Privacy Policy

I. General information

The pages on the platform (“the platform”) are published and operated by Medicover Integrated Clinical Services Romania S.R.L a limited liability company registered under the laws of Romania under no. J23/1113/2012, trading under the registered trade name “Medicover Integrated Clinical Services” (herewith ‘’MICS”) as a Data Processor, having its place of business at 25 Industriilor Street, Chiajna, Ilfov, Romania, 077040, on behalf of Sandoz AG as a Data Controller, having its registered office at Centralbahnstrasse 4, CH-4051 Basel, Switzerland (herewith “Sandoz” or “we”). Sandoz may exercise this responsibility alone or jointly with other company(-ies) in the Sandoz Group, acting as “co-controller(s)”.

Depending on the relationship between you / your organization and us, Sandoz is either a data controller or a data processor responsible for personal data processed in the platform (where Sandoz entered into data processing agreement with your organization). If you provide personal data to us about any person other than yourself (e.g. patients), you must ensure that they understand how their personal data will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to process it.

We respect your right to privacy and will process personal information you provide only in accordance with the General Data Protection Regulation (EU) 2016/679 hereinafter (“GDPR” or “General Data Protection Regulation”) and other applicable privacy laws. This Privacy Policy is informing you about the processing activities on this platform.

The terms used in this Privacy Policy have the meaning of the definitions mentioned in the General Data Protection Regulation.

II. The information collected and how it is used

We will not collect any information about individuals, except where it is specifically and knowingly provided by them.

Details of cookies that are used on the platform can be found on the Cookie Policy.

II.1. The personal data categories processed

The following personal data may be processed through this platform:

  • When using the details to contact us, we may process your e-mail address, phone number, postal address, depending on how you decide to contact us. We also may process any other personal information you disclose to us when contacting us.
  • When accessing the register button, we may process your registration information in order to create an account onto the platform: work email address, phone number, postal address, first name, last name, institute name, position of the HCP;
  • When accessing the login button, we may process your credentials to log into the platform: email address;
  • When registering a biological sample, we will process the information necessary to allow the registration for JCV testing of blood samples in the Program, such as: patient’s first and last name, date of birth, type of biological sample, results of laboratory testing, sample barcode, unique platform identification number and optionally hospital patient identifier;
  • When using the platform, we may collect certain profession related personal data, such as: your name, surname, e-mail address, phone number, postal address, e-mail address.

II.2. Lawful basis and purposes of processing

  • When contacting us, we may process data subject’s personal data based on our legitimate interest in receiving and answer the request when contacting us. The personal data collected is strictly the data that the data subject will disclose to us when using our Data Privacy team contact details as listed further down below, and it will be used in order to answer the request.
  • In order to use the platform, it may be necessary to create a user account by registering beforehand. When accessing the register button, your personal data is processed strictly in the scope of accessing and using the platform. The legal basis for processing your personal data is fulfilment of obligations under an agreement with you.
  • When registering a patient, you will be requested to fill in certain boxes with the minimum set of information needed on our side with the purpose of performance of the laboratory test results as part of the Program.
  • After anonymizing the personal data received through the platform, the data will be used for statistical purposes. The legal basis for creating anonymous statistics is legitimate business interest.
  • When using the platform there is certain information as mentioned above, processed for security reasons. The Data Controller has a legal obligation to ensure the security of the platform and of the personal data processed through the platform, even when the Data Controller does not have direct access to the data processed and those personal data are being processed by Data Processor on behalf of Sandoz.

II.3. Third-party use of information

The personal data collected through the platform can be disclosed to:

  • Data subject and its legal representatives;
  • Representatives of MICS, only on a need-to-know basis and in accordance with documented instructions from Sandoz;
  • MICS’s sub-Processors from a variety of domains: software as a service provider, data center providers, helpdesk provider, laboratories;
  • Other contractual partners of Sandoz involved in carrying out activities, such as: legal consultants, fiscal consultants, professional organizations;
  • Judicial and public authorities, international organizations if required by applicable law.

Except as described above, your personal data will not be disclosed, sold, or otherwise transferred to any third party.

Sandoz will not receive any personal data or other information processed by its Data Processor in relation to JCV testing of biological samples. The Data Controller may receive from Data Processor only statistical data in anonymized form.

II.4 The period of personal data processing

Your personal data will be processed for the time necessary to achieve the purposes of processing and subsequently in accordance with any applicable internal policies, as well as to comply with applicable legal obligations, including, but not limited to, the provisions regarding the archiving obligation, securing the personal data.

III. Security

We have implemented appropriate technical and organizational measures designed to provide an adequate level of security and confidentiality for your personal data. The purpose of these measures is to protect personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

These measures take into account the state of the art of the technology, the costs of its implementation, the nature of the data and the risk of the processing.

IV. Your rights

According to GDPR you have the following rights:

1. The right to information – the right to receive a minimum content of information regarding the processing activities performed by the Data Controller, in accordance with the legal requirements;

2. The right of access by the data subject – the right to obtain, upon request and under the conditions established by law, confirmation that the data concerning him/her are or are not processed and details on processing activities;

3. The right to rectification – the right to obtain the rectification of inaccurate personal data concerning the data subject, respectively to obtain the completion of personal data are incomplete, including by providing an additional statement;

4. The right to the deletion of data (” the right to be forgotten”) – the right to obtain the deletion of personal data concerning the data subject, without undue delay, in cases provided by law;

5. The right to restriction of processing – the right to obtain the restriction of the processing, in so far as the conditions provided by law are met;

6. The right to data portability, namely (i) the right to receive personal data in a structured, commonly used, and easy to read format, and (ii) the right to have such data transmitted by to another Data Controller, provided that the conditions by law are met;

7. The right to object – the right to object at any time, for well-founded and legitimate reasons related to his situation; Regarding direct marketing activities, data subjects have the right to object to such processing at any time;

8. The right not to be subject to an automatic individual decision – the right not to be subject to a decision based solely on automatic processing, including profiling, which produces legal effects which concern or affect it in a similar way to a significant extent;

9. The right to withdraw consent when there is processing based on it; Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal.

If you wish to exercise any of the above rights, under the conditions and within the limits set forth in the law, please click here or write to sandoz_global.dpo@sandoz.com.

If you have a question or you are not satisfied with how we process your personal information, you may address your request to our data protection officer at sandoz_global.dpo@sandoz.com.

In any case, in addition to the above rights, you also have the right to file a complaint with the competent data protection authority.

V. Third-party sites

Please note that this privacy policy applies only to the personal information that is collected through this platform.

Last updated on 23.12.2024