Data protection

PRIVACY POLICY

Asociația Copiii care luptă is an association established in accordance with Romanian law, having its registered office in the commune of Balotești, Ilfov County, registered with the Register of Associations and Foundations under No. 354/A/2026 (hereinafter referred to as the "Association").

In accordance with the provisions of Regulation (EU) No 679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), processes personal data in its capacity as Data Controller or, where applicable, as Data Processor.

Our Association considers it important to ensure the confidentiality of the personal data you provide.

This Privacy Policy is intended to inform you about how we process, collect, use, share and protect your personal data when you use our products and services, our website, and when you interact with us in any way.

1. Principles governing the processing of personal data

The processing of personal data is carried out in accordance with the following principles applicable under the law:

- Your data will be collected only for specified, explicit and legitimate purposes and will not be further processed in a manner incompatible with those purposes.

- Data will be processed lawfully, fairly and in a transparent manner.

- The data processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

- Data will not be disclosed to third parties in a manner incompatible with those purposes.

- Personal data will be accurate, and where necessary, corrections will be made.

- The processing of your data will be carried out in a lawful, fair and transparent manner.

- All your data will be kept confidential and stored in a manner that ensures the necessary security.

- Your data will not be disclosed to third parties unless this is necessary for the purpose of providing services in accordance with agreements or in accordance with legal obligations incumbent upon us.

- Data subjects have the right to request access to their personal data, to have it rectified or erased, to object to or restrict the processing of their data, as well as the right to data portability.

2. What is personal data

Personal data means any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to one or more identifiers.

Personal data includes all types of direct or indirect information (i.e. used in conjunction with other data) relating to the data subject, such as:

names, dates of birth, addresses, email addresses, telephone numbers,

including special categories of personal data consisting of data revealing:

racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the unique identification of a natural person,

data concerning health, or data concerning a natural person's sex life or sexual orientation.

3. Categories of data subjects. Personal data processed

We process personal data relating to patients, their relatives, carers or representatives/authorised persons, our employees and individual contractors, as well as other individuals who interact with us in various ways (job applicants, website visitors etc.) - ("Data Subjects" within the meaning of the GDPR).

In the course of providing medical services, the Association processes personal data such as:

- General data, including national identification number (as defined by relevant national legislation): surname, first name, home address, email, telephone number, date of birth, CNP, patient ID, place of work, birth certificate, copy of ID card, signature, nationality, gender, patient/mother/father;

-Health data or data related to our activities concerning patients, such as:

i. Provision of information services regarding patients' rights;

ii. Advice on obtaining medical opinions from clinics in Romania and other EU countries;

iii. The purchase of medical equipment and devices;

iv. Organising and sponsoring scientific and educational activities and meetings;

v. Supporting medical staff in their public relations work;

vi. Organising public events and raising public awareness;

vii. Developing and managing fundraising projects;

viii. Other activities provided for by law, in accordance with the Association's purpose;

- Image data: voice, video image of the data subject;

- Data used for marketing and statistical purposes, where you give your consent to this;

- Data regarding professional role/affiliation (in the case of partners);

- Donation-related data: amounts donated, payment methods, date and frequency of donations, bank account;

- CV data: education, professional experience, cover letters;

- Website browsing data: IP address, device details, browser, website behaviour (via cookies, in accordance with the relevant policy);

- Data relating to the profiling of website users, in accordance with the Cookies Policy;

- Data for the purpose of fulfilling legal obligations and requirements of other authorities.

4. Purposes and legal bases for the processing of personal data

Your personal data is processed for legitimate purposes related to the provision of medical services or our products and services, in accordance with applicable legislation, namely:

- on the basis of your consent as a Data Subject, in accordance with Article 6(1)(a) or Article 9(2)(a) of the GDPR;

- for the purpose of providing medical services, in accordance with Article 9(2)(h) of the GDPR;

- for the performance of a contract concluded with you as a Data Subject, in accordance with Article 6(1)(b) of the GDPR;

- in order to comply with legal obligations to which we are subject, in accordance with Article 6(1)(c) of the GDPR;

- for the purposes of our legitimate interests, provided that these do not override the fundamental rights, interests and freedoms of the data subject, in accordance with Article 6(1)(f) of the GDPR.

In our work, we process personal data for:

- organising, carrying out and reporting on projects run by the Association (e.g. support for children with neuromotor disorders);

- communicating with beneficiaries, donors, volunteers and partners;

- the administration of donations and sponsorships received, including the issuance of tax receipts (contracts, receipts, statements);

- carrying out fundraising campaigns, including via email, electronic newsletters, SMS or other means, with prior consent;

- organising educational activities and public events;

- promoting the Association's activities (e.g. by publishing photos/videos from events on the website or on social media, with the consent of the data subjects);

- recruiting staff and volunteers;

- fulfilling legal tax, accounting or reporting obligations (e.g. to the National Agency for Fiscal Administration, sponsors, authorities);

- fulfilling the Association's legitimate interests (e.g. legal defence, audits, project impact analysis);

- compliance with legal obligations regarding the transparency of NGO activities;

- processing requests from public institutions in accordance with their legal powers - processing for the purpose of complying with a legal obligation to which the Controller is subject, in accordance with Article 6(1)(c) of the GDPR;

5. Necessity of processing personal data

The data processed for the purposes set out above in points (a) to (f) are necessary for the conclusion or performance of the contract entered into with you or, where applicable, for compliance with a legal obligation of the Company in its capacity as Data Controller, so your refusal to provide this data may result in our inability to provide the services or to enter into a contractual relationship for the provision of services.

