Information Regarding the Processing of Personal Data (Patients / Companions)
In accordance with EU Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data, MEMORIAL HEALTHCARE INTERNATIONAL S.R.L. is a data controller. The contact details of Memorial Băneasa Hospital are as follows: Șos. Gheorghe Ionescu Sisești 8A, Sector 1, Bucharest; E-mail: office@memorial.ro; Phone: (031) 9393.
Why We Collect Information About You — Memorial Healthcare
MEMORIAL HEALTHCARE INTERNATIONAL S.R.L. may process the personal data of patients or their companions in the following situations:
- To make an appointment for the provision of medical services;
- Where the data subject attends a consultation;
- Upon the admission of a patient or companion;
- Upon enrolment and participation in a national health programme or sub-programme;
- Upon enrolment in a clinical trial;
- For the performance of a contract when paid services are provided;
- To issue referral letters for investigations, medical prescriptions, and the like;
- Where information about a patient's state of health must also be provided to other persons, on the basis of the consent given by the patient;
- To allow a relative access to the healthcare facility;
- Where MEMORIAL HEALTHCARE INTERNATIONAL S.R.L. has the obligation to comply with applicable laws and to transmit certain information to State institutions;
- For the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller;
- For the performance of tasks in the public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices;
- For the reimbursement of medical services by CNAS / CASMB;
- Where MEMORIAL HEALTHCARE INTERNATIONAL S.R.L. must contact an emergency contact specified by the patient;
- In the case of photographs or video recordings made to present the healthcare facility or for the security and protection of the organisation;
- Where the healthcare facility's website is accessed or where there is electronic communication with the organisation;
- In the conduct of marketing campaigns and opinion surveys;
- To ensure the IT and cyber security of the organisation.
The personal data required for the processing mentioned above fall within the following categories:
- Identity: patient first and last name, emergency contact or companion, etc.;
- Contact: address, e-mail address, telephone, emergency contact telephone, relative's telephone, etc.;
- Identification: personal numeric code (CNP), CID, observation chart number, test set number, ID card series and number, etc.;
- Professional information: workplace, profession, etc.;
- Personal information: information about other family members, information on medical insurance, etc.;
- Special-category information: religion, state of health, disabilities, etc.;
- Financial information: bank accounts, various amounts paid, etc.;
- Images or video recordings: CCTV or presentation media.
You are required to provide this personal data in order to fulfil the purposes mentioned above. Your refusal to provide the data necessary for the registration of medical services will make it impossible to register in the Romanian healthcare system and to provide medical services.
Legal Basis for the Processing of Personal Data
- Law 95/2006 on the reform of the health sector, as subsequently amended and supplemented;
- Law No. 46/2003 on patients' rights and its implementing rules, as subsequently amended and supplemented;
- Government Decision No. 521/2023 approving the service packages and the Framework Contract, which provides for the obligation to transmit data to the Electronic Health Record (DES);
- Government Decision No. 423/2022 approving the national health programmes (public and curative) for the 2022–2025 period, as subsequently amended and supplemented;
- Government Decision No. 2/2014 approving the rules on the organisation and conduct of clinical trials, and Government Decision No. 6/2014 on the authorisation procedure for clinical trials;
- EU Regulation 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- Law No. 190/2018 on implementing measures for Regulation (EU) 679/2016;
- Order No. 1782/2006 on the statistical recording and reporting of patients receiving medical services on a continuous hospitalisation and day hospitalisation basis;
- Order No. 1101/2016 approving the Rules for the surveillance, prevention and limitation of healthcare-associated infections in healthcare facilities;
- Order No. 1501/2016 approving the implementation of the patient feedback mechanism in public hospitals;
- Order No. 1399/2021 amending Annex No. 2 to Order of the Minister of Health No. 1501/2016 approving the implementation of the patient feedback mechanism in public hospitals;
- Order of the President of CNAS No. 180/2022, as subsequently amended and supplemented, approving the Technical Rules for carrying out the national curative health programmes for the years 2022–2025;
- Order of the Minister of Health No. 964/2022 approving the Technical Rules for carrying out the national public health programmes;
- Government Decision No. 696/2021 approving the medical service packages and the Framework Contract governing the conditions for the provision of medical care, medicines and medical devices, technologies and assistive devices within the social health insurance system for the years 2021–2022;
- Order No. 1068/627/2021 of 29 June 2021 approving the Methodological Rules for the application, in 2021, of Government Decision No. 696/2021 approving the service packages and the Framework Contract;
- Law No. 82/1991 — the Accounting Law (republished), as amended and supplemented;
- Decision No. 301/2012 approving the Methodological Rules for the application of Law No. 333/2003 on the protection of premises, goods and valuables and the protection of persons;
- Order No. 3670/2022 establishing the visiting schedule in public healthcare facilities;
- Law No. 227/2015, the Fiscal Code.
