INFORMATION NOTE ON THE PROCESSING OF PERSONAL DATA BY ENLIGHTEN SMILES RO SRL.

In accordance with the provisions of European Regulation No. 679/2016 (hereinafter referred to as "GDPR"), in force since May 25, 2018, ENLIGHTEN SMILES RO SRL ("ENLIGHTEN SMILES") is obliged to process personal data, in safe conditions, for the general purposes specified in this information, in the context of providing the dental aesthetics services that you benefit from within the collaborating clinics.

preamble

ENLIGHTEN SMILES is committed to providing a level of confidentiality, availability and integrity of personal data corresponding to the GDPR rules for any person concerned through the processing activities carried out, including our service provision or marketing actions.

Through this information we would like to explain to you how your personal data is processed by ENLIGHTEN SMILES.

Personal data (representing any information that can lead to the identification, directly or indirectly, of a natural person) is detailed in section 6 below, being defined taking into account the applicable legal provisions.

For the purposes of this information, we inform you that ENLIGHTEN SMILES is a personal data controller, as defined under the GDPR.

IDENTITY AND CONTACT DETAILS OF THE OPERATOR

  • Name: ENLIGHTEN SMILES RO SRL.
  • Registered office: Bucharest, Sector 1, 55 Admiral Horia Macelariu Street
  • Code 15801244
  • No. ORC: J40/13510/2003
  • Phone: 0799 993 259
  • Email: info@enlightensmiles.ro

 

DATA PROTECTION OFFICER (DPO) CONTACT DETAILS

The contact details of the person responsible for data protection (also referred to as "DPO") within ENLIGHTEN SMILES and whom you can contact in relation to any aspects relating to the protection of your personal data:

  • Email: info@enlightensmiles.ro

 

THE PURPOSES FOR WHICH YOUR PERSONAL DATA ARE PROCESSED

The processing and storage of personal data is carried out under optimal security conditions and for legitimate purposes mainly related to the provision of medical services or related to human resources activities, for advertising, marketing, publicity, statistics, or scientific purposes. Each time we request the collection, subsequent processing and eventual transfer of personal data, the use will be made only for the stated purpose, for other purposes you will have to give your consent or be informed according to the provisions of the GDPR.

Your personal data indicated in section 6 below will be processed for the following purposes:

  • Marketing: Periodic information of a medical nature or regarding ENLIGHTEN SMILES services, promotions, etc. Processing for this purpose will only be carried out if there is your consent expressed in writing and only as long as you maintain this agreement. You can withdraw this agreement at any time by clicking on the "Unsubscribe" link at the bottom of any email you receive from us or by contacting us at the email address info@enlightensmiles.ro
  • Medical statistics or scientific purposes: Processing for this purpose will be carried out only upon written request of the statutory institutions with responsibilities in the field of statistics, respectively for scientific purposes. Your personal data will remain secure and in full confidentiality, and will not be disclosed to third parties.
  • Fulfillment of legal obligations: Processing in order to fulfill various legal obligations of ENLIGHTEN SMILES (such as: in the field of health, security, accounting, record keeping or other obligations imposed by the laws in force).
  • Improving services and resolving complaints: Identifying problems or possible relevant issues regarding existing services in order to improve them, implementing new services or improvements to existing ones, resolving complaints made by you.
  • Financial records: Issuing financial and accounting documents to you (for example: receipts or tax invoices), collecting payments for the services you benefit from, recovering debts from you (which may also involve the involvement of third parties to recover receivables), returning amounts of money to you, sending notifications related to the financial situation/payment status, preparing various reports or statements related to financial records.
  • Dispute resolution: Formulating various requests/opinions in the event of disputes arising in connection with the services provided to you and/or relating to the relationship established between you and ENLIGHTEN SMILES.
  • Management of internal and external audit activity: carrying out external and internal audit activity to verify operational activities.

ENLIGHTEN SMILES states that there is no automated decision-making process (including profiling) based on your personal data and we assume responsibility and ensure security only for that information, personal data:

  • in ENLIGHTEN SMILES partner clinics;
  • in the IT and/or electronic systems/tools/devices, hardware and software, ENLIGHTEN SMILES records;

ENLIGHTEN SMILES is not responsible for the processing carried out, in any form, outside the coordinates mentioned above (including through the exchange/recording of information/personal data during conversations between doctors and patients).

LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

The legal bases of the personal data processing operations carried out by ENLIGHTEN SMILES are:

  • Grounds for processing personal data that do not fall into special categories of personal data (according to art. 6 of the GDPR).

