Personal data processing notice


This notice explains why and how we process personal data for the purpose of operating the platform comenzionline.antibiotice.ro and provides information about your rights.

By reading this notice, you acknowledge that you have been informed of the information provided by Antibiotice S.A. in accordance with Regulation (EU) 2016/679 and that you have been informed about the rights granted to you by the Regulation and by Romanian legislation regarding the protection of individuals with regard to the processing of personal data and the free movement of such data.

ANTIBIOTICE S.A. may periodically update this notice, and accessing and using the information available on the website represents your agreement with the personal data processing conditions described below.

I. Personal Data Controller

ANTIBIOTICE S.A. (hereinafter referred to as the “Company”), headquartered in Iași, 1 Valea Lupului Street, registered with the Trade Register under no. J1991000285223, fiscal code 1973096, processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the Regulation) and with all other applicable legal provisions regarding the processing of personal data.

II. Contact Details

You may contact us using the following details:

III. Categories of Personal Data Processed by the Company

The Company may process the following categories of personal data:

1. Identification Data

  • Full name;
  • Delivery address;
  • Billing address;
  • Telephone number;
  • Email address;
  • Login credentials (e.g., username and password).

2. Payment Data

  • Information related to bank cards or other payment methods (as a rule, only payment service providers—e.g., payment processors—have access to full payment details).

3. Delivery Data

  • Delivery address;
  • Telephone number for delivery;
  • Delivery preferences (e.g., preferred delivery time slots).

4. Website Usage Data

  • Data related to user behavior on the website (pages viewed, products added to the shopping cart, searches performed);
  • Browsing data (IP address, browser type, operating system, date and time of visits);
  • Cookies and similar technologies used to track user preferences and behavior.

5. Transaction Data

  • Order history (products ordered, quantity, price);
  • Details of issued invoices;
  • Information regarding payments made.

6. Marketing and Communication Data

  • Marketing preferences (newsletter subscriptions, promotional preferences);
  • Responses to surveys or product reviews submitted by users.

7. Sensitive Data (in certain cases)

  • In certain situations, sensitive data may be processed, such as information related to health (e.g., in connection with pharmaceutical or medical products);
  • Information related to sexual life (in very rare cases, related to specific products).

IV. Purposes of Personal Data Processing

Personal data may be processed for the following purposes:

    1. Order and delivery management

    Personal data are used to process orders, organize deliveries, and ensure an efficient purchasing experience for users.

    2. Creation and management of user accounts

    Processing personal data for account creation, user authentication, and personalization of the purchasing experience.

    3. Payments and financial transaction processing

    Data may be processed in order to perform secure payments, issue invoices, and confirm payments made by users.

    4. Customer communication

    Processing data in order to send notifications regarding order status, special offers, promotions, website updates, or administrative communications.

    5. Marketing and advertising

    Data may be used to create personalized marketing campaigns, product recommendations, and tailored offers based on purchasing behavior.

    6. Improvement of services and user experience

    Data analysis in order to understand how services are used, improve website performance, and optimize the purchasing process.

    7. Security and fraud prevention

    Processing data to prevent online fraud, detect suspicious activities, and ensure a secure environment for user transactions.

    8. Compliance with legal obligations

    Processing data to comply with legal and fiscal requirements, such as issuing invoices and retaining documents in accordance with applicable regulations.

    If it becomes necessary for the Company to further process personal data for a purpose other than those for which you were initially informed, and which is not compatible with the original purposes of collection, we will provide you with information regarding that secondary purpose and any relevant additional information and will continue the processing only with your consent.

V. Legal Grounds for Data Processing

    As a rule, we seek to collect personal data directly from you. However, in certain situations we may also receive personal data from other sources, such as our customers and partners, legal entities, public institutions and authorities, third parties, or publicly available sources.

    Our policy is to process only the minimum amount of personal data necessary. The legal bases for processing take into account the provisions of Regulation (EU) 2016/679, Romanian legislation regarding personal data processing, as well as other applicable national and European legal acts.

    We may process data based on the following legal grounds:

    1. Consent of the data subject (Art. 6(1)(a) GDPR)

    Consent is required when data processing is based on a clear and informed action by the user. For example, consent may be requested to receive newsletters or to participate in marketing campaigns. Consent will be freely given, specific, informed, and unambiguous.

    2. Performance of a contract (Art. 6(1)(b) GDPR)

    Data processing is necessary for the conclusion or performance of a contract between the user and the online sales platform. For example, to process orders, deliver products, and manage payments, the platform must collect personal data such as the user’s name, address, and payment information. This legal basis applies when processing is essential for delivering the requested services or products.

    3. Compliance with a legal obligation (Art. 6(1)(c) GDPR)

    Processing may be necessary in order to comply with legal obligations of the data controller. For example, an online sales platform may be required to retain fiscal data and issue invoices in accordance with tax legislation.

