Provider signup

GDPR

Information on the Processing of Personal Data

(In accordance with the General Data Protection Regulation – GDPR)

1. Introduction
The National Institute of Public Health (hereinafter referred to as „INSP” or “the Controller”places particular importance on the protection of personal data and the respect of data subjects’ right to privacy, in accordance with Regulation (EU) 2016/679 (“GDPR”).

This information notice aims to inform you about how INSP collects, processes, uses, stores, and protects your personal data through the web platform and the institutional portal.


2. Legal Framework
The processing of personal data by INSP is carried out in compliance with the following legal instruments:

  • Regulation (EU) 2016/679 (GDPR)

  • Law No. 190/2018

  • specific legislation in the field of public health

  • other applicable legal provisions


3. Identity of the Controller
National Institute of Public Health
Str. Dr. Leonte Anastasievici nr. 1–3, sector 5, București
Telephone: +40 21 318 36 20
E-mail: directie.generala@insp.gov.ro


4. Data Protection Officer (DPO)
DPO E-mail: dpo@insp.gov.ro


5. Purposes of Processing
Personal data are processed for the following purposes:

  • registration and administration of providers;

  • verification of eligibility and compliance;

  • management of contractual relationships;

  • administrative communication;

  • record-keeping of departments and laboratories;

  • fulfillment of legal obligations;

  • platform security;

  • service improvement.


6. Legal Basis
Processing is based on:
a) performance of a contract;
b) legal obligation;
c) public interest;
d) interes legitim


7. Categories of Data Processed

7.1 Organizational Data

  • name;

  • tax identification number (CUI / VAT number);

  • CAEN activity codes;

  • contact details;

  • registered office address.

7.2 Departments / Laboratories

  • name;

  • contact details;

  • address;

  • mobile status (where applicable).

7.3 Person of Contact

  • first name and surname;

  • telephone number / e-mail address;

  • position.

7.4 Technical Data

  • IP address;

  • browser type;

  • operating system;

  • date and time of access;

  • pages visited;

  • cookies.


Note: INSP does not process special categories of data unless required by law.

8. Mandatory Nature of Data Provision

Mandatory data are required for registration. Refusal to provide such data may result in:

  • inability to process the request;

  • inability to conclude a contract;

  • restricted access.

Optional data are provided voluntarily.


9. Data Recipients

Data may be disclosed to:

  • authorized INSP personnel;

  • competent public authorities;

  • IT service providers / processors;

  • legal advisors / auditors.


10. International Transfers

Data are not transferred outside the EU/EEA, except where legally required and subject to appropriate safeguards.


11. Storage Period

Data are retained:

  • for the duration of the contractual relationship;

  • in accordance with statutory archiving periods;

  • technical data: in accordance with the Cookies Policy.

Upon expiry of retention periods, data are deleted or anonymized.


12. Security Measures

Technical Measures:

  • HTTPS/TLS encryption;

  • secure authentication;

  • automatic logout;

  • firewall / anti-malware protection;

  • data backup;

  • monitoring systems.


Organizational Measures:

  • internal GDPR policies;

  • staff training;

  • confidentiality obligations;

  • Data Protection Impact Assessments (DPIA);

  • incident management procedures.


13. Rights of Data Subjects

You have the right to:

  • access;

  • rectification;

  • erasure;

  • restriction of processing;

  • data portability;

  • objection;

  • not to be subject to automated decision-making;

  • lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP);

  • withdraw consent (where processing is based on consent).


Supervisory Authority (ANSPDCP)
Bucharest – www.dataprotection.ro
anspdcp@dataprotection.ro


14. Exercising Your Rights

Requests may be submitted to:
dpo@insp.gov.ro
directie.generala@insp.gov.ro

Str. Dr. Leonte Anastasievici No. 1–3, Bucharest, Romania
INSP will respond within a maximum of 1 month.


15. Automated Decisions

INSP does not carry out automated profiling or automated decision-making.


16. Amendments

This information notice may be updated. The current version is published on the portal.


17. Final Provisions

INSP fully complies with the GDPR and national legislation.

For any questions, please contact: dpo@insp.gov.ro