In the case of processing carried out for the purposes of our legitimate interests, you have the right to object to such processing, in which case we will no longer carry out such processing unless we have proven, legitimate and compelling grounds justifying the processing which override the interests, rights and freedoms of the data subject, or the purpose of the processing is the establishment, exercise or defence of a legal claim.

Where processing is carried out on the basis of your consent, you have the right to withdraw your consent at any time; the withdrawal of consent does not affect the lawfulness of processing carried out up to that point. Withdrawing your consent will have no effect on the provision of medical services to you. Data processing based on your consent will be carried out on the basis of consent freely given, explicitly and separately for each specific purpose.

6. Duration of data processing

Personal data will be retained for as long as necessary for the purposes of processing or for the period of time provided for by the applicable legislation for each type of processing.

7. Retention of personal data

We are obliged to manage the personal data you provide to us about yourself, a member of your family or another person in a confidential and secure manner and solely for the specified purposes.

We attach great importance to data protection, confidentiality, security and compliance with legislation on the protection of personal data and privacy; therefore, we will process personal data only for the specified purposes and on the basis of legal grounds.

Personal data will be processed lawfully, fairly and transparently, for specified, explicit and legitimate purposes, and will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; we ensure that the data processed is accurate and kept up to date where necessary.

The processing of personal data for other purposes shall take place only insofar as such processing is compatible with the purposes for which the data were collected or if such processing is based on the data subject's freely given and explicit consent or on the provisions of Union or national law.

Processing shall be carried out in a manner that ensures the confidentiality and appropriate security of the data through appropriate technical and organisational measures implemented for this purpose.

8. Transfer of personal data. Authorised persons/Recipients/Associated processors

Your personal data may be processed by the following persons, in strict compliance with the legislation on the protection of personal data:

- Service providers acting on behalf of the Association, such as, but not limited to, IT service and system providers, contractual partners (solicitors, consultants, accountants, auditors and inspectors bound by a duty of confidentiality regarding the data provided), as well as all companies within these categories of recipients from whom the Association will contract services and products and which have taken appropriate safeguards, in accordance with legal provisions.

Where authorised persons subcontract part of the activities involving the processing of personal data, the subcontractors shall be subject to the same obligations regarding the implementation of the security, technical and organisational measures provided for by the GDPR and relevant legislation.

- Contractual partners acting as joint controllers pursuant to Article 26 of the GDPR, namely: companies offering medical service packages to patients and their relatives, and insurance companies.

- State authorities such as the Health Insurance Fund, the Public Health Directorate, the tax authority etc., based on their powers as provided for by applicable law.

- Companies affiliated with the Association.

- Data transferred to third parties will be adequate, relevant and not excessive in relation to the purpose for which it was collected and which permits its transfer to a specific third party.

9. Security of processing

We make every reasonable effort to protect your personal data in our possession or under our control by implementing reasonable security measures to prevent unauthorised access, collection, use, disclosure, copying, alteration or disposal, as well as other similar risks.

Whilst we strive to protect your personal data, we cannot accept responsibility for, nor guarantee the security of, information you transmit over the internet, and we urge you to take all necessary precautions to protect your personal data when using such platforms. We recommend that you change your passwords frequently, use a combination of letters and numbers, and ensure that you use a secure browser.

10. Your rights regarding personal data

Under the General Data Protection Regulation, as a Data Subject, you have the following rights:

- Right to information and access to data: the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, if so, access to those data and to the information provided for by law.

- The right to rectification: the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning you.

- Right to erasure: the right to obtain from the controller the erasure of personal data concerning you, without undue delay, under the specific conditions laid down by law.

- The right to restriction of processing, namely the right to obtain from the controller the restriction of processing in the specific cases provided for by law.

- The right to data portability, namely the right to receive the personal data concerning you and which you have provided to the controller in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller.

- Right to object: the right to object at any time, in the case of personal data processed in accordance with Article 6(1)(e) or (f), on grounds relating to your particular situation, to the processing of data concerning you or to profiling, except where the controller demonstrates that there are legitimate and compelling grounds for the processing which override the interests, rights and freedoms of the data subject, or that the purpose is the establishment, exercise or defence of legal claims.

- The right to withdraw your consent at any time, without affecting the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

- The right not to be subject to an individual decision, which means that you have the right to request and obtain the withdrawal, annulment and reconsideration of any decision that produces legal effects on you, adopted solely on the basis of the processing of personal data by automated means.

- The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing or with the courts to defend any rights guaranteed by EU Regulation 2016/679 which you consider to have been infringed.

- The right to be notified by the controller in the event of a personal data breach.

These rights may be exercised by sending a written, dated and signed request to us, electronically to the email address: contact@copiii-care-lupta.ro