PREAMBLE

Biofarm S.A. is fully responsible for the processing of personal data that it collects in the daily conduct of its activities and guarantees the protection of such personal data in accordance with Regulation (EU) 679/2016 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR Regulation").

This document explains the type of personal data we process, how and why we process it and the duration for which we keep this personal data.

GENERAL INFORMATION

1.1. Biofarm is a data operator, as defined by the legislation in force, more precisely, the GDPR Regulation known under the acronym G.D.P.R. This means that it has control over the collected personal data and decides on how it is processed. As a result, Biofarm has implemented in its business processes a series of policies, procedures, technical and organizational measures to secure such data and to ensure the compliance with the rights of data subjects.

2. PROCESSES PERSONAL DATA

Biofarm processes personal data about you through several methods:

2.1. Public sources

Biofarm collects financial data about legal entities and personal data about shareholders, administrators, legal representatives and auditors of these legal entities from public sources such as, but not limited to: Trade Register, Official Gazette, ANAF, Ministry of Finance, Bulletin Insolvency Procedures, Electronic Archive of Real Movable Guarantees, Ministry of Justice etc.

2.2. Electronic sources

When you visit the Biofarm website www.biofarm.ro we will collect information about you using files called "cookies", small files installed on your equipment. Cookies are not viruses, but data files that allow us to identify you on the next visit to our website, in order to improve and personalize the services we offer you through our website. You can read more details in our cookie policy.

When you want to apply for a vacant job and send us by e-mail your CV and/or intent letter, we will collect and process the sent information. More information about data processing in this process can be read here.

When sending an e-mail about a possible order to one of the Biofarm representatives.

If you are a shareholder of the company, you will be able to access all the information available to shareholders in the Corporate Governance section. More details about shareholder data processing can be found here.

2.3. Consent

Biofarm will be able to process your data based on freely expressed consent. By consent of the data subject, we mean any manifestation of free, specific, informed and unambiguous will of the data subject by which it accepts, by an unequivocal statement or action, that the personal data concerning it to be processed.

3. PURPOSE AND LEGALITY OF PERSONAL DATA PROCESSING

Biofarm uses your personal data legally, in accordance with the applicable legal provisions and in full compliance with the provisions of the GDPR Regulation, specific to art. 6.1, as follows:

3.1 Based on your consent, for:

  • Advertising offers;

3.2. Based on the legitimate interest, for:

  • Communicating with you
  • Information about the Biofarm company
  • Information about Biofarm products
  • Information on Biofarm clinical trials
  • To develop our services according to your needs and requirements;
  • For the efficient operation of IT&C systems and applications for collecting, storing and processing commercial information;
  • To improve the security of IT&C systems and applications.
  • For communications regarding Biofarm events (including pictures or footage from Biofarm events)

3.3 For the execution of commercial contracts:

  • In preparing and submitting commercial offers for commercial contracts;
  • In the delivery of contracted services and for the fulfilment of contractual obligations;
  • For technical support necessary for the execution of the contract.

3.4 To fulfil our legal obligations:

  • In case of requests received from the competent state authorities we will cooperate and provide data, including personal data, with careful verification of the legality of these requests;
  • We will cooperate with the competent authorities in situations involving illegal activities, fraudulent activities, etc., providing data (including personal data) after verifying the legality of the requests.

3.5 To defend our legal rights:

  • In case of violation of the rights of Biofarm, users, other candidates, employees and other persons concerned, or in the cases provided by law.

If we need to process your personal data for other purposes than those described in this document, we will do so only with your prior information or consent (expressed in advance).

4. STORING AND PROCESSING PERSONAL DATA. SECURITY MEASURES.

The personal data collected by Biofarm are processed in the European Union, in the Biofarm locations, at IT&C infrastructure service providers and / or specific application providers.

In the development of the IT&C infrastructure, Biofarm took into account the best practices in the field, as follows:

  • The virtual perimeter of the organization is secured with firewall equipment;
  • The physical perimeter of the organization is secured with CCTV equipment;
  • Biofarm activity-specific applications are regularly updated as technology vendors publish patches;
  • Internal users' servers and equipment are protected with anti-virus and anti-malware applications;
  • Internal user equipment and certain critical databases will be protected with encryption applications;
  • Access to user systems and applications is controlled and monitored;
  • Critical communications infrastructure is provided with emergency power supply systems;

Biofarm will not make public or transfer your personal data to unauthorized entities.

5. DURATION OF PERSONAL DATA STORAGE

Your personal data will be stored strictly for the time necessary to fulfil the purpose for which they were collected or for the time imposed by the fulfilment of legal obligations.

For example, the data in the contact forms will be kept for 6 months from the moment of their transmission.

For commercial contacts, after their conclusion, personal data will be kept for a period of 36 months for the realization of legal rights, if applicable. Also, after the termination of the contract, according to the fiscal legislation applicable to payments, the personal data from the payment and contract instruments will be stored for a period of 10 years.

If there is no contract between you and Biofarm, your data will be kept for a period of 12 months.

After the expiration of the storage period, your personal data will be deleted.

6. THIRD PARTIES ACCESS TO YOUR INFORMATION

The information will not be shared with third party companies, except for the service providers that make our website usable and the suppliers indispensable in the execution of the assumed contractual obligations.

Biofarm may sometimes be required to disclose your data to third parties, such as local authorities, courts, regulators and/or law enforcement agencies for the purpose of complying with applicable laws and regulations or in response to legal proceedings.

