GENERAL MEMO ON THE PROCESSING OF PERSONAL DATA

Version 1.0

Last amended on September 12, 2018

In this document we explain how the Farmavet group of companies (together, Farmavet  we) processes your personal data and ensures their protection in accordance with the relevant legislation, including Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

This note applies in relation to the data processing carried out by Farmavet. This document is relevant to you regardless of your position: customer, partner – natural person, representative of a partner – legal person, solicitor of an offer or person who contacts us for other purposes (e.g., in connection with requests or complaints), visitor of one of our premises or points of work, former/current/potential employee, internal, visitor of our website, etc.

This memo deals with the following aspects, as follows:

(a) the categories of personal data we process;

(b) the purposes for which we process that personal data;

(c) the grounds justifying our processing;

(d) persons to disclose the data;

(e) the period for which we store the data;

(f) the consequences of refusing to provide us with personal data about you;

(g) your rights and information on their exercise;

(h) our contact details; and

(i) the situations in which this memo and its amendments apply.

1. Categories of data. Purpose. Grounds

1.1 Current or potential customers of Farmavet

We may process personal data relating to you for:

(i) Providing our services. We will use your data to send you a quote (at your request), to conclude and execute the contract with you, and to ensure that we provide you with the services requested. In this case, we will base the processing on the need to conclude and/ or perform the contract with you.

We will mainly process your identification data (name, first name, other identity document data) and, if we have a contractual relationship with you, the data included in the contract with you.

(ii) Resolution of your applications. We will use your data to respond to any requests, requirements, complaints, or any other questions you submit to us in your relationship with you.

In this case, the basis of the processing will be the performance of the contract with you or, as the case may be, your consent.

We will mainly use your first name, last name, contact details (email address, phone number) and information contained in the request you submit us.

(iii) Marketing communication. In order to send you communications and offers about our products, services and promotions (on our initiative), it is necessary to process your personal data. In this case, the processing of the data will be based on your consent.

We will mainly process the following data that relate to you: first name, last name, email address, phone number, postal address.

1.2 Members (employees, collaborators, etc.) of our contractual partners – legal entities

We can process your data for:

(i) Maintaining a contractual relationship with your companies. In order to work with your company (including to communicate with you to resolve any problems your company or Farmavet is experiencing in connection with their contract), we will need to process personal data that relate to you. In this case, we will base our processing on our legitimate interests to be able to execute the contracts we have concluded with other companies and to ensure that the other companies in turn execute those contracts.

We will mainly process the following data that relate to you: first name, last name, position, employer, telephone number, email address.

(ii) Marketing communication. In order to send you communications and offers about our products, services and promotions, it is necessary to process your personal data. In this case, the processing of your data will be based on your consent to receive such communications from us or, where appropriate, on our legitimate interests, where following our analysis we have concluded that our legitimate interests prevail.

We will mainly process the following data that relate to you: name, first name, phone number, email address, postal address.

1.3 Our contractual partners – natural persons (business partners, not customers)

We may then process your personal data for the following purposes:

(i) To be able to conduct business relationships with you. We need to process certain information that relates to you in order to start and maintain collaboration with you.

In this case, we will base the processing of data that relates to you on its necessity for the conclusion/execution of the contract between you and us.

We will mainly process the following data that relate to you: first name, last name, ID data.

(ii) Resolution of your applications. We will use your data to respond to any requests, requirements, complaints, or any other questions you submit to us in your relationship with you.

In this case, the basis of the processing will be the performance of the contract with you or, as the case may be, your consent.

We will mainly use your first name, first name, contact details (email address, phone number) and information contained in the request you send us.

(iii) Marketing communication. In order to send you communications and offers about our products, services and promotions, it is necessary to process your personal data. In this case, the processing of your data will be based on your consent to receive such communications from us or, where appropriate, on our legitimate interests, where following our analysis we have concluded that our legitimate interests prevail.

We will mainly process the following data that relate to you: first name, last name, phone number, email address, postal address.

