of those persons and afford them the necessary protection as well. However, we will comply with our duty of professional secrecy (including medical secrecy) owed to you and will not inform those persons about this processing in order to respect our duty of professional secrecy (including medical secrecy) owed to you.

We also note that you are under no obligation to provide us with your personal data. However, if you do not provide the data we need, we will not be able to provide the services you request from us.

How we collect personal data from you

In principle, we collect personal data directly from you, by completing online forms or by communicating with us by post, telephone, email, or in person.

We also collect personal data through automated means when you use our website, including through analytics services, in particular where you have a user account and use it.

In addition, we may collect personal data from third-party sources (such as analytics service providers), including but not limited to public sources (such as the trade register, court portals), as applicable.

By completing an appointment or contact form, we will collect only the data you provide. We do not collect IP address, browser data, or any other identification method.

Purpose of processing and legal basis

We process your personal data only to the extent necessary for the purposes set out in the table below.

Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Purpose	Category of data	Legal basis
For purposes related to establishing a medical diagnosis, providing medical care, or medical treatment	special categories of data: genetic data, biometric data for the unique identification of a natural person, health data	necessary for the performance of our obligations under the contract concluded with you and on the basis of Article 9(2)(h) GDPR — namely for establishing a medical diagnosis, providing medical care, or medical treatment.
In medical emergency situations or other situations where you are unable (physically or legally) to consent to processing	special categories of data: genetic data, biometric data for the unique identification of a natural person, health data	necessary to protect your vital interests (or those of another natural person).
Presentation of our services and products (e.g. direct marketing)	identification datacontact datapurchase data	necessary in the pre-contractual phase where you request a presentation of our services and products necessary for our legitimate interests in promoting our services and products.
Statistics and scientific research	DSP reporting in accordance with Order No. 1255/2016 approving the Rules on the registration, centralisation and reporting of information on the population's medical exposure to ionising radiation	necessary to fulfil a legal obligation incumbent on the controller
Presentation of an offer (i.e. price quotation)	identification datacontact datapurchase data	necessary in the pre-contractual phase where you request an offer (e.g. price quotation).
For the purpose of providing/delivering our services/products and, in general, for contract performance	data included in invoices (e.g. customer names, identification/contact data, services provided, bank account, signature)	necessary for the performance of our obligations under the contract concluded with you necessary to fulfil a legal obligation incumbent on the controller (e.g. regarding invoice content) necessary for our legitimate interests in monitoring and obtaining performance of consideration for our services/products.
For the purpose of accessing financial-banking services (payment by bank transfer / card / instalments)	name, identification/contact data, services provided, bank account, signature	necessary for the performance of our obligations under the contract concluded with you necessary for our legitimate interests in monitoring and obtaining performance of consideration for our services/products.
For the purpose of managing and maintaining our relationship with you (e.g. through a CRM)	identification datacontact datapurchase data	necessary for the performance of our obligations under the contract concluded with you necessary to fulfil a legal obligation (e.g. reporting) necessary for our legitimate interests in managing and maintaining our relationship with you.
For the purpose of administering and protecting our website	technical datauser data	necessary to fulfil an obligation necessary for our legitimate interests in administering the website and preventing/remedying security breaches.
For the purpose of analysing visitors' access data to improve our website and visitors' user experience	technical datauser data	necessary for our legitimate interests in improving the website and visitors' user experience.
For the purpose of fulfilling our legal obligations	—	necessary to fulfil our legal obligations regarding archiving, health, security, record-keeping, and other obligations imposed on us by law.

Retention period for personal data

As a general rule, we will store your data for a period between 6 months and 100 years, in the case of medical records.

Personal data are processed for as long as necessary to fulfil the purposes stated above, after which they may be anonymised for research or statistical purposes.

Below, by way of example, we describe how we determine, for certain specific cases, the retention period for your personal data.

Personal data processed for the purpose of presenting our services and products will be retained until you express your wish no longer to receive presentations of our services and products, unless they are needed for another purpose.

Personal data processed for the purpose of presenting a price offer will be retained for a reasonable period to allow the possibility of concluding a contract.

Personal data processed for the purpose of providing/delivering our services/products and, in general, for contract performance, will be retained for the duration of contract performance and thereafter for a reasonable period and, in any case, for the periods provided by law.

Personal data processed for the purpose of managing and maintaining our relationship with you will be retained for an indefinite period until you exercise your right to be forgotten, to the extent that processing is no longer justified on the basis of law, a contract, or our legitimate interest.

Personal data processed for the purpose of administering and protecting our website will be retained for a reasonable period.

Personal data processed for the purpose of analysing visitors' access data to improve our website and visitors' user experience will be retained for a reasonable period.