 

Personal data that does not include special categories of personal data (as defined in Article 9 of the GDPR) are processed by ENLIGHTEN SMILES on the following legal grounds:

  • to offer or execute a contract concluded by ENLIGHTEN SMILES with you (regarding the aesthetic services made available by ENLIGHTEN SMILES through partner dental clinics);
  • within the framework of marketing communications, we will process your personal data based on your express consent (this agreement is requested either by completing a form within one of the ENLIGHTEN SMILES partner dental clinics which can be done either upon initial registration in the database, or later upon registration in the forms on the website; upon participation in events, etc.), as detailed above;
  • for the purpose of permanently improving services, your personal data is processed based on your prior expressed consent;
  • fulfilling ENLIGHTEN SMILES' legal obligations (including with regard to archiving, health, security, record keeping, requesting a public authority and other obligations imposed by law);
  • in certain situations, we will process personal data based on a legitimate interest of ENLIGHTEN SMILES or a third party (such as: compiling service records; resolving requests and complaints received from patients; concluding and executing contracts for the provision of dental aesthetics services with partners and collaborators who provide dental aesthetics services for ENLIGHTEN SMILES; surveillance through the video camera system to ensure the security of goods and people - if there is no legal obligation in this regard; management of internal and external audit activity, transmission within the group to which ENLIGHTEN SMILES belongs).
  • Processing of personal data falling into special categories of personal data (according to art. 9 of the GDPR).

Considering the specific nature of the medical activity/services provided by ENLIGHTEN SMILES, we will process personal data that fall into the category of special data (as defined in accordance with art. 9 of the GDPR) based on the following legal grounds (grounds that will apply in addition to the grounds detailed in art. 6 of the GDPR):

  • considering certain situations in which you may find yourself (physically or legally) and which may make it difficult for you to express your consent to the processing (for example: emergency situations), personal data will be processed to protect your vital interests or those of another natural person;
  • the processing is necessary to allow the establishment, exercise or defense of a right in court, given that, during the relationship established with ENLIGHTEN SMILES, the occurrence of such situations in the context of the services provided cannot be excluded (to the extent that such disputes are addressed to the courts).

 

CATEGORIES OF PERSONAL DATA CONCERNED. CONSEQUENCES OF REFUSAL TO PROVIDE PERSONAL DATA

The personal data that will be processed by ENLIGHTEN SMILES are:

  • data obtained directly from you, in the context of the services provided or
  • data / results obtained as a result of the provision of services made available by ENLIGHTEN SMILES.

The personal information you provide when making an appointment by phone, by email or in partner clinics (surname, first name, telephone, email, date of birth, symptoms, data on the analyses and investigations performed or that you wish to perform, CNP) is recorded and processed by ENLIGHTEN SMILES only to the extent that this information was provided by you without any constraint and with prior information. ENLIGHTEN SMILES assumes no liability for inaccurate, incorrect information/data/documents that you provide to us. You are obliged to send us any changes that occur to your personal data so that they are always accurate and up-to-date. If ENLIGHTEN SMILES has suspicions regarding the authenticity of the documents or information made available, it is entitled to notify the public authorities/institutions with powers of investigation, supervision and control.

Personal data includes the following categories of data:

  • contact details, such as: name and surname, home address/residence, telephone number (landline and/or mobile) and/or fax, e-mail address, mailing address;
  • personal data, such as: date of birth; gender; age; information about tobacco, alcohol, caffeine or drug consumption; information about the environment and lifestyle; series and number of the identity document; personal numerical code (CNP); other information included in the identity card; video images (obtained based on video recordings made in the premises of ENLIGHTEN SMILES partner clinics, where video surveillance cameras are installed); signature;
  • payment data, such as: billing details; bank account number; amounts paid and/or to be paid; payment status;
  • data regarding the relationship with ENLIGHTEN SMILES, such as: the history of the relationship with ENLIGHTEN SMILES; any suggestions or other such opinions that you send us, either directly or through other means of communication (which may also include social networks or other public means of communication).
  • In principle, there is no obligation for you.

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

As a general rule, your personal data will be processed by ENLIGHTEN SMILES. Due to the need for ENLIGHTEN SMILES to call on certain external partners who provide support in carrying out its activities, we would like to inform you that personal data may also be transmitted to other natural or legal persons, to be processed for the purposes detailed in this Information Notice.

In this regard, personal data may be transmitted to:

  • collaborating doctors and partner, accredited medical service providers, partner clinics. In this regard, we inform you that data/information regarding your health status, dental impression, may be communicated to accredited medical service providers, in accordance with applicable legal provisions. ENLIGHTEN SMILES makes every effort to ensure that collaborating doctors and other accredited medical service providers comply with the provisions of the legislation on the protection of personal data;
  • institutions and/or judicial, research, supervisory and control authorities, to the extent that, in accordance with the legal provisions in force, personal data/information are requested from ENLIGHTEN SMILES by various bodies and/or institutions (for example: criminal investigation bodies, police, financial and fiscal control bodies and institutions, courts of law, and any other supervisory and control institutions and/or authorities), meaning that ENLIGHTEN SMILES is obliged to provide the requested data/information, without asking for your prior consent, including if you object or do not express your point of view. In addition, it is possible that, in certain situations, such data/information may need to be made available without a prior request from these institutions, bodies and/or authorities, situations in which ENLIGHTEN SMILES will transmit the necessary data/information, in accordance with legal requirements;
  • In the event that the personal data processing operations will be carried out by ENLIGHTEN SMILES through persons authorized by it, ENLIGHTEN SMILES will ensure compliance with the specific requirements imposed by the provisions of art. 28 of the GDPR, ensuring, among other things, that (i) the respective personal data processing operations are carried out on the basis of a contract that addresses the specific issues of the controller-processor relationship, in accordance with the GDPR, and (ii) the person authorized will process the personal data based on the instructions of ENLIGHTEN SMILES.

