GDPR
Overview
New privacy laws and best practices with CLINICA VASCULARA VENART SRL
As of May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect, ushering in a new era of data protection and privacy for everyone. While you’ve certainly heard and read a lot of information about GDPR, it can be difficult to understand exactly what it means for your business in practical terms, and what you should be doing to comply with the new rules.
At VenArt, we’re committed to security and privacy best practices. We strive to offer the same level of protection to all users and customers, regardless of location or nationality. And we apply those best practices to all data, not just personal data.
What you need to know about GDPR
If you can, the best way to understand the GDPR is to read the official text.
It’s a bit long (99 articles on 88 pages), but easy enough for non-experts to read.
It’s a Regulation, which aims to harmonize and modernize existing privacy legislation, such as the EU Data Privacy Directive that it replaces. It lays down rules for the protection of individuals with regard to the processing of their personal data and the free movement of personal data in Europe.
It is a Regulation, not a Directive, and is therefore immediately applicable in all EU Member States, without requiring transposition into each country’s national law. EU countries have a limited margin of interpretation for finer points, but the fundamental rules will be the same for everyone, everywhere in the EU.
GDPR also brings the law into the next millennium, taking into account social networks, cloud computing, cybercrime and the major challenges they cause for privacy and security of personal data.
In short: Don’t panic!
GDPR is not revolutionary new legislation and is essentially a good thing for citizens and businesses.
It’s Positive!
We want to emphasize that GDPR can be great for you and your customers. Complying with GDPR may be a lot of work initially, but the new rules have benefits:
Increased trust from your customers and users.
Simplification: the same rules apply in all EU countries
Streamlining and centralizing your organizational processes
GDPR aims to give individuals more oversight over their personal data. If your company puts the right strategies and systems in place, it will be more manageable and more secure for years to come.
What are the risks if you don't comply?
The maximum penalty for non-compliance is an administrative fine of €20 million or 4% of annual global turnover, whichever is higher. For smaller infringements a lower maximum of €10 million or 2% of annual global turnover applies.
These maximums are intended to be a deterrent for companies of all sizes, but the GDPR also requires that fines are kept proportionate.
Supervisory Authorities (also known as Data Protection Authorities: DPAs) must take into account the circumstances of each case, including the nature, seriousness and duration of the breach. These DPAs also have powers to investigate and impose corrective actions, which include curbing infringing activities, without necessarily imposing a fine.
Another risk if you don’t comply is losing the trust of your customers and prospects who care about how you process their data!
In conclusion, many DPAs have suggested that they will not impose fines until 2018, but expect businesses to demonstrate that they are working to comply.
GDPR principles
Applicable Domain
The Regulation applies to any processing of personal data by any organization:
- If the controlling or processing organization is located in the EU.
- If the organization is not in the EU, but the processing involves personal data of data subjects located in the EU and is related to commercial offers or behaviour monitoring.
The scope therefore includes non-EU companies, which was not the case with the older legislation.
Roles
The regulation distinguishes two main types of entities:
- Data controller: any entity that determines the purposes and means of processing personal data, alone or jointly. As a general rule, each organization is a controller for its own data.
- Data processor: any entity that processes data on behalf of a data controller.
Personal Data
GDPR provides a broad definition of personal data: any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by their name, email addresses, phone numbers, biometric information, location data, financial data, etc. Online identifiers (IP addresses, device IDs, …) are also in scope.
This also applies in business contexts: info@clinica-vasculara.ro is not considered personal, but dan.stoica@clinica-vasculara.ro is, because it can be used to identify an individual within a company.
The GDPR also requires a higher level of protection for sensitive data, which includes specific categories of personal data such as health, genetic, racial or religious information.
Data Processing Principles
To be compliant, processing activities must comply with the following rules:
(all listed in Article 5 of the GDPR)
- Lawfulness, fairness and transparency: to collect data you must have a legal basis and a clear purpose, and you must inform the data subject:
  - Have a simple and clear privacy policy and refer to it wherever you collect data;
  - Check the legal basis for each of your data processing activities.
- Purpose limitation: once data has been collected for one purpose, ask for permission if you want to use it for another purpose.
  e.g. – You cannot decide to sell your customer data if it has not been collected for that purpose.
- Minimization: you should only collect data that is necessary for your purpose.
- Accuracy: reasonable steps should be taken to ensure that the data are kept up to date, according to the purpose for which they are intended;
  e.g. – Make sure you handle bounced emails and correct or delete the addresses.
- Storage limitation: personal data should be kept only as long as necessary to fulfil its main purpose.
  Define time limits for erasure or review of the personal data you process, depending on the purpose of the data.
- Integrity and confidentiality: data processors must implement appropriate access control, security and data loss prevention measures in accordance with the types and extent of data being processed.
  e.g. – Make sure your backup system works, have adequate security controls, use encryption to protect sensitive data such as passwords, …
- Accountability: data controllers are accountable and must be able to demonstrate compliance with all the above processing principles.