    4. Legitimate interests of the controller or a third party (Art. 6(1)(f) GDPR)

    Processing may be necessary for the legitimate interests pursued by the data controller or a third party, provided that such interests do not override the fundamental rights and freedoms of the data subject. For example, processing for fraud prevention, improvement of user experience, or website security may be considered a legitimate interest, provided that GDPR principles are respected.

    5. Protection of vital interests (Art. 6(1)(d) GDPR)

    Processing may be necessary to protect the life or safety of a person. This legal basis is rarely applicable in the context of an online sales platform, except in exceptional circumstances (e.g., emergency situations).

    6. Performance of a task carried out in the public interest or in the exercise of official authority (Art. 6(1)(e) GDPR)

    This legal basis generally does not apply to online sales platforms, as they do not perform public authority functions. However, it may be relevant in special cases, such as processing data for purposes related to public order or national security.

VI. Technical and Organizational Measures

    Taking into account the provisions of Regulation (EU) 2016/679, we undertake to implement appropriate and reasonable technical and organizational measures to ensure compliant processing of the personal data entrusted to us:

    • storage periods are limited to the fulfillment of the purpose or as required by law (e.g., for a period of 3 years after the termination of contractual relations)
    • if the data are no longer necessary, or upon the user’s request, we ensure that they are deleted
    • data will not be transferred to entities outside the EEA; transfers outside the EU will occur only after ensuring an adequate level of protection in accordance with European Commission standards
    • system protection measures
    • updated antivirus and firewall systems
    • periodic data backups
    • capacity to ensure confidentiality, integrity, and resilience of systems
    • internal data processing policies and procedures
    • controlled access to users’ personal data based on the “minimum data processing” principle
    • ongoing staff training (including training sessions and confidentiality agreements with employees)
    • continuous evaluation of the impact of data processing and adoption of new measures to ensure compliance with legal requirements

VII. Your Rights and How to Exercise Them

    Our Company is responsible for facilitating the exercise of any of your rights:

    1. Right to information (Art. 13 and 14 GDPR)

    Data subjects have the right to be informed about the processing of their personal data, including the purposes of processing, categories of data collected, recipients, and retention periods. This information must be provided in a clear and easy-to-understand manner, usually through a privacy policy.

    2. Right of access (Art. 15 GDPR)

    Data subjects have the right to request access to their personal data and receive a copy of them. This right also includes the right to know whether their data are being processed, why they are being processed, what data are being processed, and who processes them.

    3. Right to rectification (Art. 16 GDPR)

    Data subjects may request the correction of their inaccurate personal data or the completion of their data if it is incomplete. This is an important right to ensure the accuracy of the data.

    4. Right to erasure (“right to be forgotten”) (Art. 17 GDPR)

    Data subjects have the right to request the erasure of their personal data under certain conditions, such as when the data are no longer necessary for the purposes for which they were collected, or when consent has been withdrawn and there is no other legal basis for processing.

    5. Right to restriction of processing (Art. 18 GDPR)

    Data subjects may request the restriction of the processing of their personal data, for example, when they contest the accuracy of the data or when the processing is unlawful but they do not wish the data to be erased.

    6. Right to data portability (Art. 20 GDPR)

    Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. These data may also be transferred to another data controller where technically feasible, and where the processing is based on consent or a contract.

    7. Right to object (Art. 21 GDPR)

    Data subjects may object to the processing of their personal data in certain cases, including the processing of data for direct marketing or where the processing is based on legitimate interests. In such cases, the controller must cease processing unless it can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject.

    8. Right not to be subject to automated decision-making (Art. 22 GDPR)

    Data subjects have the right not to be subject to a decision based solely on automated processing of data, including profiling, which produces legal effects concerning them or similarly significantly affects them. Exceptions are permitted only in certain circumstances, such as where the decision is necessary for entering into a contract or is based on the explicit consent of the data subject.

    9. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

    Data subjects have the right to lodge a complaint with the national data protection authority (usually, the National Supervisory Authority for Personal Data Processing) if they believe that their rights have been violated.

    10. Right to withdraw consent (Art. 7(3) GDPR)

    Where processing is based on consent, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

    To exercise these rights, as well as for any further questions regarding this notice or in connection with the Company’s use of personal data, please contact us using any of the communication methods described in Section I of this notice.

    To protect your data and prevent misuse by malicious individuals seeking access to your information, we may require you to complete certain identification steps in advance, to ensure that you are the person exercising the rights outlined above through a request.

    If you are not satisfied with the response received, you have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).

    We may continue processing your data only if there are compelling legitimate grounds that prevail over your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

    This data processing policy was last updated on 07.02.2025.