1.4 Members of public authorities?

We will then use your personal data to comply with our legal obligations, such as responding to requests from authorities, keeping legal records and the like.

For example, we will have to keep your first name, first name, authority and signature in the control registers that the law requires us to keep. Also, if you send us a request for information from the authority – your employer, we will process your data (first name, last name, position, employer) to respond.

1.5 Candidates for positions/traineeships at Farmavet

Then we may process your personal data to conduct the recruitment process.

In order to be able to analyse your application, it is necessary to process the data included in it. This data will usually include your first name, last name, contact details (phone number and email address), your work experience, studies and any other information from your CV and other documents that we may request from you or that you voluntarily submit to us.

In these cases, we will base the processing of your data on the conclusion/execution of the employment contract, traineeship, etc. with you.

If we ask you to ensure that letters of recommendation are forwarded to us, we will process personal data on the views that the authors of those recommendations have about you. In this case, the source of your personal data will be those persons. In this case, we will also process personal data on the authors of those letters (on the basis of their consent) and other identified or identifiable persons mentioned in those documents (on the basis of our legitimate interests).

1.6 If you are a visitor to our premises, workstations or other facilities

Then we may use your personal data to ensure the security of individuals and objects.

In some of our premises we have video surveillance cameras (CCTV) installed to ensure the security of our employees, other people in those rooms and our property. So, we will process images (videos) with you (and possibly your voice). In all cases, we have indicated the locations of these rooms through information plates, according to the law. The processing of data for this purpose is based on our legitimate interest in ensuring the security of individuals and objects in our premises.

At reception, we will also process your personal data included in a valid ID, as well as information on the purpose of the visit, also to ensure the security of people and objects in our premises, based on our legitimate interest.

1.7 If you are a visitor to our sites or have interacted with any of our social media pages

Then we may use your personal data for the following purposes:

(i) Improving the experience on our website. To be able to take into account the preferences you have expressed in previous browsing sessions, to tailor our website to the device you use, to address issues you may encounter when accessing, we process data such as: IP address; cookie identifiers; other online identifiers; unique device identifier (UUID); date and time of access to the website; visit history; web request; date and time of request/ date and time of website visit; device from which you access the website; type of Internet browser and browser language; information about events on your device (e.g. errors); information about your device's hardware settings; information about where you are when you visit our website.

For more information on how we use cookies and similar technologies, please visit our dedicated policy [RTPR Note A&O: Hyperlink to the cookie policy that will be published on each website.].

The basis of the processing will in most cases be your consent or our legitimate interest.

(ii) Knowledge of the opinions you communicate to us. Also, when you post a comment under one of our posts on social media, press the  Like button, redistribute our post, or send us a message on one of our pages, we will mainly process your data that you have sent us (username, profile photo, action you have taken –  like/other reaction or the content of your comment).

In these cases, we will base our processing on your consent.

(iii) Managing and protecting our communications and IT systems. We can process your data for: managing our communications systems; managing our IT security; conducting security audits on our IT networks; protecting our data and systems from attacks and similar acts in the virtual environment.

To this end, we mainly process data on: first and last name, user, workstation name, IP address and other details on connection to our platforms and servers.

In this case, we will base our processing on our legitimate interests or, where appropriate, the compliance with our legal obligations.

1.8 In general, in any position you are

We may also process your data for the following purposes:

(i) The resolution of your applications. We will use your data to respond to any requests, requirements, complaints, or any other questions you ask us.

We will mainly use your first name, last name, contact details (email address, phone number) and information contained in the request you send us.

In this case, the basis of the processing will be the performance of the contract with you (if any) or, as the case may be, your consent.

(ii) Response to requests from authorities or data processing in other cases where the law obliges us. We may sometimes have a legal obligation to communicate your data to certain authorities, to store your data for a certain period of time, or to otherwise process your data. In this case, the basis for processing will be the compliance with a legal obligation of ours.

(iii) Transactions, restructurings or other transactions. In the context of some transactions, we may disclose your data to potential purchasers or their consultants or authorities, although we will try to reduce this as much as possible. In this case, the processing will take place on the basis of our legitimate interests or the compliance with legal obligations.