From the perspective of EU Regulation 679/2016, the information is processed as follows:
| Processing of personal data | Conditions provided in the Regulation |
|---|---|
| Provision of medical services and processing of information in special categories (for example, information relating to your state of health) | Art. 6(1)(b) — for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; Art. 6(1)(c) — in order to comply with a legal obligation; Art. 6(1)(d) — in order to protect the vital interests of the data subject or of another natural person; Art. 6(1)(e) — performance of a task carried out in the public interest; Art. 9(2)(h) — processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services; Art. 9(2)(i) — processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices. |
| Conduct of clinical trials | Art. 6(1)(a) — the data subject has given consent to the processing of their personal data for one or more specific purposes; Art. 9(2)(a) — the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. |
| Scheduling a patient for a particular service | Art. 6(1)(a) — the data subject has given consent to the processing of their personal data for one or more specific purposes; Art. 6(1)(c) — compliance with a legal obligation. |
| Transmission of certain information to State institutions | Art. 6(1)(c) — in order to comply with a legal obligation; Art. 6(1)(e) — performance of a task carried out in the public interest; Art. 9(2)(i) — processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices. |
| Use of a specified emergency contact | Art. 6(1)(d) — in order to protect the vital interests of the data subject or of another natural person; Art. 9(2)(c) — processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. |
| Photographs or video recordings made to present the conditions and services offered | Art. 6(1)(a) — the data subject has given consent to the processing of their personal data for one or more specific purposes. |
| Video surveillance using the internal CCTV system | Art. 6(1)(c) — in order to comply with a legal obligation; Art. 6(1)(f) — processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. |
| Electronic identification — IP address, e-mail address, etc. | Art. 6(1)(a) — the data subject has given consent to the processing of their personal data for one or more specific purposes; Art. 9(2)(a) — the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. |
| Monitoring of internet traffic for the safety and security of the organisation's IT systems | Art. 6(1)(c) — compliance with a legal obligation; Art. 6(1)(f) — processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. |
| Sending messages presenting the services offered by MEMORIAL HEALTHCARE INTERNATIONAL S.R.L. and its partners | Art. 6(1)(a) — the data subject has given consent to the processing of their personal data for one or more specific purposes. |
Categories of Recipients of Personal Data
The recipients of the information may be:
- The Ministry of Health and its subordinate institutions;
- The Bucharest Directorate of Public Health (DSP);
- The National Health Insurance House (CNAS) and the County Health Insurance House (CJAS);
- The National School of Public Health, Management and Professional Development in the Health Sector, Bucharest (SNSPMPDSB);
- The National Institute of Public Health (INSP) and the National Centre for Surveillance and Control of Communicable Diseases (CNSCBT);
- The National Institute of Forensic Medicine and affiliated institutions;
- The National Authority for Quality Management in Healthcare (ANMCS);
- Other accredited providers of medical services;
- The Court of Accounts of Romania;
- The Permanent Electoral Authority;
- The courts of law;
- The Public Ministry / Prosecutor's Offices;
- The Romanian Police and other criminal investigation bodies;
- The General Directorates for Social Assistance and Child Protection (DGASPC);
- Local authorities (town halls, local councils, population records services, etc.);
- Public social assistance services;
- The National Supervisory Authority for Personal Data Processing (ANSPDCP);
- The National Cyber Security Directorate (DNSC);
- Equipment maintenance service providers;
- IT and telecommunications service providers;
- Security service providers.
International Data Transfers
In the case of participation in clinical trials, your pseudonymised data may be transferred to partners outside the European Economic Area, on the basis of an adequacy decision or of standard contractual clauses approved by the European Commission.
How We Protect the Confidential Information Collected
The information collected about you is kept in written and/or electronic form. We ensure that the information we hold is kept in secure locations, with an appropriate level of security and with access permitted only to authorised personnel.
We also ensure that processors are contractually obliged to implement technical and organisational measures for the protection of data, where the data processed by them identifies or could identify a person.
Storage Location and Duration
The personal data collected is stored in spaces and on equipment located within MEMORIAL HEALTHCARE INTERNATIONAL S.R.L. or at our IT and telecommunications service providers.
The storage period for each category of personal data is in accordance with the legal requirements, with the organisation's internal regulations, and with best practice in this field.
Rights Relating to the Processing of Personal Data
Under EU Regulation 679/2016, you have the following rights: the right to be informed, the right of access to the personal data concerning you, the right to rectification or erasure of that data, the right to restriction of processing, the right to object to processing, and the right to data portability. In addition, you have the right not to be subject to automated individual decisions, as well as the right to bring the matter before the competent court. The availability of these rights depends on the legal basis for the processing.
Where the processing of personal data is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
If you have complaints about the way we process your personal data, you have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (www.dataprotection.ro).
If you wish to make a request under EU Regulation 679/2016, in order for us to respond effectively you will need to provide us with your identity (full name, personal numeric code (CNP), address) and details of the information you are requesting.
For further details, please contact the Data Protection Officer at the e-mail address: dpo@memorial.ro.
Content of the Notice, or Reasons Why the Affected Natural Persons Were Not Informed
The notice informing the data subjects about the incident, as posted, is the following:
Subject: Notification of a Security Incident — Unsolicited SMS Messages
Dear patient,
We wish to inform you that we have identified a security incident which, on 21 May 2025, led to the unauthorised sending of unsolicited SMS messages to 5,762 data subjects.
What happened? On 21 May 2025, following maintenance operations on the IT systems used by Memorial Hospital, a trigger was activated that allowed SMS messages to be sent without the recipients' consent.
What did the message contain? The messages sent had the following format: “Thank you for your visit to Memorial Băneasa Hospital. We want to make sure we are continuously improving our services, so please help us with your feedback. Completing the questionnaire takes only 2 minutes:….”
What measures have we taken? We have identified the source of the incident and have implemented measures to prevent its recurrence.
What should you do? We recommend that you do not reply and do not access the links in the message. If you have any questions or wish to report any issue, you can contact us at our official customer channels.
We apologise for any inconvenience caused and assure you that we are taking all necessary measures to protect your data.
Respectfully,
Memorial Hospital