Recipients of personal data

Although we cannot at this time provide you with precise information regarding the exact identity of all possible recipients of your data, because we have not predetermined them for each data subject individually, we endeavour below to indicate the categories of third parties to whom we transmit your personal data:

Partners who provide services and products ancillary or additional to our services and products (e.g. dental laboratories, medical practices, accounting firms);
Collaborating doctors and other medical service providers (each of whom is required by law or by contract with us to maintain the confidentiality of your data);
Consultants with whom we have concluded a contract (e.g. lawyers, accountants, who are required by law or by contract with us to maintain the confidentiality of your data);
Natural or legal persons acting as processors in various fields (for example, payment services, document archiving or destruction services, etc.), for whom we will include clauses requiring them to comply with legislation that protects your rights;
Other companies in the group;
Public authorities in any field, in Romania or abroad (in particular public health authorities in Romania: the National Health Insurance House, the Ministry of Health, and others) — at their request or on our initiative, in accordance with applicable law;
Insurers in Romania or other countries — in connection with services you received at our clinics;
Web hosting providers that host our website;
IT service providers that maintain and develop our website;
Analytics service providers (e.g. Google Analytics);
Marketing service providers acting on our behalf.

In all cases, we require recipients of your data to process them in accordance with the law and for purposes compatible with the purposes for which we initially collected your personal data.

Transfer of your personal data

At this time, we do not transfer and do not intend to transfer your personal data or part thereof to other companies, organisations, or persons in third countries or to international organisations.

If it becomes necessary to transfer your data to any of the destinations above, we will inform you in advance.

Security of your personal data

To protect the persons whose data we process from unauthorised access and from unauthorised alteration, disclosure, or destruction of the data we process, we have implemented the following technical and organisational measures to ensure the security of personal data:

Adoption and review of policies and practices dedicated to the processing of data subjects' personal data;
Use of specific contractual clauses with our partners and collaborators to ensure an optimal level of confidentiality and legal compliance regarding the processing of personal data;
Data limitation, in the sense of minimising and processing only data that are necessary, adequate, and relevant for the processing purposes;
Ensuring the accuracy of your data by completing and updating them when necessary;
Restricting access to data, in the sense of: (i) limiting the persons who have access to your personal data (such as our employees or collaborators) and (ii) including contractual mechanisms to ensure their accountability if they fail to comply with confidentiality and personal data protection obligations;
Ongoing training of staff in the field of personal data processing;
Implementation of specific technical measures, such as two-factor authentication;
Periodic backups, which we keep securely for appropriate periods;
Implementation of attack detection/prevention systems;
Anonymisation/pseudonymisation of data where possible and appropriate, so that the persons to whom they relate can no longer be identified.

In the unlikely event of a security breach despite our reasonable security measures, we will follow legal procedures to limit the effects and to inform data subjects and the competent supervisory authority, as applicable.

Your rights

You have the following rights in relation to your personal data, as guaranteed by law:

Right of access to data, i.e. the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to those data.
Right to rectification of data, i.e. the right to obtain from the controller without undue delay the rectification of inaccurate personal data. Taking into account the purposes for which the data were processed, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
Right to erasure of data (right to be forgotten), i.e. the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase personal data without undue delay in certain cases (such as: the personal data are no longer necessary for the purposes for which they were collected or processed, data subjects have withdrawn consent for processing and there is no other legal basis for processing, data subjects object to the processing of personal data concerning them and there are no overriding legitimate interests, or the data subject objects to processing for direct marketing purposes, or processing is unlawful).
Right to restriction of processing, i.e. the right to obtain from the controller restriction of processing in certain cases (such as: the data subject contests the accuracy of the data, processing is unlawful and the data subject opposes erasure of the personal data and requests restriction of their use instead, etc.).
Right to data portability, i.e. the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller, both in certain cases.
Right to object, i.e. the right to object, on grounds relating to your particular situation, to processing based on: (a) performance of a task carried out in the public interest, (b) performance of a task in the exercise of official authority, or (c) purposes of legitimate interests pursued by the controller.
Right not to be subject to automated individual decision-making, i.e. the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, subject to certain conditions.
Right to be informed about security breaches. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller informs the data subject without undue delay about the breach, subject to certain conditions.
Right to withdraw your consent to processing where the legal basis for processing is consent you previously gave.
Furthermore, any person who considers that their rights under the GDPR have been infringed as a result of the processing of their personal data without compliance with the GDPR has: (i) either the right to lodge a complaint with a supervisory authority, (ii) or the right to seek a remedy before a court.

To exercise one or more of these rights or to ask any question about any of these rights or any provision of this Privacy Notice or any other aspect of our processing of your data, please use the contact details in Section 3 above (Contact details) whenever you wish.

We will endeavour to respond as promptly and fully as possible to all your questions and concerns and to facilitate the exercise of your rights in accordance with legal requirements.

Changes to this Privacy Notice

This Privacy Notice may be updated or amended from time to time, and such changes will be brought to your attention appropriately.