PRIVACY POLICY
Notice regarding the confidentiality of personal data, including special-category data (health data). This notice sets out the basis on which Tatiana Cirimpei RADIOTERAPEUT PFA, as data controller, processes your data in accordance with Regulation (EU) 2016/679 (“GDPR”) and Law no. 190/2018.
Controller: Tatiana Cirimpei RADIOTERAPEUT PFA, VAT/registration code: …, Cluj-Napoca, Bld. Muncii nr. 96-98, Cluj county, Romania. Contact details: +40 754 256 610, programari.cirimpeitatiana@gmail.com and/or tatianacirimpei@medisprof.ro.
We process data mainly for receiving your request, contacting you, and organizing an appointment within the clinic we collaborate with, namely MEDISPROF SRL. If the appointment is confirmed and you attend consultation/investigation/treatment at MEDISPROF SRL, that company will process your data as a separate controller, in accordance with its own notices.
We reserve the right to update this notice periodically. The current version is published on the website, and any relevant changes will be reflected in this content.
The purpose of this document is to clearly inform you about: the purposes and legal bases of processing, storage periods, data recipients, transfers (where applicable), security measures, data subject rights, and how those rights may be exercised.
For cookies and similar technologies (including reCAPTCHA), please consult the separate Cookie Policy.
1. Definitions
- Personal data – any information relating to an identified or identifiable natural person (e.g. last name, first name, phone, email, IP address).
- Special-category data / health data – information regarding health status, investigations, diagnosis, treatment, medical history (GDPR art. 9).
- Processing – any operation performed on data (collection, recording, storage, consultation, use, disclosure, restriction, deletion, destruction).
- Controller – the entity determining the purposes and means of processing (in this case, Tatiana Cirimpei RADIOTERAPEUT PFA).
- Separate controller – an entity processing data for its own purposes (e.g. MEDISPROF SRL, for providing medical services and related records).
- Recipient – the person/entity to whom data are disclosed (e.g. partner clinic, technical providers, public authorities if required by law).
- Processor – a provider processing data on behalf of the controller (e.g. technical/hosting/maintenance services, where applicable).
- Transfer to a third country – transmission of data outside the European Economic Area (EEA), subject to GDPR conditions and safeguards.
2. Principles
- Lawful, fair, and transparent processing.
- Collection for specified, explicit, and legitimate purposes.
- Data must be adequate, relevant, and limited to what is necessary (data minimization).
- Data must be accurate and updated where necessary.
- Storage only for as long as necessary for the stated purpose.
- Ensuring data security through appropriate technical and organizational measures.
- Respect for the confidentiality of medical information, including under Law no. 46/2003 (arts. 21–22).
3. What data we collect
Data provided by you through the form or by direct contact: last name, first name, email, phone number, as well as the content of the “Message” field. If you choose to include them, the message may contain health-related data (special-category data).
Technical data required for website functionality and security: IP address, device/browser information, log data regarding access/submission attempts, and anti-abuse indicators. These are used mainly for security and prevention of automated requests/spam.
Recommendation: for your protection, please include in your message only the information necessary for us to understand your request and organize the appointment. Full medical details are usually collected during the consultation, in accordance with clinical procedures.
4. Purpose of processing
- Receiving your request and contacting you in order to arrange an appointment / provide information.
- Communicating appointment details (confirmation, rescheduling, clarifications).
- Transmitting strictly necessary information to MEDISPROF SRL in order to arrange the appointment within the clinic.
- Ensuring website security and preventing abuse (spam, automated requests, fraud attempts).
- Complying with applicable legal and professional obligations and handling requests from authorities where a legal obligation exists.
Your data are NOT used for commercial purposes, advertising, profiling, or direct marketing (newsletters, promotions).