(iv) Defending our rights and interests or those of others. We may process your data for the finding, exercise or defence of our or other rights or interests before the courts, bailiffs, public notaries, other public authorities, arbitral tribunals, mediators or other public or private bodies that resolve disputes, our lawyers, consultants (such as auditors or experts or specialists) or other natural or legal persons, public or private, who are involved in such disputes. In this situation, we will process your personal data, as appropriate, on the basis of the fulfilment of legal obligations incumbent on us or our legitimate interests.

(v) Fraud prevention. We are interested in our work being carried out in a legal manner. Therefore, we can process your data (such as by transmitting this data to our consultants in various fields – auditors, lawyers, etc. or by consulting this data). In these cases, the processing will be justified by our legitimate interests to prevent fraud and other illegalities in our business or, where appropriate, by our legal obligations to ensure the legality of our operations (such as obligations imposed by legislation in the field of money laundering prevention)

1.9 About third party data

If you provide us with personal data about other people (e.g. your representatives, your family members, your dependants, etc.), you must ensure that you have informed them about it and that you have directed them to this information on how Farmavet processes your personal data.

We will inform those individuals appropriately about how we process their data, where appropriate.

1. To whom will we disclose PERSONAL data RELATING TO YOU

As a rule, we will not disclose your data to other natural or legal persons.

We try to limit access to data of people outside the Farmavet group who process your personal data (ie, the company to which you have provided your personal data). However, in some cases we may need to disclose your data, as below.

We may disclose your data to other companies or individuals, such as: other companies in the Farmavet group, natural or legal persons acting as processors for us or for other companies in the Farmavet group in various fields (such as archiving documents, destroying documents, or storing data, payment services, various services that we can outsource , such as in the field of human resources), other persons, courts, authorities. In these cases, we will disclose the data for legitimate reasons related to our business, such as ensuring our ability to ensure the security of documents, the relief of our business, the finding, defence and exercise of our rights or interests or of another person.

Also, as mentioned above, in some cases we may have a legal obligation to disclose the data to public authorities or other natural or legal persons.

In all these cases we will ensure that the recipients of the personal data relating to you process it in a safe and confidential manner, in accordance with the purpose for which we have transmitted it and with respect for your rights.

1. Under what conditions we may transfer your data to third countries or international organisations

At this time, we do not transfer or intend to transfer your personal data or any of it to other companies, organisations or individuals from third countries or to international organisations.

If we need to transfer the data to any of the above destinations, we will inform you in advance of our decision, giving you the time to exercise your rights in connection with the transfer of your data.

1. How long will we keep your data

We will store your data in accordance with our personal data storage policy, which assigns a storage period according to the purpose of the processing and the category of data processed.

Those periods are based on legal provisions (in particular in the field of personal data protection), also taking into account the obligations to store certain data, the applicable limitation periods, the recommended practices in the matter and the purposes of our business.

1. What can happen if you don't provide us with the data

In most cases, you do not have an obligation to provide us with your personal data.

However, if you do not provide us with the requested data, we will not be able, for example, to enter into or negotiate a contract with you, sell your products or provide our services to you, allow you access to all options on our website, respond to your complainants or requests, or send you communications about our products, services and promotions that may be of interest to you.

1. No automated decision-making

We do not make decisions based solely on the automatic processing of your data (including profiling) that have legal effects on you or affect you in a similar way to a significant extent.