We will also share your personal information with third parties if we have your consent or to detect, prevent or otherwise address fraud, security breaches or technical issues, or to protect your company from infringement or infringement. the safety of Biofarm, users, other candidates, employees and other persons concerned, or in the cases provided by law.

We will disclose your personal data only for the purposes and those of third parties, as described below. Biofarm will take the necessary measures to ensure that your personal data is processed, secured and transferred in accordance with applicable law.

7. EXTERNAL SERVICE PROVIDERS

Where necessary, we will instruct other companies and individuals to perform certain tasks that contribute to our services on our behalf. We may, for example, provide personal data to agents, contractors or partners for hosting our databases, for data processing services or for sending you information that you have requested.

We will share or make available to external service providers that information, to the extent necessary, to process your requests. This information may not be used by them for any other purpose, in particular not for their own purposes or for third parties. Biofarm external service providers are obliged by contract to respect the confidentiality of personal data.

8. PUBLIC AUTHORITIES

We will only disclose your personal data to public authorities, if required by law. For example, Biofarm will respond to requests from courts, law enforcement agencies, regulatory agencies and other public and official authorities, which may include such authorities from outside the country of residence.

9. INTERNATIONAL TRANSFERS OF PERSONAL DATA

Your personal information may be transferred to recipients established outside the European Economic Area. We will ensure that all transfers take place in accordance with applicable data protection laws, including by concluding data transfer contracts if necessary.

Any transfers of personal data to countries other than those for which a decision has been taken as to the appropriateness of the level of data protection by the European Commission as listed on the official websites shall be made on the basis of agreements using standard contract terms adopted by the European Commission or other appropriate guarantees, in accordance with applicable law.

To see the list of countries for which there is an adequacy decision, please check the following link https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

10. BUSINESS TRANSFERS

In connection with any reorganization, restructuring, merger or sale or other transfer of assets (collectively referred to as "Business Transfer"), we will transfer data, including personal data, in a reasonable volume and as necessary for the Transfer of Assets. Business, and provided that the receiving party agrees to respect your personal data in accordance with the applicable data protection legal framework.

The Company will continue to ensure the security and confidentiality of any personal data and notify affected users before personal data becomes the subject of another personal data processing policy.

11. YOUR RIGHTS REGARDING THE PROCESSING OF PERSONAL DATA

As a data subject you have specific legal rights regarding the personal data, we collect from you. Biofarm will respect your individual rights and will take care of your interests accordingly.

Right of withdrawal of consent: You may withdraw your consent for the processing of personal data at any time.

Right to rectification: You can obtain from us the rectification of personal data concerning you. We make reasonable efforts to keep personal data that is used continuously, in our possession, or control - accurate, complete, current and relevant, based on the latest information available to us.

Right to restriction: You can obtain from us the restriction on the processing of personal data, if:

  • You challenge the correctness of personal data for the period in which we must verify the accuracy,
  • The processing is illegal and you request the restriction of the processing rather than the deletion of personal data,
  • We no longer need your personal data, but you request it in order to establish, exercise or defend a right, or
  • You object to the processing in the period in which we verify if our legitimate reasons take precedence over yours.

Right of access: You can ask us for information about the personal data we hold about you, including information about what categories of personal data we have in our possession or control, what is used for, where we have it from, if they are not collected directly from you and to whom it is disclosed, if applicable. You may obtain a copy from us, free of charge, containing the personal data we hold about you. We reserve the right to charge a reasonable fee for each additional copy you may request.

Right to portability: Upon request, we will transfer personal data to another operator, where technically possible, provided that the processing is based on your consent or is necessary for the execution of a contract.

Right to deletion: you can obtain from us the deletion of personal data, if:

  • your personal data are no longer necessary for us in relation to the purposes for which it was collected or is processed in another way;
  • you have the right to oppose the further processing of personal data (see below) and to exercise this right of objection to the processing;
  • personal data have been processed illegally;

Unless processing is required

  • in order to fulfil a legal obligation that requires processing by us;
  • especially for the legal data retention requirements;
  • for ascertaining, exercising or defending a right.

Right of opposition: You may object - at any time - to the processing of personal data. In this case, we will no longer process personal data if we cannot demonstrate well-founded, legitimate reasons and a major interest in the processing or for the establishment, exercise or defence of a right. If you object to the processing, please specify if you wish to delete personal data or restrict the processing by us.

Right to lodge a complaint: In the event of an alleged breach of applicable privacy legislation, you can lodge a complaint with the data protection supervisory authority.

The National Authority for the Supervision of Personal Data Processing at the address: 28-30 G-ral. Gheorghe Magheru Boulevard, District 1, postal code 010336, Bucharest, Romania

Email: anspdcp@dataprotection.ro

Please note

Time period: We will try to honour the request regarding the exercise of a right within 30 days as of its receipt. However, the response time may be extended for specific reasons related to the specific right or complexity of the request.

Restricting access: In certain situations, we may not be able to grant you access to all or part of your personal data due to legal provisions. If we refuse your request for access, we will inform you of the reason for the refusal.

Impossibility of identification: In some cases, we may not be able to search for your personal data due to the lack of identification elements provided in your application.

In such cases, where we cannot identify you as the data subject, we will not be able to comply with your request to exercise your legal rights as described in this section, unless you provide additional identification information.

Exercising your legal rights: In order to exercise your legal rights, please contact our Data Protection Officer by email at dpo.biofarm@biofarm.ro

12. UPDATE OF THE DATA PROCESSING NOTICE

This Data Processing Notice is periodically revised in order to include the technical and organisational measures implemented by Biofarm for the contribution to a balanced and secured computer environment.

This version was updated on 16.02.2021