  - Establish and maintain a data mapping baseline for your organization that describes the compliance of your processing activities;
  - Inform your customers with a clear privacy policy.
Legal Basis
To be lawful under the GDPR (first principle), the processing of personal data must be based on one of the six possible legal bases, as set out in Article 6 (1):
- Consent: It is valid when the data subject has given his or her consent explicitly and freely after having been duly informed, including with a clear and specific purpose. The burden of proof for all these lies with the controller.
- Necessary for the performance of a contract, or to fulfill requests from the data subject in preparation of a contract.
- Compliance with a legal obligation imposed on the controller.
- Protecting a vital interest. When processing is necessary to save a life.
- Public interest or official authority.
- Legitimate Interest. Applicable when the controller has a legitimate interest that is not overridden by the interests and fundamental rights of the data subject.
A major change brought by the GDPR compared to previous data privacy regulations is the stricter set of requirements for obtaining valid consent.
Data Subject Rights
Existing data privacy rights for individuals are further extended by GDPR. Organizations must be prepared to handle requests from data subjects in a timely manner (within 1 month), free of charge:
- Right of access – Individuals have the right to know what and how their personal data is processed, in full transparency.
- Right to rectification – Individuals have the right to have their personal data corrected or completed.
- Right to erasure – Individuals have the right to have their personal data deleted for legitimate reasons (consent withdrawn, no longer necessary for the purpose, etc.).
- Right to restriction – Individuals may request the controller to stop processing their personal data if they do not wish or are unable to request complete erasure.
- Right to object – Individuals have the right to object at any time to certain processing of their personal data, for example for direct marketing purposes.
- Data Portability – Individuals have the right to request that personal data held by a controller be provided to them, or to another controller.
How you should prepare for GDPR
Disclaimer
We cannot give legal advice, this section is provided for information purposes only. Please consult your legal advisor to determine exactly how GDPR affects your company.
Here are the key steps we suggest for a GDPR compliance roadmap:
1. Establish a Data Mapping of your organization’s data processing activities to get a clear picture of the situation. Data Protection Authorities often provide spreadsheet templates to help with this task. For each process, document the type of personal data and how it was collected; the purpose, legal basis and erasure policy of the processing; the technical and organizational safeguards in place; and the subcontractors (processors) involved. You will need to update this data mapping regularly as your processes evolve.
2. Based on step 1, choose a Remediation Strategy for any processing where you do not have a legal basis (e.g. lack of consent) or where you do not have adequate security measures in place. Adapt your processes, internal procedures, access control rules, backups, monitoring, etc.
3. Update and publish a clear Privacy Policy on your website. Explain what personal data you process, how you do it, and what the rights of individuals are with regard to their data.
4. Review your contracts with a legal advisor and adapt them to GDPR.
5. Decide how you will respond to different types of Data Subject Requests.
6. Prepare an incident response procedure in case of a data breach.
Depending on your situation, other items could be added to the list, such as the appointment of a data protection officer. Consult your internal processing experts and legal advisors to determine any other relevant measures.
Remember!
Establishing a clear map of your processes will make everything easier on the road to compliance!
How VenArt complies with GDPR
At VenArt, implementing privacy and security best practices is not a new idea. As a healthcare company, we are constantly reviewing and improving our systems, tools and processes to maintain a great and secure platform.
Our GDPR Documents
As Data Controller, our activities are covered in our Privacy Policy, which has been updated for GDPR. This policy explains as clearly as possible what data we process, why we process it and how we do it.
As a customer of Clinica Vasculara Venart SRL, you do not need to do anything to accept these changes: you already benefit from the new guarantees, and we will consider that you agree if we hear nothing from you!
In addition to these documents, we have updated our website to insert privacy notices in all relevant places, so that our users are kept informed at all times.
Right of Access (Art. 15) and Right to Data Portability (Art. 20)
Under the GDPR regulation, customers have the right to request access to and a copy of their personal data, as well as to request the transfer of this data to another data controller.
To exercise these rights, please send us an email to gdpr@clinica-vasculara.ro with the subject “Request data access” or “Request data portability”. In order to ensure the security and confidentiality of your data, please attach a copy of a valid identity document (e.g. identity card, passport) to the email.
Once we receive your request, we will respond within 30 calendar days and provide you with any personal data we hold about you or transfer it in accordance with your instructions.
Right to be forgotten (Art. 17)
GDPR grants data subjects the right to request the deletion of their personal data under certain conditions, such as:
- The data is no longer needed for the purpose;
- They withdraw their consent to a processing that was based solely on consent;
- The processing is unlawful.
If you wish to exercise this right and request the deletion of your personal data from Venart’s systems, please send us an email to gdpr@clinica-vasculara.ro with the subject “Data deletion request”. To validate your identity and to protect the confidentiality of your information, please attach a copy of a valid identity document (e.g. ID card, passport).
Upon receipt of your request, we will review your request and, to the extent applicable, delete your personal data from our systems within 30 calendar days with appropriate notification.