1. Your rights and the way in which you exercise them

Your rights

You have the following rights:

• The right of access to data. You have the right to gain access to the data about you that we process or control or copies of; you also have the right to obtain from us information about the nature, processing and disclosure of such data.
• The right to rectification of data. You have the right to obtain correction of inaccuracies in the inaccuracies of the data concerning you that we process or control.
• The right to delete data ("right to be forgotten"). You have the right to obtain from us the deletion of data about you that we process or control.
• The right to restrict data processing. You have the right to restrict the processing of data about you that we process or control.
• The right to object. You have the right to object to the processing of data concerning you by us or on our behalf.
• The right to data portability. You have the right to obtain the transfer to another controller of the data concerning you that we process or control.
• The right to withdrawal of consent. In situations where we process your data under your consent, you have the right to withdraw your consent; you can do so at any time, at least as easily as you originally gave us consent; withdrawal of consent will not affect the legality of the processing of the data concerning you that we made before the withdrawal.
• The right to lodge a complaint with the supervisory authority. You have the right to lodge a complaint with the supervisory authority for the processing of personal data regarding the processing of your data by us or on our behalf. In Romania, this authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP).

How to exercise your rights

To exercise one or more of these rights or to ask any question about any of these rights or any provision of this information or any other aspects of the processing of data concerning you by us, please use the contact details in our CONTACT DETAILS section below.

1. Our contact details

You can contact us at the details below.

Our contact details

Full name: FARMAVET SA

Head office address (mailing address): 333, Calea Giulești, District 6, Bucharest

Phone number: (021) 221.99.60 (available from 9:00 a.m. to 5:00 p.m.)

Email address: office@farmavet.ro

Website: www.farmavet.ro

Contact details of the Personal Data Protection Officer

First and last name: Marian Belivaca

Mailing Address: 333, Calea Giulești, District 6, Bucharest

Phone number: 0723 260 448

Email address: marian.belivaca@farmavet.ro

1. When this Information applies

This general information applies in relation to the processing of data relating to you to the companies in the Farmavet group.

This information does not apply in connection with services or products offered by other companies or individuals, including those posted on our websites or otherwise informed of. This information also does not cover the work of other companies or persons who advertise our services or products or otherwise process your data through our websites or on social media in connection with our pages.

1. Changes to this policy

We may change this policy. In such cases, we will inform you in advance by posting this policy on the website 20 days before its entry into force.

We will also post this briefing note on our website at the following link: [●]. We will also keep all previous versions of this policy at the link [●], so that we can be consulted by the interested parties.

This version of this policy will take effect at [●].

1. THE SIGNIFICANCE OF THE TERMS WHICH WE HAVE USED HEREIN

• Supervisory authority for the processing of personal data: an independent public authority which, according to the law, has powers to supervise compliance with the legislation on the protection of personal data. In Romania, this supervisory authority for the processing of personal data is the National Supervisory Authority for the Processing of Personal Data (ANSPDCP).
• Special categories of personal data (sensitive personal data/ sensitive data): personal data that: reveals racial or ethnic origin, political opinions, religious confession or philosophical beliefs or membership of trade unions; genetic data; biometric data for the unique identification of a natural person; data on the health, sexual life or sexual orientation of a natural person.
• Personal data: any information concerning an identified or identifiable natural person (called a 'data subject'). A natural person is identifiable if it can be identified, directly or indirectly, in particular by reference to an identification element, for example: name, identification number, location data,  online identifier, one or more specific elements, specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity. Thus, for example, the following are included in the concept of personal data: first and last names; address of domicile or residence; e-mail address; telephone number; personal numeric code (PNC); medical services accessed (sensitive data); diagnosis (sensitive data); genetic data (sensitive data); biometric data (sensitive data); geolocation data. The categories of personal data relating to you that we process are listed above.
• Controller: the natural or legal person who decides why (for what purpose) and how (by what means) personal data are processed. According to the law, the responsibility for complying with the legislation relating to personal data lies primarily with the controller. In relation to you, we are the controller and you are the data subject.
• Processor: any natural or legal person who processes personal data on behalf of the controller other than the operator's employees.
• Data subject : the natural person to whom certain personal data refer (to whom they "belong"). In relation to us (the operator), you are the data subject.
• Processing of personal data: any operation/set of operations carried out/carried out on personal data or on sets of personal data, with or without the use of automated means; e.g. collection, registration, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction of such personal data/sets of personal data. These are just examples. In practice, processing means any operation on personal data, whether by automatic or manual means.
• Third State: a State outside the European Union and the European Economic Area.