Common legal bases: GDPR art. 6(1)(b) (steps taken at the data subject’s request in order to arrange an appointment), art. 6(1)(c) (legal obligations, where applicable), and art. 6(1)(f) (legitimate interest – security). For health data, processing takes place, as applicable, under GDPR art. 9(2)(h) and art. 9(3) (health care services under confidentiality obligations).
5. Disclosure of data
Data may be transmitted to MEDISPROF SRL strictly for the purpose of arranging consultation/investigation and organizing the medical act. MEDISPROF SRL processes the data as a separate controller, according to its own notices and legal obligations regarding medical records.
For the functioning of the form and communication, data are technically transmitted to our email address through the FormSubmit (formsubmit.co) service, according to the form settings, and are received/stored in the controller’s email account. Providers of these services may process data according to their own policies (as independent controllers or, where applicable, as providers/together with other controllers), to the extent necessary to provide the service.
To prevent abuse and protect the website, we use Google reCAPTCHA, which may involve the processing of certain technical data (for example IP address, browser/device identifiers) and the setting of a necessary cookie when executed, for risk analysis purposes.
Data may be disclosed to competent authorities (courts, criminal investigation bodies, supervisory authorities, etc.) only where a legal obligation exists or a legally valid request has been received.
In other situations, disclosure to third parties is made only if necessary for the purposes above and subject to legal safeguards (including confidentiality, minimization, and security). We do not sell or rent your data to third parties.
Where certain services involve transfers outside the EEA, these are carried out only under GDPR conditions (adequacy decision and/or standard contractual clauses and supplementary measures, where applicable).
6. Storage period
Data are initially processed for appointment purposes and retained only for as long as necessary for that purpose, in accordance with the storage limitation principle.
If the appointment does not materialize, the data from the request (including the message) are generally retained for a maximum of 30 calendar days, so that communication and possible clarifications may be completed, after which they are securely deleted, except where retention is necessary for the defense of a right or to comply with legal obligations.
Technical data/security logs may be retained for reasonable periods proportionate to the security purpose (for example, to identify attempted abuse), after which they are deleted or anonymized.
If the patient attends consultation/investigation/treatment at MEDISPROF SRL, the data enter the legal circuit of medical documentation managed by MEDISPROF SRL, with the retention periods provided by legislation applicable to medical records and archiving.
7. Your rights
- Right to information and access.
- Right to rectification (correction of inaccurate data).
- Right to erasure (“right to be forgotten”), under GDPR conditions.
- Right to restriction of processing, under GDPR conditions.
- Right to data portability, where applicable.
- Right to object, especially where processing is based on legitimate interest.
- Right to lodge a complaint with the ANSPDCP and/or the competent courts.
To exercise your rights: programari.cirimpeitatiana@gmail.com and/or tatianacirimpei@medisprof.ro. A response is generally provided within 30 calendar days, in accordance with the GDPR, with the possibility of extension in the situations provided by law.
For your protection, we may request additional information to verify identity, especially where the request concerns medical or other sensitive data.
8. Data security
Appropriate technical and organizational measures are implemented, proportionate to the risks: secure HTTPS transmission, access control for the accounts used, limiting the persons who can access requests, confidentiality procedures, and periodic review of security settings.
Please note that sending information over the internet/email may involve inherent risks. We recommend avoiding the inclusion in the message of excessive medical data or full medical documents unless strictly necessary.
For additional questions: tatianacirimpei@medisprof.ro / programari.cirimpeitatiana@gmail.com.
9. Consent
By ticking the checkbox and pressing the “Confirm and accept” button, you confirm that you have read and understood this notice. Processing of the data necessary to respond to your request and organize the appointment is generally based on steps taken at your request (GDPR art. 6(1)(b)) and on the necessity of organizing health care services, and for health data – under GDPR art. 9(2)(h) and art. 9(3), subject to confidentiality obligations.
If there are specific situations in which processing is based on consent (for example, for additional information not necessary for arranging the appointment), you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
Refusal to provide strictly necessary data (for example a name and a means of contact) may make it impossible to process the appointment request.