Privacy policy

The establishment of technical and organizational measures to be applied in order to adapt to the requests of the departments concerned, regarding the use of personal data, to address the requests of data subjects regarding the use of their data by the “Iuliu Hațieganu” University of Medicine and Pharmacy Cluj-Napoca, as well as the internal monitoring of departments regarding the protection, use, compliance, monitoring, implementation, and issuance of responses and/or recommendations of Regulation (EU) 689/2016 on the protection of personal data.
The procedure is applied by the Data Protection Officer (hereinafter referred to as DPO).

The scope reflects on the processing of personal data, carried out wholly or partially by automated means, as well as the processing by other means than those automated of personal data which form part of a data record system or are intended to form part of a data record system.

REFERENCE DOCUMENTS

Law no. 190/2018 regarding measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

REGULATION (EU) No 679 of 27 April 2016 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR).

DESCRIPTION OF ACTIVITY
The departments concerned, as well as the individuals whose personal data are processed, are given the opportunity, in accordance with Article 12 of the GDPR, to submit a written request in physical or electronic format whenever they wish to exercise their rights regarding the protection of personal data (under Articles 13-22 of the GDPR).
Personal data is:
  • processed lawfully, fairly, and transparently to the data subject (lawfulness, fairness, and transparency);
  • collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes, in accordance with Article 89(1) (purpose limitation);
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (storage limitation);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by appropriate technical or organizational measures (integrity and confidentiality).
Information provided under Articles 13 and 14 of the GDPR and any communication and any measures taken under Articles 15-22 and 34 of the GDPR are provided free of charge by the institution. In cases where requests from a data subject are clearly unfounded or excessive, particularly because of their repetitive nature, the “Iuliu Hațieganu” University of Medicine and Pharmacy Cluj-Napoca exercises its right (under Article 12, paragraph (5)) to take the following measures:
  • To charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested;
  • To refuse to act on the request.
The request for exercising the rights regarding the protection of personal data, regulated by the GDPR, shall be drawn up in writing and must contain at least the following information:
  • Identification data of the person submitting the request/complaint (name, surname, and ID number);
  • Capacity of the person submitting the request/complaint;
  • Subject of the request, including a complete description of the information/modifications requested;
  • Contact details (mailing address and email address) for sending the response;
  • Date of submission;
  • Signature of the person submitting the request/complaint.
In accordance with Article 12, paragraph (6), UMF Cluj Napoca may request additional information necessary to confirm the identity of the data subject.
Requests can be submitted as follows:
By physically submitting them to the mailing address of the DPO (details can be found in the DPO contact section) or scanned, via email, to the following email address: gdpr@umfcluj.ro.
The response to the request submitted by the data subject shall be prepared in writing and shall include at least the following information:
  • Identity and contact details of the controller; purposes for which the personal data are processed, as well as the legal basis for the processing; categories of personal data processed; recipients or categories of recipients of the personal data, if applicable; where possible, the period for which the personal data will be stored or, if not possible, the criteria used to determine this period; source of the data collection and the data subject’s rights regarding: rectification, erasure, restriction, objection, and the right to lodge a complaint with the ANSPDCP (in the case of a request for access to personal data);
  • Information on the reasons for rejecting the request (if applicable);
  • Measures taken under Articles 15-22 and 34 of the GDPR to address the request (depending on the subject of the request: rectification, erasure, restriction, data portability, etc.).
The response will be sent as follows:
  • In physical format to the mailing address of the data subject, as specified in the request;
  • Scanned, via email, to the email address specified by the data subject in the request.
The period within which the Data Protection Officer shall provide the data subject with any information mentioned in Articles 13 and 14 of the GDPR and any communications under Articles 15-22 and 34 of the GDPR is 30 working days.
This period may be extended by two months when necessary, taking into account the complexity and number of requests. UMF Cluj Napoca shall inform the data subject of any such extension within one month of receiving the request, providing reasons for the delay.
If no action is taken regarding the data subject’s request, UMF Cluj Napoca shall inform the data subject, without delay and within one month of receiving the request, of the reasons for not taking action and the possibility of lodging a complaint with a supervisory authority and initiating judicial proceedings.

Your Rights as a Data Subject
  1. Right of access to processed personal data: You have the right to obtain confirmation of whether your personal data are being processed, and if so, access to the type of personal data and the conditions of their processing, by submitting a request to the data controller.
  2. Right to request rectification or erasure of personal data: You have the possibility to request, by submitting a request to the data controller, the rectification of inaccurate personal data, supplementation of incomplete personal data, or erasure of your personal data in situations where: (i) personal data are no longer necessary for their initial purpose (and there is no new legal basis for processing), (ii) the legal basis for processing is the data subject’s consent, and the data subject withdraws their consent, and there is no other legal basis for processing, (iii) the data subject exercises the right to object and the data controller does not have compelling legitimate grounds for further processing, (iv) personal data have been unlawfully processed, (v) erasure is necessary for compliance with EU or Romanian law, or (vi) personal data have been collected in connection with the offer of information society services to children (if applicable), for which consent is governed by special rules.
  3. Right to request restriction of processing: You have the right to obtain restriction of processing in situations where: (i) you believe that inaccurate personal data are being processed, for a period allowing the controller to verify the accuracy of your personal data; (ii) processing is unlawful, but you do not wish to delete your personal data, requesting only restriction of their use; (iii) where the controller no longer needs your personal data for processing purposes mentioned above, but you request the data for the establishment, exercise, or defense of a legal claim in court, or (iv) you have objected to processing, for the period while it is verified whether the legitimate grounds of the controller override the data subject’s rights.
  4. Right to withdraw consent for processing, when processing is based on your consent, without affecting the legality of processing carried out before the withdrawal of consent;
  5. Right to object to processing of personal data for reasons related to your particular situation, when processing is based on legitimate interest, and to object at any time to processing of personal data for direct marketing purposes, including profiling;
  6. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you;
  7. Right to data portability, namely the right to receive your personal data provided to the controller in a structured, commonly used, and machine-readable format and the right to transmit this data to another controller, where processing is based on your consent or the performance of a contract and is carried out by automated means;
  8. Right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) and the right to address competent courts.

All these rights can be exercised through a written, signed, and dated request, sent to our headquarters or to the email address: gdpr@umfcluj.ro

Contact Details of the DPO:
Name: Andreieș Ovidiu
Mailing address: Victor Babeș Street, no. 8
Phone number: 0740086400

Email address: ovidiu.andreies@umfcluj.ro; gdpr@umfcluj.ro

Responsibilities
The identification of all actions related to the process/activity is pursued, and their allocation to the departments responsible for processing personal data, as appropriate, along with the responsibilities towards them, by appointing personnel involved in the procedural activity of processing personal data. Issuance of recommendations regarding the inclusion of actions in the logical order of their conduct and the departments or responsible parties, in the order of intervention in the procedural activity of personnel involved in processing personal data. Issuance of agreements regarding informing data subjects about personal data processing in support of departments that have actions related to personal data processing, according to Article 6 of Regulation 679/2016. Formulation of responses to requests from data subjects regarding Regulation 679/2016.