TRANSFER TO THIRD COUNTRIES

In certain specific situations, your personal data will be transferred to entities located in other states within the European Union and/or the European Economic Area, in order to carry out various analyses or obtain specialized medical opinions in the context of the services provided by ENLIGHTEN SMILES to you. In such cases, we will ensure that adequate safeguards are in place to allow the transfer in an appropriate manner, in accordance with the requirements of the GDPR and the legislation on the protection of personal data (safeguards which may include: the application of standard contractual clauses on data protection or the existence of a decision of the European Commission adopted in this regard

PERIOD FOR WHICH PERSONAL DATA WILL BE STORED

We will store your personal data for the entire duration of the relationship established with you, but also for a certain period of time thereafter, taking into account the applicable legal provisions. Thus, your personal data will be retained for a period ranging from 1 to 30 years (the extended retention period being applicable, in principle, to medical documents that must be retained for such periods).

To the extent that certain personal data are included in or are also related to certain accounting documents of ENLIGHEN SMILES, for which a specific retention period must be respected (for example 5 or 10 years), such personal data will be retained for the applicable periods.

Regarding images obtained through video surveillance means, they will be maintained for a maximum period of 30 calendar days from the date of recording, except in duly justified cases or when a longer period is permitted or required by applicable legislation.

YOUR RIGHTS REGARDING PERSONAL DATA

In accordance with the applicable provisions regarding personal data, we inform you that you have the following main rights:

  • The right of access to the processed personal data, meaning your right to obtain from ENLIGHTEN SMILES a confirmation as to whether or not personal data concerning you is being processed and, if so, access to that data and the conditions under which it is processed (including the purpose of the processing, the categories of data processed, the recipients of the data).
  • The right to request rectification of personal data, meaning your right to request us to rectify inaccurate personal data that is no longer current or to complete incomplete data.
  • The right to erasure of personal data, including: the situation where the personal data are no longer necessary in relation to the purposes of the processing; the situation where the data subject objects to the processing and there are no other legitimate interests that prevail for the processing; the situation where the personal data have been processed unlawfully.
  • The right to request restriction of processing, meaning your right to obtain from ENLIGHTEN SMILES restriction of processing in the following cases: (i) you contest the accuracy of the data (the restriction will last as long as it is necessary for ENLIGHTEN SMILES to verify the accuracy of the personal data); (ii) the processing is unlawful and you oppose the deletion of the data by requesting the restriction of their use instead; (iii) ENLIGHTEN SMILES no longer needs the personal data for the purposes mentioned above, but you request the personal data for the establishment, exercise or defense of a right in court; or (iv) you have objected to the processing, for the period during which ENLIGHTEN SMILES verifies whether the legitimate rights of ENLIGHTEN SMILES prevail over your rights.
  • The right to object to processing, meaning your right to object to processing on grounds relating to your particular situation, where the processing (i) is based on the legitimate interests of ENLIGHTEN SMILES or a third party, including profiling activities based on this basis or (ii) to the extent applicable, is carried out for the purpose of direct marketing communications, involving profiling.
  • The right to withdraw your consent at any time, if the processing is based on consent, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal;
  • The right not to be subject to automated decision-making, which means that, as a user of our services, you will not be subject to a decision by us based solely on automated processing of your data (including profiling) that produces legal effects concerning you or similarly significantly affects you.
  • The right to data portability, meaning your right to request the movement, copying or transfer of your personal data existing in the ENLIGHTEN SMILES database to another database, in a structured, commonly used and machine-readable format, where the processing is based on consent or a contract and is carried out by automated means.
  • The right to file a complaint with the National Supervisory Authority for Personal Data Processing (Bucharest, Bd. General Gheorghe Magheru 28-30, sector 1, postal code 010336, Bucharest, Romania, telephone: 031 805 92 11, e-mail anspdcp@dataprotection.ro) and to address the competent courts.

The rights mentioned in the above points can be exercised by a written request, signed and registered with ENLIGHTEN SMILES, using the following communication channels (for the attention of the Data Protection Officer – DPO): (i) to the e-mail address info@enlightensmiles.ro, (ii) at the ENLIGHTEN SMILES clinics or (iii) sending the request by post to the address ENLIGHTEN SMILES. in Bucharest, Str. Amiral Horia Măcelariu no. 55, Sector 1.

In your request, you have the option to indicate whether you want the information to be communicated to you at a specific address (which can also be an email address) or through a courier service that ensures that the delivery will be made in person.

The communication of the requested information will be made within 1 (one) month from the date of receipt of the request, respecting your possible communication option.

If it is not possible to meet the aforementioned deadline, you will be informed of the reason for the delay in responding, while also communicating the procedure envisaged for resolving your request, as well as the estimated deadline.