National Institute of Public Health (INSP)

1. General Provisions

This Privacy Policy establishes the general framework regarding the manner in which the National Institute of Public Health (hereinafter referred to as “INSP” or “the Controller”) collects, uses, processes, stores, discloses, and protects personal data in the context of the use of websites, IT platforms, and digital applications administered by INSP.

The purpose of this Policy is to ensure complete, accurate, and transparent information for data subjects regarding:

– the nature of the personal data processed;
– the purposes and legal grounds of processing;
– the security and confidentiality measures applied;
– the rights recognized to data subjects under applicable legislation.

2. Scope of Application

This Policy applies to all personal data processing activities carried out by INSP through:

– official websites;
– operational IT platforms;
– electronic reporting, analysis, and interoperability systems;
– applications used in the exercise of INSP’s legal responsibilities.

The Policy applies to all categories of data subjects, including:

– platform users;
– medical staff and technical personnel;
– representatives of public institutions;
– patients or persons whose data are processed for public health purposes, in accordance with the law.

3. Legal Framework

The processing of personal data by INSP is carried out in strict compliance with the following legal instruments:

– Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR);
– Law No. 190/2018 regarding measures for the implementation of the GDPR;
– Law No. 506/2004 regarding the protection of privacy in the electronic communications sector;
– national legislation in the field of public health;
– orders and regulations of the Ministry of Health;
– legal acts concerning information security and public IT systems.

4. Data Controller and Contact Details

Data Controller: National Institute of Public Health
Registered office: Str. Dr. Leonte Anastasievici No. 1–3, District 5, Postal Code 050463, Bucharest, Romania
Telephone: +40 213 183 620, +40 213 183 619
Fax: +40 213 123 426
E-mail: directie.generala@insp.gov.ro

5. Definitions

For the purposes of this Policy, the terms used have the meanings provided by the GDPR. Additionally:

-“Personal data” – any information relating to an identified or identifiable natural person;
-“Health data” – personal data relating to the physical or mental health of a person;
-“Processing” – any operation performed on personal data, including collection, storage, use, disclosure, or erasure.

6. Principles of Processing

INSP guarantees that all data processing activities comply with the following principles:

– lawfulness, fairness, and transparency;
– purpose limitation;
– data minimization;
– data accuracy;
– storage limitation;
– integrity and confidentiality;
– accountability and traceability.

7. Categories of Personal Data Processed

7.1 Identification Data
– first name and surname;
– professional identification codes;
– position and institution.

7.2 Contact Data
– e-mail address;
– telephone number;
– professional address.

7.3 Technical and Operational Data
– IP address;
– authentication data;
– access logs;
– transaction history within the system.

7.4 Health Data
– medical data strictly necessary for fulfilling INSP’s legal duties;v
– data processed for public health, statistical, reporting, and epidemiological analysis purposes.

8. Purposes of Processing

Data are processed, including but not limited to, the following purposes:

– fulfilling INSP’s legal responsibilities;
– administration and operation of IT platforms;
– ensuring secure user access;
– monitoring and auditing system usage;
– preventing unauthorized access and security incidents;
– interoperability with other public systems;
– reporting, analysis, and research in the field of public health.

9. Legal Grounds for Processing

Data processing is carried out based on:

– Article 6(1)(c) GDPR – legal obligation;
– Article 6(1)(e) GDPR – public interest;
– Article 6(1)(a) GDPR – consent, where applicable;
– Article 9(2)(h) and (i) GDPR – health data.

10. User Access and Access Control

Access to IT systems is strictly regulated through:

– security policies;
– role-based access control;
– multi-factor authentication (MFA);
– device validation;
– automatic logout after periods of inactivity;
– full logging of all operations.

Direct access to the database is granted exclusively to the authorized database administrator.

11. Technical and Organizational Measures

INSP implements appropriate measures to:

– protect data against unauthorized access;
– prevent accidental loss, destruction, or alteration;
– ensure data availability;
– restore access to data promptly in case of incidents;
– maintain the confidentiality of communications.

Systems benefit from regular security updates.

12. Confidentiality of Communications and Interoperability

Communication between applications is secured through advanced encryption protocols.
API transactions are protected, and transfers of medical data are carried out, where applicable, using HL7 and FHIRstandards, in accordance with the national e-Health strategy.

13. Data Recipients

Data may be disclosed to:

– competent public authorities;
– IT service providers, based on data processing agreements;
– other public institutions, strictly within the limits of the law.

14. International Data Transfers

As a rule, data are not transferred outside the EU/EEA. Any transfer is carried out only with appropriate safeguards.

15. Storage Period

Data are retained:

– for the period necessary to fulfill legal purposes;
– in accordance with archiving terms;
– until inactive accounts are deleted or upon request, where permitted by law.

16. Rights of Data Subjects

Data subjects benefit from the rights provided by the GDPR, including:

– the right of access;
– the right to rectification;
– the right to erasure;
– the right to restriction of processing;
– the right to object;
– the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).

17. Exercise of Rights

Requests may be submitted to INSP in writing, using the contact details provided above. INSP will respond within the legal timeframe.

18. Policy Updates

This Policy may be amended whenever necessary. The updated version will be published on the website.

19. Final Provisions and Contact

National Institute of Public Health
Address: Str. Dr. Leonte Anastasievici No. 1–3, District 5, Postal Code 050463, Bucharest, Romania
Secretariat telephone: +40 213 183 620, +40 213 183 619
Fax: +40 213 123 426
E-mail: directie.generala@insp.gov.ro